Beyond Good and Evil: Formalizing the Security Guarantees of Low-Level Compartmentalization

Compartmentalization is widely regarded as good security-engineering practice: if we break up a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by lowlevel attacks such as control-flow hijacking. But the formal guarantees provided by such low-level compartmentalization have seen surprisingly little investigation. We propose a new property, secure compartmentalization, that formally characterizes the security guarantees provided by lowlevel compartmentalization and clarifies its attacker model. We rationally reconstruct the secure compartmentalization property starting from the well-established notion of fully abstract compilation, by identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove secure compartmentalization for language implementations by adapting established proof techniques; we illustrate this for a simple unsafe imperative language with procedures and a compiler from this language to a compartmentalized abstract machine.

[1]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[2]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[3]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[4]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[5]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[6]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[7]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[8]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[9]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[10]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[11]  Frank Piessens,et al.  Sound Modular Verification of C Code Executing in an Unverified Context , 2014, POPL.

[12]  Martín Abadi,et al.  Layout Randomization and Nondeterminism , 2013, MFPS.

[13]  Robin Milner,et al.  Processes: A Mathematical Model of Computing Agents , 1975 .

[14]  Benjamin C. Pierce,et al.  Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components , 2015, ArXiv.

[15]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[16]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[17]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[18]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[19]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[20]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[21]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[22]  Richard Lippmann,et al.  Testing static analysis tools using exploitable buffer overflows from open source code , 2004, SIGSOFT '04/FSE-12.

[23]  Dominique Devriese,et al.  Multi-module fully abstract compilation (extended abstract) , 2015 .

[24]  Marco Patrignani,et al.  A Secure Compiler for ML Modules , 2015, APLAS.

[25]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[26]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[27]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[28]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[29]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[30]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[31]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[32]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[33]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[34]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[35]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[36]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[37]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[38]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[39]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[40]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[41]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[42]  Amal Ahmed Verified Compilers for a Multi-Language World , 2015, SNAPL.

[43]  Dominique Devriese,et al.  Fully-abstract compilation by approximate back-translation , 2016, POPL.

[44]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[45]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[46]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[47]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[48]  Milo M. K. Martin,et al.  Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.

[49]  Úlfar Erlingsson,et al.  Low-Level Software Security: Attacks and Defenses , 2007, FOSAD.

[50]  Philip Wadler,et al.  Well-Typed Programs Can't Be Blamed , 2009, ESOP.

[51]  Martín Abadi,et al.  On Layout Randomization for Arrays and Functions , 2013, POST.

[52]  Julian Rathke,et al.  A fully abstract may testing semantics for concurrent objects , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[53]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[54]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..

[55]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[56]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[57]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[58]  Marco Patrignani,et al.  Secure Compilation of Object-Oriented Components to Protected Module Architectures , 2013, APLAS.

[59]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[60]  Marco Patrignani,et al.  The Tome of Secure Compilation: Fully Abstract Compilation to Protected Modules Architectures ; Het boek van veilige compilatie: Volledig abstracte compilatie naar beschermende modulearchitecturen , 2015 .

[61]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[62]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[63]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.