Efficient and provable local capability revocation using uninitialized capabilities

Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine.

[1]  Lars Birkedal,et al.  The impact of higher-order state and control effects on local relational reasoning , 2012, J. Funct. Program..

[2]  Zhong Shao,et al.  Certified self-modifying code , 2007, PLDI '07.

[3]  Lars Birkedal,et al.  Iris from the ground up: A modular foundation for higher-order concurrent separation logic , 2018, Journal of Functional Programming.

[4]  Lars Birkedal,et al.  Interactive proofs in higher-order concurrent separation logic , 2017, POPL.

[5]  Dominique Devriese,et al.  Reasoning About a Machine with Local Capabilities - Provably Safe Stack and Return Pointer Management , 2018, ESOP.

[6]  Peter G. Neumann,et al.  Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture , 2014 .

[7]  Lars Birkedal,et al.  Mechanized relational verification of concurrent programs with continuations , 2019, Proc. ACM Program. Lang..

[8]  Lars Birkedal,et al.  The Essence of Higher-Order Concurrent Separation Logic , 2017, ESOP.

[9]  Timothy M. Jones,et al.  CHERIvoke: Characterising Pointer Revocation using CHERI Capabilities for Temporal Memory Safety , 2019, MICRO.

[10]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[11]  Derek Dreyer,et al.  State-dependent representation independence , 2009, POPL '09.

[12]  Peter G. Neumann,et al.  CHERI JNI: Sinking the Java Security Model into the C , 2017, ASPLOS.

[13]  Mark S. Miller,et al.  Robust composition: towards a unified approach to access control and concurrency control , 2006 .

[14]  Dominique Devriese,et al.  Linear capabilities for fully abstract compilation of separation-logic-verified code , 2019, Journal of Functional Programming.

[15]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[16]  Peter G. Neumann,et al.  Cornucopia: Temporal Safety for CHERI Heaps , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[17]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[18]  Marco Patrignani,et al.  A Formal Model for Capability Machines An Illustrative Case Study towards Secure Compilation to CHERI , 2016 .

[19]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[20]  Peter G. Neumann,et al.  CHERI Concentrate: Practical Compressed Capabilities , 2019, IEEE Transactions on Computers.

[21]  Dominique Devriese,et al.  StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities , 2018, Journal of Functional Programming.

[22]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[23]  Derek Dreyer,et al.  Robust and compositional verification of object capability patterns , 2017, Proc. ACM Program. Lang..

[24]  Hongseok Yang,et al.  Step-indexed kripke models over recursive worlds , 2011, POPL '11.

[25]  Scala step-by-step: soundness for DOT with step-indexed logical relations in Iris , 2020, Proc. ACM Program. Lang..

[26]  Peter G. Neumann,et al.  Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[27]  Lars Birkedal,et al.  Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning , 2015, POPL.

[28]  William J. Dally,et al.  Hardware support for fast capability-based addressing , 1994, ASPLOS VI.

[29]  Ankur Taly,et al.  Object Capabilities and Isolation of Untrusted Web Applications , 2010, 2010 IEEE Symposium on Security and Privacy.

[30]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[31]  Amal Ahmed,et al.  Semantics of types for mutable state , 2004 .

[32]  Joseph Tassarotti,et al.  MoSeL: a general, extensible modal framework for interactive proofs in separation logic , 2018, Proc. ACM Program. Lang..

[33]  Lars Birkedal,et al.  A logical relation for monadic encapsulation of state: proving contextual equivalences in the presence of runST , 2017, Proc. ACM Program. Lang..

[34]  Sophia Drossopoulou,et al.  Holistic Specifications for Robust Programs , 2020, FASE.

[35]  Lars Birkedal,et al.  Higher-order ghost state , 2016, ICFP.

[36]  Nick Benton,et al.  High-level separation logic for low-level code , 2013, POPL.

[37]  Peter G. Neumann,et al.  Fast Protection-Domain Crossing in the CHERI Capability-System Architecture , 2016, IEEE Micro.

[38]  Magnus O. Myreen,et al.  Hoare Logic for Realistically Modelled Machine Code , 2007, TACAS.