![Page 1: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/1.jpg)
The Quest for Formally Secure Compartmentalizing Compilation
Cătălin Hrițcu
1
Habilitation Defense
![Page 2: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/2.jpg)
My research in the last 7 years
Program Verification
3
Property-Based TestingTag-based Monitoring
Secure Compilation
![Page 3: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/3.jpg)
My research in the last 7 years
Program Verification
3
Property-Based TestingTag-based Monitoring
Secure Compilation
![Page 4: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/4.jpg)
Devastating low-level attacks
4
![Page 5: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/5.jpg)
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
4
![Page 6: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/6.jpg)
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
4
![Page 7: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/7.jpg)
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4
![Page 8: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/8.jpg)
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4Part 1: formalize what it means to solve this problem
![Page 9: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/9.jpg)
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4Part 1: formalize what it means to solve this problem
Part 2: give meaning to compartmentalization mitigation
![Page 10: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/10.jpg)
Secure Interoperabilitywith Lower-Level Code
Part 1 of 2
5
![Page 11: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/11.jpg)
Secure Interoperabilitywith Lower-Level Code
Part 1 of 2
5
CarmineAbate
DeepakGarg Marco
Patrignani
CătălinHrițcu
JérémyThibault
MPI-SWS
Stanford& CISPA
Inria ParisInria Paris Inria Paris
RobBlanco
Journey Beyond Full Abstractionhttps://arxiv.org/abs/1807.04603
Inria Paris
![Page 12: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/12.jpg)
Good programming languages providehelpful abstractions for writing more secure code
6
![Page 13: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/13.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
6
![Page 14: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/14.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
6
![Page 15: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/15.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
6
![Page 16: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/16.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
– specifications of a verification system like Coq and Dafny• effects, dependent types, refinements, logical pre- and post-conditions
6
![Page 17: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/17.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
– specifications of a verification system like Coq and Dafny• effects, dependent types, refinements, logical pre- and post-conditions
– coding patterns specific to cryptographic code• abstract types and interfaces for defending against side-channel attacks
6
![Page 18: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/18.jpg)
7
![Page 19: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/19.jpg)
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library
~20.000 LOC in Low*
![Page 20: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/20.jpg)
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
![Page 21: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/21.jpg)
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
ASM ASM
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
KreMLin+ CompCert GCC
Verified
![Page 22: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/22.jpg)
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
ASM ASM
Insecure interoperability: linked code can read and writedata and code, jump to arbitrary instructions, smash the stack, ...
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
KreMLin+ CompCert GCC
Verified
![Page 23: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/23.jpg)
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
9
![Page 24: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/24.jpg)
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning
9
![Page 25: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/25.jpg)
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning– adversarial target-level context cannot break the security of
compiled program any more than some source-level context
9
![Page 26: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/26.jpg)
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning– adversarial target-level context cannot break the security of
compiled program any more than some source-level context
– no "low-level" attacks
9
![Page 27: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/27.jpg)
Robustly preserving security
10
![Page 28: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/28.jpg)
Robustly preserving security
sourcecontext
source secureprogram
10
sourcecontext∀
![Page 29: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/29.jpg)
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
10
sourcecontext∀
targetcontext∀
⇒
![Page 30: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/30.jpg)
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
no extra powerprotected
10
sourcecontext∀
targetcontext∀
⇒
![Page 31: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/31.jpg)
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
no extra powerprotected
10
But what should "secure" mean?
sourcecontext∀
targetcontext∀
⇒
![Page 32: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/32.jpg)
11
What properties should we robustly preserve?
![Page 33: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/33.jpg)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
![Page 34: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/34.jpg)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
![Page 35: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/35.jpg)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
![Page 36: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/36.jpg)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
![Page 37: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/37.jpg)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
No one-size-fits-all security criterion
![Page 38: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/38.jpg)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
No one-size-fits-all security criterion
![Page 39: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/39.jpg)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
No one-size-fits-all security criterion
![Page 40: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/40.jpg)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
No one-size-fits-all security criterion
![Page 41: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/41.jpg)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
No one-size-fits-all security criterion
![Page 42: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/42.jpg)
Robust Trace Property Preservation
43
sourcecontext
targetcontext
source program
compiledprogram
sourcecontext∃
target context∃
.
.
compiler
∀source programs.∀(bad/attack) trace t.
⇒
sourcecontext
targetcontext
source program
compiledprogram
sourcecontexttrace t∀
target contexttrace t
∀
.
.
compiler
∀source programs.∀π trace property.
⇒
⇝t⇒ t∈π
property-based characterization
⇝t⇒ t∈π
property-free characterization
⇔
⇝t
⇝t
back-translation
what one can achieve how one can prove it
![Page 43: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/43.jpg)
13
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
![Page 44: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/44.jpg)
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
![Page 45: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/45.jpg)
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
![Page 46: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/46.jpg)
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingprog & context∀P∀CT∃CS∀t...
back-translatingcontext
∀CT∃CS∀P∀t...
back-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
![Page 47: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/47.jpg)
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
14
![Page 48: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/48.jpg)
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
14
![Page 49: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/49.jpg)
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
14
![Page 50: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/50.jpg)
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
• Formally study relation to full abstraction ...
14
![Page 51: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/51.jpg)
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
• Formally study relation to full abstraction ...
• Embraced and extended proof techniques ...
14
![Page 52: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/52.jpg)
Where is Full Abstraction?
15
(i.e. robust behavioral equivalence preservation)
![Page 53: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/53.jpg)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
(i.e. robust behavioral equivalence preservation)
![Page 54: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/54.jpg)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
doesn't imply any of our criteria(even assuming compiler correctness)
(i.e. robust behavioral equivalence preservation)
![Page 55: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/55.jpg)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
doesn't imply any of our criteria(even assuming compiler correctness)
no one-size-fits-all criterion!
(i.e. robust behavioral equivalence preservation)
![Page 56: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/56.jpg)
Embraced and extended™ proof techniques
16
for simple translation from statically to dynamically typed language with first-order functions and I/O
![Page 57: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/57.jpg)
Embraced and extended™ proof techniques
16
back-translatingcontext
∀CT∃CS∀P∀t...
for simple translation from statically to dynamically typed language with first-order functions and I/O
strongestcriterion
achievable
![Page 58: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/58.jpg)
Embraced and extended™ proof techniques
16
back-translatingcontext
∀CT∃CS∀P∀t... generic techniqueapplicableback-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
for simple translation from statically to dynamically typed language with first-order functions and I/O
strongestcriterion
achievable
![Page 59: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/59.jpg)
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
17
![Page 60: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/60.jpg)
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
• Verifying robust satisfaction for source programs
– partial semantics, program logics, logical relations, ...
17
![Page 61: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/61.jpg)
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
• Verifying robust satisfaction for source programs
– partial semantics, program logics, logical relations, ...
• Exploring other kinds of secure compilation
– target observations richer than source observations
– generalize noninterference preservation with side-channels?
17
![Page 62: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/62.jpg)
Secure Compilation for Unsafe Languages
When Good Components Go Bad (CCS 2018)Beyond Good and Evil (CSF 2016)Micro-Policies (IEEE S&P 2015)A verified information-flow architecture (POPL 2014)
Part 2 of 2
18
![Page 63: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/63.jpg)
When Good Components Go BadComputer and Communications Security (CCS 2018)
CătălinHrițcu
MarcoStronati
ArthurAzevedo
de Amorim
Ana NoraEvans
AndrewTolmach
BenjaminPierce
ThéoLaurent
CarmineAbate
Inria Paris CMU U. Virginia Portland State UPenn
GuglielmoFachini
19
RobBlanco
![Page 64: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/64.jpg)
Inherently insecure languages like C
– any buffer overflow can be catastrophic
20
![Page 65: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/65.jpg)
Inherently insecure languages like C
– any buffer overflow can be catastrophic
– ~100 different undefined behaviorsin the usual C compiler:• use after frees and double frees, invalid casts,
signed integer overflows, ...............................
20
![Page 66: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/66.jpg)
Inherently insecure languages like C
– any buffer overflow can be catastrophic
– ~100 different undefined behaviorsin the usual C compiler:• use after frees and double frees, invalid casts,
signed integer overflows, ...............................
– root cause, but very challenging to fix:
• efficiency, precision, scalability,
backwards compatibility, deployment
20
![Page 67: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/67.jpg)
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
21
![Page 68: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/68.jpg)
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
21
![Page 69: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/69.jpg)
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
• Compartmentalizing compilation chain:
– compiler, linker, loader, runtime, system, hardware
21
![Page 70: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/70.jpg)
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
• Compartmentalizing compilation chain:
– compiler, linker, loader, runtime, system, hardware
• Base this on efficient enforcement mechanisms:
– OS processes (all web browsers) — hardware enclaves (SGX)
– WebAssembly (web browsers) — capability machines
– software fault isolation (SFI) — tagged architectures
21
![Page 71: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/71.jpg)
Strong security!?
22
![Page 72: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/72.jpg)
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
22
![Page 73: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/73.jpg)
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
22
![Page 74: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/74.jpg)
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
... since each component is protected from all the others
22
![Page 75: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/75.jpg)
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
... since each component is protected from all the others
... and each component receives protection as long as
it has not been compromised (e.g. by a buffer overflow)
22
![Page 76: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/76.jpg)
Can we formalize this intuition?
23
![Page 77: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/77.jpg)
Can we formalize this intuition?
23
What is a compartmentalizing compilation chain supposed to enforce precisely?
![Page 78: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/78.jpg)
Can we formalize this intuition?
23
We answer this question:
Formal definition expressing theend-to-end security guaranteesof compartmentalization
What is a compartmentalizing compilation chain supposed to enforce precisely?
![Page 79: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/79.jpg)
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
24
![Page 80: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/80.jpg)
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
24
![Page 81: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/81.jpg)
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
– what does the following program do?
24
#include <string.h>
int main (int argc, char **argv) {
char c[12];
strcpy(c, argv[1]);
return 0;
}
![Page 82: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/82.jpg)
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
– what does the following program do?
24
#include <string.h>
int main (int argc, char **argv) {
char c[12];
strcpy(c, argv[1]);
return 0;
}
![Page 83: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/83.jpg)
Compartmentalizing compilation should ...
• Restrict spatial scope of undefined behavior
– mutually-distrustful components• each component protected from all the others
25
![Page 84: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/84.jpg)
Compartmentalizing compilation should ...
• Restrict spatial scope of undefined behavior
– mutually-distrustful components• each component protected from all the others
• Restrict temporal scope of undefined behavior
– dynamic compromise• each component gets guarantees
as long as it has not encountered undefined behavior
• i.e. the mere existence of vulnerabilities doesn'tnecessarily make a component compromised
25
![Page 85: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/85.jpg)
i0 i1 i2
C0 C1 C2↓ ↓ ↓ ⇝ tIf then
26
Securitydefinition:
![Page 86: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/86.jpg)
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
If then
26
Securitydefinition:
![Page 87: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/87.jpg)
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯∃A1.
If then
26
Securitydefinition:
![Page 88: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/88.jpg)
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯
(3)i0 i1 i2
C0 A1 A2⇝ m1·m2·m3
∃A1.
∃A2.
If then
26
Securitydefinition:
![Page 89: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/89.jpg)
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯
(3)i0 i1 i2
C0 A1 A2⇝ m1·m2·m3
Finite trace records which component encounteredundefined behavior and allows us to rewind execution
∃A1.
∃A2.
If then
26
Securitydefinition:
![Page 90: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/90.jpg)
How can we prove this?
27
![Page 91: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/91.jpg)
How can we prove this?
27
When compilation and back-translation are compositional, previous definition reduces to (a variant of)Robust Safety Preservation
![Page 92: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/92.jpg)
How can we prove this?
27
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
When compilation and back-translation are compositional, previous definition reduces to (a variant of)Robust Safety Preservation
![Page 93: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/93.jpg)
Proof-of-concept formallysecure compilation chain in Coq
Illustrates our formal definition
28
![Page 94: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/94.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Micro-policy machine
Bare-bonemachine
software fault isolation
29
![Page 95: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/95.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
software fault isolation
29
![Page 96: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/96.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
software fault isolation
29
![Page 97: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/97.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
29
![Page 98: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/98.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
29
![Page 99: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/99.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
Verified
29
generic proof technique 26K lines of Coq, mostly proofs
![Page 100: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/100.jpg)
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
Verified
Systematically tested (with QuickChick)29
generic proof technique 26K lines of Coq, mostly proofs
![Page 101: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/101.jpg)
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
30
![Page 102: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/102.jpg)
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
• Proof-of-concept secure compilation chain in Coq
– software fault isolation or tag-based reference monitor
30
![Page 103: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/103.jpg)
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
• Proof-of-concept secure compilation chain in Coq
– software fault isolation or tag-based reference monitor
• Generic definition and proof technique
– we expect them to extend and scale well
30
![Page 104: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/104.jpg)
Making this more practical ... next steps:
31
![Page 105: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/105.jpg)
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
31
![Page 106: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/106.jpg)
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
31
![Page 107: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/107.jpg)
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
31
![Page 108: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/108.jpg)
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
• From robust safety to hypersafety (e.g. confidentiality)
31
![Page 109: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/109.jpg)
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
• From robust safety to hypersafety (e.g. confidentiality)
• Secure compilation of Low* using components, contracts, sealing, ...
31
![Page 110: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/110.jpg)
My dream: secure compilation at scale
32
miTLSLow* language
(safe C subset in F*)
C language+ components+ memory safety
![Page 111: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/111.jpg)
My dream: secure compilation at scale
32
miTLSLow* language
(safe C subset in F*)
C language+ components+ memory safety
![Page 112: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/112.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
![Page 113: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/113.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
![Page 114: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/114.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
![Page 115: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/115.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
![Page 116: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/116.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
![Page 117: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/117.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
![Page 118: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/118.jpg)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
PostDocs &Researchers
![Page 119: The Quest for Formally Secure Compartmentalizing Compilation · 2019-01-29 · –shared responsibility: compiler, linker, loader, OS, HW •Goal: enable source-level security reasoning](https://reader031.vdocument.in/reader031/viewer/2022011904/5f255d8db7acb33b633aee05/html5/thumbnails/119.jpg)
Past group members:Alejandro AguirreAna Nora EvansAnna BednarikArthur Azevedo de AmorimClément Pit-ClaudelDanel AhmanDiane Gallois-WongGuglielmo FachiniLi-yao XiaMarco StronatiNick GiannarakisSimon ForestTomer LibalVictor DumitrescuYannis JuglaretZoe Paraskevopoulou
Thank you Current group:Carmine AbateExe RivasFlorian GroultGuido MartínezJérémy ThibaultKenji MaillardRob BlancoThéo Laurent
Prosecco team:Benjamin BeurdoucheBenjamin LippBruno BlanchetDenis MerigouxElizabeth LabradaÉric TanterGraham SteelHarry HalpinKarthik BhargavanMarina PolubelovaMathieu MoureyPrasad Naldurg
Jury:David PointchevalFrank PiessensGilles BartheThomas JensenDavid PichardieKarthik BhargavanTamara RezkXavier Leroy
Family:Beate BrockmannGabriela MerticariuIoan HrițcuStela Hrițcu