6,521 research outputs found
Exorcising Spectres with Secure Compilers
Attackers can access sensitive information of programs by exploiting the
side-effects of speculatively-executed instructions using Spectre attacks. To
mitigate theses attacks, popular compilers deployed a wide range of
countermeasures. The security of these countermeasures, however, has not been
ascertained: while some of them are believed to be secure, others are known to
be insecure and result in vulnerable programs. To reason about the security
guarantees of these compiler-inserted countermeasures, this paper presents a
framework comprising several secure compilation criteria characterizing when
compilers produce code resistant against Spectre attacks. With this framework,
we perform a comprehensive security analysis of compiler-level countermeasures
against Spectre attacks implemented in major compilers. This work provides
sound foundations to formally reason about the security of compiler-level
countermeasures against Spectre attacks as well as the first proofs of security
and insecurity of said countermeasures
Control-flow flattening preserves the constant-time policy
Obfuscating compilers protect a software by obscuring its meaning and impeding the reconstruction of its original source code. The typical concern when defining such compilers is their robustness against reverse engineering and the performance of the produced code. Little work has been done in studying whether the security properties of a program are preserved under obfuscation. In this paper we start addressing this problem: we consider control-flow flattening, a popular obfuscation technique used in industrial compilers, and a specific security policy, namely constant-time. We prove that this obfuscation preserves the policy, i.e., that every program satisfying the policy still does after the transformation
Securing Verified IO Programs Against Unverified Code in F*
We introduce SCIO*, a formally secure compilation framework for statically
verified partial programs performing input-output (IO). The source language is
an F* subset in which a verified program interacts with its IO-performing
context via a higher-order interface that includes refinement types as well as
pre- and post-conditions about past IO events. The target language is a smaller
F* subset in which the compiled program is linked with an adversarial context
that has an interface without refinement types, pre-conditions, or concrete
post-conditions. To bridge this interface gap and make compilation and linking
secure we propose a formally verified combination of higher-order contracts and
reference monitoring for recording and controlling IO operations. Compilation
uses contracts to convert the logical assumptions the program makes about the
context into dynamic checks on each context-program boundary crossing. These
boundary checks can depend on information about past IO events stored in the
state of the monitor. But these checks cannot stop the adversarial target
context before it performs dangerous IO operations. Therefore linking in SCIO*
additionally forces the context to perform all IO actions via a secure IO
library, which uses reference monitoring to dynamically enforce an access
control policy before each IO operation. We prove in F* that SCIO* soundly
enforces a global trace property for the compiled verified program linked with
the untrusted context. Moreover, we prove in F* that SCIO* satisfies by
construction Robust Relational Hyperproperty Preservation, a very strong secure
compilation criterion. Finally, we illustrate SCIO* at work on a simple web
server example.Comment: POPL'24 camera-ready versio
- …