1,835 research outputs found
Robust Hyperproperty Preservation for Secure Compilation (Extended Abstract)
We map the space of soundness criteria for secure compilation based on the
preservation of hyperproperties in arbitrary adversarial contexts, which we
call robust hyperproperty preservation. For this, we study the preservation of
several classes of hyperproperties and for each class we propose an equivalent
"property-free" characterization of secure compilation that is generally better
tailored for proofs. Even the strongest of our soundness criteria, the robust
preservation of all hyperproperties, seems achievable for simple
transformations and provable using context back-translation techniques
previously developed for showing fully abstract compilation. While proving the
robust preservation of hyperproperties that are not safety requires such
powerful context back-translation techniques, for preserving safety
hyperproperties robustly, translating each finite trace prefix back to a source
context seems to suffice.Comment: PriSC'18 final versio
Memory Safety Preservation for WebAssembly
WebAssembly (Wasm) is a next-generation portable compilation target for
deploying applications written in high-level languages on the web. In order to
protect their memory from untrusted code, web browser engines confine the
execution of compiled Wasm programs in a memory-safe sandbox. Unfortunately,
classic memory-safety vulnerabilities (e.g., buffer overflows and
use-after-free) can still corrupt the memory within the sandbox and allow Wasm
code to mount severe attacks. To prevent these attacks, we study a class of
secure compilers that eliminate (different kinds of) of memory safety
violations. Following a rigorous approach, we discuss memory safety in terms of
hypersafety properties, which let us identify suitable secure compilation
criteria for memory-safety-preserving compilers. We conjecture that, barring
some restrictions at module boundaries, the existing security mechanisms of
Wasm may suffice to enforce memory-safety preservation, in the short term. In
the long term, we observe that certain features proposed in the design of a
memory-safe variant of Wasm could allow compilers to lift these restrictions
and enforce relaxed forms of memory safety
Exorcising Spectres with Secure Compilers
Attackers can access sensitive information of programs by exploiting the
side-effects of speculatively-executed instructions using Spectre attacks. To
mitigate theses attacks, popular compilers deployed a wide range of
countermeasures. The security of these countermeasures, however, has not been
ascertained: while some of them are believed to be secure, others are known to
be insecure and result in vulnerable programs. To reason about the security
guarantees of these compiler-inserted countermeasures, this paper presents a
framework comprising several secure compilation criteria characterizing when
compilers produce code resistant against Spectre attacks. With this framework,
we perform a comprehensive security analysis of compiler-level countermeasures
against Spectre attacks implemented in major compilers. This work provides
sound foundations to formally reason about the security of compiler-level
countermeasures against Spectre attacks as well as the first proofs of security
and insecurity of said countermeasures
Modular, Fully-abstract Compilation by Approximate Back-translation
A compiler is fully-abstract if the compilation from source language programs
to target language programs reflects and preserves behavioural equivalence.
Such compilers have important security benefits, as they limit the power of an
attacker interacting with the program in the target language to that of an
attacker interacting with the program in the source language. Proving compiler
full-abstraction is, however, rather complicated. A common proof technique is
based on the back-translation of target-level program contexts to
behaviourally-equivalent source-level contexts. However, constructing such a
back- translation is problematic when the source language is not strong enough
to embed an encoding of the target language. For instance, when compiling from
STLC to ULC, the lack of recursive types in the former prevents such a
back-translation.
We propose a general and elegant solution for this problem. The key insight
is that it suffices to construct an approximate back-translation. The
approximation is only accurate up to a certain number of steps and conservative
beyond that, in the sense that the context generated by the back-translation
may diverge when the original would not, but not vice versa. Based on this
insight, we describe a general technique for proving compiler full-abstraction
and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric
cross-language logical relations and makes innovative use of step-indexing to
express the relation between a context and its approximate back-translation.
The proof extends easily to common compiler patterns such as modular
compilation and it, to the best of our knowledge, it is the first compiler full
abstraction proof to have been fully mechanised in Coq. We believe this proof
technique can scale to challenging settings and enable simpler, more scalable
proofs of compiler full-abstraction
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be
used by compilers to provide security benefits for compiled code (e.g., memory
safety). The C to CHERI compiler, for example, achieves memory safety by
following a principle called "pointers as capabilities" (PAC). Informally, PAC
says that a compiler should represent a source language pointer as a machine
code capability. But the security properties of PAC compilers are not yet well
understood. We show that memory safety is only one aspect, and that PAC
compilers can provide significant additional security guarantees for partial
programs: the compiler can provide guarantees for a compilation unit, even if
that compilation unit is later linked to attacker-controlled machine code. This
paper is the first to study the security of PAC compilers for partial programs
formally. We prove for a model of such a compiler that it is fully abstract.
The proof uses a novel proof technique (dubbed TrICL, read trickle), which is
of broad interest because it reuses and extends the compiler correctness
relation in a natural way, as we demonstrate. We implement our compiler on top
of the CHERI platform and show that it can compile legacy C code with minimal
code changes. We provide performance benchmarks that show how performance
overhead is proportional to the number of cross-compilation-unit function
calls
Universal Composability is Secure Compilation
Universal composability is a framework for the specification and analysis of
cryptographic protocols with a strong compositionality guarantee: UC protocols
are secure even when composed with other protocols. Secure compilation tells
whether compiled programs are as secure as their source-level counterparts, no
matter what target-level code they interact with. These two disciplines are
studied in isolation, but we believe there is a deeper connection between them
with benefits from both worlds to reap. This paper outlines the connection
between universal composability and robust compilation, the latest of secure
compilation theories. We show how to read the universal composability theorem
in terms of a robust compilation theorem and vice-versa. This, in turn, shows
which elements of one theory corresponds to which element in the other theory.
We believe this is the first step towards understanding how can secure
compilation theories be used in universal composability settings and
vice-versa
- …