
Journey Beyond Full - PowerPoint Presentation

Uploaded On 2019-12-06




Presentation Transcript

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation
Carmine Abate, Deepak Garg, Marco Patrignani, Cătălin Hrițcu, Jérémy Thibault, Rob Blanco
MPI-SWS, Stanford & CISPA, Inria Paris

Good programming languages provide helpful abstractions for writing more secure code: structured control flow, procedures, modules, interfaces, correctness and security specifications, ... These abstractions are not enforced when compiling and linking with adversarial low-level code, so all source-level security guarantees are lost.

HACL* verified cryptographic library, in practice. The HACL* library (~100,000 LOC in F*, compiled to ASM via KreMLin + CompCert) is linked into the Firefox web browser (16,000,000+ LOC in C/C++, compiled to ASM with GCC), a 160x larger code base. Insecure interoperability: the linked code can read and write data and code, jump to arbitrary instructions, smash the stack, ...

We need secure compilation chains: protect source-level abstractions even against linked adversarial low-level code. Various enforcement mechanisms: processes, SFI, ... Shared responsibility: compiler, linker, loader, OS, HW. Goal: enable source-level security reasoning. Linked adversarial target code cannot break the security of the compiled program any more than some linked source code could: no "low-level" attacks.

Robustly preserving security: (∀ source context, the source program linked with it is secure) ⇒ (∀ target context, the compiled program linked with it is secure). The compiler protects the compiled program so that the target context gets no extra power. But what should "secure" mean?

What properties should we robustly preserve? Trace properties (safety & liveness): only integrity. Hyperproperties (noninterference): + data confidentiality. Relational hyperproperties (trace equivalence): + code confidentiality. Going up this hierarchy is more secure; going down is more efficient to enforce and easier to prove. No one-size-fits-all security criterion.

Robust Trace Property Preservation. Notation: C[P] is program P linked with context C, P↓ is the compiled program, and C[P] ⇝ t means the linked program produces trace t.

Property-based characterization (what one might want to achieve): ∀ source program P. ∀ trace property π. (∀ source context C_S. C_S[P] ⇝ t ⇒ t ∈ π) ⇒ (∀ target context C_T. C_T[P↓] ⇝ t ⇒ t ∈ π).

Property-free characterization (how one can prove it), ⇔ to the property-based one: ∀ source program P. ∀ (bad/attack) trace t. ∀ target context C_T. C_T[P↓] ⇝ t ⇒ ∃ source context C_S. C_S[P] ⇝ t. The source context C_S is obtained by back-translation of the target context.

Some of the proof difficulty is manifest in the property-free characterization, namely in where ∃C_S sits in the quantifier prefix:
- back-translating a finite trace prefix: ∀P ∀C_T ∀m≤t ∃C_S ...
- back-translating program & context: ∀P ∀C_T ∃C_S ∀t ...
- back-translating context: ∀C_T ∃C_S ∀P ∀t ...
- back-translating a finite set of finite trace prefixes: ∀k ∀P_1..P_k ∀C_T ∀m_1..m_k ∃C_S ...
- back-translating program & context & trace: ∀P ∀C_T ∀t ∃C_S ...
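The equivalence between the property-based and the property-free characterization, worked out here as an added derivation that is not on the original slides, using the talk's notation ($C[P] \rightsquigarrow t$: program $P$ linked with context $C$ produces trace $t$; $P{\downarrow}$: the compiled program; $\pi$: a trace property, i.e. a set of traces):

$$\mathrm{RTP} \;\triangleq\; \forall P\, \forall \pi.\ \big(\forall C_S\, \forall t.\ C_S[P] \rightsquigarrow t \Rightarrow t \in \pi\big) \Rightarrow \big(\forall C_T\, \forall t.\ C_T[P{\downarrow}] \rightsquigarrow t \Rightarrow t \in \pi\big)$$

$$\mathrm{RTP}^{\mathrm{free}} \;\triangleq\; \forall P\, \forall C_T\, \forall t.\ C_T[P{\downarrow}] \rightsquigarrow t \Rightarrow \exists C_S.\ C_S[P] \rightsquigarrow t$$

($\mathrm{RTP}^{\mathrm{free}} \Rightarrow \mathrm{RTP}$): fix $P$ and $\pi$ and assume the source-side hypothesis $\forall C_S\, \forall t.\ C_S[P] \rightsquigarrow t \Rightarrow t \in \pi$. Take any $C_T$ and $t$ with $C_T[P{\downarrow}] \rightsquigarrow t$. By $\mathrm{RTP}^{\mathrm{free}}$ there is a $C_S$ with $C_S[P] \rightsquigarrow t$, so the hypothesis gives $t \in \pi$.

($\mathrm{RTP} \Rightarrow \mathrm{RTP}^{\mathrm{free}}$): fix $P$, $C_T$ and $t$ with $C_T[P{\downarrow}] \rightsquigarrow t$, and instantiate $\mathrm{RTP}$ with the property

$$\pi_P \;\triangleq\; \{\, t' \mid \exists C_S.\ C_S[P] \rightsquigarrow t' \,\},$$

the set of traces reachable from $P$ in the source. The source-side hypothesis of $\mathrm{RTP}$ holds for $\pi_P$ by construction, so $\mathrm{RTP}$ yields $t \in \pi_P$, which unfolds to $\exists C_S.\ C_S[P] \rightsquigarrow t$.

The second direction shows why $\pi$ can be eliminated: the only property that matters is the set of source-reachable traces. The first direction shows what a proof actually owes: for given $P$, $C_T$ and $t$, a source context $C_S$ reproducing $t$, which is the $\forall P\, \forall C_T\, \forall t\, \exists C_S$ quantifier pattern (back-translating program, context and trace) listed above.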

Journey Beyond Full Abstraction: first to explore the space of secure compilation criteria based on robust property preservation. Carefully studied the criteria and their relations: property-free characterizations; implications, collapses, separation results. Introduced relational (hyper)properties (new classes!). Clarified the relation to full abstraction ... Embraced and extended proof techniques ... https://github.com/secure-compilation/exploring-robust-property-preservation

Where is Full Abstraction? Without internal nondeterminism, full abstraction is here in the diagram (i.e. robust behavioral equivalence preservation), and it doesn't imply any other criterion.

Full abstraction does not imply any other criterion in our diagram. Intuitive counterexample adapted from Marco & Deepak [CSF'17]: when the context passes in a bad input value (e.g. ill-typed), launch the missiles (breaks Robust Safety Preservation), or loop forever (breaks Robust Liveness Preservation), or leak secret inputs (breaks Robust NI Preservation). Yet this doesn't break full abstraction or compiler correctness! Full abstraction only ensures code confidentiality: no integrity, no safety, no data confidentiality, ...
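A finite toy model, added here and not part of the talk or of the paper's artifact, that makes the property-free characterization of slide 7 and the counterexample above concrete. Contexts are modelled by the single input value they pass in; the compiler compile_program, the programs prog_parity, prog_parity_shifted and prog_const, and the "launch_missiles" trace event are all constructed for this illustration and stand in for the "launch the missiles" branch. Enumerating the contexts shows that the source program is robustly safe, its compilation is not, the offending target trace has no source context that back-translates it, and yet equivalence between source programs is preserved and reflected, so full abstraction survives exactly as the slide claims.

```python
# Added toy model, not taken from the talk or from the paper's artifact:
# a finite source/target world in which robust trace property preservation
# (property-based view) and its property-free characterization (back-
# translation of target traces) can be checked by enumeration.

from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

Trace = Tuple[str, ...]
Program = Callable[[object], Trace]

# Constructed contexts: a context is modelled by the single input value it
# passes to the program. Source contexts are well-typed (ints only); target
# contexts may pass anything, including an ill-typed value.
SOURCE_CONTEXTS: List[object] = [0, 1, 2, 3]
TARGET_CONTEXTS: List[object] = SOURCE_CONTEXTS + ["ill-typed"]

# Constructed source programs; a source program only ever sees an int.
def prog_parity(x: int) -> Trace:
    return ("out", str(x % 2))

def prog_parity_shifted(x: int) -> Trace:
    return ("out", str((x + 2) % 2))      # observably the same as prog_parity

def prog_const(x: int) -> Trace:
    return ("out", "0")

def compile_program(prog: Program) -> Program:
    """Hypothetical compiler reproducing the counterexample from the talk: the
    source type discipline is not enforced at the target, and on an ill-typed
    input the compiled code does something no source context can provoke."""
    def compiled(v: object) -> Trace:
        if isinstance(v, int):
            return prog(v)
        return ("launch_missiles",)
    return compiled

def reachable_traces(prog: Program, contexts: Iterable[object]) -> FrozenSet[Trace]:
    """All traces t with C[prog] ⇝ t for C ranging over the given contexts."""
    return frozenset(prog(c) for c in contexts)

def robustly_satisfies(prog: Program, contexts: Iterable[object],
                       prop: Callable[[Trace], bool]) -> bool:
    """Property-based view: prog satisfies prop under every context."""
    return all(prop(t) for t in reachable_traces(prog, contexts))

def back_translation_witnesses(prog: Program) -> Dict[Trace, Optional[object]]:
    """Property-free view: for every trace of the compiled program under some
    target context, look for a source context producing the same trace.
    A None value marks a target trace that cannot be back-translated."""
    source_witness = {prog(c): c for c in SOURCE_CONTEXTS}
    compiled = compile_program(prog)
    return {t: source_witness.get(t)
            for t in reachable_traces(compiled, TARGET_CONTEXTS)}

def rtp_holds(prog: Program) -> bool:
    """RTP for prog, decided via the property-free characterization."""
    return all(w is not None for w in back_translation_witnesses(prog).values())

def equivalent(p1: Program, p2: Program, contexts: Iterable[object]) -> bool:
    """Contextual equivalence over a finite set of contexts."""
    return all(p1(c) == p2(c) for c in contexts)

def full_abstraction_preserved(p1: Program, p2: Program) -> bool:
    """Equivalence is preserved and reflected for this pair of programs."""
    return equivalent(p1, p2, SOURCE_CONTEXTS) == equivalent(
        compile_program(p1), compile_program(p2), TARGET_CONTEXTS)

def safety_no_launch(t: Trace) -> bool:
    """A safety property: the bad event never appears in the trace."""
    return "launch_missiles" not in t

if __name__ == "__main__":
    programs = (prog_parity, prog_parity_shifted, prog_const)
    print("source robustly safe:",
          robustly_satisfies(prog_parity, SOURCE_CONTEXTS, safety_no_launch))
    print("target robustly safe:",
          robustly_satisfies(compile_program(prog_parity), TARGET_CONTEXTS, safety_no_launch))
    print("non-back-translatable target traces:",
          [t for t, w in back_translation_witnesses(prog_parity).items() if w is None])
    print("full abstraction preserved on all pairs:",
          all(full_abstraction_preserved(a, b) for a in programs for b in programs))
```

The model deliberately keeps the compiled behaviour on an ill-typed input identical for every program: that is what makes target contexts no better at distinguishing programs than source contexts (equivalence preserved), while still producing a trace that no source context can produce (robust safety broken). Replacing the fixed "launch_missiles" event by a divergence or by echoing the program's secret input gives the liveness and noninterference variants mentioned on the slide.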

Embraced and extended™ proof techniques. Back-translating context (∀C_T ∃C_S ∀P ∀t ...) [New et al., ICFP'16]: generic technique, applicable. Back-translating a finite set of finite trace prefixes (∀k ∀P_1..P_k ∀C_T ∀m_1..m_k ∃C_S ...) [Jeffrey & Rathke, ESOP'05] [Patrignani et al., TOPLAS'15]: for a simple translation from a statically to a dynamically typed language with first-order functions and I/O; the strongest criterion achievable.

Some open problems. Practically achieving secure interoperability with lower-level code; more realistic languages and compilation chains. Verifying robust satisfaction for source programs: program logics, logical relations, partial semantics, ... Different traces for source and target semantics, connected by some arbitrary relation: mappings between source and target properties, interesting even for correct compilation.

My dream: secure compilation at scale. A C language with components and memory safety, hosting HACL* memory-safe C components next to legacy C components, and an ASM language (RISC-V + micro-policies) for ASM components.
