Upload File

quark: formally verified web browserztatlock/pubs/...quark: formally verified web browser zachary...

  • Home
  • Documents
  • QUARK: Formally Verified Web Browserztatlock/pubs/...QUARK: Formally Verified Web Browser Zachary Tatlock, Dongseok Jang, Sorin Lerner Design Shim Verification Evaluation QUARK KERNEL
1
QUARK: Formally Verified Web Browser Zachary Tatlock, Dongseok Jang, Sorin Lerner Design Shim Verification Evaluation QUARK KERNEL Tabs Net Privilege Separation Simple Interfaces Components run with minimal privilege Sandbox complex, vulnerable parts ( ) Impl. and verify trusted kernel in Coq ( ) Kernel orchestrates messaging over pipes Components access resources via kernel Simple kernel; state-of-the-art tabs (WebKit) Kernel as Restrictive Wrapper Trace Based Reasoning Guarantee behavior of entire system Only reason about tiny fraction of code Thin shim restricts even exploited components to only approved actions Enables us to use off-the- shelf rendering engine Formalize behavior as seq of syscalls Chain of recv / send to process messages ... QUARK KERNEL Security Guarantees Specification Implementation Tab Isolation Cookie Integrity Address Bar Integrity Enum. valid exchanges Abstract impl. details Message exchange Resource management Written in Coq + YNot Verification Effort Performance Robustness Support rich apps: 165 lines sec. props 4k line Coq proof Spec eases mods Base for new policies 0 1 2 3 Normalized to WebKit Optimizations reduce overhead to 20%

Upload: others

Post on 27-Jul-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: QUARK: Formally Verified Web Browserztatlock/pubs/...QUARK: Formally Verified Web Browser Zachary Tatlock, Dongseok Jang, Sorin Lerner Design Shim Verification Evaluation QUARK KERNEL

QUARK: Formally Verified Web BrowserZachary Tatlock, Dongseok Jang, Sorin Lerner

Design Shim Verification

Evaluation

QUARK KERNEL

TabsNet

Privilege Separation

Simple Interfaces

Components run with minimal privilege

Sandbox complex, vulnerable parts ( )

Impl. and verify trusted kernel in Coq ( )

Kernel orchestrates messaging over pipes

Components access resources via kernel

Simple kernel; state-of-the-art tabs (WebKit)

Kernel as Restrictive Wrapper

Trace Based Reasoning

Guarantee behavior of entire system

Only reason about tiny fraction of code

Thin shim restricts even exploited components to only approved actions

Enables us to use off-the-shelf rendering engine

Formalize behavior as seq of syscalls

Chain of recv / send to process messages

...QUARK KERNEL

Security Guarantees

Specification

Implementation

Tab IsolationCookie IntegrityAddress Bar Integrity

Enum. valid exchangesAbstract impl. details

Message exchangeResource managementWritten in Coq + YNot

Verification Effort Performance RobustnessSupport rich apps:165 lines sec. props

4k line Coq proof

Spec eases mods

Base for new policies0

1

2

3

Nor

mal

ized

to W

ebKi

t

Optimizations reduce overhead to 20%

Charm Quark Bottom Quark Top Quark Are there more lepton ...korytov/tmp4/lectures/note_A21_cbt_generation... · Charm Quark Bottom Quark Top Quark Are there more lepton-quark generations?

Formally Verified Algorithms for Upper-Bounding State Space ... › ~mansour › cv-and-website › ... · Formally Verified Algorithms for Upper-Bounding State Space Diameters

Towards verified programming of embedded devices

Towards a Formally Verified Microkernel using the VCC Verifier

ECCP A Formally-Verified Migration Protocol For Mobile, Multi-Homed Hosts Matvey Arye Joint work with: Erik Nordström, Robert Kiefer Jennifer Rexford, Michael

An Empirical Study on the Correctness of Formally Verified ...checked proof of linearizability of the Raft state machine replication algorithm, as well as verified implementations

DICE : A Formally Verified Implementation of DICE Measured Boot · 2021. 2. 25. · DICE?, a formal specification as well as a formally verified implementation of DICE, an industry

Practical Verified Computation with Streaming Interactive

Domain Separation by Construction - Portland State Universityprogramatica.cs.pdx.edu/P/domainseparation.pdffork, sleep, etc.) and a formally verified security policy (domain separation)

Formally Verified Cryptographic Web Applications in WebAssembly · Formally Verified Cryptographic Web Applications in WebAssembly ... apps for iOS and Android, Electron apps that

QUARK MATTER SYMMETRY ENERGY AND QUARK STARS

Adaptive Cruise Control: Hybrid, Distributed, and Now ...aplatzer/pub/dccs.pdf · Adaptive Cruise Control: Hybrid, Distributed, and Now Formally Verified 45 Unlike [2,12,14,17],

A Mechanically Verified Compiling Specification for a

A Formally Verified Cryptographic Extension to a RISC-V

Bagpipe: Verified BGP Configuration Checking

Concepts in Theoretical Physics - University of · PDF fileThe New Periodic Table electron down quark up quark strange quark charm quark bottom quark top quark neutrino muon neutrino

Multi-Quark Hadrons in the Quark Model

ECCP A Formally-Verified Migration Protocol For Mobile , Multi -Homed Hosts

Towards a Formally Verified Microkernel using the Frama-C ...§ão... · graduate course, that was a project based in the formal methods 1. This dissertation is also related to the

Level Design Quake Army Knife (QuArK): – CSG & BSPs – quark/ quark/ MilkShape 3D – low-polygon

heppennames - BaKoMa TeX · •charm quark \Pqc ⇒ c • bottom quark \Pqb ⇒ b • top quark \Pqt ⇒ t • down anti-quark \Paqd ⇒ d • up anti-quark \Paqu ⇒ u • strange

Verified Petition for

Kopitiam – a unified IDE for developing formally verified ... · Kopitiam – a unified IDE for developing formally verified Java programs Hannes Mehnert and Jesper Bengtson

A Formally-Verified Migration Protocol For Mobile, Multi ...mfreed/docs/eccp-icnp12.pdf · A Formally-Verified Migration Protocol For Mobile, Multi-Homed Hosts ... mobility, and

A Formally Verified Hybrid System for Safe Advisories in the Next … · 2020-02-15 · A Formally Verified Hybrid System for Safe Advisories in the Next-Generation Airborne Collision

Formal verification of a code generator for a modeling ... · In this talk... Velus is a formally-verified code generator, producing C code from the Lustre modeling language, connected

A Secure and Formally Verified Commodity Multiprocessor

A Formally-Verified C static analyzer - TUM - Chair VIIschulzef/2015-02-03-David... · 2015-02-10 · yesterday today tomorrow. The increasing complexity of safety critical systems

A Formally Verified Hybrid System for the Next-Generation ... · Sample advisories and their modeling variables; full table in Technical Report [10] ACAS X Specification [12] Our

Quark Recombination and Heavy Quark Diffusion

electronneutrinoup quarkdown quark electronneutrinoup quarkdown quark positronanti-neutrino anti-up quark anti-down quark

Quark Publishing Platform 10.5.1 ReadMefiles.quark.com/download/documentation/Quark... · Quark Publishing Platform 10.5.1 ReadMe Quark® Publishing Platform™ besteht aus einer

A Formally Verified Hybrid System for the Next-Generation ...symbolaris.com/pub/acasx-zones.pdf · Next-Generation Airborne Collision Avoidance System? ... Next-Generation Airborne

A formally verified compiler back-end · during program execution.) We write S ⇓ B to mean that program S executes with observable behavior B, and likewise for C. The strongest

DICE : A Formally Verified Implementation of DICE Measured Boot