Program synthesis for interactive-security systems


Developing programs that are practical yet secure remains an important open problem. Recently, the operating-system and architecture communities have proposed novel systems, which we refer to as interactive-security systems. Such systems provide primitives that a program can use to perform security-critical operations, such as reading from and writing to system storage, while restricting some of its modules to execute with limited privileges. Developing programs that use the low-level primitives provided by such systems to ensure end-to-end security guarantees correctly, while preserving intended functionality, is a challenging problem. This paper describes previous and proposed work on techniques and tools that enable a programmer to automatically generate programs that use such primitives. For two interactive-security systems, namely the Capsicum capability system and the HiStar information-flow system, we developed policy languages in which a programmer can directly express security and functionality requirements, along with synthesizers that take a program and a policy in the language and generate a program that correctly uses system primitives to satisfy the policy. We propose future work on developing a similar synthesizer for novel architectures that enable an application to execute different modules in Secure Isolated Regions without trusting any other software component on the platform, including the operating system.




Notes

  1. We adopt the nomenclature of SIR from [51].


References

  1. Albarghouthi A, Gulwani S, Kincaid Z (2013) Recursive program synthesis. In: CAV
  2. Alur R, Bodík R, Juniwal G, Martin MMK, Raghothaman M, Seshia SA, Singh R, Solar-Lezama A, Torlak E, Udupa A (2013) Syntax-guided synthesis. In: FMCAD
  3. Alur R, La Torre S, Madhusudan P (2006) Modular strategies for recursive game graphs. Theor Comput Sci 354(2):230–249
  4. Alur R, Madhusudan P (2004) Visibly pushdown languages. In: STOC
  5. ARM (2016) Products. Accessed 9 Sept 2016
  6. Barthe G, Fournet C, Grégoire B, Strub P-Y, Swamy N, Béguelin SZ (2014) Probabilistic relational verification for cryptographic implementations. In: POPL
  7. Bittau A, Marchenko P, Handley M, Karp B (2008) Wedge: splitting applications into reduced-privilege compartments. In: NSDI
  8. Brumley D, Song DX (2004) Privtrans: automatically partitioning programs for privilege separation. In: USENIX Security Symposium
  9. CVE Editorial Board (2007) CVE-2007-4476. Aug 2007
  10. CVE Editorial Board (2010) GNU Tar and GNU Cpio rmt_read__() function buffer overflow. Mar 2010
  11. Cheung A, Arden O, Madden S, Myers AC (2012) Automatic partitioning of database applications. PVLDB 5(11):1471–1482
  12. Chong S, Liu J, Myers AC, Qi X, Vikram K, Zheng L, Zheng X (2007) Secure web applications via automatic partitioning. In: SOSP
  13. Clarkson MR, Schneider FB (2010) Hyperproperties. J Comput Secur 18(6):1157–1210
  14. Costan V, Lebedev I, Devadas S (2015) Sanctum: minimal hardware extensions for strong software isolation. Cryptology ePrint Archive, Report 2015/564
  15. CVE-2004-1488. Feb 2005
  16. CVE-2007-3798. July 2007
  17. CVE-2010-0405. Apr 2010
  18. Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(5):236–243
  19. Efstathopoulos P, Kohler E (2008) Manageable fine-grained information flow. In: EuroSys
  20. Efstathopoulos P, Krohn MN, Vandebogart S, Frey C, Ziegler D, Kohler E, Mazières D, Kaashoek MF, Morris R (2005) Labels and event processes in the Asbestos operating system. In: SOSP
  21. Erlingsson Ú, Schneider FB (2000) IRM enforcement of Java stack inspection. In: SSP
  22. FreeBSD 9.0-RELEASE announcement. Jan 2012
  23. Giffin DB, Levy A, Stefan D, Terei D, Mazières D, Mitchell JC, Russo A (2012) Hails: protecting data privacy in untrusted web applications. In: OSDI
  24. Grumberg O, Long DE (1994) Model checking and modular verification. ACM Trans Program Lang Syst 16(3):843–871
  25. Gudka K, Watson RNM, Hand S, Laurie B, Madhavapeddy A (2012) Exploring compartmentalisation hypotheses with SOAAP. In: AHANS 2012
  26. Harris W (2014) Secure programming via game-based synthesis. PhD thesis, University of Wisconsin–Madison
  27. Harris W, Zeldovich N, Jha S, Reps T, Manevich R, Sagiv M (2014) Modular synthesis of DIFC programs. Technical report, Georgia Institute of Technology
  28. Harris WR, Jha S, Reps T (2010) DIFC programs by automatic instrumentation. In: CCS
  29. Harris WR, Jha S, Reps T (2012) Secure programming via visibly pushdown safety games. In: CAV
  30. Harris WR, Jha S, Reps T, Anderson J, Watson RNM (2013) Declarative, temporal, and practical programming with capabilities. In: SSP
  31. Hawkins P, Aiken A, Fisher K, Rinard MC, Sagiv M (2011) Data representation synthesis. In: PLDI
  32. Hazay C, Lindell Y (2010) Efficient secure two-party protocols: techniques and constructions. Springer, Berlin
  33. Holzer A, Franz M, Katzenbeisser S, Veith H (2012) Secure two-party computations in ANSI C. In: CCS
  34. Hriţcu C, Greenberg M, Karel B, Pierce BC, Morrisett G (2013) All your IFCException are belong to us. In: SSP
  35. Intel Software (2016) Intel SGX homepage. Accessed 9 Sept 2016
  36. Jobstmann B, Griesmayer A, Bloem R (2005) Program repair as a game. In: CAV
  37. Krohn MN, Yip A, Brodsky MZ, Cliffer N, Kaashoek MF, Kohler E, Morris R (2007) Information flow control for standard OS abstractions. In: SOSP
  38. Lattner C (2011), Nov 2011
  39. Livshits B, Chong S (2013) Towards fully automatic placement of security sanitizers and declassifiers. In: POPL
  40. Livshits VB, Nori AV, Rajamani SK, Banerjee A (2009) Merlin: specification inference for explicit information flow problems. In: PLDI
  41. Manevich R (2011), June 2011
  42. Myers AC (1999) JFlow: practical mostly-static information flow control. In: POPL
  43. Neumann PG, Boyer RS, Robinson L, Levitt KN, Boyer RS, Saxena AR (1980) A provably secure operating system. Technical report CSL-116, Stanford Research Institute
  44. Pnueli A (1985) In transition from global to modular temporal reasoning about programs. In: Apt KR (ed) Logics and models of concurrent systems. Springer, New York
  45. Roy I, Porter DE, Bond MD, McKinley KS, Witchel E (2009) Laminar: practical fine-grained decentralized information flow control. In: PLDI
  46. Sabelfeld A, Sands D (2005) Dimensions and principles of declassification. In: CSFW-18
  47. Sagiv S, Reps T, Wilhelm R (2002) Parametric shape analysis via 3-valued logic. ACM Trans Program Lang Syst 24(3):217–298
  48. Saltzer JH, Schroeder MD (1975) The protection of information in computer systems. Proc IEEE 63(9):1278–1308
  49. Schuster F, Costa M, Fournet C, Gkantsidis C, Peinado M, Mainar-Ruiz G, Russinovich M (2015) VC3: trustworthy data analytics in the cloud using SGX. In: SP
  50. Shapiro JS, Smith JM, Farber DJ (1999) EROS: a fast capability system. In: SOSP
  51. Sinha R, Costa M, Lal A, Lopes NP, Rajamani SK, Seshia SA, Vaswani K (2016) A design and verification methodology for secure isolated regions. In: PLDI
  52. Sinha R, Rajamani SK, Seshia SA, Vaswani K (2015) Moat: verifying confidentiality of enclave programs. In: CCS
  53. Skalka C, Smith SF (2000) Static enforcement of security with types. In: ICFP, pp 34–45
  54. Sohail S, Somenzi F (2009) Safety first: a two-stage algorithm for LTL games. In: FMCAD
  55. Solar-Lezama A, Arnold G, Tancau L, Bodík R, Saraswat VA, Seshia SA (2007) Sketching stencils. In: PLDI
  56. Solar-Lezama A, Jones CG, Bodík R (2008) Sketching concurrent data structures. In: PLDI
  57. Solar-Lezama A, Rabbah RM, Bodík R, Ebcioglu K (2005) Programming by sketching for bit-streaming programs. In: PLDI
  58. Solar-Lezama A, Tancau L, Bodík R, Seshia SA, Saraswat VA (2006) Combinatorial sketching for finite programs. In: ASPLOS
  59. Swamy N, Chen J, Fournet C, Strub P-Y, Bhargavan K, Yang J (2011) Secure distributed programming with value-dependent types. In: ICFP
  60. Swamy N, Corcoran BJ, Hicks M (2008) Fable: a language for enforcing user-defined security policies. In: SSP
  61. Swamy N, Hicks M (2008) Verified enforcement of stateful information release policies. SIGPLAN Not 43(12):21–31
  62. The MITRE Corporation (2011) CWE: 2011 CWE/SANS top 25 most dangerous software errors
  63. Tsai M-H, Tsay Y-K, Hwang Y-S (2013) GOAL for games, omega-automata, and logics. In: CAV
  64. U.S. Department of Defense (1985) Trusted computer system evaluation criteria. DoD Standard 5200.28-STD, Dec 1985
  65. Vaughan JA, Chong S (2011) Inference of expressive declassification policies. In: SSP
  66. Vulnerability note VU#520827. May 2012
  67. Vulnerability note VU#381508. July 2011
  68. Watson RNM, Anderson J, Laurie B, Kennaway K (2010) Capsicum: practical capabilities for UNIX. In: USENIX Security Symposium
  69. Wright C, Cowan C, Smalley S, Morris J, Kroah-Hartman G (2002) Linux security modules: general security support for the Linux kernel. In: USENIX Security Symposium
  70. Yao A (1982) Protocols for secure computations. In: FOCS
  71. Zeldovich N, Boyd-Wickizer S, Kohler E, Mazières D (2006) Making information flow explicit in HiStar. In: OSDI


Acknowledgements

The authors wish to thank the many researchers and collaborators who contributed to the work described in this paper, including Jonathan Anderson, Manuel Costa, Akash Lal, Nuno Lopes, Roman Manevich, Sriram Rajamani, Mooly Sagiv, Rohit Sinha, Kapil Vaswani, Robert Watson, and Nickolai Zeldovich. The work described in this paper was supported, in part, by a gift from Rajiv and Ritu Batra; by DARPA under Cooperative Agreement HR0011-12-2-0012; by NSF under Grants CCF-0904371, CNS-1228620, CNS-1228782, and SATC-1526211; by the NSF STARSS Grant CNS-1528108; by SRC contracts 2460.001 and 2638.001; by a gift from Microsoft Research; by AFRL under DARPA CRASH Award FA8650-10-C-7088, DARPA MUSE Award FA8750-14-2-0270, DARPA STAC Award FA8750-15-C-0082, and DARPA XD3 Award HR0011-16-C-0059; by USAF and DARPA under Contract No. FA8650-15-C-7562; and by the UW-Madison Office of the Vice Chancellor for Research and Graduate Education with funding from the Wisconsin Alumni Research Foundation. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors, and do not necessarily reflect the views of the sponsoring agencies.

Author information

Corresponding author: William R. Harris.


About this article


Cite this article

Harris, W.R., Jha, S., Reps, T.W. et al. Program synthesis for interactive-security systems. Form Methods Syst Des 51, 362–394 (2017).


Keywords

  • Computer security
  • Program synthesis
  • Information flow
  • Capabilities
  • Secure isolated regions