The Tome of Secure Compilation: Fully Abstract Compilation to Protected Modules Architectures ; Het boek van veilige compilatie: Volledig abstracte compilatie naar beschermende modulearchitecturen

Mature manhood: that means to have rediscovered the seriousness one had as a child at play. Friedrich Nietzsche Beyond Good and Evil Part IV Aphorism 94 A compiler is a complex software artefact that, among other things, translates programs written in a source-level language into programs written in a targetlevel one. Source-level programming languages often provide programmers with means to define and enforce security policies. However, this does not always hold for target languages, so compilers do not always have the means to translate secure source programs into secure target programs. When security policies are not preserved by a compiler during the language translation, the generated target-level code can be subject to malicious security-breaching attacks. When security is preserved by a compiler, however, source-level security policies cannot be violated in the generated target-level code. A compiler that preserves sourcelevel security policies in the target-level programs it generates is called a secure compiler. This thesis then presents a secure compiler from an object-oriented Javalike language to untyped assembly code extended with protected module architectures (PMA) – an isolation mechanism of modern processors. To prove that compiler secure, it is proven to be fully abstract, so it preserves (and reflects) the behaviour of the programs it compiles. Since the behaviour of programs captures also the security policies of that program, a fully abstract compiler is a secure one. This thesis also studies the behaviour for untyped assembly code extended with PMA in terms of trace semantics. Two such trace semantics are developed in

[1]  Martín Abadi,et al.  Secure communications processing for distributed languages , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[2]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[3]  Juan Chen,et al.  Type-preserving compilation of end-to-end verification of security enforcement , 2010, PLDI '10.

[4]  Julian Rathke,et al.  Full Abstraction for Polymorphic Pi-Calculus , 2005, FoSSaCS.

[5]  Xavier Leroy Keynote II: Formally verifying a compiler: Why? How? How far? , 2011, CGO.

[6]  S. Abramsky The lazy lambda calculus , 1990 .

[7]  Reiner Hähnle,et al.  ABS: A Core Language for Abstract Behavioral Specification , 2010, FMCO.

[8]  Arnd Poetzsch-Heffter,et al.  A fully abstract trace-based semantics for reasoning about backward compatibility of class libraries , 2014, Sci. Comput. Program..

[9]  Cédric Fournet,et al.  A security-preserving compiler for distributed programs: from information-flow policies to cryptographic mechanisms , 2009, CCS.

[10]  Andrew D. Gordon,et al.  Secure compilation of a multi-tier web language , 2009, TLDI '09.

[11]  Juan del Cuvillo,et al.  Using innovative instructions to create trustworthy software solutions , 2013, HASP '13.

[12]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[13]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.

[14]  Robert Bruce Findler,et al.  Operational semantics for multi-language programs , 2009 .

[15]  Louis-Julien Guillemette A type-preserving compiler from system f to typed assembly language , 2009 .

[16]  Jonathan M. Smith,et al.  PUMP: a programmable unit for metadata processing , 2014, HASP@ISCA.

[17]  Cédric Fournet,et al.  A secure compiler for session abstractions , 2008, J. Comput. Secur..

[18]  Frank Piessens,et al.  VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java , 2011, NASA Formal Methods.

[19]  Chung-Kil Hur,et al.  Biorthogonality, step-indexing and compiler correctness , 2009, ICFP.

[20]  Chung-Kil Hur,et al.  A kripke logical relation between ML and assembly , 2011, POPL '11.

[21]  Joachim Parrow,et al.  Expressiveness of Process Algebras , 2008, LIX.

[22]  Daniele Gorla,et al.  Full abstraction for expressiveness: history, myths and facts † , 2014, Mathematical Structures in Computer Science.

[23]  Daniel Kroening,et al.  A Survey of Automated Techniques for Formal Software Verification , 2008, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[24]  Andreas Lochbihler,et al.  Verifying a Compiler for Java Threads , 2010, ESOP.

[25]  Dominic Duggan Type-based cryptographic operations , 2004, J. Comput. Secur..

[26]  Matthias Felleisen,et al.  Abstract models of memory management , 1995, FPCA '95.

[27]  D. Sangiorgi Introduction to Bisimulation and Coinduction , 2011 .

[28]  Marco Patrignani,et al.  Secure Compilation of Object-Oriented Components to Protected Module Architectures , 2013, APLAS.

[29]  Frank Piessens,et al.  Efficient Isolation of Trusted Subsystems in Embedded Systems , 2010, SecureComm.

[30]  James Laird A Fully Abstract Trace Semantics for General References , 2007, ICALP.

[31]  C. A. R. Hoare,et al.  Semantics of Nondeterminism, Concurrency, and Communication , 1979, J. Comput. Syst. Sci..

[32]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[33]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[34]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[35]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[36]  Karim Eldefrawy SMART: Secure and Minimal Architecture for (Establishing a Dynamic) Root of Trust , 2012, NDSS 2012.

[37]  Dave Clarke,et al.  Subobject-Oriented Programming , 2012, FMCO.

[38]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[39]  Attacks on and Countermeasures for USB Hardware Token Devices , 2000 .

[40]  William J. Dally,et al.  Hardware support for fast capability-based addressing , 1994, ASPLOS VI.

[41]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[42]  Suresh Jagannathan,et al.  Relaxed-memory concurrency and verified compilation , 2011, POPL '11.

[43]  Dan Grossman,et al.  Principals in programming languages: a syntactic proof technique , 1999, ICFP '99.

[44]  Stefan Monnier,et al.  A type-preserving compiler in Haskell , 2008, ICFP 2008.

[45]  Luca Padovani,et al.  Foundations of session types , 2009, PPDP '09.

[46]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[47]  Roland Ducournau,et al.  Implementing statically typed object-oriented programming languages , 2011, ACM Comput. Surv..

[48]  G.D. Plotkin,et al.  LCF Considered as a Programming Language , 1977, Theor. Comput. Sci..

[49]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[50]  Andrew Kennedy Securing the .NET programming model , 2006, Theor. Comput. Sci..

[51]  Frank Piessens,et al.  Fides: selectively hardening software application components against kernel-level or process-level malware , 2012, CCS '12.

[52]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..

[53]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[54]  Per Larsen,et al.  Profile-guided automated software diversity , 2013, Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[55]  Martín Abadi,et al.  Secure implementation of channel abstractions , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[56]  Cédric Fournet,et al.  Cryptographically Sound Implementations for Communicating Processes , 2006, ICALP.

[57]  Amal Ahmed,et al.  Step-Indexed Syntactic Logical Relations for Recursive and Quantified Types , 2006, ESOP.

[58]  Johannes Winter,et al.  A Hijacker's Guide to the LPC Bus , 2011, EuroPKI.

[59]  Michele Bugliesi,et al.  Secure implementations of typed channel abstractions , 2007, POPL '07.

[60]  Jon G. Riecke,et al.  Fully abstract translations between functional languages , 1991, POPL '91.

[61]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[62]  Adam Chlipala,et al.  A certified type-preserving compiler from lambda calculus to assembly language , 2007, PLDI '07.

[63]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[64]  Peeter Laud,et al.  Secure Implementation of Asynchronous Method Calls and Futures , 2012, INTRUST.

[65]  Per Larsen,et al.  Security through Diversity: Are We There Yet? , 2014, IEEE Security & Privacy.

[66]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[67]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[68]  Alessandro Orso,et al.  Preventing SQL injection attacks using AMNESIA , 2006, ICSE.

[69]  Davide Sangiorgi,et al.  Expressing mobility in process algebras : first-order and higher-order paradigms , 1993 .

[70]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[71]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[72]  Xavier Leroy,et al.  Formal certification of a compiler back-end or: programming a compiler with a proof assistant , 2006, POPL '06.

[73]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[74]  John C. Mitchell On Abstraction and the Expressive Power of Programming Languages , 1991, Sci. Comput. Program..

[75]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[76]  Zhong Shao,et al.  Type-preserving compilation of featherweight java , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[77]  Calton Pu,et al.  Reducing TCB complexity for security-sensitive applications: three case studies , 2006, EuroSys.

[78]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[79]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[80]  Davide Sangiorgi,et al.  The Pi-Calculus - a theory of mobile processes , 2001 .

[81]  Frank Piessens,et al.  Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base , 2013, USENIX Security Symposium.

[82]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[83]  Mitchell Wand,et al.  The Theory of Fexprs is Trivial , 1998, LISP Symb. Comput..

[84]  Gilles Barthe,et al.  Security of multithreaded programs by compilation , 2007, TSEC.

[85]  George C. Necula,et al.  Proof-Carrying Code , 2011, Encyclopedia of Cryptography and Security.

[86]  Martín Abadi,et al.  Layout Randomization and Nondeterminism , 2013, MFPS.

[87]  Martín Abadi,et al.  Authentication primitives and their compilation , 2000, POPL '00.

[88]  Julian Rathke,et al.  A fully abstract may testing semantics for concurrent objects , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[89]  Cédric Fournet,et al.  The reflexive CHAM and the join-calculus , 1996, POPL '96.

[90]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[91]  Magnus O. Myreen Verified just-in-time compiler on x86 , 2010, POPL '10.

[92]  B. Preneel,et al.  Analyzing trusted platform communication ? , 2005 .

[93]  Graem A. Ringwood,et al.  Garbage collecting the Internet: a survey of distributed garbage collection , 1998, CSUR.

[94]  Robin Milner,et al.  Fully Abstract Models of Typed lambda-Calculi , 1977, Theor. Comput. Sci..

[95]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[96]  Frank S. de Boer,et al.  A Fully Abstract Semantics for UML Components , 2004, FMCO.

[97]  Andrew C. Myers,et al.  Programming Languages for Information Security , 2002 .

[98]  Raoul Strackx Security Primitives for Protected-Module Architectures Based on Program-Counter-Based Memory Access Control; Beveiligingsprimitieven voor softwaremodules die beschermd worden door geheugentoegangscontrole op basis van de programmateller , 2014 .

[99]  J. Vitek,et al.  Principals , Policies and Keys in a Secure Distributed Programming Language Tom Chothia , 2008 .

[100]  Marco Patrignani,et al.  Operational Semantics for Secure Interoperation , 2014, PLAS@ECOOP.

[101]  Andrew M. Pitts,et al.  A Fully Abstract Translation between a Lambda-Calculus with Reference Types and Standard ML , 1995, TLCA.

[102]  Benjamin C. Pierce,et al.  A verified information-flow architecture , 2014, J. Comput. Secur..

[103]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[104]  Chung-Kil Hur,et al.  Realizability and Compositional Compiler Correctness for a Polymorphic Language , 2010 .

[105]  Marco Patrignani,et al.  Fully abstract trace semantics for low-level isolation mechanisms , 2013, SAC.

[106]  John Power,et al.  From Comodels to Coalgebras: State and Arrays , 2004, CMCS.

[107]  Gilles Barthe,et al.  Security types preserving compilation , 2004, Comput. Lang. Syst. Struct..

[108]  Joachim Parrow General conditions for full abstraction , 2016, Math. Struct. Comput. Sci..

[109]  Andrew W. Appel Modern Compiler Implementation in ML: Basic Techniques , 1997 .

[110]  Carlos Miguel Tavares Calafate,et al.  A low-cost embedded IDS to monitor and prevent Man-in-the-Middle attacks on wired LAN environments , 2007, The International Conference on Emerging Security Information, Systems, and Technologies (SECUREWARE 2007).

[111]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[112]  Pierre-Louis Curien,et al.  A Semantic Characterization of Full Abstraction for Typed Lambda Calculi , 1984, FOCS.

[113]  Úlfar Erlingsson,et al.  Low-Level Software Security by Example , 2010, Handbook of Information and Communication Security.

[114]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[115]  Benjamin C. Pierce,et al.  Types and programming languages: the next generation , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[116]  Dan R. Ghica,et al.  A System-Level Game Semantics , 2012, MFPS.

[117]  David Flanagan,et al.  Java in a Nutshell , 1996 .

[118]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[119]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[120]  Steve Zdancewic,et al.  Run-time principals in information-flow type systems , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[121]  Dan R. Ghica,et al.  Coherent Minimisation: Towards efficient tamper-proof compilation , 2012, ICE.

[122]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .