When Good Components Go Bad

Abate, Carmine; Amorim, Arthur Azevedo de; Blanco, Roberto; Evans, Ana Nora; Fachini, Guglielmo; Hriţcu, Cătălin; Laurent, Théo; Pierce, Benjamin C.; Stronati, Marco; Tolmach, Andrew

doi:10.1145/3243734.3243745

Cited by 23 publications

(6 citation statements)

References 75 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A compiler from the high-level to the low-level might be insecure as it exposes source-level programs to illicit control flow. This is another important and well-documented example of failure of full abstraction [8,37,3,33].…”

Section: Control Flowmentioning

confidence: 96%

A Categorical Approach to Secure Compilation

Tsampas¹,

Nuyts²,

Devriese³

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We introduce a novel approach to secure compilation based on maps of distributive laws. We demonstrate through four examples that the coherence criterion for maps of distributive laws can potentially be a viable alternative for compiler security instead of full abstraction, which is the preservation and reflection of contextual equivalence. To that end, we also make use of the well-behavedness properties of distributive laws to construct a categorical argument for the contextual connotations of bisimilarity.

show abstract

Section: Control Flowmentioning

confidence: 96%

A Categorical Approach to Secure Compilation

Tsampas¹,

Nuyts²,

Devriese³

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Formalization Prior work has developed formal frameworks for stating and proving strong isolation properties in the context of new languages or subsets of existing lan-guages [1,18,20,37,38]. MIR takes a different approach, working with an existing language and offering a quantification of privilege reduction rather than an all-or-nothing property.…”

Section: Related Workmentioning

confidence: 99%

“…Modern software development relies heavily on third-party libraries. 1 Such reliance has led to an explosion of attacks [14,29,33,34,56,68]: overprivileged code in imported libraries provides an attack vector that is exploitable long after libraries reach their end-users. Even when libraries are created and authored with the best possible intentions-i.e., are not actively malicious-their privilege can be exploited at runtime to compromise the entire application-or worse, the broader system on which the application is executing.…”

Section: Introductionmentioning

confidence: 99%

“…Inference Unfortunately, manually specifying permissions is challenging, even for security-paranoid developers. Typical challenges include (1) naming issues, such as variable aliasing, poor variable names, and non-local use, (2) library-internal code, possibly not intended for humans, and (3) continuous codebase evolution, which requires updating the specification for every code change. To address these problems, MIR analyzes name uses within a library to automatically infer permissions.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Mir: Automated Quantifiable Privilege Reduction Against Dynamic Library Compromise in JavaScript

Vasilakis¹,

Staicu²,

Ntousakis³

et al. 2020

Preprint

View full text Add to dashboard Cite

Third-party libraries ease the development of large-scale software systems. However, they often execute with significantly more privilege than needed to complete their task. This additional privilege is often exploited at runtime via dynamic compromise, even when these libraries are not actively malicious. MIR addresses this problem by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries. Every field of an imported library is governed by a set of permissions, which developers can express when importing libraries. To enforce these permissions during program execution, MIR transforms libraries and their context to add runtime checks. As permissions can overwhelm developers, MIR's permission inference generates default permissions by analyzing how libraries are used by their consumers. Applied to 50 popular libraries, MIR's prototype for JavaScript demonstrates that the RWX permission model combines simplicity with power: it is simple enough to automatically infer 99.33% of required permissions, it is expressive enough to defend against 16 real threats, it is efficient enough to be usable in practice (1.93% overhead), and it enables a novel quantification of privilege reduction.

show abstract

“…There is existing work on formal, high-level properties of compartmentalization in the context of compilation. Juglaret et al [2016] and Abate et al [2018] investigate how a compiler can transfer properties of a compartmentalized source language application to the target language. While this work also relies on the notion of robust properties (at least superficially), it is actually complementary.…”

Section: Related Workmentioning

confidence: 99%

The high-level benefits of low-level sandboxing

Sammler

Garg

Dreyer

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Sandboxing is a common technique that allows low-level, untrusted components to safely interact with trusted code. However, previous work has only investigated the low-level memory isolation guarantees of sandboxing, leaving open the question of the end-to-end guarantees that sandboxing affords programmers. In this paper, we fill this gap by showing that sandboxing enables reasoning about the known concept of robust safety, i.e., safety of the trusted code even in the presence of arbitrary untrusted code. To do this, we first present an idealized operational semantics for a language that combines trusted code with untrusted code. Sandboxing is built into our semantics. Then, we prove that safety properties of the trusted code (as enforced through a rich type system) are upheld in the presence of arbitrary untrusted code, so long as all interactions with untrusted code occur at the łanyž type (a type inhabited by all values). Finally, to alleviate the burden of having to interact with untrusted code at only the łanyž type, we formalize and prove safe several wrappers, which automatically convert values between the łanyž type and much richer types. All our results are mechanized in the Coq proof assistant. One common engineering technique for ensuring secure interoperation between trusted and untrusted code is to physically sandbox the untrusted parts of an application at coarse granularity using hardware, kernel, or library support for isolation. Memory is partitioned into low and high compartments, and the hardware and kernel enforce that untrusted codeÐsandboxed in the low compartmentÐcannot directly access the memory in the high compartment (where trusted code operates) even if it can guess private memory addresses of the trusted code [Koning et al. 2017]. Additionally, untrusted code cannot directly access system calls. Examples of such techniques are software fault isolation by rewriting untrusted code [Yee et al. 2009], in-user-space sandboxing of untrusted libraries [Mozilla 2019; Lamowski et al. 2017; Google 2019; Vahldiek-Oberwagner et al. 2019], use of multiple kernel-backed address spaces within an application [Litton et al. 2016], and the use of modern features of CPUs like secure enclaves [McKeen et al. 2013; ARM Limited 2009].Although sandboxing is widely used, and prior work has shown formally that specific sandboxing techniques attain intrinsic properties like memory isolation, to the best of our knowledge there is no clear understanding of what end-to-end reasoning sandboxing affords programmers. Our goal in this paper is precisely to fill this gap: we show that sandboxing allows programmers to reason about the robust safety of trusted code. As explained above, robust safety is a well-studied concept, which means that the trusted code's safety properties hold even when co-executing with arbitrary untrusted code. In verification terms, sandboxing allows reasoning about the safety properties of trusted code without having to consider the behavior of untrusted code during verification.To formalize th...

show abstract

When Good Components Go Bad

Cited by 23 publications

References 75 publications

A Categorical Approach to Secure Compilation

A Categorical Approach to Secure Compilation

Mir: Automated Quantifiable Privilege Reduction Against Dynamic Library Compromise in JavaScript

The high-level benefits of low-level sandboxing

Contact Info

Product

Resources

About