4,365 research outputs found
Robustly Safe Compilation
Secure compilers generate compiled code that withstands many target-level attacks such as alteration of control flow, data leaks or memory corruption. Many existing secure compilers are proven to be fully abstract, meaning that they reflect and preserve observational equivalence. Fully abstract compilation is strong and useful but, in certain cases, comes at the cost of requiring expensive runtime constructs in compiled code. These constructs may have no relevance for security, but are needed to accommodate differences between the source and target languages that fully abstract compilation necessarily needs
Robust Hyperproperty Preservation for Secure Compilation (Extended Abstract)
We map the space of soundness criteria for secure compilation based on the
preservation of hyperproperties in arbitrary adversarial contexts, which we
call robust hyperproperty preservation. For this, we study the preservation of
several classes of hyperproperties and for each class we propose an equivalent
"property-free" characterization of secure compilation that is generally better
tailored for proofs. Even the strongest of our soundness criteria, the robust
preservation of all hyperproperties, seems achievable for simple
transformations and provable using context back-translation techniques
previously developed for showing fully abstract compilation. While proving the
robust preservation of hyperproperties that are not safety requires such
powerful context back-translation techniques, for preserving safety
hyperproperties robustly, translating each finite trace prefix back to a source
context seems to suffice.Comment: PriSC'18 final versio
Robust Hyperproperty Preservation for Secure Compilation (Extended Abstract)
We map the space of soundness criteria for secure compilation based on the preservation of hyperproperties in arbitrary adversarial contexts, which we call robust hyperproperty preservation. For this, we study the preservation of several classes of hyperproperties and for each class we propose an equivalent "property-free" characterization of secure compilation that is generally better tailored for proofs. Even the strongest of our soundness criteria, the robust preservation of all hyperproperties, seems achievable for simple transformations and provable using context back-translation techniques previously developed for showing fully abstract compilation. While proving the robust preservation of hyperproperties that are not safety requires such powerful context back-translation techniques, for preserving safety hyperproperties robustly, translating each finite trace prefix back to a source context seems to suffice
Validating a Web Service Security Abstraction by Typing
An XML web service is, to a first approximation, an RPC service in which
requests and responses are encoded in XML as SOAP envelopes, and transported
over HTTP. We consider the problem of authenticating requests and responses at
the SOAP-level, rather than relying on transport-level security. We propose a
security abstraction, inspired by earlier work on secure RPC, in which the
methods exported by a web service are annotated with one of three security
levels: none, authenticated, or both authenticated and encrypted. We model our
abstraction as an object calculus with primitives for defining and calling web
services. We describe the semantics of our object calculus by translating to a
lower-level language with primitives for message passing and cryptography. To
validate our semantics, we embed correspondence assertions that specify the
correct authentication of requests and responses. By appeal to the type theory
for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the
correspondence assertions simply by typing. Finally, we describe an
implementation of our semantics via custom SOAP headers.Comment: 44 pages. A preliminary version appears in the Proceedings of the
Workshop on XML Security 2002, pp. 18-29, November 200
Memory Safety Preservation for WebAssembly
WebAssembly (Wasm) is a next-generation portable compilation target for
deploying applications written in high-level languages on the web. In order to
protect their memory from untrusted code, web browser engines confine the
execution of compiled Wasm programs in a memory-safe sandbox. Unfortunately,
classic memory-safety vulnerabilities (e.g., buffer overflows and
use-after-free) can still corrupt the memory within the sandbox and allow Wasm
code to mount severe attacks. To prevent these attacks, we study a class of
secure compilers that eliminate (different kinds of) of memory safety
violations. Following a rigorous approach, we discuss memory safety in terms of
hypersafety properties, which let us identify suitable secure compilation
criteria for memory-safety-preserving compilers. We conjecture that, barring
some restrictions at module boundaries, the existing security mechanisms of
Wasm may suffice to enforce memory-safety preservation, in the short term. In
the long term, we observe that certain features proposed in the design of a
memory-safe variant of Wasm could allow compilers to lift these restrictions
and enforce relaxed forms of memory safety
Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation
—Good programming languages provide helpful abstractions for writing secure code, but the security properties of
the source language are generally not preserved when compiling a
program and linking it with adversarial code in a low-level target
language (e.g., a library or a legacy application). Linked target
code that is compromised or malicious may, for instance, read and
write the compiled program’s data and code, jump to arbitrary
memory locations, or smash the stack, blatantly violating any
source-level abstraction. By contrast, a fully abstract compilation
chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about
the compiled program than what some linked source code could
about the source program. However, while research in this area
has so far focused on preserving observational equivalence, as
needed for achieving full abstraction, there is a much larger space
of security properties one can choose to preserve against linked
adversarial code. And the precise class of security properties one
chooses crucially impacts not only the supported security goals
and the strength of the attacker model, but also the kind of
protections a secure compilation chain has to introduce.
We are the first to thoroughly explore a large space of formal
secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary
adversarial contexts. We study robustly preserving various classes
of trace properties such as safety, of hyperproperties such as
noninterference, and of relational hyperproperties such as trace
equivalence. This leads to many new secure compilation criteria,
some of which are easier to practically achieve and prove than
full abstraction, and some of which provide strictly stronger
security guarantees. For each of the studied criteria we propose an equivalent “property-free” characterization that clarifies
which proof techniques apply. For relational properties and
hyperproperties, which relate the behaviors of multiple programs,
our formal definitions of the property classes themselves are
novel. We order our criteria by their relative strength and show
several collapses and separation results. Finally, we adapt existing
proof techniques to show that even the strongest of our secure
compilation criteria, the robust preservation of all relational
hyperproperties, is achievable for a simple translation from a
statically typed to a dynamically typed language
A brief tour of formally secure compilation
Modern programming languages provide helpful high-level abstractions and mechanisms (e.g. types, module, automatic memory management) that enforce good programming practices and are crucial when writing correct and secure code. However, the security guarantees provided by such abstractions are not preserved when a compiler translates a source program into object code. Formally secure compilation is an emerging research field concerned with the design and the implementation of compilers that preserve source-level security properties at the object level. This paper presents a short guided tour of the relevant literature on secure compilation. Our goal is to help newcomers to grasp the basic concepts of this field and, for this reason, we rephrase and present the most relevant results in the literature in a common setting
- …