Date of Award

Degree Type

Degree Name

Doctor of Philosophy (PhD)

Graduate Group

Computer and Information Science

First Advisor

Benjamin C. Pierce

This thesis proposes a formal methodology for defining, specifying, and reasoning about micro-policies — security policies based on fine-grained tagging that include forms of access control, memory safety, compartmentalization, and information-flow control. Our methodology is based on a symbolic machine that extends a conventional RISC-like architecture with tags. Tags express security properties of parts of the program state ("this is an instruction," "this is secret," etc.), and are checked and propagated on every instruction according to flexible user-supplied rules. We apply this methodology to two widely studied policies, information-flow control and heap memory safety, implementing them with the symbolic machine and formally characterizing their security guarantees: for information-flow control, we prove a classic notion of termination-insensitive noninterference; for memory safety, a novel property that protects memory regions that a program cannot validly reach through the pointers it possesses — which, we believe, provides a useful criterion for evaluating and comparing different flavors of memory safety. We show how the symbolic machine can be realized with a more practical processor design, where a software monitor takes advantage of a hardware cache to speed up its execution while protecting itself from potentially malicious user-level code. Our development has been formalized and verified in the Coq proof assistant, attesting that our methodology can provide rigorous security guarantees.
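The tagged symbolic machine the abstract describes, as an added illustration in Python that is not the thesis's Coq development: a RISC-like core in which every instruction consults a user-supplied rule, plus two rule tables, a two-level information-flow policy and a colour-based heap memory-safety policy. The instruction set, tag encodings, register names, and the sample programs and memory contents are my own constructed simplifications, not the thesis's definitions.

```python
# Added example (not the thesis's code): a toy tag-based micro-policy machine.
from dataclasses import dataclass


class PolicyViolation(Exception):
    """The micro-policy rule rejected the tags of the current instruction."""


@dataclass
class Atom:
    """A machine word paired with its tag."""
    val: int
    tag: object


class Machine:
    """RISC-like toy: registers and memory hold Atoms; every step consults `rule`.

    `rule(opcode, tags)` is the user-supplied micro-policy. It gets the tags of the
    operands involved and either returns the tags of the results or raises
    PolicyViolation, which stops the machine (a fail-stop on a policy violation).
    """

    def __init__(self, program, regs, mem, rule):
        self.prog, self.regs, self.mem, self.rule = program, dict(regs), dict(mem), rule
        self.pc = 0

    def step(self):
        ins = self.prog[self.pc]
        op = ins[0]
        if op == "halt":
            return False
        if op == "const":                      # rd := imm
            _, rd, imm = ins
            self.regs[rd] = Atom(imm, self.rule(op, {})["res"])
        elif op == "add":                      # rd := r1 + r2
            _, rd, r1, r2 = ins
            a, b = self.regs[r1], self.regs[r2]
            out = self.rule(op, {"t1": a.tag, "t2": b.tag})
            self.regs[rd] = Atom(a.val + b.val, out["res"])
        elif op == "load":                     # rd := mem[rp]
            _, rd, rp = ins
            p = self.regs[rp]
            cell = self.mem[p.val]
            out = self.rule(op, {"tptr": p.tag, "tmem": cell.tag})
            self.regs[rd] = Atom(cell.val, out["res"])
        elif op == "store":                    # mem[rp] := rv
            _, rp, rv = ins
            p, v = self.regs[rp], self.regs[rv]
            cell = self.mem[p.val]
            out = self.rule(op, {"tptr": p.tag, "tval": v.tag, "tmem": cell.tag})
            self.mem[p.val] = Atom(v.val, out["tmem"])
        else:
            raise ValueError(f"unknown opcode {op}")
        self.pc += 1
        return True

    def run(self, max_steps=1000):
        for _ in range(max_steps):
            if not self.step():
                return self
        raise RuntimeError("program did not halt")


# Policy 1: two-level information-flow control. Tags are "L" (public) / "H" (secret).
def join(a, b):
    return "H" if "H" in (a, b) else "L"


def ifc_rule(op, t):
    if op == "const":
        return {"res": "L"}
    if op == "add":
        return {"res": join(t["t1"], t["t2"])}
    if op == "load":                           # result is as secret as pointer or cell
        return {"res": join(t["tptr"], t["tmem"])}
    if op == "store":                          # cell labels are fixed; no H -> L flow
        if join(t["tptr"], t["tval"]) == "H" and t["tmem"] == "L":
            raise PolicyViolation("secret value would be written to a public cell")
        return {"tmem": t["tmem"]}
    raise ValueError(op)


# Policy 2: heap memory safety by colouring. A pointer carries ("ptr", c); a cell
# carries ("mem", c, vtag): c is the region colour, vtag the tag of the stored value.
def memsafe_rule(op, t):
    if op == "const":
        return {"res": "data"}
    if op == "add":                            # pointer arithmetic keeps the colour
        ptrs = [x for x in (t["t1"], t["t2"]) if x != "data"]
        if len(ptrs) == 2:
            raise PolicyViolation("adding two pointers")
        return {"res": ptrs[0] if ptrs else "data"}
    if op in ("load", "store"):                # the pointer must match the cell's region
        if t["tptr"] == "data" or t["tptr"][1] != t["tmem"][1]:
            raise PolicyViolation("access through a pointer of the wrong region")
        if op == "load":
            return {"res": t["tmem"][2]}
        return {"tmem": ("mem", t["tmem"][1], t["tval"])}
    raise ValueError(op)


def demo_ifc_ok():
    """r3 := secret + 1, stored into a secret cell; returns (tag of r3, stored value)."""
    prog = [("const", "r0", 100), ("load", "r1", "r0"), ("const", "r2", 1),
            ("add", "r3", "r1", "r2"), ("const", "r4", 300), ("store", "r4", "r3"), ("halt",)]
    mem = {100: Atom(42, "H"), 300: Atom(0, "H")}          # constructed sample memory
    m = Machine(prog, {}, mem, ifc_rule).run()
    return m.regs["r3"].tag, m.mem[300].val


def demo_ifc_leak():
    """Same secret, but the store targets a public cell: the rule fail-stops."""
    prog = [("const", "r0", 100), ("load", "r1", "r0"), ("const", "r2", 200),
            ("store", "r2", "r1"), ("halt",)]
    mem = {100: Atom(42, "H"), 200: Atom(0, "L")}          # constructed sample memory
    try:
        Machine(prog, {}, mem, ifc_rule).run()
        return "leaked"
    except PolicyViolation:
        return "blocked"


# Constructed heap: region 1 = addresses {10, 11}, region 2 = address {20}.
MEM_REGIONS = {10: Atom(5, ("mem", 1, "data")), 11: Atom(7, ("mem", 1, "data")),
               20: Atom(9, ("mem", 2, "data"))}


def demo_memsafe(offset):
    """Load mem[p + offset] with p pointing into region 1; value or 'blocked'."""
    prog = [("const", "r1", offset), ("add", "r2", "r0", "r1"), ("load", "r3", "r2"), ("halt",)]
    regs = {"r0": Atom(10, ("ptr", 1))}
    try:
        return Machine(prog, regs, MEM_REGIONS, memsafe_rule).run().regs["r3"].val
    except PolicyViolation:
        return "blocked"
```

The core interpreter never mentions secrecy or regions: all of that lives in the rule functions, which is the separation the abstract's "flexible user-supplied rules" refers to. `demo_ifc_ok()` yields `("H", 43)` while `demo_ifc_leak()` yields `"blocked"`, the per-instruction enforcement behind a noninterference argument; `demo_memsafe(1)` reads `7` inside region 1, and `demo_memsafe(10)` is `"blocked"` because the derived pointer still carries colour 1 and cannot reach a region the program holds no valid pointer to.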