Attacking, Repairing, and Verifying SecVisor: A Retrospective on the Security of a Hypervisor

by Jason Franklin, Arvind Seshadri, Ning Qu, Anupam Datta, Sagar Chaki
"... SecVisor is a hypervisor designed to guarantee that only code approved by the user of a system executes at the privilege level of the OS kernel [17]. We employ a model checker to verify the design properties of SecVisor and identify two design-level attacks that violate SecVisor’s security requireme ..."
Abstract - Cited by 2 (1 self)
Visor and successfully performing two attacks against a SecVisor-protected Linux kernel. To repair SecVisor, we design and implement an efficient and secure memory protection scheme. We formally verify the security of our scheme. We demonstrate that the performance impact of our proposed defense is negligible

Verifying information flow goals in security-enhanced Linux

by Joshua D. Guttman, Amy L. Herzog, John D. Ramsdell, Clement W. Skorupka - Journal of Computer Security
"... In this paper, we present a systematic way to determine the information flow security goals achieved by systems running a secure O/S, specifically systems running Security-Enhanced Linux. A formalization of the access control mechanism of the SELinux security server, together with a labeled transit ..."
Abstract - Cited by 31 (0 self)
In this paper, we present a systematic way to determine the information flow security goals achieved by systems running a secure O/S, specifically systems running Security-Enhanced Linux. A formalization of the access control mechanism of the SELinux security server, together with a labeled

Formalizing Information Flow in a Haskell Hypervisor

by Rebekah Leslie
"... Abstract — Separation kernels are the holy grail of secure systems, remaining elusive despite years of research into their design, implementation, and analysis. Though separation kernel research has achieved many successes, the disconnect between information flow theory and system implementation is ..."
Abstract - Cited by 1 (0 self)
is a significant barrier to further progress. In this paper, we show how a particular branch of information flow theory, noninterference, can be utilized to formulate correctness and security properties of a microkernel-style hypervisor. Thus, we not only provide a first step towards a formally verified

Towards Verified Cloud Computing Environments

by Nikolai Kosmatov, Matthieu Lemerre
"... Abstract—As the usage of the cloud becomes pervasive in our lives, it is necessary to ensure the reliability, safety and security of cloud environments. In this paper we study a usual software stack of a cloud environment from the perspective of formal verification. This software stack ranges from appl ..."
Abstract
Abstract—As the usage of the cloud becomes pervasive in our lives, it is necessary to ensure the reliability, safety and security of cloud environments. In this paper we study a usual software stack of a cloud environment from the perspective of formal verification. This software stack ranges from

The Implementation of Lisex, a MLS Linux Prototype

by Maximiliano Cristiá, Gisela Giusti, Felipe Manzano
"... In this article we describe the design and implementation of a Linux multi-level secure (MLS) file system containing access control lists (ACL). The resulting prototype is called Lisex. We implemented Lisex from a model formally written and verified in Coq. We used abstract data types (ADT) to impleme ..."
Abstract
In this article we describe the design and implementation of a Linux multi-level secure (MLS) file system containing access control lists (ACL). The resulting prototype is called Lisex. We implemented Lisex from a model formally written and verified in Coq. We used abstract data types (ADT

Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size

by Jason Franklin, Sagar Chaki, Anupam Datta, Arvind Seshadri
"... The security of systems such as operating systems, hypervisors, and web browsers depends critically on reference monitors to correctly enforce their desired security policy in the presence of adversaries. Recent progress in developing reference monitors with small code size and narrow interfaces has ..."
Abstract - Cited by 10 (4 self)
for expressing security policies that the monitor is expected to enforce. The central technical results of the paper are a set of small model theorems. These theorems state that in order to verify that a policy is enforced by a reference monitor with an arbitrarily large data structure, it is sufficient to model

How to Verify Reference Monitors without Worrying about Data Structure Size

by Jason Franklin, Sagar Chaki, Anupam Datta, Arvind Seshadri, 2010
"... The security of systems such as operating systems, hypervisors, and web browsers depends critically on reference monitors to correctly enforce their desired security policy in the presence of adversaries. Recent progress in developing reference monitors with small code size and narrow interfaces has ..."
Abstract
for expressing security policies that the monitor is expected to enforce. The central technical results of the paper are a set of small model theorems. These theorems state that in order to verify that a policy is enforced by a reference monitor with an arbitrarily large data structure, it is sufficient to model

A MLS Linux Prototype Called Lisex

by Maximiliano Cristiá, Gisela Giusti, Felipe Manzano
"... In this article we describe the design and implementation of a Linux multi-level secure file system containing access control lists (ACL). The resulting prototype is called Lisex. We implemented Lisex from a formal model written and formally verified in Coq. Also, we have used abstract data types (A ..."
Abstract
In this article we describe the design and implementation of a Linux multi-level secure file system containing access control lists (ACL). The resulting prototype is called Lisex. We implemented Lisex from a formal model written and formally verified in Coq. Also, we have used abstract data types

Formal verification of a microkernel used in dependable software systems

by Christoph Baumann, Bernhard Beckert, Holger Blasum, Thorsten Bormer - In Proc. SAFECOMP 2009, LNCS, 2009
"... Abstract. In recent years, deductive program verification has improved to a degree that makes it feasible for real-world programs. Following this observation, the main goal of the Verisoft XT project is (a) the creation of methods and tools which allow for the pervasive formal verification of integr ..."
Abstract - Cited by 5 (2 self)
of integrated computer systems, and (b) the prototypical realization of four concrete, industrial application tasks. In this paper, we report on the Verisoft XT subproject Avionics, where formal verification is applied to a commercial embedded operating system. The goal is to use deductive techniques to verify

CMU-CyLab-12-017

by Sagar Chaki, Amit Vasudevan, Limin Jia, Jonathan McCune, Anupam Datta, 2012
"... Hypervisors are a popular mechanism for implementing software virtualization. Since hypervisors execute at a very high privilege level, they must be secure. A fundamental security property of a hypervisor is memory integrity – the hypervisor’s memory must not be modified by software running at a low ..."
Abstract
lower privilege level. In this paper, we present a methodology – called DRIVE – for designing, developing, and verifying hypervisors to ensure memory integrity. DRIVE combines the power of architectural constraints (captured by a set of system properties and verification conditions) with that of formal