Trace-Relating Compiler Correctness and Secure Compilation

Compiler correctness is, in its simplest form, defined as the inclusion of the set of traces of the compiled program into the set of traces of the original program, which is equivalent to the preservation of all trace properties. Here traces collect, for instance, the externally observable events of each execution. This definition requires, however, the set of traces of the source and target languages to be exactly the same, which is not the case when the languages are far apart or when observations are fine-grained. To overcome this issue, we study a generalized compiler correctness definition, which uses source and target traces drawn from potentially different sets and connected by an arbitrary relation. We set out to understand what guarantees this generalized compiler correctness definition gives us when instantiated with a non-trivial relation on traces. When this trace relation is not equality, it is no longer possible to preserve the trace properties of the source program unchanged. Instead, we provide a generic characterization of the target trace property ensured by correctly compiling a program that satisfies a given source property, and dually, of the source trace property one is required to show in order to obtain a certain target property for the compiled code. We show that this view on compiler correctness can naturally account for undefined behavior, resource exhaustion, different source and target values, side-channels, and various abstraction mismatches. Finally, we show that the same generalization also applies to many secure compilation definitions, which characterize the protection of a compiled program against linked adversarial code.Comment: ESOP'20 camera ready version together with online appendi

Techniques d'unicité des solutions pour processus concurrents et fonctions

The bisimulation proof method is a landmark of the theory of concurrency and programming languages: it is a proof technique used to establish that two programs, or two distributed protocols, are equal, meaning that they can be freely substituted for one another without modifying the global observable behaviour. Such proofs are often difficult and tedious; hence, many proof techniques have been proposed to enhance this method, simplifying said proofs. We study such a technique based on ’unique solution of equations’. In order to prove that two programs are equal, we show that they are solution of the same recursive equation, as long as the equation has the ’unique solution property’: two of its solutions are always equal. We propose a guarantee to ensure that such equations do have a unique solution. We test this technique against a long- standing open problem: the problem of full abstraction for Milner’s encoding of the call-by-value λ-calculus in the π-calculus.La méthode de preuve par bisimulation est un pilier de la théorie de la concurrence et des langages de programmation. Cette technique permet d’établir que deux programmes, ou deux protocoles distribués, sont égaux, au sens où l’on peut substituer l’un par l’autre sans affecter le comportement global du système. Les preuves par bisimulation sont souvent difficiles et techniquement complexes. De ce fait, diverses techniques ont été proposées pour faciliter de telles preuve. Dans cette thèse, nous étudions une telle technique de preuve pour la bisimulation, fondée sur l’unicité des solutions d’équations. Pour démontrer que deux programmes sont égaux, on prouve qu’ils sont solution de la même équation, à condition que l’équation satisfasse la propriété d’unicité des solutions : deux solutions de l’équation sont nécessairement égales. Nous utilisons cette technique pour répondre à une question ouverte, à savoir le problème de full abstraction pour l’encodage, dû à Milner, du λ-calcul en appel par valeur dans le π-calcul.La bisimulazione è una tecnica di prova fondamentale in teoria della concorrenza e dei linguaggi di programmazione. Questa tecnica viene usata per dimostrare che due programmi, o due protocolli distribuiti, sono uguali, nel senso che l’uno puòsostituire l’altro senza modificare il comportamento globale del sistema. Le prove di bisimulazione sono spesso difficili e tecnicamente pesanti. Per questa ragione, varie tecniche di prova sono state introdotte per facilitare le prove di bisimulazione.In questo documento viene studiata tale tecnica, che sfrutta l’unicità delle soluzioni di equazioni. Per dimostrare che due programmi sono uguali, si stabilisce che sono soluzioni della stessa equazione ricorsiva, dal momento in cuil’equazione soddisfa una proprietà di “unicità delle soluzioni”: ogni due soluzioni di questa equazione sono uguali. Questa tecnica viene usata per rispondere alla questione della full abstraction per l’encodaggio del _-calcolo in call-by-value nel_-calcolo, proposto inizialmente da R. Milner

Divergence and unique solution of equations

We study proof techniques for bisimilarity based on unique solution of equations. We draw inspiration from a result by Roscoe in the denotational setting of CSP and for failure semantics, essentially stating that an equation (or a system of equations) whose infinite unfolding never produces a divergence has the unique-solution property. We transport this result onto the operational setting of CCS and for bisimilarity. We then exploit the operational approach to: refine the theorem, distinguishing between different forms of divergence; derive an abstract formulation of the theorems, on generic LTSs; adapt the theorems to other equivalences such as trace equivalence, and to preorders such as trace inclusion. We compare the resulting techniques to enhancements of the bisimulation proof method (the `up-to techniques'). Finally, we study the theorems in name-passing calculi such as the asynchronous $\pi$-calculus, and use them to revisit the completeness part of the proof of full abstraction of Milner's encoding of the $\lambda$-calculus into the $\pi$-calculus for L\'evy-Longo Trees

Divergence and unique solution of equations

International audienceWe study proof techniques for bisimilarity based on unique solution of equations. We draw inspiration from a result by Roscoe in the denotational setting of CSP and for failure semantics, essentially stating that an equation (or a system of equations) whose infinite unfolding never produces a divergence has the unique-solution property. We transport this result onto the operational setting of CCS and for bisimilarity. We then exploit the operational approach to: refine the theorem , distinguishing between different forms of divergence; derive an abstract formulation of the theorems, on generic LTSs; adapt the theorems to other equivalences such as trace equivalence, and to preorders such as trace inclusion. We compare the resulting techniques to enhancements of the bisimulation proof method (the 'up-to techniques'). Finally, we study the theorems in name-passing calculi such as the asynchronous π-calculus, and revisit the completeness proof of Milner's encoding of the λ-calculus into the π-calculus for Lévy-Longo Trees

Eager Functions as Processes (long version)

We study Milner's encoding of the call-by-value λ-calculus into the π-calculus. We show that, by tuning the encoding to two subcalculi of the π-calculus (Internal π and Asynchronous Local π), the equivalence on λ-terms induced by the encoding coincides with Lassen's eager normalform bisimilarity, extended to handle η-equality. As behavioural equivalence in the π-calculus we consider contextual equivalence and barbed congruence. We also extend the results to preorders. A crucial technical ingredient in the proofs is the recently-introduced technique of unique solutions of equations, further developed in this paper. In this respect, the paper also intends to be an extended case study on the applicability and expressiveness of the technique

Divergence and unique solution of equations

This is an extended version of the paper with the same title published in the proceedings of CONCUR'17International audienceWe study proof techniques for bisimilarity based on unique solution of equations. We draw inspiration from a result by Roscoe in the denotational setting of CSP and for failure semantics, essentially stating that an equation (or a system of equations) whose infinite unfolding never produces a divergence has the unique-solution property. We transport this result onto the operational setting of CCS and for bisimilarity. We then exploit the operational approach to: refine the theorem, distinguishing between different forms of divergence; derive an abstract formulation of the theorems, on generic LTSs; adapt the theorems to other equivalences such as trace equivalence, and to preorders such as trace inclusion. We compare the resulting techniques to enhancements of the bisimulation proof method (the `up-to techniques'). Finally, we study the theorems in name-passing calculi such as the asynchronous $\pi$-calculus, and use them to revisit the completeness part of the proof of full abstraction of Milner's encoding of the $\lambda$-calculus into the $\pi$-calculus for L\'evy-Longo Trees

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

Proving secure compilation of partial programs typically requires back-translating an attack against the compiled program to an attack against the source program. To prove back-translation, one can syntactically translate the target attacker to a source one -- i.e., syntax-directed back-translation -- or show that the interaction traces of the target attacker can also be emitted by source attackers -- i.e., trace-directed back-translation. Syntax-directed back-translation is not suitable when the target attacker may use unstructured control flow that the source language cannot directly represent. Trace-directed back-translation works with such syntactic dissimilarity because only the external interactions of the target attacker have to be mimicked in the source, not its internal control flow. Revealing only external interactions is, however, inconvenient when sharing memory via unforgeable pointers, since information about shared pointers stashed in private memory is not present on the trace. This made prior proofs unnecessarily complex, since the generated attacker had to instead stash all reachable pointers. In this work, we introduce more informative *data-flow traces*, combining the best of syntax- and trace-directed back-translation in a simpler technique that handles both syntactic dissimilarity and memory sharing well, and that is proved correct in Coq. Additionally, we develop a novel *turn-taking simulation* relation and use it to prove a recomposition lemma, which is key to reusing compiler correctness in such secure compilation proofs. We are the first to mechanize such a recomposition lemma in the presence of memory sharing. We use these two innovations in a secure compilation proof for a code generation compiler pass between a source language with structured control flow and a target language with unstructured control flow, both with safe pointers and components.Comment: CSF 2022 pre-print with extra appendice

Trace-Relating Compiler Correctness and Secure Compilation

Compiler correctness is, in its simplest form, defined as the inclusion of the set of traces of the compiled program into the set of traces of the original program, which is equivalent to the preservation of all trace properties. Here traces collect, for instance, the externally observable events of each execution. This definition requires, however, the set of traces of the source and target languages to be exactly the same, which is not the case when the languages are far apart or when observations are fine-grained. To overcome this issue, we study a generalized compiler correctness definition, which uses source and target traces drawn from potentially different sets and connected by an arbitrary relation. We set out to understand what guarantees this generalized compiler correctness definition gives us when instantiated with a non-trivial relation on traces. When this trace relation is not equality, it is no longer possible to preserve the trace properties of the source program unchanged. Instead, we provide a generic characterization of the target trace property ensured by correctly compiling a program that satisfies a given source property, and dually, of the source trace property one is required to show in order to obtain a certain target property for the compiled code. We show that this view on compiler correctness can naturally account for undefined behavior, resource exhaustion, different source and target values, side-channels, and various abstraction mismatches. Finally, we show that the same generalization also applies to many secure compilation definitions, which characterize the protection of a compiled program against linked adversarial code

Eager Functions as Processes

International audienceWe study Milner's encoding of the call-by-value λ-calculus into the π-calculus. We show that, by tuning the encoding to two subcalculi of the π-calculus (Internal π and Asynchronous Local π), the equivalence on λ-terms induced by the encoding coincides with Lassen's eager normal-form bisimilarity, extended to handle η-equality. As behavioural equivalence in the π-calculus we consider contextual equivalence and barbed congruence. We also extend the results to preorders. A crucial technical ingredient in the proofs is the recently-introduced technique of unique solutions of equations, further developed in this paper. In this respect, the paper also intends to be an extended case study on the applicability and expressiveness of the technique