Towards Automatic Compartmentalization of C Programs on Capability Machines

Capability-based protection mechanisms can offer fine-grained memory protection (through memory capabilities), as well as fine-grained protection of general software-defined objects (through object capabilities). Because capabilities closely resemble the notion of a pointer in C, compilers can use the capability mechanisms offered by the target platform to generate code that is more resilient to attack. For instance, C arrays can be compiled to memory capabilities, thus providing hardware-enforced spatial safety guarantees and hence strong resilience against buffer overflow attacks. State-of-the-art capability-based systems (for instance the CHERI system [1]) come with a C compiler that provides such safety guarantees. But such safe compilation does not provide security guarantees for an attacker model where an attacker can compromise part of the code of an application, for instance by providing a malicious library, possibly in compiled form: the application is still executed in a single protection domain. The mechanism of object capabilities can be used to remedy this. Object capabilities support compartmentalization of an application, where different parts of the application are executed in different protection domains, so that one part of the application can be protected against malicious behaviour in other parts. However, to the best of our knowledge, state-of-the-art C compilers provide no automatic support for such compartmentalization. In CHERI, support for such compartmentalization is offered as an API [2]. This paper reports on our work-in-progress on the definition, implementation and evaluation of a compiler that automatically compartmentalizes the programs it compiles, essentially by executing each C compilation unit in a separate protection domain.
We provide a formal definition of our compiler, and an implementation on CHERI as a source-to-source compiler that can detect and insert the necessary invocations to CHERI’s API for compartmentalization. We illustrate the security properties of the compiler by means of examples and discuss our work-in-progress on formalizing and proving these security properties. This paper uses colours to distinguish elements of different languages. For a better experience, please print/view it in colour.
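As an added illustration (not from the paper, and not CHERI's actual capability encoding or API), the following portable C models the spatial-safety argument above: a memory capability carries bounds and permissions with the pointer, every store is checked against them, and derived capabilities can only shrink (monotonicity). The `cap_t` struct and the `cap_restrict`/`cap_store` helpers are constructed names for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed software model of a memory capability: bounds and permissions travel
 * with the pointer and every access is checked. Not CHERI's encoding or API. */
enum { PERM_LOAD = 1u, PERM_STORE = 2u };

typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* bytes in bounds, starting at base */
    unsigned perms;   /* bitmask of PERM_LOAD / PERM_STORE */
} cap_t;

/* Derive a narrower capability. Monotonicity: bounds may only shrink and
 * permissions may only be dropped; any attempt to widen is refused. */
static bool cap_restrict(cap_t p, size_t start, size_t len, unsigned perms, cap_t *out) {
    if (start > p.length || len > p.length - start || (perms & ~p.perms)) return false;
    *out = (cap_t){ p.base + start, len, perms };
    return true;
}

/* Checked byte store; returning false models the hardware trap CHERI raises
 * for a store outside the bounds or without PERM_STORE. */
static bool cap_store(cap_t c, size_t idx, uint8_t v) {
    if (!(c.perms & PERM_STORE) || idx >= c.length) return false;
    c.base[idx] = v;
    return true;
}

/* 16-byte copy into an 8-byte array that sits right before `secret`. A raw
 * pointer would spill into `secret`; the capability a compiler derives for
 * `buf` admits only 8 stores, so `secret` stays zero (returns true). */
static bool overflow_is_contained(void) {
    struct { uint8_t buf[8]; uint8_t secret[8]; } frame = {{0}, {0}};
    cap_t buf = { frame.buf, sizeof frame.buf, PERM_LOAD | PERM_STORE };
    size_t written = 0;
    while (written < 16 && cap_store(buf, written, 0x41)) written++;
    static const uint8_t zeros[8] = {0};
    return written == 8 && memcmp(frame.secret, zeros, sizeof zeros) == 0;
}

/* Read-only sub-capability cannot store; a derived capability cannot exceed its parent. */
static bool monotonicity_holds(void) {
    uint8_t a[8] = {0};
    cap_t full = { a, sizeof a, PERM_LOAD | PERM_STORE }, ro, wide;
    bool narrowed = cap_restrict(full, 0, 4, PERM_LOAD, &ro);     /* in bounds */
    bool widened  = cap_restrict(full, 4, 8, PERM_STORE, &wide);  /* 4+8 > 8 */
    return narrowed && !widened && !cap_store(ro, 0, 1);
}
```

The compartmentalization the paper adds on top of this (object capabilities and separate protection domains per compilation unit) is not modelled here.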

[1] Jack B. Dennis et al. Programming semantics for multiprogrammed computations, 1966, CACM.

[2] Robert S. Fabry et al. Capability-based addressing, 1974, CACM.

[3] William A. Wulf et al. HYDRA, 1974, Commun. ACM.

[4] Jerome H. Saltzer et al. The protection of information in computer systems, 1975, Proc. IEEE.

[5] Henry M. Levy et al. Capability-Based Computer Systems, 1984.

[6] William J. Dally et al. Hardware support for fast capability-based addressing, 1994, ASPLOS VI.

[7] The M-Machine multicomputer, 1995, MICRO.

[8] Martín Abadi et al. Protection in Programming-Language Translations, 1998, ICALP.

[9] J. Shapiro et al. EROS: a fast capability system, 2000, OPSR.

[10] Matthias Blume et al. Typed closure conversion preserves observational equivalence, 2008, ICFP.

[11] Matthias Blume et al. Typed closure conversion preserves observational equivalence, 2008, ICFP 2008.

[12] David A. Wagner et al. Joe-E: A Security-Oriented Subset of Java, 2010, NDSS.

[13] Martín Abadi et al. On Protection by Layout Randomization, 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[14] Julian Rathke et al. Local Memory via Layout Randomization, 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[15] Matthias Blume et al. An equivalence-preserving CPS translation via multi-language semantics, 2011, ICFP '11.

[16] Frank Piessens et al. Secure Compilation to Modern Processors, 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[17] Juan Chen et al. Fully abstract compilation to JavaScript, 2013, POPL.

[18] Frank Piessens et al. Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base, 2013, USENIX Security Symposium.

[19] Peter G. Neumann et al. The CHERI capability model: Revisiting RISC in an age of risk, 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[20] Peter G. Neumann et al. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture, 2014.

[21] Jonathan Woodruff et al. CHERI: a RISC capability machine for practical memory safety, 2014.

[22] Yannis Juglaret. Secure Compilation Using Micro-Policies (Extended Abstract), 2015.

[23] Marco Patrignani et al. Secure Compilation to Protected Module Architectures, 2015, TOPL.

[24] Peter G. Neumann et al. Capability Hardware Enhanced RISC Instructions: CHERI Programmer’s Guide, 2015.

[25] Marco Patrignani et al. Fully abstract trace semantics for protected module architectures, 2015, Comput. Lang. Syst. Struct.

[26] Jonathan M. Smith et al. Architectural Support for Software-Defined Metadata Processing, 2015, ASPLOS.

[27] Peter G. Neumann et al. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, 2015, 2015 IEEE Symposium on Security and Privacy.

[28] Marco Patrignani et al. A Formal Model for Capability Machines: An Illustrative Case Study towards Secure Compilation to CHERI, 2016.

[29] Dominique Devriese et al. Fully-abstract compilation by approximate back-translation, 2016, POPL.

[30] Dominique Devriese et al. Reasoning about Object Capabilities with Logical Relations and Effect Parametricity, 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[31] Dominique Devriese et al. On Modular and Fully-Abstract Compilation, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[32] Benjamin C. Pierce et al. Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation, 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[33] Max S. New et al. Fully abstract compilation via universal embedding, 2016, ICFP.

[34] Marco Patrignani et al. Secure Compilation and Hyperproperty Preservation, 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).