Event-based Compositional Reasoning of Information-Flow Security for Concurrent Systems

TL;DR

This paper introduces a novel rely-guarantee-based compositional reasoning framework for information-flow security in concurrent systems, incorporating event-based semantics to improve applicability to system-level security verification.

Contribution

It proposes an event-based language and a rely-guarantee proof system with new unwinding conditions, enabling modular security proofs for concurrent systems at the system level.

Findings

Designed an event-incorporating language with IFS semantics.

Developed a rely-guarantee proof system with event unwinding conditions.

Mechanized the approach in Isabelle/HOL and verified multicore kernels.

Abstract

High assurance of information-flow security (IFS) for concurrent systems is challenging. A promising way for formal verification of concurrent systems is the rely-guarantee method. However, existing compositional reasoning approaches for IFS concentrate on language-based IFS. It is often not applicable for system-level security, such as multicore operating system kernels, in which secrecy of actions should also be considered. On the other hand, existing studies on the rely-guarantee method are basically built on concurrent programming languages, by which semantics of concurrent systems cannot be completely captured in a straightforward way. In order to formally verify state-action based IFS for concurrent systems, we propose a rely-guarantee-based compositional reasoning approach for IFS in this paper. We first design a language by incorporating ``Event'' into concurrent languages and give the IFS semantics of the language. As a primitive element, events offer an extremely neat framework for modeling system and are not necessarily atomic in our language. For compositional reasoning of IFS, we use rely-guarantee specification to define new forms of unwinding conditions (UCs) on events, i.e., event UCs. By a rely-guarantee proof system of the language and the soundness of event UCs, we have that event UCs imply IFS of concurrent systems. In such a way, we relax the atomicity constraint of actions in traditional UCs and provide a compositional reasoning way for IFS in which security proof of systems can be discharged by independent security proof on individual events. Finally, we mechanize the approach in Isabelle/HOL and develop a formal specification and its IFS proof for multicore separation kernels as a study case according to an industrial standard -- ARINC 653.