When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise

We propose a new formal criterion for evaluating secure compilation schemes for unsafe languages, expressing end-to-end security guarantees for software components that may become compromised after encountering undefined behavior---for example, by accessing an array out of bounds. Our criterion is the first to model dynamic compromise in a system of mutually distrustful components with clearly specified privileges. It articulates how each component should be protected from all the others---in particular, from components that have encountered undefined behavior and become compromised. Each component receives secure compilation guarantees---in particular, its internal invariants are protected from compromised components---up to the point when this component itself becomes compromised, after which we assume an attacker can take complete control and use this component's privileges to attack other components. More precisely, a secure compilation chain must ensure that a dynamically compromised component cannot break the safety properties of the system at the target level any more than an arbitrary attacker-controlled component (with the same interface and privileges, but without undefined behaviors) already could at the source level. To illustrate the model, we construct a secure compilation chain for a small unsafe language with buffers, procedures, and components, targeting a simple abstract machine with built-in compartmentalization. We give a careful proof (mostly machine-checked in Coq) that this compiler satisfies our secure compilation criterion. Finally, we show that the protection guarantees offered by the compartmentalized abstract machine can be achieved at the machine-code level using either software fault isolation or a tag-based reference monitor.

[1]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[2]  Leslie Lamport,et al.  Formal Foundation for Specification and Verification , 1984, Advanced Course: Distributed Systems.

[3]  Leslie Lamport,et al.  Distributed Systems: Methods and Tools for Specification, An Advanced Course, April 3-12, 1984 and April 16-25, 1985, Munich, Germany , 1985, Advanced Course: Distributed Systems.

[4]  Andrzej Filinski Linear continuations , 1992, POPL '92.

[5]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[6]  Simon S. Lam,et al.  A semantic model for authentication protocols , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[8]  Orna Kupferman,et al.  Robust Satisfaction , 1999, CONCUR.

[9]  Andrew D. Gordon,et al.  Ðð Blockinøöóòò Aeóøø× Ò Ìììóööøø Blockin Blockinð Óñôùøøö Ë Blockin , 2007 .

[10]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[11]  Martín Abadi,et al.  Secure Implementation of Channel Abstractions , 2002, Inf. Comput..

[12]  Andrew C. Myers,et al.  Secure Information Flow via Linear Continuations , 2002, High. Order Symb. Comput..

[13]  Andrew D. Gordon,et al.  Types and effects for asymmetric cryptographic protocols , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[14]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[15]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[16]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[17]  Andrew D. Gordon,et al.  Types and effects for asymmetric cryptographic protocols , 2004 .

[18]  Andrew D. Gordon,et al.  Secrecy Despite Compromise: Types, Cryptography, and the Pi-Calculus , 2005, CONCUR.

[19]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[20]  Andrew Kennedy Securing the .NET programming model , 2006, Theor. Comput. Sci..

[21]  Andrew D. Gordon,et al.  A type discipline for authorization policies , 2005, TOPL.

[22]  Andrew D. Gordon,et al.  A Type Discipline for Authorization in Distributed Systems , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[23]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[24]  Michael R. Clarkson,et al.  Hyperproperties , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[25]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[26]  Xavier Leroy,et al.  Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations , 2008, Journal of Automated Reasoning.

[27]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[28]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[29]  Michael Backes,et al.  Achieving Security Despite Compromise Using Zero-knowledge , 2009, 2009 22nd IEEE Computer Security Foundations Symposium.

[30]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[31]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[32]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[33]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[34]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[35]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[36]  Robert N. M. Watson,et al.  Exploring Compartmentalisation Hypotheses with SOAAP , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[37]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[38]  Alvin Cheung,et al.  Undefined behavior: what happened to my code? , 2012, APSys.

[39]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[40]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[41]  Martín Abadi,et al.  On Layout Randomization for Arrays and Functions , 2013, POST.

[42]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[43]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[44]  Armando Solar-Lezama,et al.  Towards optimization-safe systems: analyzing the impact of undefined behavior , 2013, SOSP.

[45]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[46]  Benjamin C. Pierce,et al.  A verified information-flow architecture , 2014, POPL.

[47]  Frank Piessens,et al.  Sound Modular Verification of C Code Executing in an Unverified Context , 2014, POPL.

[48]  David A. Basin,et al.  Know Your Enemy: Compromising Adversaries in Protocol Analysis , 2014, TSEC.

[49]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[50]  Marco Patrignani,et al.  Fully abstract trace semantics for low-level isolation mechanisms , 2013, SAC.

[51]  Benjamin C. Pierce,et al.  Foundational Property-Based Testing , 2015, ITP.

[52]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[53]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[54]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[55]  Amal Ahmed Verified Compilers for a Multi-Language World , 2015, SNAPL.

[56]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[57]  Chucky Ellison,et al.  Defining the undefinedness of C , 2015, PLDI.

[58]  Benjamin C. Pierce,et al.  Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components , 2015, ArXiv.

[59]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..

[60]  Robbert Krebbers,et al.  The C standard formalized in Coq , 2015 .

[61]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[62]  Marco Patrignani,et al.  A Secure Compiler for ML Modules , 2015, APLAS.

[63]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[64]  D. Garg,et al.  A Logic of Programs with Interface-Confined Code , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[65]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[66]  Dan Grossman,et al.  Verified peephole optimizations for CompCert , 2016, PLDI.

[67]  Dominique Devriese,et al.  Fully-abstract compilation by approximate back-translation , 2016, POPL.

[68]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[69]  Frank Piessens,et al.  Towards safe enclaves , 2016 .

[70]  Benjamin C. Pierce,et al.  A verified information-flow architecture , 2014, J. Comput. Secur..

[71]  Robert N. M. Watson,et al.  Into the depths of C: elaborating the de facto standards , 2016, PLDI.

[72]  Jeehoon Kang,et al.  Lightweight verification of separate compilation , 2016, POPL.

[73]  Dominique Devriese,et al.  On Modular and Fully-Abstract Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[74]  Benjamin C. Pierce,et al.  Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[75]  Max S. New,et al.  Fully abstract compilation via universal embedding , 2016, ICFP.

[76]  Arthur Azevedo de Amorim A Methodology For Micro-Policies , 2017 .

[77]  Chung-Kil Hur,et al.  Taming undefined behavior in LLVM , 2017, PLDI.

[78]  Derek Dreyer,et al.  Robust and compositional verification of object capability patterns , 2017, Proc. ACM Program. Lang..

[79]  Marco Patrignani,et al.  Robust Hyperproperty Preservation for Secure Compilation (Extended Abstract) , 2017, ArXiv.

[80]  L. Birkedal,et al.  Reasoning About a Capability Machine with Local Capabilities Provably Safe Stack and Return Pointer Management ( without OS Support ) , 2017 .

[81]  Dominique Devriese,et al.  Modular, Fully-abstract Compilation by Approximate Back-translation , 2017, Log. Methods Comput. Sci..

[82]  Cédric Fournet,et al.  Building Secure SGX Enclaves using F*, C/C++ and X64 , 2017 .

[83]  Gang Tan,et al.  Principles and Implementation Techniques of Software-Based Fault Isolation , 2017, Found. Trends Priv. Secur..

[84]  F. Piessens,et al.  Towards Automatic Compartmentalization of C Programs on Capability Machines , 2017 .

[85]  Alon Zakai,et al.  Bringing the web up to speed with WebAssembly , 2017, PLDI.

[86]  Roberto Blanco,et al.  Exploring Robust Property Preservation for Secure Compilation , 2018, ArXiv.

[87]  Jonathan M. Smith,et al.  BreakApp: Automated, Flexible Application Compartmentalization , 2018, NDSS.

[88]  Dominique Devriese,et al.  Parametricity versus the universal type , 2018, Proc. ACM Program. Lang..

[89]  Roland H. C. Yap,et al.  EffectiveSan: type and memory error detection using dynamically typed C/C++ , 2017, PLDI.

[90]  Dominique Devriese,et al.  Reasoning About a Machine with Local Capabilities - Provably Safe Stack and Return Pointer Management , 2018, ESOP.

[91]  Benjamin C. Pierce,et al.  The Meaning of Memory Safety , 2017, POST.

[92]  Marco Patrignani,et al.  Robustly Safe Compilation or, Efficient, Provably Secure Compilation , 2018, ArXiv.

[93]  Ross J. Anderson,et al.  What You Get is What You C: Controlling Side Effects in Mainstream C Compilers , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[94]  Roberto Blanco,et al.  Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation , 2018, 2019 IEEE 32nd Computer Security Foundations Symposium (CSF).

[95]  Marco Patrignani,et al.  Robustly Safe Compilation , 2019, ESOP.

[96]  Dominique Devriese,et al.  StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities , 2018, Journal of Functional Programming.