Type-preserving compilation of end-to-end verification of security enforcement

A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proof-carrying authorization. Others languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables end-to-end verification is missing. In this paper, we present a type-preserving compiler that translates programs written in FINE, a source-level functional language with dependent refinements and affine types, to DCIL, a new extension of the .NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCF-style proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proof-carrying authorization, and evidence-based auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a plugin-based email client to a conference management server.

[1]  Juan Chen,et al.  Enforcing Stateful Authorization and Information Flow Policies in Fine , 2010, ESOP.

[2]  Robert Harper,et al.  Distributed programming with distributed authorization , 2010, TLDI '10.

[3]  Nikhil Swamy,et al.  End-to-end Verification of Security Enforcement is Fine (Extended version) , 2009 .

[4]  Timothy W. Simpson,et al.  Verified programming in Guru , 2009, PLPV '09.

[5]  Sascha Böhme,et al.  Proof Reconstruction for Z3 in Isabelle/HOL , 2009 .

[6]  Jens Palsberg,et al.  Constrained types for object-oriented languages , 2008, OOPSLA.

[7]  Limin Jia,et al.  AURA: a programming language for authorization and audit , 2008, ICFP.

[8]  Andrew D. Gordon,et al.  Refinement Types for Secure Implementations , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[9]  Limin Jia,et al.  Evidence-Based Audit , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[10]  Michael Hicks,et al.  Fable: A Language for Enforcing User-defined Security Policies , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[11]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[12]  Andrew D. Gordon,et al.  Proceedings of the 21st IEEE Computer Security Foundations Symposium, CSF 2008, Pittsburgh, Pennsylvania, USA, 23-25 June 2008 , 2008, CSF.

[13]  Kathi Fisler,et al.  Specifying and Reasoning About Dynamic Access-Control Policies , 2006, IJCAR.

[14]  Dachuan Yu,et al.  A Typed Assembly Language for Confidentiality , 2006, ESOP.

[15]  Cormac Flanagan,et al.  Hybrid type checking , 2006, POPL '06.

[16]  Stephen N. Freund,et al.  Hybrid Types , Invariants , and Refinements For Imperative Objects , 2006 .

[17]  Andrew Kennedy,et al.  Transposing F to C#: Expressivity of polymorphism in an object-oriented language , 2004 .

[18]  Andrew Kennedy,et al.  Transposing F to C♯: expressivity of parametric polymorphism in an object‐oriented language , 2004, Concurr. Pract. Exp..

[19]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.

[20]  Andrew C. Myers,et al.  Dynamic Security Labels and Noninterference , 2004 .

[21]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[22]  Andrew W. Appel,et al.  Proof-carrying authentication , 1999, CCS '99.

[23]  MorrisettGreg,et al.  From system F to typed assembly language , 1999 .

[24]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[25]  Amr Sabry,et al.  The essence of compiling with continuations (with retrospective) , 1993, PLDI 1993.

[26]  Robin Milner,et al.  LCF: A Way of Doing Proofs with a Machine , 1979, MFCS.