Thomas Bauereiss’s research while affiliated with University of Cambridge and other places


Publications (12)


Fig. 10. GIC automaton, for each PE and each INTID, based on Figure 4-3 "Interrupt handling state machine" from Arm [10, §4.1.2], specialised to edge-triggered behaviour.
Relaxed exception semantics for Arm-A (extended version)
  • Preprint
  • File available

December 2024 · 5 Reads

Ben Simner · Alasdair Armstrong · Thomas Bauereiss · [...] · and Peter Sewell

To manage exceptions, software relies on a key architectural guarantee, precision: that exceptions appear to execute between instructions. However, this definition, dating back over 60 years, fundamentally assumes a sequential programmer's model. Modern architectures such as Arm-A with programmer-observable relaxed behaviour make such a naive definition inadequate, and it is unclear exactly what guarantees programmers have on exception entry and exit. In this paper, we clarify the concepts needed to discuss exceptions in the relaxed-memory setting -- a key aspect of precisely specifying the architectural interface between hardware and software. We explore the basic relaxed behaviour across exception boundaries, and the semantics of external aborts, using Arm-A as a representative modern architecture. We identify an important problem, present yet unexplored for decades: pinning down what it means for exceptions to be precise in a relaxed setting. We describe key phenomena that any definition should account for. We develop an axiomatic model for Arm-A precise exceptions, tooling for axiomatic model execution, and a library of tests. Finally we explore the relaxed semantics of software-generated interrupts, as used in sophisticated programming patterns, and sketch how they too could be modelled.


Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

March 2022 · 48 Reads · 20 Citations

Lecture Notes in Computer Science

Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities to enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C and C++ to be adapted to deterministically mitigate large classes of vulnerabilities, while requiring only minor changes to existing system software sources. Arm is currently designing and building Morello, a CHERI-enabled prototype architecture, processor, SoC, and board, extending the high-performance Neoverse N1, to enable industrial evaluation of CHERI and pave the way for potential mass-market adoption. However, for such a major new security-oriented architecture feature, it is important to establish high confidence that it does provide the intended protections, and that cannot be done with conventional engineering techniques. In this paper we put the Morello architecture on a solid mathematical footing from the outset. We define the fundamental security property that Morello aims to provide, reachable capability monotonicity, and prove that the architecture definition satisfies it. This proof is mechanised in Isabelle/HOL, and applies to a translation of the official Arm specification of the Morello instruction-set architecture (ISA) into Isabelle. The main challenge is handling the complexity and scale of a production architecture: 62,000 lines of specification, translated to 210,000 lines of Isabelle. We do so by factoring the proof via a narrow abstraction capturing essential properties of arbitrary CHERI ISAs, expressed above a monadic intra-instruction semantics. We also develop a model-based test generator, which generates instruction-sequence tests that give good specification coverage, used in early testing of the Morello implementation and in Morello QEMU development, and we use Arm's internal test suite to validate our model. This gives us machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry architecture, at design-time. To the best of our knowledge, this is the first demonstration that that is feasible, and it significantly increases confidence in Morello.


Confidentiality properties for CoCon. The observations are made by a group of users G.
Bounded-deducibility security

June 2021 · 19 Reads · 4 Citations

We describe Bounded-Deducibility (BD) security, an expressive framework for the specification and verification of information-flow security. The framework grew by confronting concrete challenges of specifying and verifying fine-grained confidentiality properties in some realistic web-based systems. The concepts and theorems that constitute this framework have an eventful history of such "confrontations", often involving trial and error, which are reported in previous papers. This paper is the first to focus on the framework itself rather than the case studies, gathering in one place all the abstract results about BD security.



Fig. 1. Sail ISA semantics and (in yellow) the generated prover and emulator versions. The grey parts are previous concurrency and ISA models, user-mode only and not yet fully integrated into current Sail.
ISA semantics for ARMv8-A, RISC-V, and CHERI-MIPS

January 2019 · 1,043 Reads · 95 Citations

Proceedings of the ACM on Programming Languages

Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving software and verification on shaky ground. In this paper, we present rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4. Our ARMv8-A models are automatically translated from authoritative ARM-internal definitions, and (in one variant) tested against the ARM Architecture Validation Suite. We do this using a custom language for ISA semantics, Sail, with a lightweight dependent type system, that supports automatic generation of emulator code in C and OCaml, and automatic generation of proof-assistant definitions for Isabelle, HOL4, and (currently only for MIPS) Coq. We use the former for validation, and to assess specification coverage. To demonstrate the usability of the latter, we prove (in Isabelle) correctness of a purely functional characterisation of ARMv8-A address translation. We moreover integrate the RISC-V model into the RMEM tool for (user-mode) relaxed-memory concurrency exploration. We prove (on paper) the soundness of the core Sail type system. We thereby take a big step towards making the architectural abstraction actually well-defined, establishing foundations for verification and reasoning.


Figures: The bound for post text confidentiality; The bound for friendship status confidentiality; Graph of unwinding relations; Refined graph; The unwinding relations for post-text confidentiality.
CoSMed: A Confidentiality-Verified Social Media Platform

June 2018 · 36 Reads · 18 Citations

Journal of Automated Reasoning

This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD Security has to give way to a dynamic integration of the triggers as part of the bounds. We also show that, from a theoretical viewpoint, the removal of triggers from the notion of BD Security does not restrict its expressiveness.


CoSMed: A Confidentiality-Verified Social Media Platform

February 2018 · 6 Reads · 2 Citations

This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD Security has to give way to a dynamic integration of the triggers as part of the bounds. We also show that, from a theoretical viewpoint, the removal of triggers from the notion of BD Security does not restrict its expressiveness.


CoSMed: A Confidentiality-Verified Social Media Platform

August 2016 · 111 Reads · 16 Citations

Lecture Notes in Computer Science

This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD security has to give way to a dynamic integration of the triggers as part of the bounds.


Compatibility of Safety Properties and Possibilistic Information Flow Security in MAKS

June 2014 · 5 Reads

IFIP Advances in Information and Communication Technology

Motivated by typical security requirements of workflow management systems, we consider the integrated verification of both safety properties (e.g. separation of duty) and information flow security predicates of the MAKS framework (e.g. modeling confidentiality requirements). Due to the refinement paradox, enforcement of safety properties might violate possibilistic information flow properties of a system. We present an approach where sufficient conditions for the compatibility of safety properties and information flow security are derived by performing an information flow analysis of a monitor enforcing the safety property and applying existing compositionality results for MAKS security predicates. These conditions then guarantee that the composition of a target system with the monitor satisfies both kinds of properties. We illustrate our approach by deriving sufficient conditions for the security-preserving enforcement of separation of duty and ordered message delivery in an asynchronous communication platform. © IFIP International Federation for Information Processing 2014.


Figure 1: Example workflow (adapted from A. Brucker and I. Hang, unpublished)
Possibilistic Information Flow Control for Workflow Management Systems

April 2014 · 100 Reads · 8 Citations

it - Information Technology

Workflow management plays an important role in analyzing and automating business processes. Security requirements in workflow management systems are typically mapped to (role-based) access control configurations. This paper focuses on information flow control, taking into account implicit information leaks. The presented approach operates on a specification level in which no executable program is available yet. We illustrate the modeling of a workflow management system as a composition of state-event systems, each representing one of the activities of the workflow. This facilitates distributed deployment and eases verification by splitting up the verification of the overall system into verification of the individual components. Confidentiality requirements are modeled in terms of information flow predicates using the MAKS framework and verified following existing decomposition methodologies, which are adapted for open systems with ongoing user interaction. We discuss the interaction with other security requirements, notably separation of duty.


Citations (7)


... However, the results have been compelling: MSRC reported more than a two-thirds deterministic mitigation rate for memory-safety vulnerabilities with the deployment of CHERI's referential, spatial, and temporal memory safety. 3. Formal proof of architectural security properties: Formal modeling of the Morello and CHERI-MIPS ISAs has supported formal verification (machine-checked mathematical proof) that the ISAs enforce key properties, such as correctness of capability bounds comparison and isolation of arbitrary code by compartmentalization mechanisms, 12 and formal semantics for CHERI C has clarified its security properties. 13 4. Penetration-testing exercises, ideally performed with a strong attacker awareness of the CHERI model so that attack strategies can take this into account: These exercisers have primarily been performed externally and include an activity by MSRC to consider the impact of CHERI on WebKit JavaScriptCore ( JSC) with CHERI-aware attackers as well as a DARPA-sponsored, crowdsourced penetration activity. ...

Reference:

CHERI: Hardware-Enabled C/C++ Memory Protection at Scale
Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Lecture Notes in Computer Science

... The client is responsible for connecting to the server and executing commands. This compartmentalization prevents an attacker who exploits a vulnerability in the client from gaining access to the server [10]. ...

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process
  • Citing Conference Paper
  • May 2020

... Many test methodologies ended up becoming proprietary and highly implementation-specific [Jones et al. 1995]. Despite efforts towards generalisation [Sawada 2000, Bertran et al. 2012, Schubert et al. 2018, Bruns et al. 2023], a new generation of work only became visible with the advent of large-scale open architectures and implementations, especially those made possible by the RISC-V architecture [Armstrong et al. 2019, Herdt et al. 2020], as well as AI-assisted generators [Orenes-Vera et al. 2023]. ...

ISA semantics for ARMv8-A, RISC-V, and CHERI-MIPS

Proceedings of the ACM on Programming Languages

... Three major verification case studies will also be briefly described while recalling their contribution to the framework's design (Section 3). These are the CoCon conference management system (Section 3.1, [23,37]), the CoSMed social media platform (Section 3.2, [7,9]), and the CoSMeDis distributed extension of CoSMed (Section 3.3, [8]). ...

CoSMed: A Confidentiality-Verified Social Media Platform
  • Citing Article
  • February 2018

... Prior work on practical secure declassification includes the verification of the kernel of a conference management system [66], a social media platform [12] and its distributed successor [11]. These works proved variants of the generic security property of Bounded Deducibility [65], which is similar to declassification policies D. The proofs use manual unwinding in Isabelle/HOL, over an abstract program representation of I/O automata. ...

CoSMed: A Confidentiality-Verified Social Media Platform

Journal of Automated Reasoning

... • A delegation/revocation policy [3], [32], [50], [38] dynamically updates the sensitivity roles in a security system to accommodate the mutable requirements of security, such as delegating/revoking the access rights of a new/leaving employee. Moreover, there are a few case studies on the needed security properties in the light of one specific context or task [6], [31], [43], [49], and build systems that provably enforce some variants of declassification policy (e.g., CoCon [34], CosMeDis [12]) and erasure policy (e.g., Civitas [21]). ...

CoSMed: A Confidentiality-Verified Social Media Platform

Lecture Notes in Computer Science

... However, it seems to us that document workflows have not had the same interest for the scientific community. But nowadays, the emergence and supremacy of the Internet in electronic exchanges and e-Government [13] [14] [15] [16] [17] are leading to a massive dematerialization of documents; which requires a conceptual reconsideration of the organizational framework for the processing of said documents in both public and private administrations [17] [18]. This problem seems open to us and deserves the interest of the scientific community [19]. ...

Possibilistic Information Flow Control for Workflow Management Systems

it - Information Technology