Fully abstract trace semantics of low-level isolation mechanisms by Patrignani, Marco & Clarke, Dave
Fully Abstract Trace Semantics
for Low-level Isolation Mechanisms
Marco Patrignani
∗
Dave Clarke
iMinds-DistriNet, Dept. Computer Science, KU Leuven
{first.last}@cs.kuleuven.be
ABSTRACT
Many software systems adopt isolation mechanisms of mod-
ern processors as software security building blocks. Rea-
soning about these building blocks means reasoning about
elaborate assembly code, which can be very complex due to
the loose structure of the code. A way to overcome this com-
plexity is giving the code a more structured semantics. This
paper presents one such semantics, namely a fully abstract
trace semantics, for an assembly language enhanced with
protection mechanisms of modern processors. The trace se-
mantics represents the behaviour of protected assembly code
with simple abstractions, unburdened by low-level details, at
the maximum degree of precision. Additionally, it captures
the capabilities of attackers to protected software and sim-
plifies providing a secure compiler targeting that language.
Categories and Subject Descriptors
D.2.4 [Software/Program Verification]: Formal models
1. INTRODUCTION
Many processors provide isolation mechanisms as software
security building blocks. These are used to withstand low-
level attackers who, through injected assembly code, can
read the whole memory space and access secrets in memory,
violate integrity constraints and so on. With isolation mech-
anisms, attackers cannot directly violate security properties
of isolated software since the isolated memory is not acces-
sible to them. Examples of these protection mechanisms are
fine grained, program counter-based memory access control
mechanism [4, 8, 9, 12, 17, 18, 19], which enforce security
properties at process or lower levels (Ring-1). With this
mechanism, the software to be secured is placed in a pro-
tected memory partition that shields it from the surround-
ing, potentially malicious code. The malicious code cannot
read nor write the protected memory; it can only jump to
specific addresses in protected memory to call functions of
∗Marco Patrignani holds a Ph.D. fellowship from the Re-
search Foundation Flanders (FWO).
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
SAC’14 March , Gyeongju, Korea
Copyright 2014 ACM 978-1-4503-1656-9/13/03 ...$15.00.
the protected code. This protection mechanism makes soft-
ware more resilient against low-level attackers. However,
this does not prevent an attacker from interacting with the
protected code and violating security properties.
To enable reasoning about the behaviour of isolated soft-
ware, this paper firstly introduces an assembly language en-
hanced with a fine grained, program counter-based memory
access control. This protection mechanism was chosen due
to its application in secure compilation [2, 14] and to its re-
cent industrial implementation: the Intel SGX [9]. Then,
this paper explores the design space of trace semantics and
presents two different fully abstract [15] trace semantics for
the protected assembly code. The paper provides a general
proof strategy where full abstraction of the trace semantics
can be proven simply. To the best of the authors’ knowl-
edge, this is the first such result for an assembly language
extended with the said protection mechanism. Moreover,
the results seem applicable to other isolation mechanisms.
The fully abstract trace semantics provides a number of
benefits. Trace semantics uses simple abstractions to repre-
sent the behaviour of protected assembly code, unburdened
by low-level details, at the maximum degree of precision.
So, dually, it models the behaviour of an attacker to the
protected code, since it captures precisely the capabilities of
that attacker. Secondly, without the trace semantics, the be-
haviour of protected assembly code (and thus of an attacker)
is given in terms of low-level contexts. While being precise,
low-level contexts are notoriously difficult to reason about,
since they offer no inductive nor coinductive structure. The
fully abstract trace semantics allows low-level contexts to be
disregarded, since low-level contexts and traces are proven
to be equally precise. Finally, the field of secure compilation
benefits from the trace semantics. Recently, Agten et al. [2]
and Patrignani et al. [14] presented secure compilers to as-
sembly code enhanced with the aforementioned protection
mechanism. Both results assume that the assembly language
has a fully abstract trace semantics, thus the results of this
paper strengthen those secure compilation claims.
In summary, the contributions of this paper are:
• the formalisation of an assembly language modelling
an architecture enhanced with a fine grained, program
counter-based memory access control;
• two different trace semantics for that low-level model;
• the proof that both trace semantics are fully abstract
in a general proof strategy.
Limitations of this work are twofold. Firstly, the trace se-
mantics cannot express side-channel attacks. Secondly, the
formalisation does not consider details of the architecture
such as caches; yet this is a often assumed [2, 11, 14, 16].
The paper is organised as follows. Section 2 introduces
background notions for the work. Section 3 formalises syn-
tax and operational semantics of the assembly language.
Section 4 describes two trace semantics for the language.
Section 5 contains the proof of full abstraction of both trace
semantics. Section 6 describes related work. Section 7 dis-
cusses future works and concludes.
2. BACKGROUND NOTIONS
This section describes the memory access control mecha-
nism. Then, it describes a fully abstract trace semantics for
protected assembly code by turning an imprecise represen-
tation of the behaviour of the code into a precise one.
2.1 The Protection Mechanism, Informally
The assembly language is enhanced with an isolation mech-
anism: a fine-grained, program counter-based memory ac-
cess control mechanism [4, 8, 12, 17, 18, 19]. We review
this mechanism from the work of Strackx and Piessens [18].
However, the techniques presented in this paper can be easily
adapted to reasoning about other isolation mechanisms [4,
8, 17]. The protection mechanism provides a secure envi-
ronment for running code that must be protected from the
code it interacts with. This mechanism assumes that the
memory is logically divided into a protected and an unpro-
tected partition. The protected partition is further divided
into a code and a data section. The code section contains a
variable number of entry points: the only addresses to which
instructions in unprotected memory can jump and execute.
The data section is accessible only from the protected par-
tition. For the sake of simplicity, code in protected memory
cannot read the unprotected one; as discussed in Section 2.2
below. Based on the location of the program counter, in-
structions that violate the access control policy are ruled
out. The table below summarises the access control model
enforced by the protection mechanism.
From\ To Protected Unprotected
Entry Point Code Data
Protected r x r x r w w x
Unprotected x r w x
2.2 Devising Fully Abstract Trace Semantics
Following is the notation used in all code examples through-
out this paper. Every instruction in the code is preceded by
the address where it is located. Call the left program PL
and the right one PR. When PL and PR are executed, they
are placed in a protected memory partition spanning from
address 100 to 200, with a single entry point at address 100.
Example 1.
1 100 sub r0 r1
2 101 movi r3 106
3 102 jl r3
4 103 movi r3 10
5 104 movs r3 r4
6 105 call r2
7 106 movi r11 41
8 107 movi r0 0
9 108 ret
1 100 sub r0 r1
2 101 movi r3 106
3 102 jl r3
4 103 movi r3 10
5 104 movs r3 r5
6 105 call r2
7 106 movi r11 42
8 107 movi r0 0
9 108 ret
Both PL and PR assign to r0 the result of r0−r1 (line 1). If
the result of the operation is not less than 0 (line 3), they re-
spectively write the contents of r4 and r5 at the unprotected
address 10 (lines 4,5) and call a function whose address is
stored in r2 (line 6). Otherwise, they assign different values
to r11 (line 7) and return 0 (lines 8,9).
In order to describe the behaviour of the protected code
of Example 1, this paper defines a traces semantics for it.
The trace semantics gives a simple characterisation of the
behaviour of that code as a set of sequences of labels. In
this paper, trace semantics are devised to capture the exe-
cution of a protected program, which is a program allocated
in the protected memory partition. The execution of a pro-
gram is the evaluation of a sequence of instructions; in order
to abstract over instructions, not all of them generate a la-
bel in a trace. Labels are generated only by call and ret
instructions. If they are executed by unprotected code, they
are named calls and returnbacks, if they are executed by
protected code they are named callbacks and returns [2, 14].
Following is the syntax of labels.
L ::= a | τ a ::= g? | g! g ::= call p(v) | ret v
A label L can be an observable action a or a non-observable
action τ . Decorations ? and ! indicate the direction of
the observable action: from unprotected to protected code
(?) or vice-versa (!). Address p is an address in memory, v
is a list of the contents of all registers and v indicates the
contents of register r0.
Informally, a trace semantics is fully abstract when its
labels capture all that is being communicated between the
protected and the unprotected code. The trace semantics
hinted at above is not fully abstract due to a number of
subtleties, as highlighted by the following traces for the code
of Example 1. Omitted details are indicated using . . .; use ·
to separate actions of the same trace.
a1 = call 100(1, 2, . . .)? · ret 0!
a2 = call 100(2, 1, 40, . . .)? · call 40(. . .)!
Traces a1 and a2 are generated by both PL and PR. Trace
a1 does not capture the different value stored in r11 (line
7), which, even if it is not the returned value of the func-
tion, still constitutes an observable difference between PL
and PR. Trace a2 does not capture the different value writ-
ten at address 10 (line 5), which also constitutes a observable
difference between PL and PR. Since a1 and a2 do not cap-
ture the observable differences between PL and PR, the trace
semantics fails to be fully abstract.
As Curien stated [3], two ways to achieve full abstraction
for a trace semantics exist. The first is to modify the labels
so that they capture more precisely what is communicated
between protected and unprotected code. In this case, labels
should capture the values of all registers and what protected
code writes in unprotected memory. The second is to change
the operational semantics, to restrict what is communicated
to what is captured by the labels. This is achieved by re-
stricting the ways in which communication is performed, e.g.
by preventing writeouts. Both approaches are presented in
Section 4; they rely on an assembly language and on its
operational semantics which are formalised in Section 3.
3. LANGUAGE FORMALISATION
This section formalises the syntax, operational semantics
and contextual equivalence of an assembly language.
3.1 Syntax
The language is run on an architecture that models a Von
Neumann machine consisting of a program counter p, a reg-
ister file r, a flags register f and memory space m. The pro-
gram counter indicates the address of the instruction that
is executed. The register file contains 12 general purpose
registers R0 to R11 and a stack pointer register SP, which
contains the address of the top of the current call stack.
The flags register contains a zero flag ZF and a sign flag SF,
which are set or cleared by arithmetic instructions and are
used by branching instructions. For the sake of simplicity,
assume the architecture targeted by the language works with
` bit-long words, where ` is a power of 2. This allows the
formalisation presented to scale to architectures with words
of different sizes.
Words w ::= i ∈ I Memories m ::= ∅
| v ∈ V | m; a 7→ w
Empty word 0 ::= 0` Numbers n ::= n ∈ N
Addresses a ∈ 0..2` − 1 Programs P ::= (m, s)
Values V ::= {v | v = [0 or 1]` ∧ ∀i ∈ I. v 6= i}
Memory descriptors s ::= (ab, nc, nd, n)
Figure 1: Assembly language formalisation.
Fig. 1 presents elements of the formalisation. Words w
are either instructions i or values v. Values v are elements
of the set V, they are sequences of bits 0 or 1 of length ` that
are different from the encoding of instructions. The expla-
nation of why values are encoded in this way is delayed to
Example 3 in Section 4.1. Instructions i are elements of the
set I and define the programming language executed on the
architecture (Fig. 2). The empty word 0 is a sequence of 0’s
movl rd rs Load the word from the memory address in reg-
ister rs into register rd.
movs rd rs Store the contents of register rs at the address
found in register rd.
movi rd k Load the constant value k into register rd. Note
that k < 2`.
add rd rs Write rd + rs mod 2
` into register rd and set the
ZF flag accordingly.
sub rd rs Write rd − rs mod 2` into register rd and set
both the ZF and the SF flags accordingly.
cmp r1 r2 Calculate r1 − r2 and set both the ZF and the
SF flags accordingly.
jmp ri Jump to the address located in register ri.
je ri If the ZF flag is set, jump to the address in reg-
ister ri.
jl ri If the SF flag is set, jump to the address in reg-
ister ri.
call ri Push the value of the program counter +1 onto
the stack and jump to the address in register ri.
ret Pop a value from the stack and jump to the
popped location.
halt Stop the execution with the result in register r0.
Figure 2: Instruction set I.
whose length is based on the architecture being considered.
Addresses a are natural numbers, ranging from 0 to 2` − 1.
Memories m are maps from addresses to words. Memory
access, denoted as m(a), is defined as follows: m(a) = w if
a 7→ w ∈ m; it is undefined otherwise. Define the domain
of a memory as dom(m) = {a | a 7→ w ∈ m}. If two memo-
ries m and m′ have disjoint domains, they can be merged in
another memory. Formally, if dom(m) ∩ dom(m′) = ∅, then
m + m′ = {a 7→ w | a 7→ w ∈ m or a 7→ w ∈ m′}. Memory
descriptors s are quadruples: (ab, nc, nd, n) that formalise
the concepts of Section 2.1: ab is the address where the pro-
tected memory partition starts, nc and nd are the sizes (in
number of addresses) of the code and data section respec-
tively and n is the number of entry points. Entry points
are allocated starting from the base address ab. Each en-
try point is Ne words long. Assume the entry points do
not overflow the protected code section, thus the constraint
n · Ne < nc holds for the all memory descriptors. Programs
P are pairs of a memory m and a memory descriptor s.
3.2 Operational Semantics
Before introducing the semantics, a number of auxiliary
notions are defined.
Fig. 3 defines the access control enforcement rules in-
formally presented in Section 2.1. Read judgments s `
predicate(a, b, · · · ) as: “according to s, predicate holds
for addresses a, b, · · · ”. Assume s ≡ (ab, nc, nd, n).
(Aux-protected)
ab ≤ p < (ab + nc + nd)
s ` protected(p)
(Aux-unprotected1)
p < ab
s ` unprotected(p)
(Aux-unprotected2)
(ab + nc + nd) ≤ p
s ` unprotected(p)
(Aux-returnEntry)
p = ab + (n− 1) · Ne
s ` returnEntryPoint(p)
(Aux-entryPoint)
p = ab +m · Ne
m ∈ N m < n
s ` entryPoint(p)
(Aux-data)
(ab + nc) ≤ p
p < (ab + nc + nd)
s ` data(p)
(Aux-read-1)
s ` protected(p)
s ` protected(a)
s ` readAllowed(p, a)
(Aux-read-2)
s ` unprotected(p)
s ` unprotected(a)
s ` readAllowed(p, a)
(Aux-write-1)
s ` unprotected(a)
s ` writeAllowed(p, a)
(Aux-write-2)
s ` protected(p)
s ` data(a)
s ` writeAllowed(p, a)
(Aux-entry)
s ` unprotected(p)
s ` entryPoint(p′)
s ` entryJump(p, p′)
(Aux-return)
s ` protected(p)
s ` unprotected(p′)
s ` exitJump(p, p′)
(Aux-internal)
s ` protected(p)
s ` protected(p′)
s 0 data(p′)
s ` intJump(p, p′)
(Aux-external)
s ` unprotected(p)
s ` unprotected(p′)
s ` extJump(p, p′)
Figure 3: Access control enforcement rules.
Define functions msec(m, s) and mext(m, s), which return
the protected and unprotected parts of a memory m accord-
ing to the descriptor s, respectively as: msec(m, s) = {a 7→
w | a 7→ w ∈ m, s ` protected(a)} and mext(m, s) = {a 7→
w | a 7→ w ∈ m, s ` unprotected(a)}.
In the semantics there are two call stacks, one for the
protected code, called the secure stack, and one for the un-
protected code, called the insecure stack. Each stack is pre-
ceded by a word containing the location of the current head
of the stack, let SPsec and SPext indicate the address of the
secure and insecure stack respectively. When the current
stack is changed in the semantics, the stack pointer register
SP is initialised to the right address using SPsec and SPext.
Given a memory descriptor s = (ab, nc, nd, n), the secure
stack starts at the beginning of the protected data section
and the insecure stack starts at the end of the protected
memory partition. Thus SPsec = (ab + nc) and, initially,
SPsec 7→ (ab + nc + 1); analogously, SPext = (ab + nc + nd)
and, initially, SPext 7→ (ab + nc + nd + 1). Call and return
instructions are responsible of setting the SP register to the
correct address when crossing boundaries between protected
and unprotected memory. The value of the program counter
is pushed onto the stack by a call instruction (the stack
grows down), while a ret instruction pops one address from
the top of the stack and jumps to that location. Updating
the stack pointer SP is performed by the auxiliary function
setStack (Fig. 4). In the rules, notation m[a 7→ w] indi-
cates that memory m is updated to a new one that is equal
to m except that the value stored at address a is w. Nota-
tion r[R 7→ w] indicates that the register file r is updated
to a new one that is equal to r except that the value stored
in register R is w. Notation r(R) indicates the value con-
tained in register R in register file r. Given a jump between
(Stack-out-to-in)
s ` entryJump(p, p′)
m′ = m[SPext 7→ r(SP)] r′ = r[SP 7→ m(SPsec)]
s ` unprotected r(SP) s ` protected r′(SP)
p, r,m, s ` setStack↘ p′, r′,m′
(Stack-in-to-out)
s ` exitJump(p, p′)
m′ = m[SPsec 7→ r(SP)] r′ = r[SP 7→ m(SPext)]
s ` protected r(SP) s ` unprotected r′(SP)
p, r,m, s ` setStack↘ p′, r′,m′
(Stack-no-change-i)
s ` intJump(p, p′) s ` protected r(SP)
p, r,m, s ` setStack↘ p′, r,m
(Stack-no-change-e)
s ` extJump(p, p′) s ` unprotected r(SP)
p, r,m, s ` setStack↘ p′, r,m
Figure 4: Stack switch enforcement rules.
addresses p and p′, the stack switch rules produce a new reg-
ister file r′ and a new memory m′ based on old ones r and
m. The memory is updated to store the top of the current
stack, located in SP, in the address storing the top of the
current stack: SPsec or SPext. When the stack is changed,
the register file is updated to initialise SP to the top of the
right stack: the address stored at SPsec or SPext.
The operational semantics is a small step semantics that
describes how each instruction of the language transforms
an execution state into a new one. Thus, the operational
semantics handles programs in the whole memory: both the
protected and unprotected partitions.
Definition 1 (Execution state). An execution state,
denoted as Ω, is a quintuple Ω = (p, r, f,m, s), where p is a
program counter, r is a register file, f is a flags register, m
is a memory and s is a memory descriptor.
Given Ω = (p, r, f,m, s), let bΩc be the state (p, r, f, msec(m, s), s)
and dΩe be the state (p, r, f, mext(m, s), s). Relations →i ⊆
bΩc × bΩc and →e ⊆ dΩe × dΩe describe the evaluation of
instructions that only affect the protected and unprotected
parts of memory respectively. Fig. 5 presents the rules for
→i , rules for →e are obtained by replacing an intJump as-
sumption with an extJump one. Let m(p) = inst denote
that inst is the word allocated in m(p), where inst ∈ I.
To capture termination, the program counter is set to −1
whenever the halt instruction is encountered. This way, no
progress can be made, as m(−1) does not return a valid
instruction: the program is in a stuck state.
Definition 2 (Stuck state). A state Ω = (p, r, f,m, s)
is stuck, denoted as Ω⊥, when the program counter does not
point to a valid instruction: m(p) /∈ I.
The operational semantics of the language is a binary re-
lation over states → ⊆ Ω×Ω defined by the rules of Fig. 6.
Rules Eval-callback and Eval-returnback ensure that the ad-
(Eval-protected)
bΩc →i bΩ′c
Ω→ Ω′
(Eval-unprotected)
dΩe →e dΩ′e
Ω→ Ω′
(Eval-movs-out)
m(p) = (movs rd rs) s ` intJump(p, p+ 1)
s ` writeAllowed(p, r(rd)) s ` unprotected(r(rd))
m′ = m[r(rd) 7→ r(rs)] r(rs) ∈ V
(p, r, f,m, s)→ (p+ 1, r, f,m′, s)
(Eval-callback)
m(p) = (call rd) p
′ = m(r(rd)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP) + 1] m′ = m[r(SP) 7→ p+ 1]
p, r′,m′, s ` setStack↘ p′, r′′,m′′
r′′′ = r′′[SP 7→ r′′(SP) + 1] m′′′ = m′′[r′′′(SP) 7→ Arb]
(p, r, f,m, s)→ (p′, r′′′, f,m′′′, s)
(Eval-call)
m(p) = (call rd) p
′ = m(r(rd)) s ` entryJump(p, p′)
p, r,m, s ` setStack↘ p′, r′,m′
r′′ = r′[SP 7→ r′(SP) + 1] m′′ = m′[r′′(SP) 7→ p+ 1]
(p, r, f,m, s)→ (p′, r′′, f,m′′, s)
(Eval-returnback)
m(p) = (ret) p′ = m(r(SP)) = Arb s ` entryJump(p, p′)
r′ = r[SP 7→ r(SP)− 1] p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→ (p′, r′′, f,m′, s)
(Eval-return)
m(p) = (ret) p′ = m(r(SP)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP)− 1] p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→ (p′, r′′, f,m′, s)
Figure 6: Operational semantics of whole programs.
dress to be followed after a callback is stored in the secure
stack and that the address returnback entry point Arb is
pushed on the insecure stack. Thus the unprotected code
always jumps to the returnback entry point when returning
from a callback. Code located at the returnback entry point
must contain a ret instruction in order to correctly resume
the execution. Rule Eval-movs-out ensures that values writ-
ten in unprotected memory are not instructions.
The transitive closure of relation→ is indicated with→∗.
A state Ω performing n reduction steps is indicated as Ω→n
Ω′. The evaluation of program P is a sequence of steps that
takes the initial state of P to another state.
Definition 3 (Initial state). The initial state of a
program (m, s), denoted as Ω0(m, s), is the state (p0, r0, f0,m, s),
where s = (ab, nc, nd, n), p0 = (ab+nc+nd+2), r0 = [SP 7→
m(SPext); ri 7→ 0 i=0..11], and f0 = [ZF 7→ 0;SF 7→ 0].
The evaluation of P terminates if Ω0(P )→∗ Ω⊥; the result
is stored in r0. If the evaluation of program P does not
(Eval-movl)
m(p) = (movl rd rs)
s ` intJump(p, p+ 1)
s ` readAllowed(p, r(rs))
r′ = r[rd 7→ m(r(rs))]
(p, r, f,m, s)→i (p+ 1, r′, f,m, s)
(Eval-movs)
m(p) = (movs rd rs)
s ` intJump(p, p+ 1)
s ` writeAllowed(p, r(rd))
m′ = m[r(rd) 7→ r(rs)]
(p, r, f,m, s)→i (p+ 1, r, f,m′, s)
(Eval-movi)
m(p) = (movi rd i)
s ` intJump(p, p+ 1)
r′ = r[rd 7→ i]
(p, r, f,m, s)→i (p+ 1, r′, f,m, s)
(Eval-compare)
m(p) = (cmp r1 r2) s ` intJump(p, p+ 1)
f ′ = f [ZF 7→ (r1 == r2); SF 7→ (r1 < r2)]
(p, r, f,m, s)→i (p+ 1, r, f ′,m, s)
(Eval-add)
m(p) = (add rd rs) s ` intJump(p, p+ 1)
v = (r(rd) + r(rs))%2
` r′ = r[rd 7→ v] f ′ = f [ZF 7→ (v == 0)]
(p, r, f,m, s)→i (p+ 1, r′, f ′,m, s)
(Eval-sub)
m(p) = (sub rd rs)
s ` intJump(p, p+ 1)
v = (r(rd)− r(rs))%2` r′ = r[rd 7→ v]
f ′ = f [ZF 7→ (v == 0);
SF 7→ (r(rd)− r(rs) < 0)]
(p, r, f,m, s)→i (p+ 1, r′, f ′,m, s)
(Eval-function-call)
m(p) = (call rd) p
′ = r(rd)
s ` intJump(p, p′)
p, r,m, s ` setStack↘ p′, r′,m′
r′′ = r′[SP 7→ r(SP) + 1]
m′′ = m′[r′′(SP) 7→ p+ 1]
(p, r, f,m, s)→i (p′, r′′, f,m′′, s)
(Eval-function-ret)
m(p) = (ret) p′ = r(SP)
s ` intJump(p, p′)
r′ = r[SP 7→ r(SP)− 1]
p, r′,m, s ` setStack↘ p′, r′′,m′
(p, r, f,m, s)→i (p′, r′′, f,m′, s)
(Eval-je-true)
m(p) = (je ri) f(ZF) == 1
p′ = r(ri) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-jl-true)
m(p) = (jl ri) f(SF) == 1
p′ = r(ri) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-je-false)
m(p) = (je ri) f(ZF) == 0
s ` intJump(p, p+ 1)
(p, r, f,m, s)→i (p+ 1, r, f,m, s)
(Eval-jl-false)
m(p) = (jl ri) f(SF) == 0
s ` intJump(p, p+ 1)
(p, r, f,m, s)→i (p+ 1, r, f,m, s)
(Eval-jump)
m(p) = (jmp rd) p
′ = r(rd) s ` intJump(p, p′)
(p, r, f,m, s)→i (p′, r, f,m, s)
(Eval-halt)
m(p) = (halt)
(p, r, f,m, s)→i (−1, r, f,m, s)
Figure 5: Operational semantics of instructions in the protected memory partition.
terminate, P diverges. A program P diverges, denoted as
P⇑, if it executes an unbounded number of reduction steps.
Formally: P⇑ if ∀n ∈ N, ∃Ω′. Ω0(P )→n Ω′.
3.3 Contextual Equivalence
Contextual equivalence relates two programs that can-
not be distinguished by any third program interacting with
them [15]. This notion relies on the concept of contexts,
which is introduced before presenting the equivalence itself.
Since we consider programs P that are placed in protected
memory and interact with arbitrary unprotected code, con-
texts model that unprotected code. Thus for any descriptor
s, contexts M are partial memories with a hole: M = m[·],
where all addresses of M are unprotected. Formally, given s,
∀a ∈ dom(M), s ` unprotected(a). The hole models the pos-
sibility to combine a program P with the memory M iff they
are compatible, denoted as P _M, thus if the memories of
P and M have disjoint domains. Let dom(M) = dom(m) if
M = m[·]; formally, P _M if P = (m′, s) and dom(m′) ∩
dom(M) = ∅. If P and M are compatible, the hole of M can
be filled with P in order to model interaction between P and
M. Formally, if P _M then M[(m′, s)] = (m′ +m, s).
Programs P1 and P2 are contextually equivalent, denoted
as P1 ' P2, when, for all contexts they interact with, P1
diverges if and only if P2 also diverges.
Definition 4 (Contextual equivalence). P1 ' P2
if ∀M. P1_M ∧ M[P1]⇑ ⇐⇒ P2_M ∧ M[P2]⇑.
An implication of this definition is that for P1 and P2 to
be contextually equivalent they must have the same mem-
ory descriptor. For the sake of simplicity we will always
assume the compatibility of a program and the context it is
plugged in, shortening the above definition to: P1 ' P2 if
∀M. M[P1]⇑ ⇐⇒ M[P2]⇑.
Example 2 (Contextually equivalent programs).
The following PL and PR write the values of r1 and r2 re-
spectively at the protected address 150 (line 2) and then re-
turn 0 (line 3). Recall that the protected memory partition
spans from address 100 to 200, with one entry point at ad-
dress 100.
1 100 movi r0 150
2 101 movs r0 r1
3 102 movi r0 0
4 103 ret
1 100 movi r0 150
2 101 movs r0 r2
3 102 movi r0 0
4 103 ret
The only difference between PL and PR is in the value
stored at address 150. However, an unprotected program
cannot read that value. Since that value does not affect the
computation of PL or PR or the unprotected code, PL and
PR are contextually equivalent.
Having defined the assembly language and its operational
semantics, the paper introduces the two different trace se-
mantics. Trace equivalence is also introduced, it will be
proven the same as contextual equivalence in Section 5.
4. TRACE SEMANTICS
This section gives two different trace semantics for pro-
tected programs. The differences stem from the different
ways to achieve full abstraction pointed out by Curien [3].
The first, TrL, possesses more expressive labels, while the
second, TrS, relies on changes to the semantics of programs.
Both are proven to be fully abstract w.r.t. the appropri-
ate operational semantics in Section 5. Finally, this section
defines when two programs are trace equivalent.
As for the operational semantics, a notion of execution
states is required for the trace semantics as well. Execution
states for TrL and TrS, denoted as Θ, are the same as Ω ex-
cept that Θ do not deal with the whole memory but just with
its protected partition. So, the memory m of (p, r, f,m, s)
spans only the protected memory partition indicated by s.
Additionally, Θ can be (unknown,m, s), an unknown state
modelling code executing in unprotected memory.
Definition 5 (Initial state for traces). The initial
state for traces of a program (m, s), denoted as Θ0(m, s), is
the state (unknown,m, s).
4.1 TrL: Expressive Labels
Below are the labels exhibited by the TrL traces semantics.
Λ ::= α | τi α ::= √ | γ? | δ!
γ ::= (r; f)call a | (r; f)ret a δ ::= write(a, v).δ | γ
A label Λ can be either an observable action α or a non-
observable action τi. Action τi indicates the unobservable
action occurred in protected memory. Observable actions
include a tick
√
indicating that the evaluation has termi-
nated. Additionally, observable actions are function calls or
returns to a certain address a, combined with the registers r
and flags f . Registers and flags are in the labels as they con-
vey information on the behaviour of programs. Observable,
!-decorated actions can be prefixed by a number of write-
outs of a value v to address a. They are only !-decorated
since the protection mechanism forbids writes from unpro-
tected to protected memory, as well as read-outs.
Fig. 7 presents the rules defining the relation Θ
α
==⇒⇒ Θ′,
which describe when a state Θ generates trace α and results
in state Θ′. The TrL traces of a program P is defined as
follows: TrL(P ) = {α | ∃Θ′.Θ0(P ) α==⇒⇒ Θ′}.
Example 3 below can now explain why protected code
cannot write instructions in unprotected memory.
Example 3 (Write-outs are not instructions). In
the following example, protected programs can write instruc-
tions in unprotected memory. Recall that the protected mem-
ory partition spans from address 100 to 200, with one entry
point at address 100.
The following PL and PR set r0 to 20 and 10 respectively
(line 1), then write the instruction jmp r0 at address 20 and
10 respectively (line 2). Finally, they jump to the instruction
they just wrote (line 3).
1 100 movi r0 20
2 101 movs r0 “jmp r0”
3 102 call r0
1 100 movi r0 10
2 101 movs r0 “jmp r0”
3 102 call r0
When r0 is set to 20 (resp. 10), the instruction jmp r0
written at address 20 (resp. 10) will diverge. Thus, PL and
PR are contextually equivalent, since no context can differ-
entiate between them. However, PL and PR are trace in-
equivalent, since the following is a trace of PL and not of
PR: (· · · )call 100? · write(20, “jmp r0′′).(· · · )call 20!
Since we are interested in programs that do not extend the
functionality of code in unprotected memory (and since these
programs are the majority of assembly programs), protected
code cannot write instructions in unprotected memory. Thus
the programs of this example are not valid.
4.2 TrS: Changes to the Semantics
The TrS semantics presents different labels from TrL, which
are driven by changes to the operational semantics of pro-
tected programs. These changes are formalised in Fig. 8;
smaller changes to other rules are omitted. When the pro-
(Trace-internal)
(p, r, f,m, s)→i (p′, r′, f ′,m′, s) s ` intJump(p, p′)
(p, r, f,m, s)
τi−−→→ (p′, r′, f ′,m′, s)
(Trace-internal-tick)
(p, r, f,m, s)→i (p′, r′, f ′,m′, s)
s ` protected(p) (p′, r′, f ′,m′, s)⊥
(p, r, f,m, s)
√
−−→ (p′, r′, f ′,m′, s)
(Trace-writeout-accumulate)
s ` intJump(p, p+ 1) m(p) = (movs rd rs)
s ` unprotected(r(rd)) r(rs) ∈ V
(p+ 1, r, f,m, s)
δ!
==⇒⇒ (p′, r′, f ′,m′, s)
(p, r, f,m, s)
write(r(rd),r(rs)).δ!−−−−−−−−−−−−−→ (p′, r′, f ′,m′, s)
(Trace-writeout-discard)
s ` intJump(p, p+ 1) m(p) = (movs rd rs)
s ` unprotected(r(rd))
(p+ 1, r, f,m, s)
√
==⇒⇒ (p′, r′, f ′,m′, s)
(p, r, f,m, s)
√
−−→ (p′, r′, f ′,m′, s)
(Trace-call)
s ` entryPoint(p)
(unknown,m, s)
(r;f)call p?−−−−−−−−−→→ (p, r, f,m, s)
(Trace-returnback)
s ` returnEntryPoint(p)
(unknown,m, s)
(r;f)ret p?−−−−−−−−→ (p, r, f,m, s)
(Trace-callback)
s ` exitJump(p, p′) m(p) = (call p′)
r′ = r[SP 7→ r(SP) + 1] m′ = m[r(SP) 7→ p+ 1]
(p, r, f,m, s)
(r;f)call p′!−−−−−−−−−→→ (unknown,m′, s)
(Trace-return)
p′ = m(SP) s ` exitJump(p, p′) m(p) = (ret)
(p, r, f,m, s)
(r;f)ret p′!−−−−−−−−→→ (unknown,m, s)
(Trace-refl)
Θ

=⇒⇒ Θ
(Trace-tau-i)
Θ
τi−−→→ Θ′
Θ

=⇒⇒ Θ′
(Trace-trans)
Θ
α
==⇒⇒ Θ′′
Θ′′ α
′
==⇒⇒ Θ′
Θ
αα′
===⇒⇒ Θ′
(Trace-action)
Θ
α−−→→ Θ′
Θ
α
==⇒⇒ Θ′
Figure 7: Rules of the TrL trace semantics.
gram counter jumps between the protected and the unpro-
tected memory partitions, or vice-versa, flags are set to 0;
in case of a return, all registers but R0 are also set to 0.
Additionally, write-outs are prohibited.
Following are the labels of TrS; we drop the greek letter
notation and use latin letters in order to immediately differ-
entiate between TrL and TrS. Flags do not appear in traces
because they are always set to 0, as are all registers but R0
in case of a return. Write-outs are prohibited, so there are
no labels that capture them.
L ::= a | τi a ::= √ | g? | g! g ::= call p (r) | ret p r(r0)
Rules defining the relation Θ
a
==⇒⇒ Θ′ for TrS are omit-
ted. They are a subset of the ones defined in Fig. 7, with
a slight modification to the syntax of generated labels. The
TrS traces of a program P is defined as follows: TrS(P ) =
{a | ∃Θ. Θ0(P ) a==⇒⇒ Θ}.
4.3 Trace Equivalence
The notion of trace equivalence is presented generically
for both trace semantics under consideration. Use Tr(P ) to
(Aux-write-1’)
s ` unprotected(p) s ` unprotected(a)
s ` writeAllowed(p, a)
(Stack-out-to-in’)
s ` entryJump(p, p′) m′ = m[SPext 7→ r(SP)]
r′ = r[SP 7→ m(SPsec)] f ′ = [ZF 7→ 0;SF 7→ 0]
s ` unprotected r(SP) s ` protected r′(SP)
p, r, f,m, s ` setStack↘ p′, r′, f ′,m′
(Stack-in-to-out’)
s ` exitJump(p, p′) m′ = m[SPsec 7→ r(SP)]
r′ = r[SP 7→ m(SPext)] f ′ = [ZF 7→ 0;SF 7→ 0]
s ` protected r(SP) s ` unprotected r′(SP)
p, r, f,m, s ` setStack↘ p′, r′, f ′,m′
(Eval-return’)
m(p) = (ret) p′ = m(r(SP)) s ` exitJump(p, p′)
r′ = r[SP 7→ r(SP)− 1;Ri 7→ 0i=0..11]
p, r′, f,m, s ` setStack↘ p′, r′′, f ′,m′
(p, r, f,m, s)→ (p′, r′′, f ′,m′, s)
Figure 8: Changes to auxiliary functions and to the
operational semantics for TrS.
indicate the traces of a program P , be it expressed through
TrL or TrS.
Two programs P1 and P2 are trace-equivalent, denoted
as P1'T P2, if their traces are the same and they have the
same memory descriptor.
Definition 6 (Trace equivalence). P1'T P2 if
Tr(P1) = Tr(P2) and P1 = (m1, s) and P2 = (m2, s).
Following are two examples of trace equivalent and in-
equivalent programs. For the sake of simplicity, we use the
TrL semantics and indicate arbitrary values for registers and
flags with notation (r, f) and an unprotected address with p.
Example 4 (Traces of previous examples). Code in
Example 1 is not trace equivalent; the following trace is gen-
erated by PL but not by PR: (r; f)call 100?·(. . . , 41; f)ret p!·√
. The code of Example 2 is trace equivalent since the trace
semantics of both PL and PR is a set whose sequences are
concatenations of the following trace, each element of the
sequence being parametrised on r and f : (r; f)call 100? ·
(r[R0 7→ 0]; f)ret p!
5. FULL ABSTRACTION THEOREM
This section presents the general proof strategy through
which both TrL and TrS are proven to be fully abstract w.r.t.
the corresponding operational semantics and discusses the
benefits of full abstraction of the trace semantics.
A fully abstract trace semantics is both sound and com-
plete with respect to the operational semantics. Soundness
states that the trace semantics captures all details of the op-
erational semantics. Thus, for all contexts, two trace equiv-
alent programs cannot be told apart. The universal quan-
tification over contexts makes this more difficult to prove.
Completeness states that abstractions of the trace semantics
are preserved in the operational semantics. This is achieved
by proving the contrapositive of the completeness statement.
For this, the proof consists of devising an algorithm that
constructs a program, a “witness”, that tells two trace in-
equivalent programs apart [2, 6, 14]. Since the language is
low-level and untyped, this is not particularly complicated.
Full abstraction of trace semantics is formally stated as:
P1'T P2 ⇐⇒ P1 ' P2; its proof is split in two cases, one
for each direction of the co-implication.
Theorem 1 (Soundness). P1'T P2 ⇒ P1 ' P2.
Call the interface of a state its registers, flags and unpro-
tected memory. Two states Ω1 and Ω2 have the same inter-
face, denoted as Ω1 $ Ω2, if they have the same registers,
flags and unprotected memory. Formally, Ω1 $ Ω2 if Ω1 =
(p1, r, f,m1, s1) and Ω2 = (p2, r, f,m2, s2) and mext(m1, s1) =
mext(m2, s2). Given Ω = (p, r, f,m, s), redefine bΩc to be
state Θ = (p, r, f, msec(m, s), s) if s ` protected(p) and
(unknown,m, s) otherwise.
The proof of Theorem 1 states that an unprotected pro-
gram interacting with P1 cannot distinguish it from P2. This
is because both programs offer the same interface to the un-
protected program. So this proof depends on an interface-
preservation lemma (Lemma 1) which must be proven for
each trace semantics since it depends on the labels of each
trace semantics. Lemma 1 enunciates that two states with
the same interface still have the same interface after they
perform the same observable action. Thus unprotected pro-
grams do not see differences, in terms of flags, registers and
unprotected memory, between P1 and P2.
Lemma 1 (Interface preservation). If Θ1
α
==⇒⇒
α−−→→ Θ′1 and Θ1 = bΩ1c and Ω1 →∗ Ω′1 and Θ′1 = bΩ′1c
and Θ2
α
==⇒⇒ α−−→→ Θ′2 and Θ2 = bΩ2c and Ω2 →∗ Ω′2 and
Θ′2 = bΩ′2c and Ω1 $ Ω2 then Ω′1 $ Ω′2.
Theorem 2 (Completeness). P1 ' P2 ⇒ P1'T P2.
Completeness is equivalently stated as: P1'/T P2 ⇒ P1'/ P2.
This is proven by devising an algorithm that takes as input
two different traces α1 and α2 and the two programs P1
and P2 generating them and outputs a program P that in-
teracts with P1 and P2 and is able to differentiate between
them. The two different traces are generated as follows.
Since P1'/T P2, we have that Tr(P1) 6= Tr(P2), thus there
exists a trace α that belongs to either only Tr(P1) or only
Tr(P2). Assume wlog that α ∈ Tr(P1). The trace α can be
split in two parts αs and αd such that α=αsαd, and so that
there exists a trace α′ ∈ Tr(P2) that can be split in two parts
αs and α′d such that α′=αsα
′
d and αd 6= α′d. Trace α′ always
exists, it could be an empty trace, it could be composed by
an empty αs and, possibly, by an empty α′d. The traces
input for the algorithm are α1 = αsαd and α2 = αsα′d.
The interested reader is referred to the companion tech-
nical report for proofs [13]. This general proof strategy is
presented for both Theorem 1 and Theorem 2. The gen-
eralised approach is tailored to each semantics only in the
relatively simple proof of Lemma 1. Since Theorem 1 and 2
hold for both TrL and TrS, both semantics are fully abstract
w.r.t. the corresponding operational semantics.
5.1 Benefits of the Trace Semantics
Let us now highlight two of the benefits of fully abstract
trace semantics.
Without the trace semantics, the capabilities of an at-
tacker towards protected code are expressed as sequences of
instructions, which can be difficult to reason about. With
the trace semantics, the capabilities of that attacker are cap-
tured via the simple notion of traces. The full abstraction
property ensures that traces express precisely all the capa-
bilities of an attacker, without leaving any out.
The second benefit is in the field of secure compilation.
Given two programs C1 and C2 in a language and indicate
their compilation to an assembly language with C↓1 and C
↓
2
respectively. Proving the compilation scheme secure is for-
mally stated as C1 ' C2 ⇐⇒ C↓1 ' C↓2 [1]. The more com-
plex direction of this proof is C1 ' C2 ⇒ C↓1 ' C↓2 , but it
can be simplified by adopting a fully abstract trace semantics
for the assembly language. That proof is simpler in this way
than by adopting the notion of contextual equivalence and
performing induction on all possible low-level contexts. The
complex direction becomes C1 ' C2 ⇒ C↓1 'T C↓2 , whose
contrapositive is C↓1 '/T C↓2 ⇒ C1'/ C2. This can be proven
similarly to Theorem 2, as Agten et al. [2] and Patrignani et
al. [14] did. Both implicitly use the second trace semantics
where the compiler adds code that enforces the changes to
the operational semantics.
6. RELATED WORK
Full abstraction has been largely studied as a way to state
the correctness of a denotational semantics with respect to
an operational one [15]. This technique has been adopted
for different programming languages paradigms, such as the
λ-calculus [10] and the pi-calculus [5].
Fine grained, program counter-based memory access con-
trol mechanisms have been implemented in several software [8,
17, 18, 19] and hardware forms [4, 12] and recently in the
Intel SGX processor [9]. From the theoretical point of view,
assembly languages extended with these protection mech-
anisms have been recently studied as target languages for
secure compilation schemes [2, 14]. The language and trace
semantics of this paper are inspired by those works. Besides
elaborating on details of their formalisation, this work pro-
vides the first proof of full abstraction of the trace semantics.
A different research area studies logics for assembly lan-
guages: Hoare logics [16] or separation logics [7]. Jensen et
al. [7] present a summary of the most recent advances in
the latter. That research area focusses on providing reason-
ing facilities for assembly code, while this paper focusses on
reasoning on the security of assembly code.
A different protection mechanism that could be employed
at the assembly level is a typed assembly language [11]. To
the best of the authors’ knowledge, no fully abstract trace
semantics has been provided for such languages.
7. CONCLUSION AND FUTURE WORK
This paper studied the characterisation of the behaviour
of isolated programs. To this extent, it formalised an assem-
bly language extended with a fine grained, program counter-
based memory access control mechanism. Then, it provided
two different trace semantics for that language and a general
proof strategy where both semantics are proven to be fully
abstract. These semantics model the capabilities of attack-
ers that inject malicious assembly code and they simplify
proving secure compilation to the assembly language.
Providing a fully abstract trace semantics for a machine
with multiple instances of an isolation mechanism or with
multiple cores seem natural extensions to this work. The
latter seems crucial in order to provide a secure compiler
for concurrent programs to machines using the protection
mechanism presented.
Acknowledgements. The authors would like to thank Tarmo
Uustalu and the reviewers for useful feedback on an earlier draft.
8. REFERENCES
[1] M. Abadi. Protection in programming-language
translations. In Secure Internet programming, pages
19–34. Springer-Verlag, 1999.
[2] P. Agten, R. Strackx, B. Jacobs, and F. Piessens.
Secure compilation to modern processors. In CSF ’12,
pages 171 – 185. IEEE, 2012.
[3] P.-L. Curien. Definability and full abstraction. Electr.
Notes Theor. Comput. Sci., 172:301–310, 2007.
[4] K. Eldefrawy, A. Francillon, D. Perito, and G. Tsudik.
SMART: Secure and Minimal Architecture for
(Establishing a Dynamic) Root of Trust. In NDSS’12.
[5] A. Jeffrey and J. Rathke. Full abstraction for
polymorphic pi-calculus. In FOSSACS’05, pages
266–281. Springer-Verlag, 2005.
[6] A. Jeffrey and J. Rathke. A fully abstract may testing
semantics for concurrent objects. Theor. Comput. Sci.,
338(1-3):17–63, 2005.
[7] J. B. Jensen, N. Benton, and A. Kennedy. High-level
separation logic for low-level code. SIGPLAN Not.,
48(1):301–314, Jan. 2013.
[8] J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter,
and H. Isozaki. Flicker: an execution infrastructure for
TCB minimization. SIGOPS Oper. Syst. Rev.,
42(4):315–328, 2008.
[9] F. McKeen et al. Innovative instructions and software
model for isolated execution. In HASP ’13, pages
10:1–10:1, New York, NY, USA, 2013. ACM.
[10] R. Milner. Fully abstract models of typed
lambda-calculi. Theor. Comput. Sci., 4(1):1–22, 1977.
[11] G. Morrisett, D. Walker, K. Crary, and N. Glew. From
system F to typed assembly language. ACM Trans.
Program. Lang. Syst., 21(3):527–568, May 1999.
[12] J. Noorman et al. Sancus: Low-cost trustworthy
extensible networked devices with a zero-software
Trusted Computing Base. In Proceedings of the 22nd
USENIX conference on Security symposium, 2013.
[13] M. Patrignani and D. Clarke. Fully Abstract Trace
Semantics of Low-level Protection Mechanisms –
Extended Version. CW Reports CW 651, Dept. of
Computer Science, K.U.Leuven, November 2012.
[14] M. Patrignani, D. Clarke, and F. Piessens. Secure
Compilation of Object-Oriented Components to
Protected Module Architectures. In (APLAS’13),
volume 8301 of LNCS, pages 176–191, 2013.
[15] G. Plotkin. LCF considered as a programming
language. Theor. Comput. Science, 5:223–255, 1977.
[16] A. Saabas and T. Uustalu. A compositional natural
semantics and Hoare logic for low-level languages.
Electr. Notes Theor. Comput. Sci., 156:151–168, 2006.
[17] L. Singaravelu, C. Pu, H. Ha¨rtig, and C. Helmuth.
Reducing TCB complexity for security-sensitive
applications: three case studies. SIGOPS Oper. Syst.
Rev., 40(4):161–174, 2006.
[18] R. Strackx and F. Piessens. Fides: Selectively
hardening software application components against
kernel-level or process-level malware. In CCS 2012,
pages 2–13. ACM Press, October 2012.
[19] R. Strackx, F. Piessens, and B. Preneel. Efficient
isolation of trusted subsystems in embedded systems.
In SecureComm, pages 344–361, 2010.
