Exploring Robust Property Preservation for Secure Compilation

Good programming languages provide helpful abstractions for writing more secure code (types, modules, interfaces, procedures, structured control flow), but the security properties from the source language are generally not preserved when compiling a program and linking it with adversarial low-level code (e.g., a library or a legacy application). Linked low-level code that is malicious or compromised can for instance read and write the compiled program’s data and code, jump to arbitrary instructions, or smash the stack, blatantly violating any source-level abstraction. By contrast, a secure compilation chain protects source-level abstractions all the way down, ensuring that even an adversarial target-level context cannot break the security properties of a compiled program any more than some source-level context could. However, the precise class of security properties one chooses to preserve crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections the compilation chain has to introduce and the kind of proof techniques one can use to make sure that the protections are watertight. Since efficiently achieving and proving secure compilation at scale are challenging open problems, designers of secure compilation chains have to strike a pragmatic balance between security and efficiency that matches their application domain. To inform this difficult design decision, we thoroughly explore a large space of formal secure compilation criteria based on the preservation of properties that are robustly satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. For each of the studied classes we propose an equivalent "property-free" characterization of secure compilation that is generally better tailored for proofs. We, moreover, order the secure compilation criteria by their relative strength, discover a collapse between preserving hyperliveness and preserving all hyperproperties, and prove several separation results. Finally, we show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language. We prove this using a universal embedding, a context back-translation technique previously developed for fully abstract compilation. We also illustrate that for proving the robust preservation of most relational safety properties including safety, noninterference, and sometimes trace equivalence, a less powerful but more generic technique can back-translate a finite set of finite execution prefixes into a source context.

[1]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[2]  Michael Backes,et al.  Union and Intersection Types for Secure Protocol Implementations , 2011, TOSCA.

[3]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[4]  Dominique Devriese,et al.  Fully-abstract compilation by approximate back-translation , 2016, POPL.

[5]  Ross J. Anderson,et al.  What You Get is What You C: Controlling Side Effects in Mainstream C Compilers , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[6]  Stéphanie Delaune,et al.  A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols , 2017, J. Log. Algebraic Methods Program..

[7]  Marco Patrignani,et al.  A Secure Compiler for ML Modules , 2015, APLAS.

[8]  Martín Abadi,et al.  The Applied Pi Calculus , 2016, J. ACM.

[9]  Daniel Davis Wood,et al.  ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .

[10]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[11]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[12]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[13]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[14]  Karthikeyan Bhargavan,et al.  HACL*: A Verified Modern Cryptographic Library , 2017, CCS.

[15]  Roberto Gorrieri,et al.  A Taxonomy of Security Properties for Process Algebras , 1995, J. Comput. Secur..

[16]  Nikhil Swamy,et al.  Verified low-level programming embedded in F* , 2017, Proc. ACM Program. Lang..

[17]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[18]  Marco Patrignani,et al.  Robustly Safe Compilation or, Efficient, Provably Secure Compilation , 2018, ArXiv.

[19]  Roberto Blanco,et al.  When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise , 2018, CCS.

[20]  Rocco De Nicola,et al.  Testing Equivalences for Processes , 1984, Theor. Comput. Sci..

[21]  David Baelde,et al.  A Reduced Semantics for Deciding Trace Equivalence , 2017, Log. Methods Comput. Sci..

[22]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  Leslie Lamport,et al.  Formal Foundation for Specification and Verification , 1984, Advanced Course: Distributed Systems.

[24]  Martín Abadi,et al.  Secure implementation of channel abstractions , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[25]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[26]  Jeehoon Kang,et al.  Lightweight verification of separate compilation , 2016, POPL.

[27]  David Sands,et al.  Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.

[28]  Marco Patrignani,et al.  Secure Compilation and Hyperproperty Preservation , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).

[29]  Max S. New,et al.  Fully abstract compilation via universal embedding , 2016, ICFP.

[30]  Andrew D. Gordon,et al.  Types and effects for asymmetric cryptographic protocols , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[31]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[32]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[33]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[34]  Jeffrey S. Fenton Memoryless Subsystems , 1974, Comput. J..

[35]  Julian Rathke,et al.  A fully abstract may testing semantics for concurrent objects , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[36]  Leslie Lamport,et al.  Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.

[37]  Andrew W. Appel,et al.  Compositional CompCert , 2015, POPL.

[38]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[39]  David Sands,et al.  A Per Model of Secure Information Flow in Sequential Programs , 1999, ESOP.

[40]  Fred B. Schneider On Concurrent Programming , 1997, Graduate Texts in Computer Science.

[41]  John McLean,et al.  Proving Noninterference and Functional Correctness Using Traces , 1992, J. Comput. Secur..

[42]  Vincent Cheval,et al.  Deciding equivalence-based properties using constraint solving , 2013, Theor. Comput. Sci..

[43]  Amal Ahmed,et al.  Verifying an Open Compiler Using Multi-language Semantics , 2014, ESOP.

[44]  Gang Tan,et al.  Principles and Implementation Techniques of Software-Based Fault Isolation , 2017, Found. Trends Priv. Secur..

[45]  Dawn Xiaodong Song,et al.  The Correctness-Security Gap in Compiler Optimization , 2015, 2015 IEEE Security and Privacy Workshops.

[46]  A. W. Roscoe CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[47]  Nikhil Swamy,et al.  Implementing and Proving the TLS 1.3 Record Layer , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[48]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[49]  Derek Dreyer,et al.  Robust and compositional verification of object capability patterns , 2017, Proc. ACM Program. Lang..

[50]  Amal Ahmed Verified Compilers for a Multi-Language World , 2015, SNAPL.

[51]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[52]  Vincent Cheval,et al.  DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[53]  Chung-Kil Hur,et al.  Pilsner: a compositionally verified compiler for a higher-order imperative language , 2015, ICFP.

[54]  Dominique Devriese,et al.  Modular, Fully-abstract Compilation by Approximate Back-translation , 2017, Log. Methods Comput. Sci..

[55]  Michael R. Clarkson,et al.  Hyperproperties , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[56]  Dominique Devriese,et al.  On Modular and Fully-Abstract Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[57]  Orna Kupferman,et al.  Robust Satisfaction , 1999, CONCUR.

[58]  Andrew Kennedy Securing the .NET programming model , 2006, Theor. Comput. Sci..

[59]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..

[60]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[61]  Benjamin Grégoire,et al.  Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time” , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[62]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[63]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[64]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[65]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[66]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[67]  Marco Patrignani 1 Formal Approaches to Secure Compilation , 2018 .

[68]  Joost Engelfriet,et al.  Determinacy - (Observation Equivalence = Trace Equivalence) , 1985, Theor. Comput. Sci..

[69]  Adam Chlipala,et al.  Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[70]  Cǎtǎlin Hriţcu,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, PLAS@ECOOP.

[71]  Dominique Devriese,et al.  Parametricity versus the universal type , 2018, Proc. ACM Program. Lang..

[72]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[73]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[74]  Andrew C. Myers,et al.  Nonmalleable Information Flow Control , 2017, CCS.

[75]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[76]  Benjamin C. Pierce,et al.  Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[77]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[78]  Michael Backes,et al.  Type-checking zero-knowledge , 2008, CCS.

[79]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[80]  E. Stewart Lee,et al.  A general theory of security properties , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).