Temporal Safety for Stack Allocated Memory on Capability Machines

Memory capabilities as supported in capability machines are very similar to fat pointers, and hence are very useful for the efficient enforcement of spatial memory safety. Enforcing temporal memory safety, however, is more challenging. This paper investigates an approach to enforcing temporal memory safety for stack-allocated memory in C-like languages by extending capabilities with a simple dynamic mechanism. The mechanism compares lifetimes at store time: a capability to memory with a certain lifetime can only be stored in memory that does not outlive it, so a pointer into a stack frame may be kept in that frame or in deeper, shorter-lived frames, but never in a caller's frame or in global memory, where it would become dangling once the frame is popped. Our mechanism prevents temporal memory safety violations, yet is sufficiently permissive to allow typical C coding idioms where the address of a local variable is passed up the call stack to callees. We formalize the desired behavior of a simple C-like language as a dependently typed operational semantics, and we show that existing compilers to capability machines do not simulate this desired behavior: they either have to break temporal safety, or they have to defensively rule out allowed behaviors. Finally, we show that with our proposed dynamic mechanism, our compiler is fully abstract.
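The following C program is an added illustration of the store-time lifetime check the abstract describes; it is not code from the paper and does not model the authors' actual capability encoding. It assumes a simplified tagging scheme in which stack memory carries the depth of the frame that allocated it (deeper frames die first, so larger depth means shorter lifetime) and globals have depth 0. All names here (cap_t, cap_cell_t, cap_store, the three idiom functions) are hypothetical. It exercises the two idioms the abstract contrasts: passing the address of a local to a callee, which must be allowed, and letting a callee leak the address of its own local into a caller's frame or a global, which must be refused.

```c
/* Added example: a model of the store-time lifetime check, not the paper's
 * mechanism. Depth encoding, struct names and helpers are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define GLOBAL_DEPTH 0   /* globals/statics outlive every stack frame */

/* A capability: an address plus the depth of the frame whose memory it
 * designates (the lifetime tag the mechanism would carry alongside it). */
typedef struct {
    void *addr;
    unsigned depth;      /* 0 = global; n = n-th nested stack frame */
} cap_t;

/* A memory cell able to hold a capability, tagged with its own depth. */
typedef struct {
    cap_t value;
    unsigned depth;
    bool valid;          /* set only when a store was accepted */
} cap_cell_t;

/* The dynamic check: the destination cell may not outlive the memory the
 * capability points to. A smaller depth means a longer lifetime, so the
 * store is refused exactly when the cell is shallower than the target. */
static bool cap_store(cap_cell_t *cell, cap_t c)
{
    if (cell->depth < c.depth) {
        /* the cell would still exist after the target frame is popped */
        cell->valid = false;
        return false;
    }
    cell->value = c;
    cell->valid = true;
    return true;
}

/* Idiom 1: a caller at depth 1 passes &x to a callee at depth 2, which keeps
 * the pointer in one of its own locals. The callee's frame dies first, so
 * the store is accepted and the callee can update x through it. */
int idiom_pass_down(void)
{
    int x = 41;                                       /* depth-1 local   */
    cap_t to_x = { &x, 1 };
    cap_cell_t callee_local = { {NULL, 0}, 2, false }; /* depth-2 cell   */
    if (!cap_store(&callee_local, to_x))
        return -1;
    *(int *)callee_local.value.addr += 1;
    return x;                                         /* 42 */
}

/* Idiom 2: a callee at depth 2 tries to hand &tmp back to its caller through
 * an out-parameter that lives in the depth-1 frame. The stored capability
 * would outlive tmp, so the store is refused. */
bool idiom_escape_to_caller(void)
{
    cap_cell_t caller_slot = { {NULL, 0}, 1, false };  /* caller's cell   */
    int tmp = 7;                                       /* depth-2 local   */
    cap_t to_tmp = { &tmp, 2 };
    return cap_store(&caller_slot, to_tmp);            /* false */
}

/* Idiom 3: storing any stack capability into a global is refused, since
 * global memory outlives every frame. */
static cap_cell_t g_slot = { {NULL, 0}, GLOBAL_DEPTH, false };

bool idiom_escape_to_global(void)
{
    int local = 3;                                     /* depth-1 local   */
    cap_t to_local = { &local, 1 };
    return cap_store(&g_slot, to_local);               /* false */
}

int main(void)
{
    printf("pass address down to callee -> x = %d\n", idiom_pass_down());
    printf("leak callee local to caller accepted: %d\n",
           (int)idiom_escape_to_caller());
    printf("leak stack local to global accepted: %d\n",
           (int)idiom_escape_to_global());
    return 0;
}
```

Only the store is checked, never the load or the dereference, which is what keeps the mechanism cheap: a capability that was never allowed to reach longer-lived memory cannot be loaded from it after the frame is gone. A real implementation would derive the depth tag from the stack-pointer capability at allocation time rather than from hand-written constants as here.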
