86 research outputs found
Modular, Fully-abstract Compilation by Approximate Back-translation
A compiler is fully-abstract if the compilation from source language programs
to target language programs reflects and preserves behavioural equivalence.
Such compilers have important security benefits, as they limit the power of an
attacker interacting with the program in the target language to that of an
attacker interacting with the program in the source language. Proving compiler
full-abstraction is, however, rather complicated. A common proof technique is
based on the back-translation of target-level program contexts to
behaviourally-equivalent source-level contexts. However, constructing such a
back- translation is problematic when the source language is not strong enough
to embed an encoding of the target language. For instance, when compiling from
STLC to ULC, the lack of recursive types in the former prevents such a
back-translation.
We propose a general and elegant solution for this problem. The key insight
is that it suffices to construct an approximate back-translation. The
approximation is only accurate up to a certain number of steps and conservative
beyond that, in the sense that the context generated by the back-translation
may diverge when the original would not, but not vice versa. Based on this
insight, we describe a general technique for proving compiler full-abstraction
and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric
cross-language logical relations and makes innovative use of step-indexing to
express the relation between a context and its approximate back-translation.
The proof extends easily to common compiler patterns such as modular
compilation and it, to the best of our knowledge, it is the first compiler full
abstraction proof to have been fully mechanised in Coq. We believe this proof
technique can scale to challenging settings and enable simpler, more scalable
proofs of compiler full-abstraction
Transpension: The Right Adjoint to the Pi-type
Presheaf models of dependent type theory have been successfully applied to
model HoTT, parametricity, and directed, guarded and nominal type theory. There
has been considerable interest in internalizing aspects of these presheaf
models, either to make the resulting language more expressive, or in order to
carry out further reasoning internally, allowing greater abstraction and
sometimes automated verification. While the constructions of presheaf models
largely follow a common pattern, approaches towards internalization do not.
Throughout the literature, various internal presheaf operators (,
, , , ,
, the strictness axiom and locally fresh names) can be found and
little is known about their relative expressivenes. Moreover, some of these
require that variables whose type is a shape (representable presheaf, e.g. an
interval) be used affinely.
We propose a novel type former, the transpension type, which is right adjoint
to universal quantification over a shape. Its structure resembles a dependent
version of the suspension type in HoTT. We give general typing rules and a
presheaf semantics in terms of base category functors dubbed multipliers.
Structural rules for shape variables and certain aspects of the transpension
type depend on characteristics of the multiplier. We demonstrate how the
transpension type and the strictness axiom can be combined to implement all and
improve some of the aforementioned internalization operators (without formal
claim in the case of locally fresh names)
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be
used by compilers to provide security benefits for compiled code (e.g., memory
safety). The C to CHERI compiler, for example, achieves memory safety by
following a principle called "pointers as capabilities" (PAC). Informally, PAC
says that a compiler should represent a source language pointer as a machine
code capability. But the security properties of PAC compilers are not yet well
understood. We show that memory safety is only one aspect, and that PAC
compilers can provide significant additional security guarantees for partial
programs: the compiler can provide guarantees for a compilation unit, even if
that compilation unit is later linked to attacker-controlled machine code. This
paper is the first to study the security of PAC compilers for partial programs
formally. We prove for a model of such a compiler that it is fully abstract.
The proof uses a novel proof technique (dubbed TrICL, read trickle), which is
of broad interest because it reuses and extends the compiler correctness
relation in a natural way, as we demonstrate. We implement our compiler on top
of the CHERI platform and show that it can compile legacy C code with minimal
code changes. We provide performance benchmarks that show how performance
overhead is proportional to the number of cross-compilation-unit function
calls
Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts
Progress has recently been made on specifying instruction set architectures
(ISAs) in executable formalisms rather than through prose. However, to date,
those formal specifications are limited to the functional aspects of the ISA
and do not cover its security guarantees. We present a novel, general method
for formally specifying an ISAs security guarantees to (1) balance the needs of
ISA implementations (hardware) and clients (software), (2) can be
semi-automatically verified to hold for the ISA operational semantics,
producing a high-assurance mechanically-verifiable proof, and (3) support
informal and formal reasoning about security-critical software in the presence
of adversarial code. Our method leverages universal contracts: software
contracts that express bounds on the authority of arbitrary untrusted code.
Universal contracts can be kept agnostic of software abstractions, and strike
the right balance between requiring sufficient detail for reasoning about
software and preserving implementation freedom of ISA designers and CPU
implementers. We semi-automatically verify universal contracts against Sail
implementations of ISA semantics using our Katamaran tool; a semi-automatic
separation logic verifier for Sail which produces machine-checked proofs for
successfully verified contracts. We demonstrate the generality of our method by
applying it to two ISAs that offer very different security primitives: (1)
MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat
simplified) version of RISC-V with PMP. We verify a femtokernel using the
security guarantee we have formalized for RISC-V with PMP
Abstract Congruence Criteria for Weak Bisimilarity
We introduce three general compositionality criteria over operational
semantics and prove that, when all three are satisfied together, they guarantee
weak bisimulation being a congruence. Our work is founded upon Turi and
Plotkin's mathematical operational semantics and the coalgebraic approach to
weak bisimulation by Brengos. We demonstrate each criterion with various
examples of success and failure and establish a formal connection with the
simply WB cool rule format of Bloom and van Glabbeek. In addition, we show that
the three criteria induce lax models in the sense of Bonchi et al
- …