3
;; Essay on formalizing "black" data.
5
;; This file introduces some concepts useful in specifying a firewall.
6
;; It was not immediately obvious how to formalize the correct
7
;; operation of a firewall. What makes it difficult is describing
8
;; what it means for data not to contain sensitive information. We
9
;; introduce the notion of "black", which is a predicate on a segment
10
;; name and a system state. The intended interpretation is that black
11
;; segments do not contain sensitive information that requires
14
;; Mostly we leave "black" unspecified. However, we assume that it
15
;; has the following properties:
17
;; 1. If all segments in a system are black, then after the system
18
;; progresses one step each segment is black. (No "spontaneous
21
;; 2. There exists a function "scrub" that modifies a segment so
24
;; 3. Elements of system state that are not associated with the
25
;; segment are irrelevant in deciding whether a segment is black.
27
;; Is this approach to modeling reasonable? Assume that each byte of
28
;; the system has associated with it a "black" bit that tells whether
29
;; the byte is cleared. Any operation that produces data sets the
30
;; result's black bit to the "and" of all the input black bits.
32
;; Axiom one holds, since any operation will set black bits if every
33
;; segment in the system has its black bits set. Note that
34
;; applications are not modeled at this level, but it is worth
35
;; considering whether this framework could model something like a
36
;; decryption algorithm. Note that decryption requires keys or
37
;; algorithms that would not be considered "black" in this framework,
38
;; so this axiom would not be inconsistent with such models.
40
;; Axiom two holds since one can "scrub" a data segment by zeroizing
41
;; all the data and setting the black bits. (Of course, not under
44
;; Axiom three holds since it is straightforward to tell if a segment
45
;; is black by checking all its black bits.
49
;; input: segment name, machine state
50
;; output: boolean indicating whether segment is cleared
55
;; input: segment name, machine state
56
;; output machine state in which segment is cleared and other
57
;; segments are untouched
62
;; A "black" segment contains no sensitive information
63
(local (defun black (segname st) (declare (ignore segname) (ignore st)) t))
65
;; A list of segments is all black
66
(defun blacklist (segnames st)
69
(black (car segnames) st)
70
(blacklist (cdr segnames) st))
73
;; A segment to be "scrubbed"
74
(local (defun scrub (seg st) (declare (ignore seg)) st))
76
;; A list of segments to be "scrubbed"
77
(defun scrublist (segs st)
79
(scrublist (cdr segs) (scrub (car segs) st))
82
(defthm scrub-commutative
84
(scrub seg1 (scrub seg2 st))
85
(scrub seg2 (scrub seg1 st))))
87
(defthm segment-scrub-different
88
(implies (not (equal seg1 seg2))
89
(equal (select seg1 (scrub seg2 st))
93
(black seg1 (scrub seg2 st))
100
(current (scrub seg st))
103
;; If every segment is black, then after one step an arbitrary segment
105
(defthm spontaneous-generation
107
(blacklist (segslist (allparts)) st)
108
(black seg (next st))))
110
;; Only the contents of a segment determine its blackness
111
(defthm black-function-of-segment
113
(equal (select x st1) (select x st2))
114
(equal (black x st1) (black x st2)))