Trustworthy Systems

Formalising the prevention of microarchitectural timing channels by operating systems


Robert Sison, Scott Buckley, Toby Murray, Gerwin Klein and Gernot Heiser

University of Melbourne

UNSW Sydney



Microarchitectural timing channels are a well-known mechanism for information leakage. Time protection has recently been demonstrated as an operating-system mechanism able to prevent them. However, established theories of information-flow security are insufficient for verifying time protection, which must distinguish between (legal) overt and (illegal) covert flows. We provide a machine-checked formalisation of time protection via a dynamic, observer-relative, intransitive nonleakage property over a careful model of the state elements that cause timing channels. We instantiate and prove our property over a generic model of OS interaction with its users, demonstrating for the first time the feasibility of proving time protection for OS implementations.

BibTeX Entry

    address          = {L\"{u}beck, DE},
    artefact         = {},
    author           = {Sison, Robert and Buckley, Scott and Murray, Toby and Klein, Gerwin and Heiser, Gernot},
    booktitle        = {International Symposium on Formal Methods (FM)},
    date             = {March 6-10, 2023},
    doi              = {10.1007/978-3-031-27481-7_8},
    keywords         = {timing channels, theorem proving, formal security definitions, information-flow security, operating
    month            = mar,
    numpages         = {19},
    paperurl         = {},
    publisher        = {Springer},
    title            = {Formalising the Prevention of Microarchitectural Timing Channels by Operating Systems},
    year             = {2023}