Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation

Compartmentalization is good security-engineering practice. By breaking a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by low-level attacks such as control-flow hijacking. When used to defend against such attacks, compartmentalization is often implemented cooperatively by a compiler and a low-level compartmentalization mechanism. However, the formal guarantees provided by such compartmentalizing compilation have seen surprisingly little investigation. We propose a new security property, secure compartmentalizing compilation (SCC), that formally characterizes the guarantees provided by compartmentalizing compilation and clarifies its attacker model. We reconstruct our property by starting from the well-established notion of fully abstract compilation, then identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove SCC by adapting established proof techniques, we illustrate this with a compiler from a simple unsafe imperative language with procedures to a compartmentalized abstract machine.

[1]  Julian Rathke,et al.  Local Memory via Layout Randomization , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[2]  D. Garg,et al.  A Logic of Programs with Interface-Confined Code , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[3]  Peter G. Neumann,et al.  Clean Application Compartmentalization with SOAAP , 2015, CCS.

[4]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[5]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[6]  Benjamin C. Pierce,et al.  Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components , 2015, ArXiv.

[7]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[8]  Milo M. K. Martin,et al.  WatchdogLite: Hardware-Accelerated Compiler-Based Pointer Checking , 2014, CGO '14.

[9]  Martín Abadi,et al.  Layout Randomization and Nondeterminism , 2013, MFPS.

[10]  Bjorn De Sutter,et al.  ARMor: Fully verified software fault isolation , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[11]  Dominique Devriese,et al.  Modular, Fully-abstract Compilation by Approximate Back-translation , 2017, Log. Methods Comput. Sci..

[12]  Dominique Devriese,et al.  On Modular and Fully-Abstract Compilation , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[13]  Mathias Payer,et al.  Control-Flow Integrity , 2017, ACM Comput. Surv..

[14]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[15]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.

[16]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[17]  Marco Patrignani,et al.  Secure Compilation of Object-Oriented Components to Protected Module Architectures , 2013, APLAS.

[18]  Douglas Kilpatrick,et al.  Privman: A Library for Partitioning Applications , 2003, USENIX Annual Technical Conference, FREENIX Track.

[19]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[20]  Julian Rathke,et al.  A fully abstract may testing semantics for concurrent objects , 2005, Theor. Comput. Sci..

[21]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[22]  Martín Abadi,et al.  On Protection by Layout Randomization , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[23]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[24]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[25]  Dominique Devriese,et al.  Reasoning about Object Capabilities with Logical Relations and Effect Parametricity , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[26]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[27]  Max S. New,et al.  Fully abstract compilation via universal embedding , 2016, ICFP.

[28]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[29]  Úlfar Erlingsson,et al.  Low-Level Software Security: Attacks and Defenses , 2007, FOSAD.

[30]  Matthias Blume,et al.  An equivalence-preserving CPS translation via multi-language semantics , 2011, ICFP '11.

[31]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[32]  Richard Lippmann,et al.  Testing static analysis tools using exploitable buffer overflows from open source code , 2004, SIGSOFT '04/FSE-12.

[33]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[34]  Matthias Felleisen,et al.  Contracts for higher-order functions , 2002, ICFP '02.

[35]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[36]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[37]  Milo M. K. Martin,et al.  Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.

[38]  Andrew W. Appel,et al.  Portable Software Fault Isolation , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[39]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[40]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[41]  Fan Long,et al.  Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity , 2015, CCS.

[42]  Martín Abadi,et al.  On Layout Randomization for Arrays and Functions , 2013, POST.

[43]  Julian Rathke,et al.  Java Jr: Fully Abstract Trace Semantics for a Core Java Language , 2005, ESOP.

[44]  Dominique Devriese,et al.  Fully-abstract compilation by approximate back-translation , 2016, POPL.

[45]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[46]  Marco Patrignani,et al.  A Secure Compiler for ML Modules , 2015, APLAS.

[47]  Marco Patrignani,et al.  The Tome of Secure Compilation: Fully Abstract Compilation to Protected Modules Architectures ; Het boek van veilige compilatie: Volledig abstracte compilatie naar beschermende modulearchitecturen , 2015 .

[48]  Koen Claessen,et al.  QuickCheck: a lightweight tool for random testing of Haskell programs , 2000, ICFP.

[49]  Charles Reis,et al.  Isolating web programs in modern browser architectures , 2009, EuroSys '09.

[50]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[51]  Matthias Blume,et al.  Typed closure conversion preserves observational equivalence , 2008, ICFP.

[52]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[53]  Amal Ahmed Verified Compilers for a Multi-Language World , 2015, SNAPL.

[54]  Herbert Bos,et al.  Out of Control: Overcoming Control-Flow Integrity , 2014, 2014 IEEE Symposium on Security and Privacy.

[55]  Frank Piessens,et al.  Sound Modular Verification of C Code Executing in an Unverified Context , 2014, POPL.

[56]  Ramana Kumar,et al.  CakeML: a verified implementation of ML , 2014, POPL.

[57]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[58]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[59]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[60]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[61]  Úlfar Erlingsson,et al.  Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors , 2013, USENIX Security Symposium.

[62]  Milo M. K. Martin,et al.  Hardware-Enforced Comprehensive Memory Safety , 2013, IEEE Micro.

[63]  Xavier Leroy,et al.  A Formally Verified Compiler Back-end , 2009, Journal of Automated Reasoning.

[64]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[65]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[66]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[67]  Robin Milner,et al.  Processes: A Mathematical Model of Computing Agents , 1975 .

[68]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[69]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[70]  Marco Patrignani,et al.  Fully abstract trace semantics for protected module architectures , 2015, Comput. Lang. Syst. Struct..