The next 700 compiler correctness theorems (functional pearl)

Patterson, Daniel; Ahmed, Amal

doi:10.1145/3341689

Cited by 27 publications

(20 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Notice that condition (i) usually 4 even follows from whole-program correctness, namely, whole-program backward simulation (together with some structural lemmas about linking and compilation). Whole-program backward simulation is a standard [14,15] formal criterion for considering a compiler bug-free with respect to a given source semantics.…”

Section: A Fully Abstract Compilation Formallymentioning

confidence: 99%

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

El-Korashy

Tsampas

Patrignani

et al. 2021

2021 IEEE 34th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The C to CHERI compiler, for example, achieves memory safety by following a principle called "pointers as capabilities" (PAC ).Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide guarantees for a compilation unit, even if that compilation unit is later linked to attacker-controlled machine code.This paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which is of broad interest because it reuses and extends the compiler correctness relation in a natural way, as we demonstrate.We implement our compiler on top of the CHERI platform and show that it can compile legacy C code with minimal code changes. We provide performance benchmarks that show how performance overhead is proportional to the number of crosscompilation-unit function calls.

show abstract

Section: A Fully Abstract Compilation Formallymentioning

confidence: 99%

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

El-Korashy

Tsampas

Patrignani

et al. 2021

2021 IEEE 34th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…As a result, common wisdom holds semantics preservation to be a lost cause for compositional compiler correctness [20]. Instead, research has focused on compositional reasoning methods based on contextual refinement, side-stepping the need for compositional semantics preservation [10,22].…”

Section: Compositional Compiler Correctnessmentioning

confidence: 99%

“…A general survey, discussion and synthesis of various compositional compiler correctness results is provided by Patterson and Ahmed [20]. We focus on CompCert extensions.…”

Section: Related Work and Evaluationmentioning

confidence: 99%

CompCertO: compiling certified open C components

Koenig

Shao

2021

Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Since the introduction of CompCert, researchers have been refining its language semantics and correctness theorem, and used them as components in software verification efforts. Meanwhile, artifacts ranging from CPU designs to network protocols have been successfully verified, and there is interest in making them interoperable to tackle end-to-end verification at an even larger scale.Recent work shows that a synthesis of game semantics, refinement-based methods, and abstraction layers has the potential to serve as a common theory of certified components. Integrating certified compilers to such a theory is a critical goal. However, none of the existing variants of CompCert meets the requirements we have identified for this task.CompCertO extends the correctness theorem of CompCert to characterize compiled program components directly in terms of their interaction with each other. Through a careful and compositional treatment of calling conventions, this is achieved with minimal effort.

show abstract

“…The reason is that, as discussed above, allowing different memory relations would introduce different rely/guarantee conditions thereby breaking simulation after linking (i.e., horizontal compositionality) due to the mismatch between different rely/guarantee conditions. Second, proving vertical compositionality for open simulations is in general very technical and involved [Neis et al 2015;Patterson and Ahmed 2019]. Indeed the proof for structured simulations is about 5,000 SLOC in Coq.…”

Section: Problemsmentioning

confidence: 99%

“…Multi-language semantics. Ahmed and her collaborators propose multi-language semantics [New et al 2016;Patterson and Ahmed 2019;Patterson et al 2017;Perconti and Ahmed 2014;Scherer et al 2018] as an approach to prove compositional correctness and full abstraction of a compiler for both assembly-like and higher-order languages. Specifically, they define a language that combines all of the source, intermediate and target languages, and prove contextual equivalence and/or full abstraction for each translation pass in the combined language using logical relations (with back-translations).…”

Section: Compositional Compiler Correctness For Higher-order Languagesmentioning

confidence: 99%

CompCertM: CompCert with C-assembly linking and lightweight modular verification

Song

Cho

Kim

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Supporting multi-language linking such as linking C and handwritten assembly modules in the verified compiler CompCert requires a more compositional verification technique than that used in CompCert just supporting separate compilation. The two extensions, CompCertX and Compositional CompCert, supporting multi-language linking take different approaches. The former simplifies the problem by imposing restrictions that the source modules should have no mutual dependence and be verified against certain well-behaved specifications. On the other hand, the latter develops a new verification technique that directly solves the problem but at the expense of significantly increasing the verification cost.In this paper, we develop a novel lightweight verification technique, called RUSC (Refinement Under Self-related Contexts), and demonstrate how RUSC can solve the problem without any restrictions but still with low verification overhead. For this, we develop CompCertM, a full extension of the latest version of CompCert supporting multi-language linking. Moreover, we demonstrate the power of RUSC as a program verification technique by modularly verifying interesting programs consisting of C and handwritten assembly against their mathematical specifications.

show abstract

The next 700 compiler correctness theorems (functional pearl)

Cited by 27 publications

References 40 publications

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

CompCertO: compiling certified open C components

CompCertM: CompCert with C-assembly linking and lightweight modular verification

Contact Info

Product

Resources

About