StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities

We propose and study StkTokens: a new calling convention that provably enforces well-bracketed control flow and local state encapsulation on a capability machine. The calling convention is based on linear capabilities: a kind of capability that the hardware prevents from being duplicated. In addition to designing and formalizing this new calling convention, we also contribute a new way to formalize and prove that it effectively enforces well-bracketed control flow and local state encapsulation, using what we call a fully abstract overlay semantics.