Contextual equivalence for state and control via nested data
We consider contextual equivalence in an ML-like language, where contexts have access to both general references and continuations. We show that in a finitary setting, i.e. when the base types are finite and there is no recursion, the problem is decidable for all programs with first-order references and continuations, assuming they have continuation- and reference-free interfaces. This is the best one can hope for in this case, because the addition of references to functions, to continuations or to references makes the problem undecidable.
The result is notable since, unlike earlier work in the area, we need not impose any restrictions on type-theoretic order or the use of first-order references inside terms. In particular, the programs concerned can generate unbounded heaps.
Our decidability argument relies on recasting the corresponding fully abstract trace semantics of terms as instances of automata with a decidable equivalence problem. The automata used for this purpose belong to the family of automata over infinite alphabets (aka data automata), where the infinite alphabet (dataset) has the shape of a forest
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The C to CHERI compiler, for example, achieves memory safety by following a principle called "pointers as capabilities" (PAC). Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide guarantees for a compilation unit, even if that compilation unit is later linked to attacker-controlled machine code. This paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which is of broad interest because it reuses and extends the compiler correctness relation in a natural way, as we demonstrate. We implement our compiler on top of the CHERI platform and show that it can compile legacy C code with minimal code changes. We provide performance benchmarks that show how performance overhead is proportional to the number of cross-compilation-unit function calls
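The partial-program guarantee described in this abstract is easiest to see with a small software model of the PAC principle. The following is an added example written for this listing; it is not the CHERI ISA, the CHERI C compiler, or code from the CapablePtrs paper. The capability representation (`cap_t` with base, length and permissions), the checked `cap_load`/`cap_store` operations, the monotonic `cap_restrict`, and the trusted unit's layout (a shared `buf` placed directly before a `secret`) are all assumptions of the model. A compilation unit exports the same buffer once as a raw pointer and once as a read-only capability bounded to the buffer; attacker-controlled code linked against it can overread into the secret through the raw pointer, but the capability faults on the same index and cannot be widened or upgraded to allow stores.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of the "pointers as capabilities" (PAC) principle.
 * Assumption: written for this listing; not the CHERI ISA, the CHERI C
 * compiler or the CapablePtrs artifact. Only the checks are modelled;
 * on real capability hardware the fields below are unforgeable. */

enum { PERM_LOAD = 1, PERM_STORE = 2 };

/* A capability names a byte range and the operations allowed on it. */
typedef struct {
    uint8_t *base;
    size_t   length;
    int      perms;
} cap_t;

static cap_t cap_make(uint8_t *base, size_t length, int perms) {
    cap_t c = { base, length, perms };
    return c;
}

/* Capabilities are monotonic: a holder may narrow bounds or drop permissions
 * but never widen them. Returns 0 on success, -1 if the request would widen. */
int cap_restrict(cap_t *c, size_t start, size_t length, int perms) {
    if (start > c->length || length > c->length - start) return -1;
    if (perms & ~c->perms) return -1;
    c->base += start;
    c->length = length;
    c->perms = perms;
    return 0;
}

/* Checked load/store: an out-of-bounds or unpermitted access returns -1,
 * modelling the capability fault the hardware would raise. */
int cap_load(const cap_t *c, size_t idx, uint8_t *out) {
    if (!(c->perms & PERM_LOAD) || idx >= c->length) return -1;
    *out = c->base[idx];
    return 0;
}

int cap_store(const cap_t *c, size_t idx, uint8_t val) {
    if (!(c->perms & PERM_STORE) || idx >= c->length) return -1;
    c->base[idx] = val;
    return 0;
}

/* The trusted compilation unit. buf is meant to be shared with other code;
 * secret is not. They are adjacent on purpose (constructed layout for the
 * example) so that an overread of buf reaches secret. */
static struct {
    uint8_t buf[8];
    uint8_t secret[8];
} unit = {
    { 1, 2, 3, 4, 5, 6, 7, 8 },
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xBA, 0xBE }
};

/* Conventional export: a raw pointer to buf. buf is the first member, so the
 * object's address is buf's address; the pointer carries no bounds at all. */
uint8_t *unit_export_raw(void) { return (uint8_t *)&unit; }

/* PAC export: the same address, but as a read-only capability bounded to buf. */
cap_t unit_export_cap(void) {
    return cap_make(unit.buf, sizeof unit.buf, PERM_LOAD);
}

/* --- Attacker-controlled code linked against the unit --- */

/* With a raw pointer, an index past buf reads secret. idx must stay below
 * sizeof unit so the byte access is still defined C for the demo. */
uint8_t attacker_raw_read(size_t idx) {
    return unit_export_raw()[idx];
}

/* With a capability, the same index faults (-1) instead of leaking a byte. */
int attacker_cap_read(size_t idx) {
    cap_t c = unit_export_cap();
    uint8_t v;
    return cap_load(&c, idx, &v) == 0 ? (int)v : -1;
}

/* Returns 1 if any escalation succeeded (model broken), 0 if all were refused. */
int attacker_cap_escalate(void) {
    cap_t c = unit_export_cap();
    if (cap_restrict(&c, 0, 2 * sizeof unit.buf, PERM_LOAD) == 0) return 1;
    if (cap_restrict(&c, 0, sizeof unit.buf, PERM_LOAD | PERM_STORE) == 0) return 1;
    if (cap_store(&c, 0, 0) == 0) return 1;
    return 0;
}

int main(void) {
    printf("raw pointer, index 12: 0x%02x (secret byte leaked)\n", attacker_raw_read(12));
    printf("capability, index 12: %s\n", attacker_cap_read(12) < 0 ? "bounds fault" : "loaded");
    printf("capability escalation possible: %d\n", attacker_cap_escalate());
    return 0;
}
```

The point the model makes is the one the abstract calls a guarantee for partial programs: the trusted unit's security does not depend on the linked code being well-behaved, only on every pointer it hands out being a capability whose bounds and permissions the linked code can shrink but never grow.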
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation
Compartmentalization is good security-engineering practice. By breaking a large software system into mutually distrustful components that run with minimal privileges, restricting their interactions to conform to well-defined interfaces, we can limit the damage caused by low-level attacks such as control-flow hijacking. When used to defend against such attacks, compartmentalization is often implemented cooperatively by a compiler and a low-level compartmentalization mechanism. However, the formal guarantees provided by such compartmentalizing compilation have seen surprisingly little investigation.
We propose a new security property, secure compartmentalizing compilation (SCC), that formally characterizes the guarantees provided by compartmentalizing compilation and clarifies its attacker model. We reconstruct our property by starting from the well-established notion of fully abstract compilation, then identifying and lifting three important limitations that make standard full abstraction unsuitable for compartmentalization. The connection to full abstraction allows us to prove SCC by adapting established proof techniques; we illustrate this with a compiler from a simple unsafe imperative language with procedures to a compartmentalized abstract machine.
A Model of Cooperative Threads
We develop a model of concurrent imperative programming with threads. We focus on a small imperative language with cooperative threads which execute without interruption until they terminate or explicitly yield control. We define and study a trace-based denotational semantics for this language; this semantics is fully abstract but mathematically elementary. We also give an equational theory for the computational effects that underlie the language, including thread spawning. We then analyze threads in terms of the free algebra monad for this theory. Comment: 39 pages, 5 figure
A Graph Model for Imperative Computation
Scott's graph model is a lambda-algebra based on the observation that continuous endofunctions on the lattice of sets of natural numbers can be represented via their graphs. A graph is a relation mapping finite sets of input values to output values.
We consider a similar model based on relations whose input values are finite sequences rather than sets. This alteration means that we are taking into account the order in which observations are made. This new notion of graph gives rise to a model of affine lambda-calculus that admits an interpretation of imperative constructs including variable assignment, dereferencing and allocation.
Extending this untyped model, we construct a category that provides a model of typed higher-order imperative computation with an affine type system. An appropriate language of this kind is Reynolds's Syntactic Control of Interference. Our model turns out to be fully abstract for this language. At a concrete level, it is the same as Reddy's object spaces model, which was the first "state-free" model of a higher-order imperative programming language and an important precursor of games models. The graph model can therefore be seen as a universal domain for Reddy's model
Uniform Labeled Transition Systems for Nondeterministic, Probabilistic, and Stochastic Process Calculi
Labeled transition systems are typically used to represent the behavior of nondeterministic processes, with labeled transitions defining a one-step state-to-state reachability relation. This model has been recently made more general by modifying the transition relation in such a way that it associates with any source state and transition label a reachability distribution, i.e., a function mapping each possible target state to a value of some domain that expresses the degree of one-step reachability of that target state. In this extended abstract, we show how the resulting model, called ULTraS from Uniform Labeled Transition System, can be naturally used to give semantics to a fully nondeterministic, a fully probabilistic, and a fully stochastic variant of a CSP-like process language. Comment: In Proceedings PACO 2011, arXiv:1108.145