Beyond Full Abstraction: Formalizing the Security Guarantees of Low-Level Compartmentalization

Compartmentalization is widely regarded as good security-engineering practice: if we break up a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by lowlevel attacks such as control-flow hijacking. But the formal guarantees provided by such low-level compartmentalization have seen surprisingly little investigation. We propose a new property, secure compartmentalization, that formally characterizes the security guarantees provided by lowlevel compartmentalization and clarifies its attacker model. We rationally reconstruct the secure compartmentalization property starting from the well-established notion of fully abstract compilation, by identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove secure compartmentalization for language implementations by adapting established proof techniques; we illustrate this for a simple unsafe imperative language with procedures and a compiler from this language to a compartmentalized abstract machine.

[1]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[2]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[3]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[4]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[5]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[6]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[7]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[8]  Úlfar Erlingsson,et al.  Low-Level Software Security: Attacks and Defenses , 2007, FOSAD.

[9]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[10]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[11]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[12]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[13]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[14]  Richard Lippmann,et al.  Testing static analysis tools using exploitable buffer overflows from open source code , 2004, SIGSOFT '04/FSE-12.

[15]  Milo M. K. Martin,et al.  Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.

[16]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[17]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[18]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[19]  Benjamin C. Pierce,et al.  Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components , 2015, ArXiv.

[20]  Dominique Devriese,et al.  Multi-module fully abstract compilation (extended abstract) , 2015 .

[21]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[22]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[23]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[24]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[25]  Amal Ahmed Verified Compilers for a Multi-Language World , 2015, SNAPL.

[26]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[27]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[28]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[29]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[30]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[31]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[32]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[33]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[34]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[35]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[36]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[37]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[38]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[39]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[40]  Frank Piessens,et al.  Sound Modular Verification of C Code Executing in an Unverified Context , 2014, POPL.

[41]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[42]  Martín Abadi,et al.  Layout Randomization and Nondeterminism , 2013, MFPS.

[43]  Marco Patrignani,et al.  The Tome of Secure Compilation: Fully Abstract Compilation to Protected Modules Architectures ; Het boek van veilige compilatie: Volledig abstracte compilatie naar beschermende modulearchitecturen , 2015 .

[44]  Julian Rathke,et al.  A fully abstract may testing semantics for concurrent objects , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[45]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[46]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[47]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[48]  Dominique Devriese,et al.  Fully-abstract compilation by approximate back-translation , 2016, POPL.

[49]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[50]  Marco Patrignani,et al.  A Secure Compiler for ML Modules , 2015, APLAS.

[51]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[52]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[53]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[54]  Martín Abadi,et al.  On Layout Randomization for Arrays and Functions , 2013, POST.

[55]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[56]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[57]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[58]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[59]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..

[60]  Philip Wadler,et al.  Well-Typed Programs Can't Be Blamed , 2009, ESOP.

[61]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[62]  Robin Milner,et al.  Processes: A Mathematical Model of Computing Agents , 1975 .

[63]  Marco Patrignani,et al.  Secure Compilation of Object-Oriented Components to Protected Module Architectures , 2013, APLAS.