Compositional Non-Interference for Fine-Grained Concurrent Programs

TL;DR

This paper introduces SeLoC, a novel separation logic framework that combines type systems and program logics to verify non-interference in fine-grained concurrent programs, enabling modular and automated security proofs.

Contribution

SeLoC is the first relational separation logic for non-interference that supports compositional verification of concurrent programs with typed and untyped parts.

Findings

Supports fine-grained concurrency verification

Combines type checking with manual proofs

Fully machine-checked in Coq using Iris

Abstract

Non-interference is a program property that ensures the absence of information leaks. In the context of programming languages, there exist two common approaches for establishing non-interference: type systems and program logics. Type systems provide strong automation (by means of type checking), but they are inherently restrictive in the kind of programs they support. Program logics support challenging programs, but they typically require significant human assistance, and cannot handle modules or higher-order programs. To connect these two approaches, we present SeLoC---a separation logic for non-interference, on top of which we build a type system using the technique of logical relations. By building a type system on top of separation logic, we can compositionally verify programs that consist of typed and untyped parts. The former parts are verified through type checking, while the latter parts are verified through manual proof. The core technical contribution of SeLoC is a relational form of weakest preconditions that can track information flow using separation logic resources. SeLoC is fully machine-checked, and built on top of the Iris framework for concurrent separation logic in Coq. The integration with Iris provides seamless support for fine-grained concurrency, which was beyond the reach of prior type systems and program logics for non-interference.