On Modular and Fully-Abstract Compilation

Secure compilation studies compilers that generate target-level components that are as secure as their source-level counterparts. Full abstraction is the most widely proven property when defining a secure compiler. A compiler is modular if it allows different components to be compiled independently and then linked together to form a whole program. Unfortunately, many existing fully-abstract compilers to untyped machine code are not modular: while each fully-abstractly compiled component is secure against malicious attackers on its own, the component obtained by linking several of them together may become vulnerable to attacks. This paper studies how to devise modular, fully-abstract compilers. It first analyses the attacks that arise when compiled programs are linked together, identifying security threats that are due to linking. It then defines a compiler from an object-based language with method calls and dynamic memory allocation to an untyped assembly language extended with a memory isolation mechanism. The paper provides a proof sketch that the defined compiler is fully abstract and modular, so its output can be linked together without introducing security violations.
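The gap between a source-level equivalence and a target-level attacker is easiest to see in a toy. The Python sketch below is an added illustration written for this page; it is not code from the paper or its technical appendix, and the flat memory model, the protected-range trap standing in for the memory isolation mechanism, and all names are assumptions of the example. It shows two source components that differ only in a private field (contextually equivalent at the source level, since the exported method does not depend on the field), a naive compiler whose output an attacking target context tells apart by reading raw memory (so that compiler is not fully abstract), and an isolating compiler for which the same attack traps, leaving the two outputs indistinguishable to that context.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class SourceComponent:
    """Source-level component: one private field and one exported method.

    ping() does not depend on the secret, so no source context can tell two
    components with different secrets apart: they are source-equivalent.
    """
    secret: int

    def ping(self) -> int:
        return 42


class IsolationTrap(Exception):
    """Raised when code outside the protected range reads inside it."""


class Memory:
    """Flat target memory with an optional protected (lo, hi) word range.

    Only reads issued from inside the range succeed on protected words; any
    other read traps. This is an assumed stand-in for a memory isolation
    mechanism, not the paper's exact target model.
    """

    def __init__(self, size: int, protected: Optional[Tuple[int, int]] = None):
        self.words = [0] * size
        self.protected = protected

    def read(self, addr: int, from_protected: bool = False) -> int:
        if self.protected is not None and not from_protected:
            lo, hi = self.protected
            if lo <= addr < hi:
                raise IsolationTrap(f"read of protected word {addr} trapped")
        return self.words[addr]

    def write(self, addr: int, value: int) -> None:
        self.words[addr] = value


@dataclass
class TargetComponent:
    """Compiled component: its memory plus the entry point a context may call."""
    mem: Memory
    entry: Callable[[], int]


SECRET_ADDR = 0  # both compilers store the private field here (assumed layout)


def _compiled_ping(mem: Memory) -> Callable[[], int]:
    # Compiled method body: touches its own field (as component code, i.e. from
    # inside the protected range if there is one) and returns the constant.
    def entry() -> int:
        mem.read(SECRET_ADDR, from_protected=True)
        return 42
    return entry


def compile_naive(src: SourceComponent) -> TargetComponent:
    """Lays the secret out in ordinary readable memory: not fully abstract."""
    mem = Memory(size=8)
    mem.write(SECRET_ADDR, src.secret)
    return TargetComponent(mem, _compiled_ping(mem))


def compile_isolated(src: SourceComponent) -> TargetComponent:
    """Places the secret inside a protected range that outside reads cannot see."""
    mem = Memory(size=8, protected=(0, 4))
    mem.write(SECRET_ADDR, src.secret)
    return TargetComponent(mem, _compiled_ping(mem))


Observation = Tuple[object, ...]
Context = Callable[[TargetComponent], Observation]


def attacker_context(t: TargetComponent) -> Observation:
    """A target-level context: uses the exported entry point as a source
    context would, then does what no source context can: read raw memory."""
    obs: list = [t.entry()]
    try:
        obs.append(t.mem.read(SECRET_ADDR))
    except IsolationTrap:
        obs.append("trap")
    return tuple(obs)


def distinguishes(ctx: Context, t1: TargetComponent, t2: TargetComponent) -> bool:
    """True when the context observes different behaviour from t1 and t2: a
    witness that the compiler failed to preserve the source-level equivalence."""
    return ctx(t1) != ctx(t2)


if __name__ == "__main__":
    a, b = SourceComponent(secret=7), SourceComponent(secret=9)
    print("naive compiler distinguished:   ", distinguishes(attacker_context, compile_naive(a), compile_naive(b)))
    print("isolated compiler distinguished:", distinguishes(attacker_context, compile_isolated(a), compile_isolated(b)))
```

A single distinguishing context is enough to refute full abstraction for the naive compiler; the isolating compiler surviving this one attacker is only evidence, not a proof, which is why the paper argues over all target contexts rather than a sample. Note also that the trap is what restores the equivalence: the attacker observes "trap" for both secrets, so it learns nothing beyond what a source context could.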
