2,737 research outputs found
Modular, Fully-abstract Compilation by Approximate Back-translation
A compiler is fully-abstract if the compilation from source language programs
to target language programs reflects and preserves behavioural equivalence.
Such compilers have important security benefits, as they limit the power of an
attacker interacting with the program in the target language to that of an
attacker interacting with the program in the source language. Proving compiler
full-abstraction is, however, rather complicated. A common proof technique is
based on the back-translation of target-level program contexts to
behaviourally-equivalent source-level contexts. However, constructing such a
back-translation is problematic when the source language is not strong enough
to embed an encoding of the target language. For instance, when compiling from
STLC to ULC, the lack of recursive types in the former prevents such a
back-translation.
We propose a general and elegant solution for this problem. The key insight
is that it suffices to construct an approximate back-translation. The
approximation is only accurate up to a certain number of steps and conservative
beyond that, in the sense that the context generated by the back-translation
may diverge when the original would not, but not vice versa. Based on this
insight, we describe a general technique for proving compiler full-abstraction
and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric
cross-language logical relations and makes innovative use of step-indexing to
express the relation between a context and its approximate back-translation.
The proof extends easily to common compiler patterns such as modular
compilation and, to the best of our knowledge, it is the first compiler full
abstraction proof to have been fully mechanised in Coq. We believe this proof
technique can scale to challenging settings and enable simpler, more scalable
proofs of compiler full-abstraction.
Liquidity risk in securities settlement
This paper studies the potential impact on securities settlement systems (SSSs) of a major market disruption, caused by the default of the largest player. A multiperiod, multisecurity model with intraday credit is used to simulate direct and second-round settlement failures triggered by the default, as well as the dynamics of settlement failures, arising from a lag in settlement relative to the date of trades. The effects of the defaulter's net trade position, the numbers of securities and participants in the market, and participants' trading behavior are also analyzed. We show that in SSSs - contrary to payment systems - large and persistent settlement failures are possible even when ample liquidity is provided. Central bank liquidity support to SSSs thus cannot eliminate settlement failures due to major market disruptions. This is due to the fact that securities transactions involve a cash leg and a securities leg, and liquidity can affect only the cash side of a transaction. Whereas a broad program of securities borrowing and lending might help, it is precisely during periods of market disruption that participants will be least willing to lend securities. Settlement failures can continue to occur beyond the period corresponding to the lag in settlement. This is due to the fact that, upon observation of a default, market participants must form expectations about the impact of the default, and these expectations affect current trading behavior. If, ex post, fewer of the previous trades settle than expected, new settlement failures will occur. This result has interesting implications for financial stability. On the one hand, conservative reactions by market participants to a default - for example by limiting the volume of trades - can result in a more rapid return of the settlement system to a normal level of efficiency. 
On the other hand, limitation of trading by market participants can reduce market liquidity, which may have a negative impact on financial stability.
Keywords: securities settlement, liquidity risk, contagion
Historic and projected saltwater distribution at the left bank of the river Scheldt near the port of Antwerp, Belgium
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be
used by compilers to provide security benefits for compiled code (e.g., memory
safety). The C to CHERI compiler, for example, achieves memory safety by
following a principle called "pointers as capabilities" (PAC). Informally, PAC
says that a compiler should represent a source language pointer as a machine
code capability. But the security properties of PAC compilers are not yet well
understood. We show that memory safety is only one aspect, and that PAC
compilers can provide significant additional security guarantees for partial
programs: the compiler can provide guarantees for a compilation unit, even if
that compilation unit is later linked to attacker-controlled machine code. This
paper is the first to study the security of PAC compilers for partial programs
formally. We prove for a model of such a compiler that it is fully abstract.
The proof uses a novel proof technique (dubbed TrICL, read trickle), which is
of broad interest because it reuses and extends the compiler correctness
relation in a natural way, as we demonstrate. We implement our compiler on top
of the CHERI platform and show that it can compile legacy C code with minimal
code changes. We provide performance benchmarks that show how performance
overhead is proportional to the number of cross-compilation-unit function
calls.