Reasoning About a Machine with Local Capabilities - Provably Safe Stack and Return Pointer Management

Capability machines provide security guarantees at the machine level, which makes them an interesting target for secure compilation schemes that provably enforce properties such as control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention for stack and return pointer management. We provide a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety) and use it to prove control-flow correctness and encapsulation of local state. The logical relation is not specific to our calling convention and can be used to reason about arbitrary programs.
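To make the local-capability guarantee concrete, the following is an added illustration, not the paper's formal model or its proof development: a toy capability machine in Python in which every load and store is mediated by a capability carrying permissions (R, W, X and WL, i.e. write-local, after the CHERI naming such machines are modelled on), bounds, and a local/global flag. The permission names, the memory layout, the `Machine`/`Capability` classes and the stack-clearing step are assumptions made for this example; the one rule it exercises, that a local capability can only be written to memory through a capability holding WL, is what stops an untrusted callee from stashing a local stack or return capability in global memory for later misuse.

```python
from dataclasses import dataclass
from typing import Dict, Union

# Permission names (assumed for this illustration, after CHERI's naming):
# R = read, W = write, X = execute, WL = write-local.
R, W, X, WL = "R", "W", "X", "WL"


@dataclass(frozen=True)
class Capability:
    perms: frozenset   # subset of {R, W, X, WL}
    local: bool        # a local capability may only be stored through a WL capability
    base: int          # inclusive lower bound
    end: int           # exclusive upper bound
    addr: int          # current address (cursor)

    def at(self, addr: int) -> "Capability":
        """Same authority, different cursor (bounds and perms are unchanged)."""
        return Capability(self.perms, self.local, self.base, self.end, addr)

    def in_bounds(self) -> bool:
        return self.base <= self.addr < self.end


class CapabilityFault(Exception):
    """Raised when an access is rejected by the capability checks."""


Word = Union[int, Capability]


class Machine:
    """Word-addressed memory whose loads and stores go through capabilities."""

    def __init__(self, size: int) -> None:
        self.mem: Dict[int, Word] = {a: 0 for a in range(size)}

    def load(self, c: Capability) -> Word:
        if R not in c.perms or not c.in_bounds():
            raise CapabilityFault(f"load via {c} denied")
        return self.mem[c.addr]

    def store(self, c: Capability, v: Word) -> None:
        if W not in c.perms or not c.in_bounds():
            raise CapabilityFault(f"store via {c} denied")
        # The check that gives "local" its meaning: a local capability can only
        # be written to memory through a capability carrying WL.  Global memory
        # (no WL) can therefore never hold a local stack or return capability.
        if isinstance(v, Capability) and v.local and WL not in c.perms:
            raise CapabilityFault("storing a local capability requires WL")
        self.mem[c.addr] = v

    def clear(self, c: Capability) -> None:
        """Zero every word c spans (stands in for the convention's stack clearing)."""
        for a in range(c.base, c.end):
            self.store(c.at(a), 0)


def try_store(m: Machine, target: Capability, v: Word) -> str:
    """Attempt a store and report whether the hardware checks allowed it."""
    try:
        m.store(target, v)
        return "stored"
    except CapabilityFault:
        return "denied"


def demo() -> dict:
    """An untrusted callee holds a local stack capability and a local return
    capability and tries to stash them where it could reuse them later."""
    m = Machine(48)  # constructed layout: code 0..16, global heap 16..32, stack 32..48
    ret   = Capability(frozenset({R, X}),     local=True,  base=0,  end=16, addr=8)   # return pointer
    heap  = Capability(frozenset({R, W}),     local=False, base=16, end=32, addr=16)  # global data
    stack = Capability(frozenset({R, W, WL}), local=True,  base=32, end=48, addr=32)  # local stack
    glob  = Capability(frozenset({R}),        local=False, base=16, end=32, addr=20)  # some global cap

    out = {}
    out["ret_to_heap"] = try_store(m, heap, ret)       # local into global memory: denied
    out["ret_to_stack"] = try_store(m, stack, ret)     # local into WL stack: allowed
    out["stack_to_heap"] = try_store(m, heap, stack)   # the stack capability itself: denied
    out["global_to_heap"] = try_store(m, heap, glob)   # global capability: no restriction
    # On return the stack is cleared, so the copy stashed on the stack is gone too.
    m.clear(stack)
    out["stack_after_clear"] = m.load(stack.at(32))
    return out


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the only place a local return or stack capability can be written is memory reachable through a WL capability, i.e. the stack itself, and the stack is exactly what the calling convention clears before control crosses a trust boundary; the logical relation in the paper is what turns this per-instruction check into a proof about arbitrary untrusted code.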