browser security guarantees - homes.cs.washington.eduztatlock/pubs/quark-jang-usenixsec12... ·...
Page 1
Browser Security Guarantees through Formal Shim Verification
Dongseok Jang, Zachary Tatlock, Sorin Lerner (UC San Diego)
Page 2
Browsers: Critical Infrastructure
Ubiquitous: many platforms, sensitive apps
Vulnerable: Pwn2Own, just a click to exploit
Reactive defenses: many ad hoc, bug triage, regressions
Page 3
Fully Formal Verification
Fully formal, machine-checkable proof
Develop correctness proof in sync
Code in language that eases reasoning
Page 4
Fully Formal Verification
Success story: CompCert C compiler
OS (seL4), RDBMS & HTTPD (YNot): realistic implementations guaranteed bug free
Compiler bugs found [Yang et al. PLDI 11]: GCC 122, LLVM 181, CompCert 0
Page 5
Fully Formal Verification
Success story: CompCert C compiler
OS (seL4), DB, HTTPD (YNot): realistic implementations guaranteed bug free
Compiler bugs found [Yang et al. PLDI 11]: GCC 100, LLVM 150, CompCert 0?
The Catch
Throw away all your code
Rewrite in unfamiliar language
Formally specify correctness
Prove every detail correct
Heroic effort
Page 6
Formally Verify a Browser?!
Complex parts
Subtle interactions
Loose access policy
Constant evolution
Diagram: Resources; JavaScript Interpreter; JPEG Decoder; HTML Renderer
Pages 7-8
Formally Verify a Browser?!
Diagram: a Shim ✔ between Resources and the JavaScript Interpreter, JPEG Decoder and HTML Renderer
Insert shim: guards resource access
Verify shim: prove security props
Isolate: sandbox untrusted code
Formal Shim Verification
QUARK: formally verified browser
Security props: 1. Tab isolation 2. Cookie integrity 3. Addr bar correctness
Prove code correct: machine-checkable proof
Pages 9-17
Fully Formal Verification
Code: in language supporting reasoning
Spec: logical properties characterizing correctness
Proof Assistant (Coq Theorem Prover): interactively show code satisfies specification
ML, x86: compile down to machine code
Extremely strong guarantees about actual system!
Rewrite entire system!
Prove every detail correct
Pages 18-20
Formal Shim Verification
Diagram: Shim ✔ between Resources and the JavaScript Interpreter, JPEG Decoder and HTML Renderer; then Sandbox holding Untrusted Code, Shim ✔, Resources
Formally verify shim: ensure accesses secure
Adapt to sandbox: request access via shim
Write shim: design effective interface
Key Insight: Guarantee sec props for entire system
Only reason about small shim
Radically ease verification burden
Prove actual code correct
Pages 21-35
Quark: Verified Browser
Diagram: Sandbox holding Untrusted Code; Shim ✔; Resources: persistent storage, user interface, network (Net)
Quark Kernel ✔ (the shim): code, spec, proof in Coq; Quark browser kernel
Untrusted Code: browser components, run as separate procs, strictly sandboxed, talk to kernel over pipe
Two component types:
WebKit Tab: modified WebKit, intercept accesses
Cookie Manager: written in Python, manages single domain
Several instances each: WebKit tabs, cookie managers
Pages 36-50
Quark Kernel: Code, Spec, Proof

```coq
Definition kstep(focused_tab, tabs) :=   (* kernel state: focused tab and list of tabs *)
  f <- select(stdin, tabs);              (* Unix-style select to find a component pipe ready to read *)
  match f with
  | Stdin =>                             (* case: f is user input *)
    cmd <- read_cmd(stdin);              (* read command from user over stdin *)
    match cmd with
    | AddTab =>                          (* user wants to create and focus a new tab *)
      t <- mk_tab();                     (* create a new tab *)
      write_msg(t, Render);              (* tell new tab to render itself *)
      return (t, t::tabs)                (* return updated state *)
    | ...                                (* handle other user commands *)
  | Tab t => ...                         (* case: f is tab pipe: handle requests from tabs *)
```
Pages 51-61
Quark Kernel: Code, Spec, Proof
Specify correct behavior wrt syscall seqs: read(), write(), open(), write(), ...
trace: all syscalls made by Quark kernel during execution
kstep() kstep() kstep() kstep()
structure of produceable traces supports spec & proof
Example: address bar correctness

```coq
forall trace tab domain,        (* for any trace, tab, and domain, where trace is a sequence of syscalls *)
  quark_produced(trace) /\      (* if Quark could have produced this trace *)
  tab = cur_tab(trace) /\       (* and tab is the selected tab in this trace *)
  domain = addr_bar(trace) ->   (* and domain is displayed in the address bar for this trace *)
  domain = tab_domain(tab)      (* then domain is the domain of the focused tab *)
```
Page 62
Quark Kernel: Code, Spec, Proof
Formal Security Properties
Tab Non-Interference: no tab affects kernel interaction with another tab
Cookie Confidentiality and Integrity: cookies only accessed by tabs of same domain
Address Bar Integrity and Correctness: address bar accurate, only modified by user action
Pages 63-67
Quark Kernel: Code, Spec, Proof
Prove kernel code satisfies sec props by induction on traces Quark can produce
induction hypothesis: trace valid up to this point ✔
proof obligation: still valid after step? (✔ + step = ?)
Proceed by case analysis on kstep(): what syscalls can be appended to trace?
will they still satisfy all security properties?
prove each case using interactive proof assistant
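The kstep listing, the address bar correctness spec and the induction on traces above, as an added example that is not the Quark kernel's Coq code: a small Python kernel whose steps append the "syscalls" they make to a trace, trace-level definitions of cur_tab, addr_bar and tab_domain, and checkers for two of the stated properties that are run on every trace the kernel can produce, which is exactly the chain of steps the induction walks. Everything beyond the slides' names (SwitchTab, GetCookie, SetCookie, Focus, the cookie_mgr routing, the domain argument to mk_tab, the scenario) is an assumption of this model; kstep_buggy carries two hypothetical defects so the checkers have something to reject.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Kernel:
    focused: Optional[int] = None              # focused_tab in the slides
    tabs: dict = field(default_factory=dict)   # tid -> domain (one domain per tab, assumed)
    trace: list = field(default_factory=list)  # syscalls made so far, oldest first

def kstep(k, event):
    """One step after select(): event is ("stdin", cmd) or ("tab", tid, msg)."""
    if event[0] == "stdin":
        cmd = event[1]
        k.trace.append(("read_cmd", cmd))
        if cmd[0] == "AddTab":                             # user creates and focuses a tab
            tid = len(k.tabs) + 1
            k.tabs[tid] = cmd[1]
            k.trace.append(("mk_tab", tid, cmd[1]))
            k.trace.append(("write_msg", tid, "Render"))   # tell the new tab to render itself
            k.focused = tid
            k.trace.append(("addr_bar", cmd[1]))           # address bar follows the user action
        elif cmd[0] == "SwitchTab" and cmd[1] in k.tabs:
            k.focused = cmd[1]
            k.trace.append(("addr_bar", k.tabs[cmd[1]]))
        return k
    _, tid, msg = event
    k.trace.append(("read_msg", tid, msg))
    if msg[0] in ("GetCookie", "SetCookie"):               # only the sender's own domain
        k.trace.append(("write_msg", ("cookie_mgr", k.tabs[tid]), msg))
    return k                                               # anything else, e.g. "Focus", is ignored

def kstep_buggy(k, event):
    """Two hypothetical defects: tabs may demand focus; cookies routed by the focused tab."""
    if event[0] == "tab" and event[2][0] in ("Focus", "GetCookie", "SetCookie"):
        _, tid, msg = event
        k.trace.append(("read_msg", tid, msg))
        if msg[0] == "Focus":
            k.focused = tid
            k.trace.append(("addr_bar", k.tabs[tid]))      # moved without any user action
        else:
            k.trace.append(("write_msg", ("cookie_mgr", k.tabs[k.focused]), msg))
        return k
    return kstep(k, event)

def produced_traces(step, events):
    """Traces after 0, 1, ..., n steps: the chain the induction on traces walks."""
    k, traces = Kernel(), [[]]
    for ev in events:
        step(k, ev)
        traces.append(list(k.trace))
    return traces

# Trace-level definitions the spec is written against (cur_tab, addr_bar, tab_domain).
def tab_domain(trace, tid):
    return next(c[2] for c in trace if c[0] == "mk_tab" and c[1] == tid)

def cur_tab(trace):
    """Tab selected by the most recent user command (AddTab creates and focuses)."""
    cur, known = None, set()
    for c in trace:
        if c[0] == "mk_tab":
            known.add(c[1])
            cur = c[1]
        elif c[0] == "read_cmd" and c[1][0] == "SwitchTab" and c[1][1] in known:
            cur = c[1][1]
    return cur

def addr_bar(trace):
    return next((c[1] for c in reversed(trace) if c[0] == "addr_bar"), None)

def addr_bar_correct(trace):
    """Slide spec: domain = addr_bar(trace) -> domain = tab_domain(cur_tab(trace))."""
    tab = cur_tab(trace)
    return tab is None or addr_bar(trace) == tab_domain(trace, tab)

def cookies_same_domain(trace):
    """A cookie manager for domain d only ever hears from tabs of domain d."""
    sender = None
    for c in trace:
        if c[0] in ("read_cmd", "read_msg"):
            sender = c[1] if c[0] == "read_msg" else None
        elif c[0] == "write_msg" and isinstance(c[1], tuple):   # cookie_mgr target
            if sender is None or tab_domain(trace, sender) != c[1][1]:
                return False
    return True

def holds(prop, step, events):
    """prop holds on every trace the kernel produces, i.e. at every induction step."""
    return all(prop(t) for t in produced_traces(step, events))

# Constructed scenario: two tabs, then the background tab makes requests.
EVENTS = [
    ("stdin", ("AddTab", "bank.example")),   # user opens tab 1
    ("stdin", ("AddTab", "news.example")),   # user opens tab 2, now focused
    ("tab", 1, ("GetCookie", "session")),    # background tab asks for its own cookie
    ("tab", 1, ("Focus",)),                  # hypothetical request; kstep ignores it
    ("stdin", ("SwitchTab", 1)),             # user switches back to tab 1
]
```

Checking every produced trace, not only the final one, is the point of the induction: with kstep_buggy the address bar is wrong right after the Focus request, yet the final trace, after the user's own SwitchTab, satisfies addr_bar_correct again, so a check of the last state alone would miss the defect.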
Page 68
Quark Kernel: Code, Spec, Proof
Key Insight: Guarantee sec props for browser
Use state-of-the-art components
Only prove simple browser kernel
Page 69
Usability Demo Video
Page 70
Trusted Computing Base
Infrastructure we assume correct: any bugs here can invalidate our formal guarantees
Fundamental: statement of security properties; Coq (soundness, proof checker)
Eventually verified [active research]: OCaml [VeriML], Tab Sandbox [RockSalt], Operating System [seL4], ...
Page 71
Security Analysis
Formally prove important sec props
WebKit defenses remain in effect
Other desirable security policies
Page 72
Future Work
Liveness properties: formally prove that kernel never blocks
Finer grained resource accesses: support mashups and plugins
Filesystem access, sound, history: could be implemented w/out major redesign
Page 73
Conclusion
Quark: Verified Browser
  Guarantee sec props for browser
  Only prove simple browser kernel
  Use state-of-the-art components
Formal Shim Verification
  Guarantee sec props for entire system
  Only reason about small shim
  Radically ease verification burden
http://goto.ucsd.edu/quark