CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

El-Korashy, Akram; Tsampas, Stelios; Patrignani, Marco; Devriese, Dominique; Garg, Deepak; Piessens, Frank

doi:10.1109/csf51468.2021.00036

Cited by 8 publications

(16 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Consequently, information needed to reconstruct how to access the shared pointer is missing from interaction traces, which makes the back-translation extremely difficult. Prior work that has even considered this situation [18,38] relied on extensive bookkeeping to reconstruct this missing information, which is unwieldy and complex. For instance, the source context generated by El-Korashy et al [18] had to fetch all reachable pointers every time it got control and store them in its internal state.…”

Section: Data-flow Back-translationmentioning

confidence: 99%

“…Prior work that has even considered this situation [18,38] relied on extensive bookkeeping to reconstruct this missing information, which is unwieldy and complex. For instance, the source context generated by El-Korashy et al [18] had to fetch all reachable pointers every time it got control and store them in its internal state. This required complex simulation invariants, on top of the usual invariants between the states of the target and source contexts.…”

Section: Data-flow Back-translationmentioning

confidence: 99%

“…This proof step, often called back-translation, is crucial for establishing that a vulnerable compiled program only arises from a vulnerable source program, thus preserving the security of partial source programs even against adversarial target contexts. Although there is a long line of work on proving secure compilation for prototype compilation chains that differ in the specific security properties preserved and the way security is practically enforced [3,4,6,7,13,15,16,18,36,39,40,40,46,51,53], back-translation is a common, large element of such secure compilation proofs.…”

Section: Introductionmentioning

confidence: 99%

“…In contrast, trace-based back-translation works by defining a target-language interaction trace semantics that represents all the interactions between the compiled program and its context (e.g., cross-component calls and returns) and constructing the violating source context from the violating target trace instead of the violating target context [3,18,37,39]. This has the advantage of not having to mimic the internal behavior of the target context in the source language.…”

Section: Introductionmentioning

confidence: 99%

“…Although very powerful in principle, trace-based back-translation is rather understudied for settings where the program and its context can share memory by passing pointers or references to each other, something that is common in practical languages like C, Java, and ML. There is a good reason for this relative paucity of work: memory sharing is a source of interesting interaction between the program and its context, so allowing it makes the definition of traces [18,26], the backtranslation, and the proof of secure compilation significantly more complex. Moreover, as we explain below, memory sharing changes parts of the proof conceptually and needs fundamentally new techniques.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

El-Korashy¹,

Blanco²,

Thibault³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Proving secure compilation of partial programs typically requires back-translating a target attack against the compiled program to an attack against the source program. To prove this back-translation step, one can syntactically translate the target attacker to a source one-i.e., syntax-directed backtranslation-or show that the interaction traces of the target attacker can also be produced by source attackers-i.e., tracedirected back-translation.Syntax-directed back-translation is not suitable when the target attacker uses unstructured control flow that the source language cannot directly represent. Trace-directed back-translation works with such syntactic dissimilarity because only the external interactions of the target attacker have to be mimicked in the source, not its internal control flow. Revealing only external interactions is, however, inconvenient when sharing memory via unforgeable pointers, since information about stashed pointers to shared memory gets lost. This made prior proofs complex, since the generated attacker had to stash all reachable pointers.In this work, we introduce more informative data-flow traces, which allow us to combine the best of syntax-directed and trace-directed back-translation. Our data-flow back-translation is simple, handles both syntactic dissimilarity and memory sharing well, and we have proved it correct in Coq.We, moreover, develop a novel turn-taking simulation relation and use it to prove a recomposition lemma, which is key to reusing compiler correctness in such secure compilation proofs. We are the first to mechanize such a recomposition lemma in a proof assistant in the presence of memory sharing.We put these two key innovations to use in a secure compilation proof for a code generation compiler pass between a safe source language with pointers and components, and a target language with unstructured control flow.

show abstract

Section: Data-flow Back-translationmentioning

confidence: 99%

Section: Data-flow Back-translationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

El-Korashy¹,

Blanco²,

Thibault³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Fully Abstract and Robust Compilation

Abate

Busi

Tsampas

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Bauereiss

Campbell

Sewell

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities to enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C and C++ to be adapted to deterministically mitigate large classes of vulnerabilities, while requiring only minor changes to existing system software sources. Arm is currently designing and building Morello, a CHERI-enabled prototype architecture, processor, SoC, and board, extending the high-performance Neoverse N1, to enable industrial evaluation of CHERI and pave the way for potential mass-market adoption. However, for such a major new security-oriented architecture feature, it is important to establish high confidence that it does provide the intended protections, and that cannot be done with conventional engineering techniques.In this paper we put the Morello architecture on a solid mathematical footing from the outset. We define the fundamental security property that Morello aims to provide, reachable capability monotonicity, and prove that the architecture definition satisfies it. This proof is mechanised in Isabelle/HOL, and applies to a translation of the official Arm specification of the Morello instruction-set architecture (ISA) into Isabelle. The main challenge is handling the complexity and scale of a production architecture: 62,000 lines of specification, translated to 210,000 lines of Isabelle. We do so by factoring the proof via a narrow abstraction capturing essential properties of arbitrary CHERI ISAs, expressed above a monadic intra-instruction semantics. We also develop a model-based test generator, which generates instruction-sequence tests that give good specification coverage, used in early testing of the Morello implementation and in Morello QEMU development, and we use Arm’s internal test suite to validate our model.This gives us machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry architecture, at design-time. To the best of our knowledge, this is the first demonstration that that is feasible, and it significantly increases confidence in Morello.

show abstract

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

Cited by 8 publications

References 45 publications

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

Fully Abstract and Robust Compilation

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Contact Info

Product

Resources

About