Modular, Fully-abstract Compilation by Approximate Back-translation

A compiler is fully abstract if compilation from source-language programs to target-language programs both preserves and reflects behavioural equivalence. Such compilers have important security benefits: they limit the power of an attacker interacting with the program in the target language to that of an attacker interacting with the program in the source language. Proving compiler full abstraction is, however, rather complicated. A common proof technique is based on the back-translation of target-level program contexts to behaviourally equivalent source-level contexts. Constructing such a back-translation is problematic, however, when the source language is not strong enough to embed an encoding of the target language. For instance, when compiling from the simply-typed lambda calculus (STLC) to the untyped lambda calculus (ULC), the lack of recursive types in the former prevents such a back-translation. We propose a general and elegant solution to this problem. The key insight is that it suffices to construct an approximate back-translation. The approximation is accurate only up to a certain number of steps and conservative beyond that, in the sense that the context generated by the back-translation may diverge where the original would not, but not vice versa. Based on this insight, we describe a general technique for proving compiler full abstraction and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric cross-language logical relations and makes innovative use of step-indexing to express the relation between a context and its approximate back-translation. The proof extends easily to common compiler patterns such as modular compilation and, to the best of our knowledge, it is the first compiler full-abstraction proof to have been fully mechanised in Coq. We believe this proof technique can scale to challenging settings and enable simpler, more scalable proofs of compiler full abstraction.
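The asymmetry at the heart of the abstract (an approximation that is exact up to n steps and may only err towards divergence beyond that) is easiest to see on a toy. The following Python is an added illustration, not code from the paper or its Coq development: the paper back-translates ULC contexts into STLC terms, whereas here the "approximation" is simply a fuel-bounded evaluator of the target language, which is a hypothetical stand-in for that construction. The type-erasing `erase` compiler, the `Hole`/`plug` representation of contexts, the `DIVERGE` sentinel and the sample programs are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# ---- Target language: untyped lambda calculus (ULC) with a unit constant ----
@dataclass(frozen=True)
class Unit: pass
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: param: str; body: "Term"
@dataclass(frozen=True)
class App: fn: "Term"; arg: "Term"
@dataclass(frozen=True)
class Hole: pass            # the hole of a program context C[.]
Term = Union[Unit, Var, Lam, App, Hole]

# ---- Source language: STLC, same syntax but binders carry a type ----
@dataclass(frozen=True)
class TLam: param: str; ty: str; body: "STerm"
STerm = Union[Unit, Var, TLam, App]

def erase(t: STerm) -> Term:
    """Hypothetical STLC->ULC compiler: drop type annotations."""
    if isinstance(t, TLam): return Lam(t.param, erase(t.body))
    if isinstance(t, App):  return App(erase(t.fn), erase(t.arg))
    return t

def plug(ctx: Term, t: Term) -> Term:
    """C[t]: replace every Hole in the target context with the compiled program."""
    if isinstance(ctx, Hole): return t
    if isinstance(ctx, Lam):  return Lam(ctx.param, plug(ctx.body, t))
    if isinstance(ctx, App):  return App(plug(ctx.fn, t), plug(ctx.arg, t))
    return ctx

# ---- Step-indexed (fuel-bounded) evaluation: the approximation ----
class Diverge:
    """Sentinel: the step budget ran out, so the approximation reports divergence."""
    def __repr__(self): return "DIVERGE"
DIVERGE = Diverge()

@dataclass(frozen=True)
class Closure: param: str; body: Term; env: Tuple[Tuple[str, object], ...]

class Stuck(Exception):
    """Ill-formed target program (e.g. applying unit); ULC contexts can do this."""

def ev(t, env, fuel):
    """Call-by-value evaluation; each beta step costs one unit of fuel.
    Returns (value, fuel_left), or (DIVERGE, 0) once the budget is exhausted."""
    if isinstance(t, Unit): return t, fuel
    if isinstance(t, Lam):  return Closure(t.param, t.body, env), fuel
    if isinstance(t, Hole): raise Stuck("unplugged hole")
    if isinstance(t, Var):
        for name, val in reversed(env):
            if name == t.name: return val, fuel
        raise Stuck(f"unbound variable {t.name}")
    fn, fuel = ev(t.fn, env, fuel)
    if fn is DIVERGE: return DIVERGE, 0
    arg, fuel = ev(t.arg, env, fuel)
    if arg is DIVERGE: return DIVERGE, 0
    if not isinstance(fn, Closure): raise Stuck("applying a non-function")
    if fuel == 0: return DIVERGE, 0   # beyond the step index: conservatively diverge
    return ev(fn.body, fn.env + ((fn.param, arg),), fuel - 1)

def run(t: Term, n: int):
    """The n-step approximation of t's behaviour: a value, or DIVERGE."""
    return ev(t, (), n)[0]

def approx(ctx: Term, src: STerm, n: int):
    """Observe compiled src under target context ctx, accurate up to n beta steps."""
    return run(plug(ctx, erase(src)), n)

def conservative(ctx: Term, src: STerm, max_n: int) -> bool:
    """The asymmetry from the abstract, checked on one context: if the
    n-approximation terminates with v, every larger budget m >= n also yields v.
    DIVERGE at budget n says nothing (it may be genuine or just the budget)."""
    results = [approx(ctx, src, n) for n in range(max_n + 1)]
    for n, r in enumerate(results):
        if r is not DIVERGE and any(results[m] != r for m in range(n, max_n + 1)):
            return False
    return True

# ---- Constructed sample inputs (not from the paper) ----
ID_UNIT = TLam("x", "Unit", Var("x"))                     # source program: identity on unit
OMEGA = App(Lam("x", App(Var("x"), Var("x"))),
            Lam("x", App(Var("x"), Var("x"))))            # untypeable in STLC, fine in ULC

def apply_hole_k(k: int) -> Term:
    """Target context C_k = [.] ([.] (... unit)): needs exactly k beta steps."""
    ctx: Term = Unit()
    for _ in range(k):
        ctx = App(Hole(), ctx)
    return ctx

LOOP_AFTER_HOLE = App(Lam("_", OMEGA), App(Hole(), Unit()))  # uses the hole, then loops

if __name__ == "__main__":
    print(approx(apply_hole_k(3), ID_UNIT, 2))   # DIVERGE (budget too small, conservative)
    print(approx(apply_hole_k(3), ID_UNIT, 3))   # Unit()  (accurate once n >= 3)
    print(approx(LOOP_AFTER_HOLE, ID_UNIT, 40))  # DIVERGE (genuinely diverges)
```

Running it shows the two directions of the asymmetry: `C_3` needs three beta steps, so the 2-step approximation reports divergence although the real context terminates, while no budget ever makes a genuinely diverging context such as `LOOP_AFTER_HOLE` appear to terminate. `conservative` checks, over a range of budgets, that a terminating approximation is never contradicted by a larger one, which is the property the paper's step-indexed logical relation captures for the real back-translation.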
