Trustworthy Systems

Proving confidentiality and its preservation under compilation for mixed-sensitivity concurrent programs

Authors

Robert Sison

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Abstract

Here, I pose the thesis that proving noninterference and its preservation by a compiler is feasible for mixed-sensitivity concurrent programs. Software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. Prior work therefore presented formal methods for proving and preserving the strictest kind of confidentiality property, noninterference, for mixed-sensitivity concurrent programs: a term I coin to describe those programs that might reuse memory shared between their threads to hold data of different sensitivity levels at different times. Although these methods addressed challenges in formalising the value-dependent coordination of such mixed-sensitivity reuse under the impact of concurrency, their practicality remained unclear: Could they be used to prove noninterference for any nontrivial mixed-sensitivity concurrent program in its entirety? Furthermore, could any compiler be verified to preserve the needed guarantees to the compiled code?

To support this claim, I prove for the first time both (1) noninterference for a nontrivial mixed-sensitivity concurrent program, modelling a real-world use case, and (2) its preservation by a compiler down to an assembly-level model. This main result rests on two major contributions. First, I demonstrate how programming-language designers can make reasoning on each thread sufficient to prove noninterference for such programs, by supplying synchronisation primitives (here, mutex locks for a generic imperative language) and proving they maintain as invariant the necessary requirements. Second, I demonstrate how compiler developers can make confidentiality-preserving refinement a feasible target for verification, by using a decomposition principle to prove that a compiler (here, from that imperative language to a generic RISC-style assembly language) establishes it for mixed-sensitivity concurrent programs. Thus, per-thread reasoning proves noninterference for the case study, and the verified compiler preserves it to assembly automatically. All my results are formalised and proved in the Isabelle/HOL interactive proof assistant.

My work paves the way for more fully featured programming languages and their compilers, in replicating these results, to raise the typical level of assurance readily offered by developers of multithreaded software responsible for data of multiple sensitivity levels.

BibTeX Entry

  @phdthesis{Sison:phd,
    address          = {unswaddr},
    author           = {Robert Sison},
    doi              = {10.26190/5fab5c0a76454},
    month            = oct,
    paperurl         = {https://trustworthy.systems/publications/papers/Sison%3Aphd.pdf},
    school           = {UNSW},
    title            = {Proving Confidentiality and Its Preservation Under Compilation for Mixed-Sensitivity Concurrent
                        Programs},
    url              = {http://handle.unsw.edu.au/1959.4/70452},
    year             = {2020}
  }

Download