CS 528/428 Reading List, Spring 2011

Content

• Background and Overview
• VMM and Microkernels
• Exokernel and VMM Security
• Capability-Based Systems
• Reasoning about Capabilities
• Decentralized Information Flow Control
• DIFC-Based OS and Programs
• Declassification and Noninterference
• Separation Logic and Rely-Guarantee Reasoning
• Linearizability and Concurrent Objects
• Trustworthy Hardware
• Event Logics
• Security for Mashups
• More on Concurrency

Background and Overview

• N. Falliere, L. Murchu, and E. Chien. W32.Stuxnet Dossier. November 2010. (PDF).
• F.B. Schneider, G. Morrisett, and R. Harper. A Language-Based Approach to Security (PDF).
• A. Sabelfeld and A.C. Myers. Language-Based Information-Flow Security. In JSAC, 21(1), January 2003. (PDF)
• Z. Shao. Certified Software. In Communications of ACM, 53(12), December 2010. (PDF)
• L. Lamport. The Future of Computing: Logic or Biology (PDF).
• P. Wadler. Proofs are Programs: 19th Century Logic and 21st Century Computing (PDF).

VMM and Microkernels

• R.P.Goldberg. Architecture of Virtual Machines, July 1973. (PDF)
• G.J.Popek and R.P.Goldberg. Formal Requirements for Virtualizable Third Generation Architectures. In CACM 17(7), July 1974. R(PDF)
• J. Liedtke. On Microkernel Construction. In SOSP'95. (PDF)
• Microkernels Meet Recursive Virtual Machines. by Ford et al in OSDI'96 (PDF)
• P. Barham et al. Xen and the Art of Virtualization. SOSP'03 (PDF)
• Whitaker et al. Scale and Performance in the Denali Isolation Kernel. In OSDI'02. (html)
• J.E. Smith and R. Nair. Virtual Machines. ISBN 1-55860-910-5. Morgan Kaufmann, 2005. Chapter 8 on VMM. (google book page)
• S. Hand et al. Are Virtual Machine Monitors Microkernels Done Right? In HotOS'05. (html)

Exokernel and VMM Security

• D.R. Engler et al. Exokernel: An Operating System Architecture for Application-Level Resource Management, SOSP'95. (PDF, slides)
• T.Garfinkel et al. Terra: a Virtual Machine-Based Platform for Trusted Computing, SOSP'03. (PDF)
• M.F. Kaashoek et al. Application Performance and Flexibility on Exokernel Systems, SOSP'97. (PDF)
• S. King et al. SubVirt: Implementing Malware with Virtual Machines, 2006 IEEE Symposium on Security and Privacy. (PDF)
• D. Wentzlaff. An Operating System for Multicore and Clouds: Mechanisms and Implementation, SOCC'10. (PDF)

Capability-Based Systems

• H.M. Levy. Capability-Based Computer Systems, Digital Press, 1984. Chapter 1 (PDF)
• M.S. Miller et al. Capability Myths Demolished, Technical Report SRL2003-02, Johns Hopkins University. (PDF)
• A.C. Bomberger et al. The KeyKOS NanoKernel Architecture, USENIX Workshop on Micro-Kernels and Other Kernel Architectures. April 1992. (PDF)
• J.S. Shapiro et al. EROS: A Fast Capability System, SOSP'99. (PDF)
• J.S.Shapiro and N. Hardy. EROS: A Principle-Driven Operating System from the Ground Up. (PDF)
• Documents available at the KeyKos home page.
• Documents available at the EROS home page.

Reasoning about Capabilities

• R.J. Lipton and L. Snyder. A Linear Time Algorithm for Deciding Subject Security. (PDF)
• D. Elkaduwe et al. Verified Protection Model of the seL4 Microkernel. (PDF)
• A. Boyton. A Verified Shared Capability Model. (PDF)
• J.S.Shapiro. The Practical Application of a Decidable Access Model. 2003. (PDF)
• J.S.Shapiro and S. Weber. Verifying the EROS Confinement Mechanism. IEEE Security&Privacy 2000. (PDF)
• M. Hohmuth et al. Reducing TCB size by using untrusted components: small kernels vesus virtual machine monitors. SIGOPS European workshop 2004. (PDF)
• J.S.Shapiro et al. Towards a Verified General-Purpose Operating System Kernel. (HTML)

Decentralized Information Flow Control

• A.C. Myers and B. Liskov. Protecting Privacy using Decentralized Label Model. In TOSEM'00, October 2000. (PDF)
• A.C. Myers. JFlow: Practical Mostly-Static Information Flow Control.In POPL'99, January 1999. (PDF)
• A. Sabelfeld and D. Sands. Declassification: Dimensions and Principles. In Journal of Computer Security, 2007. (PDF)
• B. Lampson. A Note on the Confinement Problem. In Communications of ACM, 16(10), October 1973. (PDF)

DIFC-Based OS and Programs

• M. Krohn et al. Information Flow Control for Standard OS Abstraction. In SOSP'07, October 2007. (PDF)
• M. Krohn and E. Tromer. Noninterference for a Practical DIFC-Based Operating System. In Oakland'09, May 2009. (PDF)
• P. Efstathopoulous et al. Labels and Event Processes in the Asbestos Operating System. In SOSP'05, October 2005. (PDF)
• N. Zeldovich et al. Making Information Flow Explicit in HiStar. In OSDI'06, November 2006. (PDF)
• N. Zeldovich et al. Hardware Enforcement of Application Security Policies Using Tagged Memory. In OSDI'08. (PDF)
• Indrajit Roy et al. Laminar: Practical Fine-Grained Decentralized Information Flow Control. In PLDI'09, June 2009. (PDF)
• W.R. Harris et al. DIFC Programs by Automoatic Instrumentation. In CCS'10, October 2010. (PDF)
• N. Zeldovich et al. Securing Distributed Systems with Information Flow Control. In NSDI'08, April 2008. (PDF)
• W.R. Harris et al. Verifying Information Flow Control over Unbounded Processes. In FM'09, November 2009. (PDF)
• A. Yip et al. Improving Application Security with Data Flow Assertions. In SOSP'09, October 2009. (PDF)

Declassification and Noninterference

• S. Chong and A.C. Myers. End-to-End Enforcement of Erasure and Declassification. In CSF'08. (PDF)
• A. Sabelfeld and D. Sands. Declassification: Dimensions and Principles. In Journal of Computer Security, 2007. (PDF)
• A.C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing Robust Declassification. In Journal of Computer Security, 14(2), 2006. (PDF)
• P. Li and S. Zdancewic. Downgrading Policies and Relaxed Noninterference. In POPL'05, January 2005. (PDF)
• M. Abadi, A. Banerjee, N. Heintze, and J.G. Riecke. A Core Calculus of Dependency. In POPL'99, January 1999. (PDF)
• N. Heintze and J.G.Riecke. The SLam Calculus: Programming with Secrecy and Integrity. In POPL'98, January 1998. (PDF)

Separation Logic and Rely-Guarantee Reasoning

• J.C. Reynolds. An Introduction to Separation Logic. Lecture Notes for the FIRST PhD Fall School on Logics and Semantics of State, Copenhagen, October 2008. (PDF; also see an older version of the slides and a more recent version of the lecture notes)
• P.W. O'Hearn. Resources, Concurrency and Local Reasoning. In Theoretical Computer Science, 375 (1-3): 271-307, May 2007. (PDF; also see O'Hearn's slides in pdf)
• V. Vafeiadis. Modular Fine-Grained Concurrency Verification. PhD dissertation. University of Cambridge, July 2008 (PDF, mainly Chapters 2-3 but Chapters 4-5 are interesting too). This is an expanded version of the RGSep CONCUR'07 paper by Vafeiadis and Parkinson)
• X. Feng. Local Rely-Gurantee Reasoning. In POPL'09, January 2009. (PDF)
• M. Fu et al. Reasoning about Optimistic Concurrency Using a Program Logic for History. In CONCUR'10, September 2010. (PDF)

Linearizability and Concurrent Objects

• I. Filipovic et al. Abstraction for Concurrent Objects. In Theoretical Computer Science 411 (2010). (PDF)
• A. Turon and M. Wand. A separation logic for refining concurrent objects. In POPL 2011. (PDF)
• M.P.Herlihy and J.M.Wing. Linearizability: A Correctness Condition for Concurrent Objects. In TOPLAS 12(3), July 1990. (PDF)

Trustworthy Hardware

• E. Love et al. Enhancing Security via Provably Trustworthy Hardware Intellectual Property. To appear in HOST'11. (PDF)
• L. Strozek. Verilog Tutorial. (PDF)

Event Logics

• M. Bickford and R.L. Constable. A Causal Logic of Events in Formalized Computational Type Theory. Cornell University Technical Report 2005-2010. (PDF)
• M. Bickford and R.L. Constable. Automated Proof of Authentication Protocols in a Logic of Events. In VERIFY 2010. (PDF)

Security for Mashups

• H.J. Wang, X. Fan, C. Jackson, and J. Howell. Protection and Communication Abstractions for Web Browsers in MashupOS. In SOSP'07, October 2007. (PDF)
• J. Magazinius et al. A Lattice-based Approach to Mashup Security. In ASIACCS'10, April 2010. (PDF)
• H.J. Wang, C. Grier, A. Moshchuk, S.T. King, P. Choudury, and H. Venter. The Multi-Principal OS Construction of the Gazelle Web Browser. Microsoft Technical Report MSR-TR-2009-16. February 2009. (PDF)
• M.S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe Active Content in Sanitized JavaScript. (Caja web site and PDF)
• D. Yu, A. Chander, N.Islam, and I. Serikov. JavaScript Instrumentation for Browser Security. In POPL'07, January 2007. (PDF)
• The Json web site.

More on Concurrency

• M. Dodds et al. Modular reasoning for deterministic parallelism. In POPL'11 (PDF)
• M. Dodds et al. Deny-Guarantee Reasoning. In ESOP'09 (PDF)