Practical Probability: Applying pGCL to Lattice Scheduling

  • David Cock
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7998)


Building on our published mechanisation of the probabilistic program logic pGCL, we present a verified lattice scheduler, a standard covert-channel mitigation technique, employing randomisation as an elegant means of ensuring starvation-freeness. We show that this scheduler enforces probabilistic non-leakage, in addition to non-starvation. The refinement framework employed is compatible with that used in the L4.verified project, supporting our argument that full-scale verification of probabilistic security properties for realistic systems software is feasible.
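The abstract names three ingredients: a lattice of security domains, a randomised choice of which domain runs next, and a non-leakage property saying that what a low domain observes does not depend on a high domain's private state. The following Python model is an added illustration of those three ingredients; it is not code from the paper or from its Isabelle mechanisation, and it does not reproduce the paper's scheduler or proof. Everything concrete in it is an assumption chosen for the example: the four-element lattice, the rule "flush the shared cache whenever the lattice forbids a flow from the previous domain to the next one", the uniform random choice of the next domain, and a high domain whose private state is modelled as whether it touches one particular cache line. The "naive" policy beside it never flushes and serves as the leaking baseline.

```python
"""Toy lattice scheduler: randomised choice, lattice-driven cache flush,
and a check that a low domain's observations do not depend on a secret.
Added example; the lattice, flush rule and domain behaviours are assumptions."""
import random

# Assumed lattice: a label is a set of compartments; d1 may flow to d2 iff d1 <= d2.
DOMAINS = {
    "low": frozenset(),
    "a":   frozenset({"A"}),
    "b":   frozenset({"B"}),
    "top": frozenset({"A", "B"}),
}
CACHE_LINES = 4
# Two possible private states of "top": whether it touches cache line 3 (constructed).
SECRETS = (frozenset(), frozenset({3}))


def flow_allowed(src, dst):
    """Information may flow from src to dst iff src's label is below dst's."""
    return DOMAINS[src] <= DOMAINS[dst]


class Machine:
    """Shared cache modelled as the set of line indices currently warm."""
    def __init__(self):
        self.cache = set()

    def flush(self):
        self.cache.clear()


def run_domain(name, machine, secret):
    """Run one slot of `name`. 'low' probes the cache and records which lines were
    warm, then touches line 0; the others only touch lines. Returns low's observation."""
    if name == "low":
        observation = tuple(sorted(machine.cache))
        machine.cache.add(0)
        return observation
    touched = {"a": {1}, "b": {2}, "top": set(secret)}[name]
    machine.cache |= touched
    return None


def schedule(policy, secret, slots, seed):
    """Run `slots` scheduling decisions. The next domain is drawn uniformly with
    coins from `seed`, never from any domain's state. Under the 'lattice' policy the
    cache is flushed before a switch the lattice does not permit; 'naive' never flushes.
    Returns (low's observation trace, set of domains that ran)."""
    rng = random.Random(seed)
    machine, prev, trace, ran = Machine(), None, [], set()
    names = sorted(DOMAINS)
    for t in range(slots):
        nxt = rng.choice(names)
        if policy == "lattice" and prev is not None and not flow_allowed(prev, nxt):
            machine.flush()
        obs = run_domain(nxt, machine, secret)
        if obs is not None:
            trace.append((t, obs))
        prev = nxt
        ran.add(nxt)
    return tuple(trace), ran


def leaks(policy, secrets=SECRETS, slots=128, seeds=range(20)):
    """Non-leakage check: for the same coins, low's trace must be identical whatever
    the secret. Any seed on which the traces differ is a leak."""
    for seed in seeds:
        traces = {schedule(policy, s, slots, seed)[0] for s in secrets}
        if len(traces) > 1:
            return True
    return False


def starvation_bound(n_domains, k):
    """Probability that a given domain is skipped for k consecutive slots under
    uniform choice; it decays geometrically, which is why randomisation avoids starvation."""
    return (1 - 1 / n_domains) ** k


if __name__ == "__main__":
    print("naive leaks:", leaks("naive"), "lattice leaks:", leaks("lattice"))
    print("P(skipped 64 slots):", starvation_bound(len(DOMAINS), 64))
```

Under the lattice policy the only domain allowed to leave residue for `low` is `low` itself, so its trace is a function of the random coins alone; the naive policy lets line 3 stay warm after `top` runs, and the two secrets become distinguishable. Note that this check compares traces seed by seed, which is stronger than comparing distributions, and that the real scheduler's policy and the property it was proved to satisfy are as stated in the paper, not in this toy.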







Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • David Cock, NICTA and University of New South Wales, Australia
