Formalizing a Secure Foreign Function Interface

Many high-level functional programming languages provide programmers with the ability to interoperate with untyped and low-level languages such as C and assembly. Research into the security of such interoperation has generally focused on a closed-world scenario, one where both the high-level and low-level code are defined and analyzed statically. In practice, however, components are sometimes linked in at run-time through malicious means. In this paper we formalize an operational semantics that securely combines \(\mathrm{MiniML}\), a lightweight ML, with a model of a low-level attacker, without relying on any static checks on the attacker. We prove that the operational semantics is secure by establishing that it preserves and reflects the equivalences of \(\mathrm{MiniML}\). To that end, a notion of bisimulation for the interaction between the attacker and \(\mathrm{MiniML}\) is developed.
