Exploring Robust Property Preservation for Secure Compilation
Journey Beyond Full Abstraction:
Exploring Robust Property Preservation
for Secure Compilation
Carmine
Abate
Deepak
Garg
Marco
Patrignani
C
ătălin
Hrițcu
Jérémy
Thibault
MPI-SWS
Stanford
& CISPA
Inria Paris
Inria Paris
Inria Paris
Rob
Blanco
Inria Paris
Good programming languages
provide
helpful abstractions
for
writing more secure code
•
structured control flow, procedures, modules, interfaces,
correctness and security specifications, ...
2
abstractions not enforced
when compiling
and linking with
adversarial low-level code
•
all source-level security guarantees are lost
HACL* verified cryptographic library
, in practice
3
ASM
ASM
Insecure interoperability:
linked code can read and write
data and code
,
jump to arbitrary instructions
,
smash the stack
, ...
~100.000 LOC in F*
16.000.000+ LOC in C/C++
KreMLin
+ CompCert
GCC
160x
, in practice
We need secure compilation chains
•
Protect source-level abstractions
even against linked adversarial low-level code
–
various
enforcement mechanisms
: processes, SFI, ...
–
shared responsibility: compiler, linker, loader, OS, HW
•
Goal: enable source-level security reasoning
–
linked adversarial target code cannot break the security of
compiled program
any more than some linked source code
–
no "low-level" attacks
4
Robustly preserving security
source
context
target
context
source
compiled
compiler
secure
secure
program
program
no extra power
protected
5
But what should
"secure"
mean?
source
context
∀
target
context
∀
⇒
6
What properties should we robustly preserve?
trace properties
(safety & liveness)
hyperproperties
(noninterference)
relational
hyperproperties
(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
No one-size-fits-all security criterion
Robust Trace Property Preservation
7
source
context
target
context
source
program
compiled
program
source
context
∃
target
context
∃
.
.
compiler
∀
s
o
u
r
c
e
p
r
o
g
r
a
m
s
.
∀
(
b
a
d
/
a
t
t
a
c
k
)
t
r
a
c
e
t
.
⇒
source
context
target
context
source
program
compiled
program
source
context
trace
t
∀
target
context
trace
t
∀
.
.
compiler
∀
s
o
u
r
c
e
p
r
o
g
r
a
m
s
.
∀
π
t
r
a
c
e
p
r
o
p
e
r
t
y
.
⇒
⇝
t
⇒
t
∈
π
property-based characterization
⇝
t
⇒
t
∈
π
property-free characterization
⇔
⇝
t
⇝
t
back-
translation
what
one might want to achieve
how
one can prove it
8
back-translating
finite trace prefix
∀
P
∀
C
T
∀
m
≤
t
∃
C
S
.
.
.
back-translating
p
r
o
g
&
c
o
n
t
e
x
t
∀
P
∀
C
T
∃
C
S
∀
t
.
.
.
back-translating
context
∀
C
T
∃
C
S
∀
P
∀
t
.
.
.
back-translating
finite set of
finite trace prefixes
∀
k
∀
P
1
.
.
P
k
∀
C
T
∀
m
1
.
.
m
k
∃
C
S
.
.
.
back-translating
prog & context & trace
∀
P
∀
C
T
∀
t
∃
C
S
.
.
.
Some of the proof difficulty is manifest in
property-free characterization
Journey Beyond Full Abstraction
•
First to explore space of secure compilation criteria
based on robust property preservation
•
Carefully studied the criteria and their relations
–
Property-free characterizations
–
implications,
collapses
,
separations results
•
Introduced relational (hyper)properties (new classes!)
•
Clarified relation to full abstraction ...
•
Embraced and extended proof techniques ...
9
https://github.com/secure-compilation/exploring-robust-property-preservation
without internal nondeterminism,
full abstraction is here
Where is Full Abstraction?
10
doesn't imply any other criterion
(i.e. robust behavioral equivalence preservation)
Full abstraction
does not
imply
any other criterion in our diagram
•
Intuitive counterexample
adapted from Marco&Deepak
[CSF'17]
•
When context passes in bad input value
(e.g. ill-typed):
–
lunch the missiles
- breaks Robust Safety Preservation
–
or
loop forever
- breaks Robust Liveness Preservation
–
or
leak secret inputs
- breaks Robust NI Preservation
•
Yet this doesn't break
full abstraction
or
compiler correctness!
•
Full abstraction only ensures
code confidentiality
–
no
integrity,
no
safety,
no
data confidentiality, ...
11
Embraced and extended™ proof techniques
12
back-translating
context
∀
C
T
∃
C
S
∀
P
∀
t
.
.
.
[New et al,ICFP'16]
generic technique
applicable
back-translating
finite set of
finite trace prefixes
∀
k
∀
P
1
.
.
P
k
∀
C
T
∀
m
1
.
.
m
k
∃
C
S
.
.
.
[Jeffrey & Rathke, ESOP'05]
[Patrignani et al,TOPLAS'15]
for simple translation from statically to dynamically typed
language with first-order functions and I/O
strongest
criterion
achievable
Some open problems
•
Practically achieving
secure interoperability with lower-level code
–
more realistic languages and compilation chains
•
Verifying robust satisfaction for source programs
–
program logics, logical relations, partial semantics, ...
•
Different traces for source and target semantics
–
connected by some arbitrary relation
–
mappings between source and target properties
–
interesting even for correct compilation
13
My dream: secure compilation at scale
14
HACL*
memory safe
C component
legacy C
component
ASM
component
C language
+ components
+ memory safety
ASM language
(RISC-V + micro-policies)
language
Journey Beyond Full Abstraction
•
First to explore space of secure compilation criteria
based on robust property preservation
•
Carefully studied the criteria and their relations
–
Property-free characterizations
–
implications,
collapses
,
separations results
•
Introduced relational (hyper)properties (new classes!)
•
Clarified relation to full abstraction ...
•
Embraced and extended proof techniques ...
15
https://github.com/secure-compilation/exploring-robust-property-preservation
This exploration delves into the importance of preserving security properties throughout the compilation process to maintain the integrity and security of software programs. It discusses the challenges posed by adversarial low-level code and the need for secure compilation chains. The focus is on enhancing source-level security reasoning and protecting against potential attacks that can compromise the security of compiled programs.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation Carmine Abate Inria Paris Rob Blanco Inria Paris Deepak Garg MPI-SWS C t lin Hri cu Inria Paris J r my Thibault Inria Paris Marco Patrignani Stanford & CISPA
Good programming languages provide helpful abstractions for writing more secure code structured control flow, procedures, modules, interfaces, correctness and security specifications, ... abstractions not enforced when compiling and linking with adversarial low-level code all source-level security guarantees are lost 2
HACL* verified cryptographic library, in practice , in practice 16.000.000+ LOC in C/C++ 160x ~100.000 LOC in F* HACL* library Firefox web browser KreMLin + CompCert GCC ASM ASM Insecure interoperability: linked code can read and write data and code, jump to arbitrary instructions, smash the stack, ... 3
We need secure compilation chains Protect source-level abstractions even against linked adversarial low-level code variousenforcement mechanisms: processes, SFI, ... shared responsibility: compiler, linker, loader, OS, HW Goal: enable source-level security reasoning linked adversarial target code cannot break the security of compiled program any more than some linked source code no "low-level" attacks 4
Robustly preserving security source context source source secure context program compiler target context program target context secure compiled no extra power protected But what should "secure" mean? 5
What properties should we robustly preserve? No one-size-fits-all security criterion relational hyperproperties (trace equivalence) More secure + code confidentiality hyperproperties (noninterference) + data confidentiality More efficient to enforce Easier to prove trace properties (safety & liveness) only integrity 6
Robust Trace Property Preservation property-based characterization property-free characterization source programs. trace property. source programs. (bad/attack) trace t. source context trace t source source context source source source t t t . . context program context program compiler back- translation compiler target context trace t compiled target compiled target t t t target context . context program context program . how one can prove it what one might want to achieve 7
Some of the proof difficulty is manifest in property-free characterization back-translating context P t... CT C CS S P t back-translating finite set of finite trace prefixes k P1..Pk CT m m1 1..m ..mk k C back-translating prog & context P CT C CS S t t... CS S... back-translating finite trace prefix P CT m t C m t CS S... back-translating prog & context & trace P CT t C t CS S... 8
Journey Beyond Full Abstraction First to explore space of secure compilation criteria based on robust property preservation Carefully studied the criteria and their relations Property-free characterizations implications, collapses, separations results Introduced relational (hyper)properties (new classes!) Clarified relation to full abstraction ... Embraced and extended proof techniques ... https://github.com/secure-compilation/exploring-robust-property-preservation 9
Where is Full Abstraction? (i.e. robust behavioral equivalence preservation) without internal nondeterminism, full abstraction is here doesn't imply any other criterion 10
Full abstraction does notimply any other criterion in our diagram Intuitive counterexample adapted from Marco&Deepak [CSF'17] When context passes in bad input value (e.g. ill-typed): lunch the missiles - breaks Robust Safety Preservation or loop forever - breaks Robust Liveness Preservation or leak secret inputs - breaks Robust NI Preservation Yet this doesn't break full abstraction or compiler correctness! Full abstraction only ensures code confidentiality no integrity, no safety, no data confidentiality, ... 11
Embraced and extended proof techniques for simple translation from statically to dynamically typed strongest criterion achievable language with first-order functions and I/O back-translating context P t... CT C [New et al,ICFP'16] CS S P t generic technique applicable back-translating finite set of finite trace prefixes k P1..Pk CT m m1 1..m ..mk k C [Jeffrey & Rathke, ESOP'05] [Patrignani et al,TOPLAS'15] CS S... 12
Some open problems Practically achieving secure interoperability with lower-level code more realistic languages and compilation chains Verifying robust satisfaction for source programs program logics, logical relations, partial semantics, ... Different traces for source and target semantics connected by some arbitrary relation mappings between source and target properties interesting even for correct compilation 13
My dream: secure compilation at scale language HACL* C language + components + memory safety legacy C component memory safe C component ASM language (RISC-V + micro-policies) ASM component 14
Journey Beyond Full Abstraction First to explore space of secure compilation criteria based on robust property preservation Carefully studied the criteria and their relations Property-free characterizations implications, collapses, separations results Introduced relational (hyper)properties (new classes!) Clarified relation to full abstraction ... Embraced and extended proof techniques ... https://github.com/secure-compilation/exploring-robust-property-preservation 15
