Robustly Safe Compilation or, Efficient, Provably Secure Compilation

Secure compilers generate compiled code that withstands many target-level attacks such as alteration of control flow, data leaks or memory corruption. Many existing secure compilers are proven to be fully abstract, meaning that they reflect and preserve observational equivalence. Fully abstract compilation is a strong and useful property that, in certain cases, comes at the cost of requiring expensive runtime constructs in compiled code. These constructs may have no relevance for security, but they are needed to accommodate differences between the source language and the target language that fully abstract compilation must necessarily account for. As an alternative to fully abstract compilation, this paper explores a different criterion for secure compilation called robustly safe compilation, or RSC. Briefly, this criterion means that the compiled code preserves the relevant safety properties of the source program against all adversarial contexts that interact with that program. We show that RSC can be attained easily and results in code that is more efficient than that generated by fully abstract compilers. We also develop three illustrative robustly safe compilers and, through them, two different proof techniques for establishing that a compiler attains RSC. Through these, we also establish that proving RSC is simpler than proving full abstraction.