Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components

Secure compilation prevents all low-level attacks on compiled code and allows for sound reasoning about security in the source language. In this work we propose a new attacker model for secure compilation that extends the well-known notion of full abstraction to ensure protection for mutually distrustful components. We devise a compiler chain (compiler, linker, and loader) and a novel security monitor that together defend against this strong attacker model. The monitor is implemented using a recently proposed, generic tag-based protection framework called micro-policies, which comes with hardware support for efficient caching and with a formal verification methodology. Our monitor protects the abstractions of a simple object-oriented language---class isolation, the method call discipline, and type safety---against arbitrary low-level attackers.