Compositional noninterference on hardware weak memory models

Abstract

Weak memory models are employed by all modern multicore processors to improve their performance. For most code, the effects of such memory models can be largely ignored by the programmer. However, for low-level operating system or library code which can include data races for efficiency, these effects may lead to information leaks which cannot be detected without taking the specific memory model into account. While there have been some efforts to develop information flow logics which can detect such leaks, the existing approaches are either not compositional, hindering scalability, or support only a limited form of compositionality, reducing applicability to programs with only simple interactions between threads. This paper is the first to provide a compositional logic for enforcing noninterference properties on more complex concurrent algorithms, while taking into account the underlying hardware memory model. It uses rely/guarantee reasoning to establish how security classifications may be modified by concurrent threads, and considers effects of out-of-order execution allowed on modern multicore processors. The results have been formalised and proved sound in the Isabelle/HOL theorem prover, and automated in a prototype symbolic execution tool. • Weak memory models can invalidate rely/guarantee reasoning. • Structured rely/guarantees with additional checks can support general reasoning. • Rely/guarantee reasoning supports compositional information flow analysis.