
20 Oct 2017 at 14:00 in Kollegiesalen, Brinellvägen 8, KTH Campus
Secure System Virtualization: EndtoEnd Verification of Memory Isolation
(Hamed Nemati)
Over the last years, security kernels have played a promising role in
reshaping the landscape of platform security on today’s ubiquitous
embedded devices. Security kernels, such as separation kernels, enable
constructing highassurance mixedcriticality execution platforms. They
reduce the software portion of the system’s trusted computing base to
a thin layer, which enforces isolation between low and highcriticality
components. The reduced TCB minimizes the system attack surface and
facilitates the use of formal methods to ensure functional correctness and
security of the kernel.
In this thesis, we explore various aspects of building a provably secure
separation kernel using virtualization technology. We show how the memory
management subsystem can be virtualized to enforce isolation of system
components. Virtualization is done using directpaging that enables a
guest software to manage its own memory configuration. We demonstrate the
soundness of our approach by verifying that the highlevel model of the
system fulfills the desired security properties. Through refinement, we
then propagate these properties (semi)automatically to the machinecode of
the virtualization mechanism.
Further, we show how a runtime monitor can be securely deployed alongside
a Linux guest on a hypervisor to prevent code injection attacks targeting
Linux. The monitor takes advantage of the provided separation to protect
itself and to retain a complete view of the guest.
Separating components using a lowlevel software, while important, is
not by itself enough to guarantee security. Indeed, current processors
architecture involves features, such as caches, that can be utilized to
violate the isolation of components. We present a new lownoise attack
vector constructed by measuring caches effects. The vector is capable of
breaching isolation of system components of different criticality levels,
and it invalidates the verification of software that has been verified on a
memory coherent (cacheless) model. To restore isolation, we provide several
countermeasures and propose a methodology to repair the verification by
including caches in the statement of the toplevel security properties of
the system.

09 Jun 2017 at 14:00 in E2, Lindstedtsvägen 3, KTH Campus
Space in Proof Compexity
(Marc Vinyals, TCS, KTH)
Propositional proof complexity is the study of the resources that are
needed to prove formulas in propositional logic. In this thesis we are
concerned with the size and space of proofs, and in particular with the
latter.
Different approaches to reasoning are captured by corresponding proof
systems. The simplest and most well studied proof system is resolution, and
we try to get our understanding of other proof systems closer to that of
resolution.
In resolution we can prove a space lower bound just by showing that any
proof must have a large clause. We prove a similar relation between
resolution width and polynomial calculus space that lets us derive space
lower bounds, and we use it to separate degree and space.
For cutting planes we show lengthspace tradeoffs. This is, there are
formulas that have a proof in small space and a proof in small length, but
there is no proof that can optimize both measures at the same time.
We introduce a new measure of space, cumulative space, that accounts for
the space used throughout a proof rather than only its maximum. This is
exploratory work, but we can also prove new results for the usual space
measure.
We define a new proof system that aims to capture the power of current SAT
solvers, and we show a landscape of lengthspace tradeoffs comparable to
those in resolution.
To prove these results we build and use tools from other areas of
computational complexity. One area is pebble games, very simple
computational models that are useful for modelling space. In addition to
results with applications to proof complexity, we show that pebble game
cost is PSPACEhard to approximate.
Another area is communication complexity, the study of the amount of
communication that is needed to solve a problem when its description is
shared by multiple parties. We prove a simulation theorem that relates
the query complexity of a function with the communication complexity of a
composed function.

20 Jan 2017 at 14:00 in DRoom D2, Lindstedtsvägen 5
On Complexity Measures in Polynomial Calculus
(MMladen Mikša, KTH TCS group)
Proof complexity is the study of different resources that a proof needs
in different proof systems for propositional logic. This line of inquiry
relates to the fundamental questions in theoretical computer science, as
lower bounds on proof size for an arbitrary proof system would separate P
from NP.
We study two simple proof systems: resolution and polynomial calculus. In
resolution we reason using clauses, while in polynomial calculus we use
polynomials. We study three measures of complexity of proofs: size, space,
and width/degree. Size is the number of clauses or monomials that appear
in a resolution or polynomial calculus proof, respectively. Space is the
maximum number of clauses/monomials we need to keep at each time step of
the proof. Width/degree is the size of the largest clause/monomial in a
proof.
Width is a lower bound for space in resolution. The original proof of this
claim used finite model theory. In this thesis we give a different, more
direct proof of the spacewidth relation. We can ask whether a similar
relation holds between space and degree in polynomial calculus. We make
some progress on this front by showing that when a formula F requires
resolution width w then the XORified version of F requires polynomial
calculus space Ω(w). We also show that space lower bounds do not imply
degree lower bounds in polynomial calculus.
Width/degree and size are also related, as strong lower bounds for
width/degree imply strong lower bounds for size. Currently, proving width
lower bounds has a welldeveloped machinery behind it. However, the degree
measure is much less wellunderstood. We provide a unified framework for
almost all previous degree lower bounds. We also prove some new degree and
size lower bounds. In addition, we explore the relation between theory
and practice by running experiments on some current stateoftheart SAT
solvers.