Fully abstract trace semantics for low-level isolation mechanisms — Extended version by Patrignani, Marco & Clarke, Dave
Fully Abstract Trace Semantics
for Low-level Isolation Mechanisms
– Extended Version
Marco Patrignani Dave Clarke
Report CW651, November 2013
Katholieke Universiteit Leuven
Department of Computer Science
Celestijnenlaan 200A – B-3001 Heverlee (Belgium)
Fully Abstract Trace Semantics
for Low-level Isolation Mechanisms
– Extended Version
Marco Patrignani Dave Clarke
Report CW651, November 2013
Department of Computer Science, K.U.Leuven
Abstract
Many software systems adopt isolation mechanisms of modern
processors as software security building blocks. Reasoning about
these building blocks means reasoning about elaborate assembly
code, which can be very complex due to the loose structure of the
code. One way to overcome this complexity is providing the code
with a more structured semantics. This paper presents one such se-
mantics, namely a fully abstract trace semantics, for an assembly lan-
guage enhanced with protection mechanisms of modern processors.
The trace semantics represents the behaviour of protected assembly
code with simple abstractions, unburdened by low-level details, at
the maximum degree of precision. Furthermore, it captures the ca-
pabilities of attackers to protected software and simplifies providing
a secure compiler targeting the assembly language.
Fully Abstract Trace Semantics
for Low-level Isolation Mechanisms – Extended version
Marco Patrignani ∗ Dave Clarke
iMinds-DistriNet, Dept. Computer Science, KU Leuven
{first.last}@cs.kuleuven.be
Abstract
Many software systems adopt isolation mechanisms of modern pro-
cessors as software security building blocks. Reasoning about these
building blocks means reasoning about elaborate assembly code,
which can be very complex due to the loose structure of the code.
One way to overcome this complexity is providing the code with
a more structured semantics. This paper presents one such seman-
tics, namely a fully abstract trace semantics, for an assembly lan-
guage enhanced with protection mechanisms of modern processors.
The trace semantics represents the behaviour of protected assembly
code with simple abstractions, unburdened by low-level details, at
the maximum degree of precision. Furthermore, it captures the ca-
pabilities of attackers to protected software and simplifies provid-
ing a secure compiler targeting the assembly language.
1. Introduction
Many processors provide isolation mechanisms as software secu-
rity building blocks. These are used to withstand low-level attackers
who, through injected assembly code, can read the whole memory
space and access secrets in memory, violate integrity constraints
and so on. With isolation mechanisms, attackers cannot directly
violate security properties of isolated software since the isolated
memory is not accessible to them. Examples of these protection
mechanisms are fine grained, program counter-based memory ac-
cess control mechanism [4, 10, 11, 14, 18–20], which enforce secu-
rity properties at process or lower levels (Ring-1). With this mech-
anism, the software to be secured is placed in a protected memory
partition that shields it from the surrounding, potentially malicious
code. The malicious code cannot read nor write the protected mem-
ory; it can only jump to specific addresses in protected memory in
order to call functions of the protected code. This protection mech-
anism makes software more resilient against low-level attackers.
However, this does not prevent an attacker from interacting with
the protected code and violating security properties.
To enable reasoning about the behaviour of isolated software,
this paper firstly introduces an assembly language enhanced with a
fine grained, program counter-based memory access control. This
∗Marco Patrignani holds a Ph.D. fellowship from the Research Foundation
Flanders (FWO).
[Copyright notice will appear here once ’preprint’ option is removed.]
protection mechanism was chosen due to its application in secure
compilation [2, 15] and to its recent industrial implementation:
the Intel SGX [11]. Then, this paper explores the design space of
trace semantics and presents two different fully abstract [16] trace
semantics for the protected assembly code. The paper provides a
general proof strategy where full abstraction of the trace semantics
can be proven simply. To the best of the authors’ knowledge, this
is the first such result for an assembly language extended with the
said protection mechanism. Moreover, the results seem applicable
to other isolation mechanisms, modulo technical changes.
The fully abstract trace semantics provides a number of benefits.
Trace semantics uses simple abstractions to represent the behaviour
of protected assembly code, unburdened by low-level details, at the
maximum degree of precision. So, dually, it models the behaviour
of an attacker to the protected code, since it captures precisely the
capabilities of that attacker. Secondly, without the trace semantics,
the behaviour of protected assembly code (and thus of an attacker)
is given in terms of low-level contexts. While being precise, low-
level contexts are notoriously difficult to reason about, since they
offer no inductive nor coinductive structure. The fully abstract
trace semantics allows low-level contexts to be disregarded, since
low-level contexts and traces are proven to be equally precise.
Finally, the field of secure compilation benefits from the trace
semantics. Recently, Agten et al. [2] and Patrignani et al. [15]
presented secure compilers to assembly code enhanced with the
aforementioned protection mechanism. Both results assume that
the assembly language has a fully abstract trace semantics, thus the
results of this paper strengthen those secure compilation claims.
In summary, the contributions of this paper are:
• the formalisation of an assembly language modelling an archi-
tecture enhanced with a fine grained, program counter-based
memory access control;
• two different trace semantics for that low-level model;
• the proof that both trace semantics are fully abstract in a general
proof strategy.
Limitations of this work are twofold. Firstly, the trace semantics
cannot express side-channel attacks. Secondly, the formalisation
does not consider details of the architecture such as caches; yet
this is a often assumed [2, 13, 15, 17].
The paper is organised as follows. Section 2 introduces back-
ground notions for the work. Section 3 formalises syntax and op-
erational semantics of the assembly language. Section 4 describes
two trace semantics for the language. Section 5 contains the proof
of full abstraction of both trace semantics. Section 6 describes re-
lated work. Section 7 discusses future works and concludes. The
appendices present the proofs of the main theorems.
1 2013/11/23
2. Protected Programs and Trace Semantics
This section describes the memory access control mechanism.
Then, it discusses how to turn a trace semantics for protected as-
sembly code into a fully abstract one, thus turning an imprecise
representation of the behaviour of the code into a precise one.
2.1 The Protection Mechanism, Informally
The assembly language is enhanced with an isolation mechanism: a
fine-grained, program counter-based memory access control mech-
anism [4, 10, 14, 18–20]. We review this mechanism from the work
of Strackx and Piessens [19]. However, the techniques presented in
this paper can be easily adapted to reasoning about other isolation
mechanisms [4, 10, 18]. The protection mechanism provides a se-
cure environment for running code that must be protected from the
code it interacts with. This mechanism assumes that the memory is
logically divided into a protected and an unprotected partition. The
protected partition is further divided into a code and a data section.
The code section contains a variable number of entry points: the
only addresses to which instructions in unprotected memory can
jump and execute. The data section is accessible only from the pro-
tected partition. For the sake of simplicity, code in protected mem-
ory cannot read the unprotected one; as discussed in Section 2.2
below. Based on the location of the program counter, instructions
that violate the access control policy are ruled out. The table below
summarises the access control model enforced by the protection
mechanism.
From\ To Protected Unprotected
Entry Point Code Data
Protected r x r x r w w x
Unprotected x r w x
2.2 From Naïve to Fully Abstract Trace Semantics
Following is the notation used in all code examples throughout this
paper. Every instruction in the code is preceded by the address
where it is located. Call the left program PL and the right one
PR. When PL and PR are executed, they are placed in a protected
memory partition spanning from address 100 to 200, with a single
entry point at address 100.
EXAMPLE 1. Both PL and PR assign to r0 the result of r0−r1
(line 1). If the result of the operation is not less than 0 (line 3),
they respectively write the contents of r4 and r5 at the unprotected
address 10 (lines 4,5) and call a function whose address is stored
in r2 (line 6). Otherwise, they assign different values to r11 (line 7)
and return 0 (lines 8,9).
1 100 sub r0 r1
2 101 movi r3 106
3 102 jl r3
4 103 movi r3 10
5 104 movs r3 r4
6 105 call r2
7 106 movi r11 41
8 107 movi r0 0
9 108 ret
1 100 sub r0 r1
2 101 movi r3 106
3 102 jl r3
4 103 movi r3 10
5 104 movs r3 r5
6 105 call r2
7 106 movi r11 42
8 107 movi r0 0
9 108 ret
In order to describe the behaviour of the protected code of Ex-
ample 1, this paper defines a traces semantics for it. The trace se-
mantics gives a simple characterisation of the behaviour of that
code as a set of sequences of labels. In this paper, trace semantics
are devised to capture the execution of a protected program, which
is a program allocated in the protected memory partition. The exe-
cution of a program is the evaluation of a sequence of instructions;
in order to abstract over instructions, not all of them generate a label
in a trace. Labels are generated only by call and ret instructions.
If they are executed by unprotected code, they are named calls and
returnbacks, if they are executed by protected code they are named
callbacks and returns [2, 8]. Following is the syntax of labels.
L ::= a | τ a ::= g? | g! g ::= call p(v) | ret v
A label L can be an observable action a or a non-observable action
τ . Decorations ? and ! indicate the direction of the observable
action: from unprotected to protected code (?) or vice-versa (!).
Address p is an address in memory, v is a list of the contents of
all registers and v indicates the contents of register r0.
Informally, a trace semantics is fully abstract when its labels
capture all that is being communicated between the protected and
the unprotected code. The trace semantics hinted at above is not
fully abstract due to a number of subtleties, as highlighted by the
following traces for the code of Example 1. Omitted details are
indicated using . . .; use · to separate actions of the same trace.
a1 = call 100(1, 2, . . .)? · ret 0!
a2 = call 100(2, 1, 40, . . .)? · call 40(. . .)!
Traces a1 and a2 are generated by both PL and PR. Trace a1
does not capture the different value stored in r11 (line 7), which,
even if it is not the returned value of the function, still constitutes
an observable difference between PL and PR. Trace a2 does not
capture the different value written at address 10 (line 5), which also
constitutes a observable difference between PL and PR. Since a1
and a2 do not capture the observable differences between PL and
PR, the trace semantics fails to be fully abstract.
As Curien stated [3], two ways to achieve full abstraction for a
trace semantics exist. The first is to modify the labels so that they
capture more precisely what is communicated between protected
and unprotected code. In this case, labels should capture the val-
ues of all registers and what protected code writes in unprotected
memory. The second is to change the operational semantics, to
restrict what is communicated to what is captured by the labels.
This is achieved by restricting the ways in which communication is
performed, e.g. by preventing writeouts. Both approaches are pre-
sented in Section 4; they rely on an assembly language and on its
operational semantics which are formalised in Section 3.
Read-outs. As mentioned in Section 2.1, protected memory cannot
read the unprotected one. This is enforced by some protection
mechanisms [10] while it is allowed yet discouraged by others [2,
14, 15, 19]. We briefly discuss the implications of read-outs, to keep
the rest of the paper simple.
Consider two programs that read-out values at two different
locations, disregard those values and return 0. They do not present
an observable difference, but if read-outs generated a visible action,
the two programs would have different traces. This would break full
abstraction so read-outs generate a τ action.
Now consider two programs that read-out values at two different
locations and return those values. The read values must be known
in order to determine the traces of the two programs, so the traces
become parametrised on the read values. This can be achieved in
different ways, to keep the presentation of this paper simple, a more
thorough discussion of the subject is left for future work.
3. Assembly Language Formalisation
This section formalises the syntax and operational semantics of
an assembly language, followed by the definition of contextual
equivalence.
3.1 Syntax
The language is run on an architecture that models a Von Neumann
machine consisting of a program counter p, a register file r, a flags
register f and memory space m. The program counter indicates
2 2013/11/23
the address of the instruction that is executed. The register file
contains 12 general purpose registers R0 to R11 and a stack pointer
register SP, which contains the address of the top of the current
call stack. The flags register contains a zero flag ZF and a sign flag
SF, which are set or cleared by arithmetic instructions and are used
by branching instructions. For the sake of simplicity, assume the
architecture targeted by the language works with ` bit-long words,
where ` is a power of 2. This allows the formalisation presented to
scale to architectures with words of different sizes.
Words w ::= i ∈ I Memories m ::= ∅
| v ∈ V |m; a 7→ w
Empty word 0 ::= 0` Numbers n ::= n ∈ N
Addresses a ∈ 0..2` − 1 Programs P ::= (m, s)
Values V ::= {v | v = [0 or 1]` ∧ ∀i ∈ I. v 6= i}
Memory descriptors s ::= (ab, nc, nd, n)
Figure 1. Elements of the assembly language formalisation.
Fig. 1 presents elements of the formalisation. Words w are
either instructions i or values v. Values v are elements of the set
V , they are sequences of bits 0 or 1 of length ` that are different
from the encoding of instructions. The explanation of why values
are encoded in this way is delayed to Example 3 in Section 4.1.
Instructions i are elements of the set I and define the programming
language executed on the architecture (Fig. 2). The empty word 0
movl rd rs Load the word from the memory address in register
rs into register rd.
movs rd rs Store the contents of register rs at the address found
in register rd.
movi rd k Load the constant value k into register rd. Note that
k < 2`.
add rd rs Write rd + rs mod 2` into register rd and set the ZF
flag accordingly.
sub rd rs Write rd − rs mod 2` into register rd and set both the
ZF and the SF flags accordingly.
cmp r1 r2 Calculate r1 − r2 and set both the ZF and the SF
flags accordingly.
jmp ri Jump to the address located in register ri.
je ri If the ZF flag is set, jump to the address in register ri.
jl ri If the SF flag is set, jump to the address in register ri.
call ri Push the value of the program counter +1 onto the
stack and jump to the address in register ri.
ret Pop a value from the stack and jump to the popped
location.
halt Stop the execution with the result in register r0.
Figure 2. Instruction set I.
is a sequence of 0’s whose length is based on the architecture being
considered. Addresses a are natural numbers, ranging from 0 to
2` − 1. Memories m are maps from addresses to words. Memory
access, denoted as m(a), is defined as follows: m(a) = w if
a 7→ w ∈ m; it is undefined otherwise. Define the domain of
a memory as dom(m) = {a | a 7→ w ∈ m}. If two memories
m and m′ have disjoint domains, they can be merged in another
memory. Formally, if dom(m) ∩ dom(m′) = ∅, then m + m′ =
{a 7→ w | a 7→ w ∈ m or a 7→ w ∈ m′}. Memory descriptors
s are quadruples: (ab, nc, nd, n) that formalise the concepts of
Section 2.1: ab is the address where the protected memory partition
starts, nc and nd are the sizes (in number of addresses) of the
code and data section respectively and n is the number of entry
points. Entry points are allocated starting from the base address ab.
Each entry point isNe words long. Assume the entry points do not
overflow the protected code section, thus the constraint n·Ne < nc
holds for the all memory descriptors. Programs P are pairs of a
memory m and a memory descriptor s.
3.2 Operational Semantics
Before introducing the semantics, a number of auxiliary notions are
defined.
Fig. 3 defines the access control enforcement rules informally
presented in Section 2.1. Read judgments s ` predicate(a, b, · · · )
as: “according to s, predicate holds for addresses a, b, · · · ”.
(Aux-protected)
ab ≤ p < (ab + nc + nd)
s ` protected(p)
(Aux-unprotected1)
p < ab
s ` unprotected(p)
(Aux-unprotected2)
(ab + nc + nd) ≤ p
s ` unprotected(p)
(Aux-returnEntry)
p = ab + (n− 1) · Ne
s ` returnEntryPoint(p)
(Aux-entryPoint)
p = ab +m · Ne
m ∈ N m < n
s ` entryPoint(p)
(Aux-data)
(ab + nc) ≤ p
p < (ab + nc + nd)
s ` data(p)
(Aux-read-1)
s ` protected(p)
s ` protected(a)
s ` readAllowed(p, a)
(Aux-read-2)
s ` unprotected(p)
s ` unprotected(a)
s ` readAllowed(p, a)
(Aux-write-1)
s ` unprotected(a)
s ` writeAllowed(p, a)
(Aux-write-2)
s ` protected(p)
s ` data(a)
s ` writeAllowed(p, a)
(Aux-entry)
s ` unprotected(p)
s ` entryPoint(p′)
s ` entryJump(p, p′)
(Aux-return)
s ` protected(p)
s ` unprotected(p′)
s ` exitJump(p, p′)
(Aux-internal)
s ` protected(p)
s ` protected(p′)
s 0 data(p′)
s ` intJump(p, p′)
(Aux-external)
s ` unprotected(p)
s ` unprotected(p′)
s ` extJump(p, p′)
Figure 3. Access control enforcement rules. Assume s ≡
(ab, nc, nd, n)
Define functions msec(m, s) and mext(m, s), which return the
protected and unprotected parts of a memory m according to the
descriptor s, respectively as: msec(m, s) = {a 7→ w | a 7→ w ∈
m, s ` protected(a)} and mext(m, s) = {a 7→ w | a 7→ w ∈
m, s ` unprotected(a)}.
In the semantics there are two call stacks, one for the protected
code, called the secure stack, and one for the unprotected code,
called the insecure stack. Each stack is preceded by a word con-
taining the location of the current head of the stack, let SPsec and
SPext indicate the address of the secure and insecure stack respec-
tively. When the current stack is changed in the semantics, the stack
pointer register SP is initialised to the right address using SPsec and
SPext. Given a memory descriptor s = (ab, nc, nd, n), the secure
stack starts at the beginning of the protected data section and the
insecure stack starts at the end of the protected memory partition.
Thus SPsec = (ab + nc) and, initially, SPsec 7→ (ab + nc + 1);
analogously, SPext = (ab + nc + nd) and, initially, SPext 7→
3 2013/11/23
(ab + nc + nd + 1). Call and return instructions are responsible of
setting the SP register to the correct address when crossing bound-
aries between protected and unprotected memory. The value of the
program counter is pushed onto the stack by a call instruction
(the stack grows down), while a ret instruction pops one address
from the top of the stack and jumps to that location. Updating the
stack pointer SP is performed by the auxiliary function setStack
(Fig. 4). In the rules, notation m[a 7→ w] indicates that memory
m is updated to a new one that is equal to m except that the value
stored at address a is w. Notation r[R 7→ w] indicates that the reg-
ister file r is updated to a new one that is equal to r except that the
value stored in register R is w. Notation r(R) indicates the value
contained in register R in register file r. Given a jump between ad-
(Stack-out-to-in)
s ` entryJump(p, p′)
m′ = m[SPext 7→ r(SP)] r′ = r[SP 7→ m(SPsec)]
s ` unprotected r(SP) s ` protected r′(SP)
p, r,m, s ` setStack↘ p′, r′,m′
(Stack-in-to-out)
s ` exitJump(p, p′)
m′ = m[SPsec 7→ r(SP)] r′ = r[SP 7→ m(SPext)]
s ` protected r(SP) s ` unprotected r′(SP)
p, r,m, s ` setStack↘ p′, r′,m′
(Stack-no-change-i)
s ` intJump(p, p′) s ` protected r(SP)
p, r,m, s ` setStack↘ p′, r,m
(Stack-no-change-e)
s ` extJump(p, p′) s ` unprotected r(SP)
p, r,m, s ` setStack↘ p′, r,m
Figure 4. Stack switch enforcement rules.
dresses p and p′, the stack switch rules produce a new register file
r′ and a new memory m′ based on old ones r and m. The memory
is updated to store the top of the current stack, located in SP, in the
address storing the top of the current stack: SPsec or SPext. When
the stack is changed, the register file is updated to initialise SP to
the top of the right stack: the address stored at SPsec or SPext.
The operational semantics is a small step semantics that de-
scribes how each instruction of the language transforms an execu-
tion state into a new one. Thus, the operational semantics handles
programs in the whole memory: both the protected and unprotected
partitions.
DEFINITION 1 (Execution state). An execution state, denoted as
Ω, is a quintuple Ω = (p, r, f,m, s), where p is a program counter,
r is a register file, f is a flags register, m is a memory and s is a
memory descriptor.
Given Ω = (p, r, f,m, s), let bΩc be the state (p, r, f, msec(m, s), s)
and dΩe be the state (p, r, f, mext(m, s), s). Relations →i ⊆
bΩc×bΩc and→e ⊆ dΩe×dΩe describe the evaluation of instruc-
tions that only affect the protected and unprotected parts of mem-
ory respectively. Fig. 5 presents the rules for →i , rules for →e are
obtained by replacing an intJump assumption with an extJump
one. Let m(p) = inst denote that inst is the word allocated in
m(p), where inst ∈ I. Note that the program counter is set to−1
whenever the halt instruction is encountered, in order to capture
termination. This way, no progress can be made, as m(−1) does
not return a valid instruction: the program is in a stuck state.
DEFINITION 2 (Stuck state). A state Ω = (p, r, f,m, s) is stuck,
denoted as Ω⊥, when the program counter does not point to a valid
instruction: m(p) /∈ I.
The operational semantics of the language is a binary relation
over states → ⊆ Ω × Ω defined by the rules of Fig. 6. Rules
(Eval-protected)
bΩc →i bΩ′c
Ω→ Ω′
(Eval-unprotected)
dΩe →e dΩ′e
Ω→ Ω′
(Eval-movs-out)
m(p) = (movs rd rs) s ` intJump(p, p+ 1)
s ` writeAllowed(p, r(rd)) s ` unprotected(r(rd))
m′ = m[r(rd) 7→ r(rs)] r(rs) ∈ V
(p, r, f,m, s)→ (p+ 1, r, f,m′, s)
(Eval-callback)
m(p) = (call rd) p
′ = m(r(rd)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP) + 1] m′ = m[r(SP) 7→ p+ 1]
p, r′,m′, s ` setStack↘ p′, r′′,m′′
r′′′ = r′′[SP 7→ r′′(SP) + 1] m′′′ = m′′[r′′′(SP) 7→ Arb]
(p, r, f,m, s)→ (p′, r′′′, f,m′′′, s)
(Eval-call)
m(p) = (call rd) p
′ = m(r(rd)) s ` entryJump(p, p′)
p, r,m, s ` setStack↘ p′, r′,m′
r′′ = r′[SP 7→ r′(SP) + 1] m′′ = m′[r′′(SP) 7→ p+ 1]
(p, r, f,m, s)→ (p′, r′′, f,m′′, s)
(Eval-returnback)
m(p) = (ret) p′ = m(r(SP)) = Arb s ` entryJump(p, p′)
r′ = r[SP 7→ r(SP)− 1] p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→ (p′, r′′, f,m′, s)
(Eval-return)
m(p) = (ret) p′ = m(r(SP)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP)− 1] p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→ (p′, r′′, f,m′, s)
Figure 6. Operational semantics of whole programs. Arb is the
address of the returnback entry point.
Eval-callback and Eval-returnback ensure that the address to be
followed after a callback is stored in the secure stack and that
the address returnback entry point Arb is pushed on the insecure
stack. Thus the unprotected code always jumps to the returnback
entry point when returning from a callback. Code located at the
returnback entry point must contain a ret instruction in order to
correctly resume the execution. Rule Eval-movs-out ensures that
the values that protected programs write in unprotected memory
are not instructions.
The transitive closure of relation → is indicated with →∗. A
state Ω performing n reduction steps is indicated as Ω→n Ω′. The
evaluation of program P is a sequence of steps that takes the initial
state of P to another state.
DEFINITION 3 (Initial state). The initial state of a program (m, s),
denoted as Ω0(m, s), is the state (p0, r0, f0,m, s), where s =
(ab, nc, nd, n), p0 = (ab + nc + nd + 2), r0 = [SP 7→
m(SPext); ri 7→ 0 i=0..11], and f0 = [ZF 7→ 0;SF 7→ 0].
The evaluation of P terminates if Ω0(P )→∗ Ω⊥; the result of the
computation is stored in r0. If the evaluation of program P does
not terminate, P diverges. A program P diverges, denoted as P⇑,
if it executes an unbounded number of reduction steps. Formally:
P⇑ if ∀n ∈ N,∃Ω′. Ω0(P )→n Ω′.
3.3 Contextual Equivalence
Contextual equivalence relates two programs that cannot be dis-
tinguished by any third program interacting with them [16]. This
notion relies on the concept of contexts, which is introduced before
presenting the equivalence itself.
4 2013/11/23
(Eval-movl)
m(p) = (movl rd rs)
s ` intJump(p, p+ 1)
s ` readAllowed(p, r(rs))
r′ = r[rd 7→ m(r(rs))]
(p, r, f,m, s)→i (p+ 1, r′, f,m, s)
(Eval-movs)
m(p) = (movs rd rs)
s ` intJump(p, p+ 1)
s ` writeAllowed(p, r(rd))
m′ = m[r(rd) 7→ r(rs)]
(p, r, f,m, s)→i (p+ 1, r, f,m′, s)
(Eval-movi)
m(p) = (movi rd i)
s ` intJump(p, p+ 1)
r′ = r[rd 7→ i]
(p, r, f,m, s)→i (p+ 1, r′, f,m, s)
(Eval-compare)
m(p) = (cmp r1 r2)
s ` intJump(p, p+ 1)
f ′ = f [ZF 7→ (r1 == r2);
SF 7→ (r1 < r2)]
(p, r, f,m, s)→i (p+ 1, r, f ′,m, s)
(Eval-add)
m(p) = (add rd rs)
s ` intJump(p, p+ 1)
v = (r(rd) + r(rs))%2
` r′ = r[rd 7→ v]
f ′ = f [ZF 7→ (v == 0)]
(p, r, f,m, s)→i (p+ 1, r′, f ′,m, s)
(Eval-sub)
m(p) = (sub rd rs)
s ` intJump(p, p+ 1)
v = (r(rd)− r(rs))%2` r′ = r[rd 7→ v]
f ′ = f [ZF 7→ (v == 0);
SF 7→ (r(rd)− r(rs) < 0)]
(p, r, f,m, s)→i (p+ 1, r′, f ′,m, s)
(Eval-function-call)
m(p) = (call rd) p
′ = r(rd)
s ` intJump(p, p′)
p, r,m, s ` setStack↘ p′, r′,m′
r′′ = r′[SP 7→ r(SP) + 1]
m′′ = m′[r′′(SP) 7→ p+ 1]
(p, r, f,m, s)→i (p′, r′′, f,m′′, s)
(Eval-function-ret)
m(p) = (ret) p′ = r(SP)
s ` intJump(p, p′)
r′ = r[SP 7→ r(SP)− 1]
p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→i (p′, r′′, f,m′, s)
(Eval-je-true)
m(p) = (je ri) f(ZF) == 1
p′ = r(ri) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-jl-true)
m(p) = (jl ri) f(SF) == 1
p′ = r(ri) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-je-false)
m(p) = (je ri) f(ZF) == 0
s ` intJump(p, p+ 1)
(p, r, f,m, s)→i (p+ 1, r, f,m, s)
(Eval-jl-false)
m(p) = (jl ri) f(SF) == 0
s ` intJump(p, p+ 1)
(p, r, f,m, s)→i (p+ 1, r, f,m, s)
(Eval-jump)
m(p) = (jmp rd) p
′ = r(rd) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-halt)
m(p) = (halt)
(p, r, f,m, s)→i (−1, r, f,m, s)
Figure 5. Operational semantics of instructions in the protected memory partition.
Since we consider programs P that are placed in protected
memory and interact with arbitrary unprotected code, contexts
model that unprotected code. Thus for any descriptor s, contextsM
are partial memories with a hole: M = m[·], where all addresses
of M are unprotected. Formally, given s, ∀a ∈ dom(M), s `
unprotected(a). The hole models the possibility to combine a
program P with the memory M iff they are compatible, denoted
as P _M, thus if the memories of P and M have disjoint do-
mains. Let dom(M) = dom(m) if M = m[·]; formally, P _M
if P = (m′, s) and dom(m′) ∩ dom(M) = ∅. If P and M
are compatible, the hole of M can be filled with P in order to
model interaction between P and M. Formally, if P _M then
M[(m′, s)] = (m′ +m, s).
Programs P1 and P2 are contextually equivalent, denoted as
P1 ' P2, when, for all contexts they interact with, P1 diverges
if and only if P2 also diverges.
DEFINITION 4 (Contextual equivalence). P1 ' P2 if ∀M. P1_M
∧M[P1]⇑ ⇐⇒ P2_M ∧ M[P2]⇑.
An implication of this definition is that for P1 and P2 to be con-
textually equivalent they must have the same memory descriptor.
For the sake of simplicity we will always assume the compatibility
of a program and the context it is plugged in, shortening the above
definition to: P1 ' P2 if ∀M. M[P1]⇑ ⇐⇒ M[P2]⇑.
EXAMPLE 2 (Contextually equivalent programs). The following
PL and PR write the values of r1 and r2 respectively at the pro-
tected address 150 (line 2) and then return 0 (line 3). Recall that
the protected memory partition spans from address 100 to 200, with
one entry point at address 100.
1 100 movi r0 150
2 101 movs r0 r1
3 102 movi r0 0
4 103 ret
1 100 movi r0 150
2 101 movs r0 r2
3 102 movi r0 0
4 103 ret
The only difference between PL and PR is in the value stored
at address 150. However, an unprotected program cannot read that
value. Since that value does not affect the computation of PL or PR
or the unprotected code, PL and PR are contextually equivalent.
Having defined the assembly language and its operational se-
mantics, the paper introduces the two different trace semantics.
Trace equivalence is also introduced, it will be proven the same
as contextual equivalence in Section 5.
4. Trace Semantics
This section gives two different trace semantics for protected pro-
grams. The differences stem from the different ways to achieve full
abstraction pointed out by Curien [3]. The first,TrL, possesses more
expressive labels, while the second,TrS, relies on changes to the se-
mantics of programs. Both are proven to be fully abstract w.r.t. the
appropriate operational semantics in Section 5. Finally, this section
defines when two programs are trace equivalent.
As for the operational semantics, a notion of execution states is
required for the trace semantics as well. Execution states for TrL
and TrS, denoted as Θ, are the same as Ω except that Θ do not deal
with the whole memory but just with its protected partition. So, the
memory m of (p, r, f,m, s) spans only the protected memory par-
tition indicated by s. Additionally, Θ can be (unknown,m, s), an
unknown state that models when code is executing in unprotected
memory [8].
5 2013/11/23
DEFINITION 5 (Initial state for traces). The initial state for traces
of a program (m, s), denoted as Θ0(m, s), is the state (unknown,m, s).
4.1 TrL: Expressive Labels
Below are the labels exhibited by the TrL traces semantics.
Λ ::= α | τi α ::= √ | γ? | δ!
γ ::= (r; f)call a | (r; f)ret a δ ::= write(a, v).δ | γ
A label Λ can be either an observable action α or a non-observable
action τi. Action τi indicates the unobservable action occurred in
protected memory. Observable actions include a tick
√
indicating
that the evaluation has terminated. Additionally, observable actions
are function calls or returns to a certain address a, combined with
the registers r and flags f . Registers and flags are in the labels as
they convey information on the behaviour of programs. Observable,
!-decorated actions can be prefixed by a number of write-outs of a
value v to address a. They are only !-decorated since the protection
mechanism forbids writes from unprotected to protected memory,
as well as read-outs.
Fig. 7 presents the rules defining the relation Θ α=⇒⇒ Θ′,
which describe when a state Θ generates trace α and results in
state Θ′. The TrL traces of a program P is defined as follows:
TrL(P ) = {α | ∃Θ′.Θ0(P ) α=⇒⇒ Θ′}.
Example 3 below can now explain why protected code cannot
write instructions in unprotected memory.
EXAMPLE 3 (Write-outs are not instructions). In the following ex-
ample, protected programs can write instructions in unprotected
memory. Recall that the protected memory partition spans from ad-
dress 100 to 200, with one entry point at address 100.
The following PL and PR set r0 to 20 and 10 respectively
(line 1), then write the instruction jmp r0 at address 20 and 10
respectively (line 2). Finally, they jump to the instruction they just
wrote (line 3).
1 100 movi r0 20
2 101 movs r0 “jmp r0”
3 102 call r0
1 100 movi r0 10
2 101 movs r0 “jmp r0”
3 102 call r0
When r0 is set to 20 (resp. 10), the instruction jmp r0 written
at address 20 (resp. 10) will diverge. Thus, PL and PR are contex-
tually equivalent, since no context can differentiate between them.
However, PL and PR are trace inequivalent, since the following is
a trace of PL and not of PR.
(· · · )call 100? · write(20, “jmp r0′′).(· · · )call 20!
Since we are interested in programs that do not extend the func-
tionality of code in unprotected memory (and since these programs
are the majority of assembly programs), protected code cannot
write instructions in unprotected memory. Thus the programs of
this example are not valid.
4.2 TrS: Changes to the Semantics
The TrS semantics presents different labels from TrL, which are
driven by changes to the operational semantics of protected pro-
grams. These changes are formalised in Fig. 8; smaller changes to
other rules are omitted. When the program counter jumps between
the protected and the unprotected memory partitions, or vice-versa,
flags are set to 0; in case of a return, all registers but R0 are also
set to 0. Additionally, write-outs are prohibited.
Following are the labels ofTrS; we drop the greek letter notation
and use latin letters in order to immediately differentiate between
TrL and TrS. Flags do not appear in traces because they are always
set to 0, as are all registers but R0 in case of a return. Write-outs
(Trace-internal)
(p, r, f,m, s)→i (p′, r′, f ′,m′, s) s ` intJump(p, p′)
(p, r, f,m, s)
τi−−→→ (p′, r′, f ′,m′, s)
(Trace-internal-tick)
(p, r, f,m, s)→i (p′, r′, f ′,m′, s)
s ` protected(p) (p′, r′, f ′,m′, s)⊥
(p, r, f,m, s)
√
−−→ (p′, r′, f ′,m′, s)
(Trace-writeout-accumulate)
s ` intJump(p, p+ 1) m(p) = (movs rd rs)
s ` unprotected(r(rd)) r(rs) ∈ V
(p+ 1, r, f,m, s)
δ!
==⇒⇒ (p′, r′, f ′,m′, s)
(p, r, f,m, s)
write(r(rd),r(rs)).δ!−−−−−−−−−−−−−→ (p′, r′, f ′,m′, s)
(Trace-writeout-discard)
s ` intJump(p, p+ 1) m(p) = (movs rd rs)
s ` unprotected(r(rd))
(p+ 1, r, f,m, s)
√
==⇒⇒ (p′, r′, f ′,m′, s)
(p, r, f,m, s)
√
−−→ (p′, r′, f ′,m′, s)
(Trace-call)
s ` entryPoint(p)
(unknown,m, s)
(r;f)call p?−−−−−−−−→→ (p, r, f,m, s)
(Trace-returnback)
s ` returnEntryPoint(p)
(unknown,m, s)
(r;f)ret p?−−−−−−−−→→ (p, r, f,m, s)
(Trace-callback)
s ` exitJump(p, p′) m(p) = (call p′)
r′ = r[SP 7→ r(SP) + 1] m′ = m[r(SP) 7→ p+ 1]
(p, r, f,m, s)
(r;f)call p′!−−−−−−−−→→ (unknown,m′, s)
(Trace-return)
p′ = m(SP) s ` exitJump(p, p′) m(p) = (ret)
(p, r, f,m, s)
(r;f)ret p′!−−−−−−−−→→ (unknown,m, s)
(Trace-refl)
Θ

=⇒⇒ Θ
(Trace-tau-i)
Θ
τi−−→→ Θ′
Θ

=⇒⇒ Θ′
(Trace-trans)
Θ
α
=⇒⇒ Θ′′
Θ′′ α
′
==⇒⇒ Θ′
Θ
αα′
===⇒⇒ Θ′
(Trace-action)
Θ
α−−→→ Θ′
Θ
α
=⇒⇒ Θ′
Figure 7. Rules of the TrL trace semantics.
are prohibited, so there are no labels that capture them.
L ::= a | τi a ::= √ | g? | g! g ::= call p (r) | ret p r(r0)
Rules defining the relation Θ a=⇒⇒ Θ′ for TrS are omitted. They
are a subset of the ones defined in Fig. 7, with a slight modification
to the syntax of generated labels. The TrS traces of a program P is
defined as follows: TrS(P ) = {a | ∃Θ. Θ0(P ) a=⇒⇒ Θ}.
4.3 Trace Equivalence
The notion of trace equivalence is presented generically for both
trace semantics under consideration. Use Tr(P ) to indicate the
traces of a program P , be it expressed through TrL or TrS. Two
programs P1 and P2 are trace-equivalent, denoted as P1'T P2, if
their traces are the same and they have the same memory descriptor.
DEFINITION 6 (Trace equivalence). P1'T P2 ifTr(P1) = Tr(P2)
and P1 = (m1, s) and P2 = (m2, s).
Following are two examples of trace equivalent and inequivalent
programs. For the sake of simplicity, we use the TrL semantics and
6 2013/11/23
(Aux-write-1’)
s ` unprotected(p) s ` unprotected(a)
s ` writeAllowed(p, a)
(Stack-out-to-in’)
s ` entryJump(p, p′) m′ = m[SPext 7→ r(SP)]
r′ = r[SP 7→ m(SPsec)] f ′ = [ZF 7→ 0;SF 7→ 0]
s ` unprotected r(SP) s ` protected r′(SP)
p, r, f,m, s ` setStack↘ p′, r′, f ′,m′
(Stack-in-to-out’)
s ` exitJump(p, p′) m′ = m[SPsec 7→ r(SP)]
r′ = r[SP 7→ m(SPext)] f ′ = [ZF 7→ 0;SF 7→ 0]
s ` protected r(SP) s ` unprotected r′(SP)
p, r, f,m, s ` setStack↘ p′, r′, f ′,m′
(Eval-return’)
m(p) = (ret) p′ = m(r(SP)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP)− 1;Ri 7→ 0i=0..11]
p, r′, f,m, s ` setStack↘ p′, r′′, f ′,m′
(p, r, f,m, s)→ (p′, r′′, f ′,m′, s)
Figure 8. Changes to auxiliary functions and to the operational
semantics for TrS.
indicate arbitrary values for registers and flags with notation (r, f)
and an unprotected address with p.
EXAMPLE 4 (Traces of previous examples). The code of Exam-
ple 1 is not trace equivalent; the following trace is generated by
PL but not by PR:
(r; f)call 100? · (. . . , 41; f)ret p! · √
The code of Example 2 is trace equivalent since the trace se-
mantics of both PL and PR is a set whose sequences are concate-
nations of the following trace, each element of the sequence being
parametrised on r and f :
(r; f)call 100? · (r[R0 7→ 0]; f)ret p!
5. Full Abstraction of the Trace Semantics
This section presents the general proof strategy through which both
TrL and TrS are proven to be fully abstract w.r.t. the corresponding
operational semantics and discusses the benefits of full abstraction
of the trace semantics.
A fully abstract trace semantics is both sound and complete
with respect to the operational semantics. Soundness states that the
trace semantics captures all details of the operational semantics.
Thus, for all contexts, two trace equivalent programs cannot be
told apart. The universal quantification over contexts makes this
more difficult to prove. Completeness states that abstractions of
the trace semantics are preserved in the operational semantics.
This is achieved by proving the contrapositive of the completeness
statement. For this, the proof consists of devising an algorithm that
constructs a program, a “witness”, that tells two trace inequivalent
programs apart [2, 7, 15]. Since the language is low-level and
untyped, this is not particularly complicated.
Full abstraction of trace semantics is formally stated as:P1'T P2
⇐⇒ P1 ' P2; its proof is split in two cases, one for each direction
of the co-implication.
THEOREM 1 (Soundness). P1'T P2 ⇒ P1 ' P2.
Call the interface of a state its registers, flags and unprotected
memory. Two states Ω1 and Ω2 have the same interface, denoted
as Ω1 $ Ω2, if they have the same registers, flags and unprotected
memory. Formally, Ω1 $ Ω2 if Ω1 = (p1, r, f,m1, s1) and Ω2 =
(p2, r, f,m2, s2) and mext(m1, s1) = mext(m2, s2). Given Ω =
(p, r, f,m, s), redefine bΩc to be state Θ = (p, r, f, msec(m, s), s)
if s ` protected(p) and (unknown,m, s) otherwise.
The proof of Theorem 1 states that an unprotected program in-
teracting with P1 cannot distinguish it from P2. This is because
both programs offer the same interface to the unprotected pro-
gram. So this proof depends on an interface-preservation lemma
(Lemma 1) which must be proven for each trace semantics since it
depends on the labels of each trace semantics. Lemma 1 enunciates
that two states with the same interface still have the same interface
after they perform the same observable action. Thus unprotected
programs do not see differences, in terms of flags, registers and un-
protected memory, between P1 and P2.
LEMMA 1 (Interface preservation after same observable action).
If Θ1
α
=⇒⇒ α−−→→ Θ′1 and Θ1 = bΩ1c and Ω1 →∗ Ω′1 and
Θ′1 = bΩ′1c and Θ2 α=⇒⇒ α−−→→ Θ′2 and Θ2 = bΩ2c and Ω2 →∗ Ω′2
and Θ′2 = bΩ′2c and Ω1 $ Ω2 then Ω′1 $ Ω′2.
THEOREM 2 (Completeness). P1 ' P2 ⇒ P1'T P2.
Completeness is equivalently stated as: P1'/T P2 ⇒ P1'/ P2.
This is proven by devising an algorithm that takes as input two dif-
ferent traces α1 and α2 and the two programs P1 and P2 generating
them and outputs a program P that interacts with P1 and P2 and is
able to differentiate between them. The two different traces are gen-
erated as follows. Since P1'/T P2, we have that Tr(P1) 6= Tr(P2),
thus there exists a trace α that belongs to either only Tr(P1) or only
Tr(P2). Assume wlog that α ∈ Tr(P1). The trace α can be split
in two parts αs and αd such that α=αsαd, and so that there exists
a trace α′ ∈ Tr(P2) that can be split in two parts αs and α′d such
that α′=αsα′d and αd 6= α′d. Trace α′ always exists, it could be an
empty trace, it could be composed by an empty αs and, possibly,
by an empty α′d. The traces input for the algorithm are α1 = αsαd
and α2 = αsα′d.
Proof Sketch. This sketch shows how to generate P so that it inter-
acts with P1 or P2 and tells them apart. Let div be a simple program
written at some address X: movi r0 X; jmp r0. Differentiation be-
tween P1 and P2 is done by halting in one case and executing div
in the other.
Input traces α1 and α2 are sequences of actions where even-
numbered ones are messages from P to either P1 or P2 and odd-
numbered ones are messages from either P1 or P2 to P . By hy-
pothesis there exists a different action in the traces, that action is
at an odd-numbered index because it is generated by P1 or P2; P
does not change so it generates the same actions. Thus there exists
j for which α1(j) 6= α2(j). Once executed, P replicates actions
from the traces until the jth, then it performs the differentiation.
Even-numbered actions in α1 and α2 are the same until the
jth one. They are function calls or returns implemented in P .
To replicate them, P sets flags and registers as in the action and
then performs a call to the right address or a return. This code
is placed at the current code location, which is either the initial
address p0 or the address indicated by a callback from P1 or P2.
Odd-numbered actions are carried out in P1 or P2. If these
actions are the same, then no code is added to P . If they are
different, the differentiating code stated above is placed at the
current code location. If both actions are callbacks, the current code
location is updated to the address mentioned in the callback. 2
This general proof strategy is presented for both Theorem 1 and
Theorem 2. The generalised approach is tailored to each semantics
only in the relatively simple proof of Lemma 1. Since Theorem 1
and 2 hold for both TrL and TrS, both semantics are fully abstract
w.r.t. the corresponding operational semantics.
7 2013/11/23
5.1 Benefits of Fully Abstract Trace Semantics
Let us now highlight two of the benefits of fully abstract trace
semantics.
Without the trace semantics, the capabilities of an attacker to-
wards protected code are expressed as sequences of instructions,
which can be difficult to reason about. With the trace semantics,
the capabilities of that attacker are captured via the simple notion
of traces. The full abstraction property ensures that traces express
precisely all the capabilities of an attacker, without leaving any out.
The second benefit is in the field of secure compilation. Given
two programs C1 and C2 in a language and indicate their compila-
tion to an assembly language with C↓1 and C
↓
2 respectively. Prov-
ing the compilation scheme secure is formally stated as C1 ' C2
⇐⇒ C↓1 ' C↓2 [1]. The more complex direction of this proof is
C1 ' C2 ⇒ C↓1 ' C↓2 , but it can be simplified by adopting a fully
abstract trace semantics for the assembly language. That proof is
simpler in this way than by adopting the notion of contextual equiv-
alence and performing induction on all possible low-level contexts.
The complex direction becomes C1 ' C2 ⇒ C↓1 'T C↓2 , whose
contrapositive isC↓1 '/T C↓2 ⇒ C1'/ C2. This can be proven simi-
larly to Theorem 2, as Agten et al. [2] and Patrignani et al. [15] did.
Both implicitly use the second trace semantics where the compiler
adds code that enforces the changes to the operational semantics.
6. Related Work
Full abstraction has been largely studied as a way to state the cor-
rectness of a denotational semantics with respect to an operational
one [16]. This technique has been adopted for different program-
ming languages paradigms, such as the λ-calculus [12] and the pi-
calculus [6]. For example, Ghica and Tzevelekos [5] provided a
fully abstract the trace semantics, with regards to a game opera-
tional semantics, of a C-like language that, unlike this work, does
not present a protection mechanism.
Fine grained, program counter-based memory access control
mechanisms have been implemented in several software [10, 18–
20] and hardware forms [4, 14] and recently by Intel in the
SGX processor [11]. From the theoretical point of view, assem-
bly languages extended with these protection mechanisms have
been recently studied as target languages for secure compilation
schemes [2, 15]. The language and trace semantics of this paper
are inspired by those works. Besides elaborating on details of their
formalisation, this work provides the first proof of full abstraction
of the trace semantics.
A different research area studies logics for assembly languages:
Hoare logics [17] or separation logics [9]. Jensen et al. [9] present
a summary of the most recent advances in the latter. That research
area focusses on providing reasoning facilities for assembly code,
while this paper focusses on reasoning on the security of assembly
code.
A different protection mechanism that could be employed at the
assembly level is a typed assembly language [13]. To the best of
the authors’ knowledge, no fully abstract trace semantics has been
provided for such languages.
7. Conclusion and Future Work
This paper studied the characterisation of the behaviour of isolated
programs. To this extent, it formalised an assembly language ex-
tended with a fine grained, program counter-based memory access
control mechanism. Then, it provided two different trace semantics
for that language and a general proof strategy where both seman-
tics are proven to be fully abstract. These semantics model the ca-
pabilities of attackers that inject malicious assembly code and they
simplify proving secure compilation to the assembly language.
Providing a fully abstract trace semantics for a machine with
multiple instances of an isolation mechanism or with multiple cores
seem natural extensions to this work. The latter seems crucial in
order to provide a secure compiler for concurrent programs to
machines using the protection mechanism presented.
Acknowledgements. The authors would like to thank Tarmo Uustalu
and the anonymous reviewers for useful feedback on an earlier draft.
References
[1] Martín Abadi. Protection in programming-language translations. In
Secure Internet programming, pages 19–34. Springer-Verlag, 1999.
[2] Pieter Agten, Raoul Strackx, Bart Jacobs, and Frank Piessens. Secure
compilation to modern processors. In CSF ’12, pages 171 – 185. IEEE,
2012.
[3] Pierre-Louis Curien. Definability and full abstraction. Electron. Notes
Theor. Comput. Sci., 172:301–310, April 2007.
[4] Karim Eldefrawy, Aurélien Francillon, Daniele Perito, and Gene
Tsudik. SMART: Secure and Minimal Architecture for (Establishing
a Dynamic) Root of Trust. In NDSS’12, 2012.
[5] Dan R. Ghica and Nikos Tzevelekos. A system-level game semantics.
Electr. Notes Theor. Comput. Sci., 286:191–211, 2012.
[6] Alan Jeffrey and Julian Rathke. Full abstraction for polymorphic pi-
calculus. In FOSSACS’05, pages 266–281. Springer-Verlag, 2005.
[7] Alan Jeffrey and Julian Rathke. A fully abstract may testing semantics
for concurrent objects. Theor. Comput. Sci., 338(1-3):17–63, 2005.
[8] Alan Jeffrey and Julian Rathke. Java Jr.: fully abstract trace semantics
for a core java language. In ESOP’05, pages 423–438. Springer-
Verlag, 2005.
[9] Jonas B. Jensen, Nick Benton, and Andrew Kennedy. High-level
separation logic for low-level code. SIGPLAN Not., 48(1):301–314,
January 2013.
[10] Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K.
Reiter, and Hiroshi Isozaki. Flicker: an execution infrastructure for
TCB minimization. SIGOPS Oper. Syst. Rev., 42(4):315–328, 2008.
[11] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas,
Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. In-
novative instructions and software model for isolated execution. In
HASP ’13, pages 10:1–10:1, New York, NY, USA, 2013. ACM.
[12] Robin Milner. Fully abstract models of typed lambda-calculi. Theor.
Comput. Sci., 4(1):1–22, 1977.
[13] Greg Morrisett, David Walker, Karl Crary, and Neal Glew. From
system F to typed assembly language. ACM Trans. Program. Lang.
Syst., 21(3):527–568, May 1999.
[14] Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, An-
thony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Ver-
bauwhede, and Frank Piessens. Sancus: Low-cost trustworthy extensi-
ble networked devices with a zero-software Trusted Computing Base.
In Proceedings of the 22nd USENIX conference on Security sympo-
sium. USENIX Association, 2013.
[15] Marco Patrignani, Dave Clarke, and Frank Piessens. Secure Compi-
lation of Object-Oriented Components to Protected Module Architec-
tures. In (APLAS’13), volume 8301 of LNCS, pages 176–191, 2013.
[16] Gordon D. Plotkin. LCF considered as a programming language.
Theoretical Computer Science, 5:223–255, 1977.
[17] Ando Saabas and Tarmo Uustalu. A compositional natural semantics
and Hoare logic for low-level languages. Electr. Notes Theor. Comput.
Sci., 156:151–168, 2006.
[18] Lenin Singaravelu, Calton Pu, Hermann Härtig, and Christian Hel-
muth. Reducing TCB complexity for security-sensitive applications:
three case studies. SIGOPS Oper. Syst. Rev., 40(4):161–174, 2006.
[19] Raoul Strackx and Frank Piessens. Fides: Selectively hardening
software application components against kernel-level or process-level
malware. In CCS 2012, pages 2–13. ACM Press, October 2012.
8 2013/11/23
[20] Raoul Strackx, Frank Piessens, and Bart Preneel. Efficient isolation
of trusted subsystems in embedded systems. In SecureComm, pages
344–361, 2010.
9 2013/11/23
A. Algorithm description
Let us now give a description of the algorithm mentioned for
Theorem 2.
We drop the differentiation via div and halt and introduce
differentiation via different values (1 and 2 respectively) stored
in r0, followed by halt. The two techniques are equivalent, the
second one leads to an more easily implementable algorithm.
Moreover we assume that there is always enough memory to
write the algorithm.
In the output code P , there must be four functions in order to set
the flags to the right combinations. These function are of the form:
• store r1 and r2 in memory;
• set r1 and r2 to the right values that set the flag in the wanted
combination (e.g, for SF=0; ZF=1, set r1=1 and r2=1);
• execute cmp r1 r2;
• restore r1 and r2 to the corresponding previous values;
• ret.
The algorithm keeps track of where to write instructions in P
with a stack: the current address stack c. Initially, the top of c is set
to p0.
The algorithm scans the traces a1 and a2. By construction, each
even-numbered label is !-decorated; each odd-numbered label is
?-decorated. The algorithm is split in two subroutines based on
what kind of actions it is examining. Each subroutine analyses one
action from each trace and then calls the other subroutine on the
following actions until the differentiation is achieved; in that case
the algorithm terminates.
?-decorated actions. These actions are generated by the unpro-
tected code. The algorithm must output P such that P gener-
ates those traces. Thus, at location c, the algorithm writes code
depending on what action is being considered.
(r; f)call p? Firstly, the algorithm writes a call to the func-
tion that sets the flags to f . Then the top of c is incremented
by 1. Then, all twelve registers are set to the values of r,
thus for all i = 0..11, the following instruction is written:
movi ri ri. Eventually, if the value to be written in a register
is larger than the constant allowed by movi, an add instruc-
tion is used. Then the top of c is incremented by 12. Then
based on which register contains the value p that is where
the call is directed, instruction call rp is written. Then the
top of c is incremented by 1.
(r; f)ret? Firstly, the algorithm writes a call to the function
that sets the flags to f . Then the top of c is incremented
by 1. Then, all twelve registers are set to the values of r,
thus for all i = 0..11, the following instruction is written:
movi ri ri. Then the top of c is incremented by 12. Then
instruction ret is written. Then the top of c is incremented
by 1.
!-decorated actions. These actions are generated by protected
code. If the labels are the same, then no code is added to P .
callbacks. If both actions are of the form (r; f)call p?, then
p is pushed on top of the stack c.
returns. If both actions are of the form (r; f)ret?, then the top
of the stack c is popped.
writeouts. The algorithm adds no code to P .
If the labels are different, then the algorithm writes the differ-
entiating code at address c in P . Differences in the labels can
be of the following type:
different length. Thus one label is
√
and the other one is
α 6= √. In this case, given that α is generated by program
Pi, the algorithm writes movi r0 i and halt at the address
indicated by c.
different actions. Assume wlog that α1 = (r; f)ret! and
α2 = (r; f)call 10!. Then the algorithm writes instruc-
tions movi r0 1; halt at c and instructions movi r0 2; halt
at address 10.
Assume wlog that α1 = write(a, v).δ! and α2 = δ!. Then,
before the code written in P for δ!, the following code is
written to P : movi r0 a; movi r1 u; movs r0 r1, where u
is a different value from v. At address 20, the algorithm
writes the instructions for the following pseudo-code: read
the value of a, subtract v, if the result is 0, then movi r0 1;
halt, otherwise movi r0 2; halt.
different values in the same action. Assume wlog that α1 =
(r; 0, 1)ret! and α2 = (r; 0, 0)ret!. Then the differenti-
ating code is the following: perform a jump (via jl in this
case) to an address a in case the flag is 1. At address a, in-
structions movi r0 1; halt are written. Right after the jump,
instructions movi r0 2; halt are written.
Assume wlog thatα1 = (1, . . . ; f)ret! andα2 = (2, . . . ; f)ret!.
Then the differentiating code is the following: movi r1 1;
sub r0 r1. Now the problem is reduced to different values
in flags, so the previous approach can be used.
Assume wlog that α1 = (r; f)call 10! and α2 =
(r; f)call 20!. Then the algorithm writes instructions
movi r0 1; halt at address 10 and instructions movi r0 2;
halt at address 20.
Assume wlog that α1 = write(a1, v1).δ! and α2 =
write(a2, v2).δ!. The same procedure stated in the last
paragraph for the previous point is applied.
B. Proofs
We overload the hole-filling notation and allow a hole to be filled by
a state Ω = (p, r, f,m, s) as follows:M[Ω] = (p, r, f,m+m′, s),
if (m, s)_M.
Proof. Proof of Theorem 1.
By Definition 4 the thesis P1 ' P2 becomes ∀M.M[P1]⇑ ⇐⇒
M[P2]⇑.
The proof is split in two cases, one for each side of the co-
implication.
1. ⇒
The thesis is ∀M.M[P1]⇑ ⇒M[P2]⇑.
As seen in Section 3.3 the thesis is ∀M.M[Ω0(P1)]⇑ ⇒M[Ω0(P2)]⇑.
Let Ω1 = M[Ω0(P1)] and Ω2 = M[Ω0(P2)].
The thesis is ∀M. ∀n ∈ N. Ω1 →n Ω′1⇒∀m ∈ N. Ω2 →m
Ω′2.
The proof proceeds by induction on m.
Base case: m = 0. Straightforward: Ω2 →0 Ω2.
Inductive case: m = h+ 1. The thesis is: Ω2 →h+1 Ω′2. The
inductive hypothesis (IH) is: ∀M. ∀n ∈ N.M[Ω0(P1)]→n
Ω′1⇒M[Ω0(P2)]→h Ωh2 .
By IH we have that: ∃Ω1.M[Ω0(P1)]→h Ωh1 →n−h Ω′1.
Let Ωh1 = (p1, . . .) and Ωh2 = (p2, . . .).
There are two cases based on p1 and p2 and on the last
executed action.
The last executed action is an actionα such that:M[bΩ0(P1)c]
αα
==⇒⇒ bΩa1c and ∃k ∈ N. Ωa1 →k Ωh1 .
10 2013/11/23
By hypothesis P1'T P2, M[bΩ0(P2)c] αα==⇒⇒ bΩa2c and
∃k ∈ N. Ωa2 →k Ωh2 .
(a) s1 ` protected(p1) and s2 ` protected(p2) and
α = γ?.
There are two cases: ∃α. bΩh1c α=⇒⇒ bΩh
′
1 c or @α. bΩh1c α=⇒
⇒ bΩh′1 c.
i. ∃α. bΩh1c α=⇒⇒ bΩh
′
1 c.
By hypothesis P1'T P2, bΩh2c α=⇒⇒ bΩh
′
2 c.
This, in conjunction with IH, implies the thesis
Ω2 →h+1 Ω′2.
ii. @α. bΩh1c α=⇒⇒ bΩh
′
1 c.
There are two cases: either bΩh1c
√
==⇒⇒ bΩh′1 c or
bΩh1c
√
==⇒/⇒ bΩh′1 c.
A. bΩh1c
√
==⇒⇒ bΩh′1 c.
This case cannot happen as it contradicts the as-
sumption ∀n ∈ N.M[Ω0(P1)]→n Ω′1.
B. bΩh1c
√
==⇒/⇒ bΩh′1 c.
Let Ωh1 = (p1, r1, f1,m + m1, s1) and Ωh2 =
(p2, r2, f2,m+m2, s2).
By hypothesis P1'T P2, bΩh2c
√
==⇒/⇒ bΩh′2 c.
By inspecting rules for generating τ in traces (the
only possible rule that applies in this case), we have
that m1(p1) = i1 ∈ I and m2(p2) = i2 ∈ I.
The thesis holds because Ω2 →h Ωh2 i2−−→ Ω′2.
(b) s1 ` unprotected(p1) and s2 ` unprotected(p2)
and α = γ! or there was no α.
By IH ∃l ≤ h. M[Ω0(P1)] →l Ωl1 and bΩ0(P1)c
αα
==⇒⇒ bΩl1c.
By hypothesis P1'T P2, ∃l ≤ h.M[Ω0(P2)]→l Ωl2.
Additionally, bΩ0(P2)c αα==⇒⇒ bΩl2c.
By Lemma 1, Ωl1 = (pl, rl, f l,Ml +m1, s1) and Ωl2 =
(pl, rl, f l,Ml +m2, s2).
Additionally, Ωl1 →h−l Ωh1 and Ωl2 →h−l Ωh2 .
Since Ml is the same for both P1 and P2, the (h − l)-
steps they perform in unprotected memory are the same
for Ωl1 and Ωl2.
Thus Ωh1 = (ph, rh, fh,Mh + m1, s1) and Ωh2 =
(ph, rh, fh,Mh +m2, s2).
As stated in Section 3.3 p ∈ dom(Mh) implies that
s1 ` unprotected(ph) and s2 ` unprotected(ph).
By hypothesis ∀n ∈ N. M[Ω0(P1)] →n Ω′1: we have
that Ωh1
i−→ Ω′1 and thatMh(ph) ∼= i ∈ I.
This implies the thesis: Ω2 →h+1 Ω′2 since Ω2 →h
Ωh2
i−→ Ω′2.
2. ⇐ As in case 1, mutatis mutandis.
2
Proof. Proof of Lemma 1 for TrL (Implies the proof the same
lemma for TrS).
Straightforward induction on α that leads to a case analysis on
α.
√
. Straightforward: the thesis is Ω1 $ Ω2, which is among the
hypotheses.
?-decorated actions. These actions are done in the same unpro-
tected memory. Moreover they are generated by the same in-
structions (even if they can be at different addresses): call for
a label of the form (r, f)call p? and ret for a label of the form
(r, f)ret?. Neither of those instructions touch the memory, and
they only modify registers and flags in the same way.
Thus, also in this case, the thesis Ω′1 $ Ω′2 holds.
!-decorated actions. These are the subcases for this one, one for
each kind of label that can be !-decorated.
(r; f)call p! This label is generated by a call instruction
which, in a single step, does not change registers (besides
SP) nor flags, nor unprotected memory. As the value of SP
is captured in r, and r is the same for both Ω1 and Ω2, the
interface does not change. Thus, the thesis Ω′1 $ Ω′2 holds.
(r; f)ret p! This label is generated by a ret instruction which,
in a single step, does not change registers (besides SP) nor
flags, nor unprotected memory. The same considerations
made for SP before hold here, thus the thesis Ω′1 $ Ω′2
holds.
Additionally those labels can be preceded by an arbitrary num-
ber of write(a, v)!. This prefix is generated by a movs instruc-
tion which, in a single step, does not change registers nor flags.
Address a is unprotected, so the unprotected memory is changed
but in the same way. Thus, these prefixes do not affect the the-
sis, which holds.
τ actions Unobservable actions can be generated in protected
memory: τi.
Changes to registers and flags made by those actions are cap-
tured in the following, observable action α. Since α is the same
for both Θ1 and Θ2, registers and flag are changed in the same
way.
Changes to unprotected memory that are done by the protected
code are captured by α, thus the protected memory is changed
in the same way.
The proof of Lemma 1 for TrS is a subset of the proof for TrL
since the labels of TrS are a subset of the labels of TrL.
2
11 2013/11/23
