Formal Methods in System Design, Volume 51, Issue 2, pp 362–394

Program synthesis for interactive-security systems

  • William R. Harris
  • Somesh Jha
  • Thomas W. Reps
  • Sanjit A. Seshia


Developing practical but secure programs remains an important and open problem. Recently, the operating-system and architecture communities have proposed novel systems, which we refer to as interactive-security systems. They provide primitives that a program can use to perform security-critical operations, such as reading from and writing to system storage, while restricting some modules to execute with limited privileges. Developing programs that use the low-level primitives provided by such systems to correctly ensure end-to-end security guarantees while preserving intended functionality is a challenging problem. This paper describes previous and proposed work on techniques and tools that enable a programmer to automatically generate programs that use such primitives. For two interactive-security systems, namely the Capsicum capability system and the HiStar information-flow system, we developed languages of policies that a programmer can use to directly express security and functionality requirements, along with synthesizers that take a program and a policy in the language and generate a program that correctly uses system primitives to satisfy the policy. We propose future work on developing a similar synthesizer for novel architectures that enable an application to execute different modules in Secure Isolated Regions without trusting any other software components on a platform, including the operating system.


Keywords: Computer security; Program synthesis; Information flow; Capabilities; Secure isolated regions



The authors wish to thank the many researchers and collaborators who contributed to the work described in this paper, including Jonathan Anderson, Manuel Costa, Akash Lal, Nuno Lopes, Roman Manevich, Sriram Rajamani, Mooly Sagiv, Rohit Sinha, Kapil Vaswani, Robert Watson, and Nickolai Zeldovich. The work described in this paper was supported, in part, by a gift from Rajiv and Ritu Batra; by DARPA under Cooperative Agreement HR0011-12-2-0012; by NSF under Grants CCF-0904371, CNS-1228620, CNS-1228782, and SATC-1526211; by the NSF STARSS Grant CNS-1528108; by SRC contracts 2460.001 and 2638.001; by a gift from Microsoft Research; by AFRL under DARPA CRASH Award FA8650-10-C-7088, DARPA MUSE Award FA8750-14-2-0270, DARPA STAC Award FA8750-15-C-0082, and DARPA XD3 Award HR0011-16-C-0059; by USAF and DARPA under Contract No. FA8650-15-C-7562; and by the UW-Madison Office of the Vice Chancellor for Research and Graduate Education with funding from the Wisconsin Alumni Research Foundation. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors, and do not necessarily reflect the views of the sponsoring agencies.



Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. Georgia Institute of Technology, Atlanta, USA
  2. University of Wisconsin–Madison, Madison, USA
  3. GrammaTech Inc., Ithaca, USA
  4. University of California, Berkeley, Berkeley, USA