A Verified Information-Flow Architecture

TL;DR

This paper introduces SAFE, a secure computer architecture with hardware and software mechanisms for tracking and controlling information flow, supported by formal verification and a code generator for policies.

Contribution

It presents a formally verified, hardware-software architecture for secure information flow control, including a code generator and machine-checked proofs of noninterference.

Findings

Formal, machine-checked model of SAFE mechanisms

Proof of noninterference for the architecture

Verified code generator for information-flow policies

Abstract

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.