Modern multicore hardware and multithreaded programming languages expose weak memory models to programmers, which relax the intuitive sequential consistency (SC) memory model in order to support a variety of hardware and compiler optimizations. However, to our knowledge all prior work on secure information flow in a concurrent setting has assumed SC semantics. This paper investigates the impact of the Total Store Order (TSO) memory model, which is used by Intel x86 and Sun SPARC processors, on secure information flow, focusing on the natural security condition known as possibilistic noninterference. We show that possibilistic noninterference under SC and TSO are incomparable notions, neither property implies the other one. We define a simple type system for possibilistic noninterference under SC and demonstrate that it is unsound under TSO. We then provide two variants of this type system that are sound under TSO: one that requires only a small change to the original type system but is overly restrictive, and another that incorporates a form of flow sensitivity to safely retain additional expressiveness. Finally, we show that the original type system is in fact sound under TSO for programs that are free of data races.
展开▼
机译:现代多核硬件和多线程编程语言向程序员暴露了薄弱的内存模型,从而放松了直观的顺序一致性(SC)内存模型,以支持各种硬件和编译器优化。但是,据我们所知,在并发设置中有关安全信息流的所有先前工作都假定使用SC语义。本文研究了Intel x86和Sun SPARC处理器使用的Total Store Order(TSO)内存模型对安全信息流的影响,重点关注被称为可能性非干扰的自然安全条件。我们表明,SC和TSO下的可能性非干扰是无法比拟的概念,两个属性都不暗示另一个。我们为SC下的可能的无干扰定义了一个简单的类型系统,并证明了在TSO下它是不合理的。然后,我们提供此类型系统的两个变体,这些变体在TSO之下是合理的:一个仅需要对原始类型系统进行少量更改但过于严格,而另一个则结合了流动敏感性形式以安全地保留其他表现形式。最后,我们表明,对于没有数据争用的程序,原始类型系统实际上在TSO下是健全的。
展开▼
