CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity
dc.contributor.author
Eilers, Marco
dc.contributor.author
Dardinier, Thibault
dc.contributor.author
Müller, Peter
dc.date.accessioned
2023-06-30T10:45:54Z
dc.date.available
2023-06-28T05:48:59Z
dc.date.available
2023-06-29T09:40:40Z
dc.date.available
2023-06-30T10:45:54Z
dc.date.issued
2023-06
dc.identifier.issn
2475-1421
dc.identifier.other
10.1145/3591289
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/618841
dc.identifier.doi
10.3929/ethz-b-000618841
dc.description.abstract
Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between different threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent runtime, and other common features that affect execution time). In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable. We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We implemented CommCSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.
en_US
dc.format
application/pdf
en_US
dc.language.iso
en
en_US
dc.publisher
Association for Computing Machinery
en_US
dc.rights.uri
http://creativecommons.org/licenses/by/4.0/
dc.subject
Commutativity
en_US
dc.subject
Information flow
en_US
dc.subject
Separation logic
en_US
dc.subject
Concurrency
en_US
dc.title
CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity
en_US
dc.type
Journal Article
dc.rights.license
Creative Commons Attribution 4.0 International
dc.date.published
2023-06-06
ethz.journal.title
Proceedings of the ACM on Programming Languages
ethz.journal.volume
7
en_US
ethz.journal.issue
PLDI
en_US
ethz.journal.abbreviated
Proc. ACM Program. Lang.
ethz.pages.start
175
en_US
ethz.size
26 p.
en_US
ethz.version.deposit
publishedVersion
en_US
ethz.grant
Formal Foundations of Translational Program Verifiers
en_US
ethz.identifier.wos
ethz.identifier.scopus
ethz.publication.place
New York, NY
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::03653 - Müller, Peter / Müller, Peter
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::03653 - Müller, Peter / Müller, Peter
ethz.grant.agreementno
197065
ethz.grant.fundername
SNF
ethz.grant.funderDoi
10.13039/501100001711
ethz.grant.program
Projekte MINT
ethz.relation.isNewVersionOf
20.500.11850/584024
ethz.date.deposited
2023-06-28T05:49:01Z
ethz.source
SCOPUS
ethz.eth
yes
en_US
ethz.availability
Open access
en_US
ethz.rosetta.installDate
2023-06-30T10:46:59Z
ethz.rosetta.lastUpdated
2024-02-03T00:55:14Z
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=CommCSL:%20Proving%20Information%20Flow%20Security%20for%20Concurrent%20Programs%20using%20Abstract%20Commutativity&rft.jtitle=Proceedings%20of%20the%20ACM%20on%20Programming%20Languages&rft.date=2023-06&rft.volume=7&rft.issue=PLDI&rft.spage=175&rft.issn=2475-1421&rft.au=Eilers,%20Marco&Dardinier,%20Thibault&M%C3%BCller,%20Peter&rft.genre=article&rft_id=info:doi/10.1145/3591289&
Files in this item
Publication type
-
Journal Article [130568]