Composable Security Analysis of OS Services

  • Ran Canetti
  • Suresh Chari
  • Shai Halevi
  • Birgit Pfitzmann
  • Arnab Roy
  • Michael Steiner
  • Wietse Venema
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6715)


We provide an analytical framework for basic integrity properties of file systems, namely the binding of files to filenames and write capabilities. A salient feature of our modeling and analysis is that it is composable: even though we analyze the file system in isolation, security is guaranteed when the file system operates as a component of an arbitrary, potentially adversarial, larger system.

Our results are obtained by adapting the Universally Composable (UC) security framework to the analysis of software systems. Originally developed for cryptographic protocols, the UC framework allows the analysis of simple components in isolation, and provides assurance that these components maintain their behavior when combined in a large system, potentially under adversarial conditions.
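To make the real-world/ideal-world picture concrete, the following toy model is added here for illustration; it is not the paper's formalism, and none of the principals, paths, contents or resolution rules in it come from the paper. An ideal file system binds each name to one fixed file and to the set of principals holding a write capability for it. A real file system resolves pathnames component by component through directories, some of which an adversary (here `mallory`) owns, so the adversary can re-point a name it controls with a symlink. An environment runs the same script in both worlds and compares what it observes. The "safe" resolution policy is a simplified parent-directory check of the kind Linux's `fs.protected_symlinks` sysctl implements; the simplification is this example's own.

```python
# Constructed toy model (not the paper's): ideal vs. real file system under a pathname adversary.
from dataclasses import dataclass, field

TRUSTED = {"root"}  # assumption: a single trusted principal; all names below are made up

class IdealFS:
    """Ideal functionality: a name denotes one fixed file; a write under that
    name succeeds only for principals holding a write capability for it."""
    def __init__(self, files, writers):
        self.files = dict(files)      # name -> content
        self.writers = dict(writers)  # name -> principals allowed to write

    def rebind(self, principal, name, target):
        return False  # names cannot be re-pointed in the ideal world

    def write(self, principal, name, data):
        if principal not in self.writers.get(name, set()):
            return False
        self.files[name] = data
        return True

    def read(self, principal, name):
        return self.files.get(name)

@dataclass
class Dir:
    owner: str
    entries: dict = field(default_factory=dict)  # component -> Dir | File | Symlink

@dataclass
class File:
    owner: str
    content: str = ""

@dataclass
class Symlink:
    owner: str
    target: str  # absolute path

class RealFS:
    """Real system: pathnames resolve one component at a time through directories the
    adversary may own. With safe=True a symlink is followed only if its parent directory is
    owned by a trusted principal or the link was created by the caller (simplified
    parent-directory check, in the spirit of Linux's fs.protected_symlinks)."""
    def __init__(self, root, safe):
        self.root, self.safe = root, safe

    def resolve(self, principal, path, depth=0):
        if depth > 8:  # bound symlink chains
            return None
        node = self.root
        parts = [p for p in path.split("/") if p]
        for i, comp in enumerate(parts):
            if not isinstance(node, Dir) or comp not in node.entries:
                return None
            child = node.entries[comp]
            if isinstance(child, Symlink):
                if self.safe and node.owner not in TRUSTED and child.owner != principal:
                    return None  # refuse: link sits in an untrusted directory
                return self.resolve(principal, "/".join([child.target] + parts[i + 1:]), depth + 1)
            node = child
        return node

    def rebind(self, principal, path, target):
        parent_path, _, name = path.rpartition("/")
        parent = self.resolve(principal, parent_path or "/")
        if not isinstance(parent, Dir) or (principal not in TRUSTED and parent.owner != principal):
            return False
        parent.entries[name] = Symlink(principal, target)  # adversary move: re-point a name it controls
        return True

    def write(self, principal, path, data):
        node = self.resolve(principal, path)
        if not isinstance(node, File) or (principal not in TRUSTED and node.owner != principal):
            return False  # missing file, refused link, or no discretionary write right
        node.content = data
        return True

    def read(self, principal, path):
        node = self.resolve(principal, path)
        return node.content if isinstance(node, File) else None

def build_ideal():
    return IdealFS({"/etc/passwd": "root:x:0:0", "/tmp/mallory/report": "draft"},
                   {"/etc/passwd": {"root"}, "/tmp/mallory/report": {"root", "mallory"}})

def build_real(safe):
    etc = Dir("root", {"passwd": File("root", "root:x:0:0")})
    tmp = Dir("root", {"mallory": Dir("mallory", {"report": File("mallory", "draft")})})
    return RealFS(Dir("root", {"etc": etc, "tmp": tmp}), safe)

def run_trace(world):
    """Environment script, identical in every world; observes integrity only, not refusals."""
    world.rebind("mallory", "/tmp/mallory/report", "/etc/passwd")  # no-op in the ideal world
    world.write("root", "/tmp/mallory/report", "owned")
    return world.read("root", "/etc/passwd")

def emulates_ideal(safe):
    return run_trace(build_real(safe)) == run_trace(build_ideal())
```

With naive resolution, `root` writing under the name `/tmp/mallory/report` ends up modifying `/etc/passwd`, a file for which only `root` holds a write capability in the ideal world but which the adversary never touches there; the environment sees different contents in the two worlds, so the real system does not emulate the ideal one. With the parent-directory check the privileged write is refused and the observations coincide on this trace. The model deliberately lets the environment observe only integrity (file contents), since that is the class of properties the abstract is about; a full UC-style argument must fix exactly what the environment may observe and handle every trace, not one.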





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Ran Canetti, Tel-Aviv University, Israel
  • Suresh Chari, IBM T.J. Watson Research Center, USA
  • Shai Halevi, IBM T.J. Watson Research Center, USA
  • Birgit Pfitzmann, IBM T.J. Watson Research Center, USA
  • Arnab Roy, IBM T.J. Watson Research Center, USA
  • Michael Steiner, IBM T.J. Watson Research Center, USA
  • Wietse Venema, IBM T.J. Watson Research Center, USA
