Verification challenges of pervasive information flow

Abstract

The CRASH/SAFE project aims to design a new computer system that is highly resistant to cyber-attack. 'It offers a rare opportunity to rethink the hardware / OS / software stack from a completely clean slate, unhampered by legacy constraints.' We are building novel hardware, a new high-level programming language, and a suite of modern operating system services, all embodying fundamental security principles -- separation of privilege, least privilege, mutual suspicion, etc. -- down to their very bones. Achieving these goals demands a co-design methodology in which all system layers are designed together, with a ruthless insistence on simplicity, security, and verifiability at every level. I will describe the current state of the CRASH/SAFE design and discuss some of the most interesting verification challenges that it raises.