Reasoning About a Capability Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management (without OS Support)

Capability machines provide security guarantees at the machine level, which makes them an interesting target for compilation schemes that provably enforce properties like control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention for enforcing control-flow correctness and encapsulation of local state on it. To prove these properties, we provide a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety). These results are not tied to our calling convention and can be used to reason about arbitrary programs.
