Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation
Roberto Blanco | Marco Patrignani | Cătălin Hriţcu | Deepak Garg | Carmine Abate | Jérémy Thibault
[1] Jeehoon Kang,et al. Lightweight verification of separate compilation , 2016, POPL.
[2] Pierre-Yves Strub,et al. Dependent types and multi-monadic effects in F* , 2016, POPL.
[3] Ramana Kumar,et al. CakeML: a verified implementation of ML , 2014, POPL.
[4] Michael R. Clarkson,et al. Hyperproperties , 2008, 2008 21st IEEE Computer Security Foundations Symposium.
[5] Martín Abadi,et al. Secure Implementation of Channel Abstractions , 2002, Inf. Comput..
[6] Orna Kupferman,et al. Robust Satisfaction , 1999, CONCUR.
[7] Randal E. Bryant,et al. Concurrent programming , 1980, Operating Systems Engineering.
[8] Adam Chlipala,et al. Simple High-Level Code for Cryptographic Arithmetic - With Proofs, Without Compromises , 2019, 2019 IEEE Symposium on Security and Privacy (SP).
[9] Dominique Devriese,et al. Parametricity versus the universal type , 2018, Proc. ACM Program. Lang..
[10] Max S. New,et al. Fully abstract compilation via universal embedding , 2016, ICFP.
[11] Andrew D. Gordon,et al. Types and effects for asymmetric cryptographic protocols , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.
[12] Niels Provos,et al. Preventing Privilege Escalation , 2003, USENIX Security Symposium.
[13] Julian Rathke,et al. A fully abstract may testing semantics for concurrent objects , 2005, Theor. Comput. Sci..
[14] Juan Chen,et al. Fully abstract compilation to JavaScript , 2013, POPL.
[15] Andrew W. Appel,et al. Compositional CompCert , 2015, POPL.
[16] Sandrine Blazy,et al. Compiling Sandboxes: Formally Verified Software Fault Isolation , 2019, ESOP.
[17] Marco Patrignani,et al. Secure Compilation to Protected Module Architectures , 2015, TOPL.
[18] Mitchell Wand,et al. The mystery of the tower revealed: A nonreflective description of the reflective tower , 1988, LISP Symb. Comput..
[19] Patrick Cousot,et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.
[20] Mark Handley,et al. Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.
[21] Gang Tan,et al. Principles and Implementation Techniques of Software-Based Fault Isolation , 2017, Found. Trends Priv. Secur..
[22] Davide Sangiorgi,et al. The Pi-Calculus - a theory of mobile processes , 2001 .
[23] Benjamin Grégoire,et al. Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time” , 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).
[24] Dawn Xiaodong Song,et al. The Correctness-Security Gap in Compiler Optimization , 2015, 2015 IEEE Security and Privacy Workshops.
[25] Martín Abadi,et al. Protection in Programming-Language Translations , 1998, ICALP.
[26] J. Meseguer,et al. Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.
[27] A. W. Roscoe. CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.
[28] David Baelde,et al. A Reduced Semantics for Deciding Trace Equivalence , 2017, Log. Methods Comput. Sci..
[29] Peter G. Neumann,et al. Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.
[30] Michele Pasqua,et al. On Topologies for (Hyper)Properties , 2017, ICTCS/CILC.
[31] Frank Piessens,et al. Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.
[32] Zohar Manna,et al. Temporal verification of reactive systems - safety , 1995 .
[33] Andrew C. Myers,et al. Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..
[34] Charles Reis,et al. Isolating web programs in modern browser architectures , 2009, EuroSys '09.
[35] Benjamin C. Pierce,et al. Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.
[36] Stéphanie Delaune,et al. A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols , 2017, J. Log. Algebraic Methods Program..
[37] Robert Wahbe,et al. Efficient software-based fault isolation , 1994, SOSP '93.
[38] Grigore Rosu,et al. On Safety Properties and Their Monitoring , 2012, Sci. Ann. Comput. Sci..
[39] Vincent Cheval,et al. DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice , 2018, 2018 IEEE Symposium on Security and Privacy (SP).
[40] Chung-Kil Hur,et al. Pilsner: a compositionally verified compiler for a higher-order imperative language , 2015, ICFP.
[41] Andrew Kennedy. Securing the .NET programming model , 2006, Theor. Comput. Sci..
[42] Marco Patrignani,et al. Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..
[43] Nikhil Swamy,et al. Implementing and Proving the TLS 1.3 Record Layer , 2017, 2017 IEEE Symposium on Security and Privacy (SP).
[44] Matthias Felleisen,et al. On the Expressive Power of Programming Languages , 1990, ESOP.
[45] Marco Patrignani,et al. Formal Approaches to Secure Compilation , 2019 .
[46] Ross J. Anderson,et al. What You Get is What You C: Controlling Side Effects in Mainstream C Compilers , 2018, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).
[47] Michael Backes,et al. Union and Intersection Types for Secure Protocol Implementations , 2011, TOSCA.
[48] Martín Abadi,et al. The Applied Pi Calculus , 2016, J. ACM.
[49] Dominique Devriese,et al. StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities , 2018, Journal of Functional Programming.
[50] Douglas Kilpatrick,et al. Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.
[51] Daniel Davis Wood,et al. ETHEREUM: A SECURE DECENTRALISED GENERALISED TRANSACTION LEDGER , 2014 .
[52] Frank Piessens,et al. Secure Compilation (Dagstuhl Seminar 18201) , 2018, Dagstuhl Reports.
[53] Zhong Shao,et al. End-to-end verification of information-flow security for C and assembly programs , 2016, PLDI.
[54] Martín Abadi,et al. On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.
[55] Michele Pasqua,et al. Verifying Bounded Subset-Closed Hyperproperties , 2018, SAS.
[56] Benjamin Grégoire,et al. EasyCrypt: A Tutorial , 2013, FOSAD.
[57] Roberto Blanco,et al. When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise , 2018, CCS.
[58] Leslie Lamport,et al. Formal Foundation for Specification and Verification , 1984, Advanced Course: Distributed Systems.
[59] Matthias Blume,et al. An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.
[60] E. Stewart Lee,et al. A general theory of security properties , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).
[61] Brian Cantwell Smith,et al. Reflection and semantics in LISP , 1984, POPL.
[62] Matthias Blume,et al. Typed closure conversion preserves observational equivalence , 2008, ICFP.
[63] Derek Dreyer,et al. Robust and compositional verification of object capability patterns , 2017, Proc. ACM Program. Lang..
[64] Amal Ahmed. Verified Compilers for a Multi-Language World , 2015, SNAPL.
[65] David Sands,et al. Termination-Insensitive Noninterference Leaks More Than Just a Bit , 2008, ESORICS.
[66] Marco Patrignani,et al. Secure Compilation and Hyperproperty Preservation , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).
[67] Leslie Lamport,et al. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers [Book Review] , 2002, Computer.
[68] Andrew C. Myers,et al. Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..
[69] Roberto Gorrieri,et al. A Taxonomy of Security Properties for Process Algebras , 1995, J. Comput. Secur..
[70] Xavier Leroy,et al. Formal verification of a realistic compiler , 2009, CACM.
[71] Vern Paxson,et al. The Matter of Heartbleed , 2014, Internet Measurement Conference.
[72] Jeffrey S. Fenton. Memoryless Subsystems , 1974, Comput. J..
[73] Thomas P. Jensen,et al. Securing Compilation Against Memory Probing , 2018, PLAS@CCS.
[74] Dominique Devriese,et al. Fully-abstract compilation by approximate back-translation , 2016, POPL.
[75] Marco Patrignani,et al. Robustly Safe Compilation , 2019, ESOP.
[76] Marco Patrignani,et al. A Secure Compiler for ML Modules , 2015, APLAS.
[77] Karthikeyan Bhargavan,et al. HACL*: A Verified Modern Cryptographic Library , 2017, CCS.
[78] Nikhil Swamy,et al. Verified low-level programming embedded in F* , 2017, Proc. ACM Program. Lang..
[79] Nick Benton,et al. Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.
[80] Andrew Ruef,et al. Checked C: Making C Safe by Extension , 2018, 2018 IEEE Cybersecurity Development (SecDev).
[81] Peter G. Neumann,et al. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.
[82] Michael Backes,et al. Type-checking zero-knowledge , 2008, CCS.
[83] David Sands,et al. A Per Model of Secure Information Flow in Sequential Programs , 1999, High. Order Symb. Comput..
[84] Kedar S. Namjoshi,et al. Securing a Compiler Transformation , 2016, SAS.
[85] Milo M. K. Martin,et al. Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.
[86] Peter G. Neumann,et al. CHERI JNI: Sinking the Java Security Model into the C , 2017, ASPLOS.
[87] Julian Rathke,et al. Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.
[88] Bowen Alpern,et al. Defining Liveness , 1984, Inf. Process. Lett..
[89] Benjamin Grégoire,et al. Jasmin: High-Assurance and High-Speed Cryptography , 2017, CCS.
[90] Peter G. Neumann,et al. Clean Application Compartmentalization with SOAAP , 2015, CCS.
[91] David Sands,et al. A Per Model of Secure Information Flow in Sequential Programs , 1999, ESOP.
[92] John McLean,et al. Proving Noninterference and Functional Correctness Using Traces , 1992, J. Comput. Secur..
[93] Vincent Cheval,et al. Deciding equivalence-based properties using constraint solving , 2013, Theor. Comput. Sci..
[94] Amal Ahmed,et al. Verifying an Open Compiler Using Multi-language Semantics , 2014, ESOP.
[95] Andrew C. Myers,et al. Nonmalleable Information Flow Control , 2017, CCS.
[96] Julian Rathke,et al. Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.
[97] Dominique Devriese,et al. Fully-abstract compilation by approximate back-translation: Technical appendix , 2015 .
[98] Benjamin C. Pierce,et al. Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).