CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information is especially challenging for concurrent programs, where operations on may execution time of thread and, thereby, interleaving between different threads. Such internal timing channels affect outcome even if an attacker observe times. Existing verification techniques in programs attempt to prove relative However, these are often restrictive (for instance because they disallow branching data) and make strong assumptions about platform (ignoring caching, processor instructions with data-dependent runtime, other common features time). In this paper, we present novel technique secure lifts restrictions any behavior. The key idea all mutating performed shared commute, such interleavings do final value. Crucially, commutativity required only abstraction contains will be leaked public Abstract satisfied many more than standard commutativity, which makes our widely applicable. We formalize CommCSL, relational separation logic support commutativity-based reasoning, soundness Isabelle/HOL. implemented CommCSL HyperViper, automated verifier based Viper infrastructure, demonstrate ability verify examples.