Formally Secure Compilation · 2018-02-26
TRANSCRIPT
Formally Secure Compilation of Unsafe Low-level Components
Cătălin Hrițcu
Inria Paris, Prosecco team
https://secure-compilation.github.io
Collaborators
Cătălin Hrițcu, Marco Stronati, Arthur Azevedo de Amorim, Ana Nora Evans, Andrew Tolmach, Benjamin Pierce, Théo Laurent, Boris Eng, Carmine Abate, Yannis Juglaret, Guglielmo Fachini, Deepak Garg, Marco Patrignani, Rob Blanco
Affiliations: Inria Paris, CMU, U. Virginia, U. Trento, Paris 7, ENS Paris, Portland State, UPenn, MPI-SWS
Devastating low-level vulnerabilities
• Inherently insecure C/C++-like languages
– type and memory unsafe: e.g. any buffer overflow is catastrophic
– root cause, but challenging to fix:
• efficiency
• precision
• scalability
• backwards compatibility
• deployment
Practical mitigation: compartmentalization
• Main idea:
– break up security-critical C applications into mutually distrustful components running with least privilege & interacting via strictly enforced interfaces
• Strong security guarantees & interesting attacker model
– "a vulnerability in one component should not immediately destroy the security of the whole application"
– "components can be compromised by buffer overflows"
– "each component should be protected from all the others"
Goal 1: Formalize this
Goal 2: Build secure compilation chains
• Add components to C
– interacting only via strictly enforced interfaces
• Enforce "component C" abstractions:
– component separation, call-return discipline, ...
• Secure compilation chain:
– compiler, linker, loader, runtime, system, hardware
• Use efficient enforcement mechanisms:
– OS processes (all web browsers)
– WebAssembly (web browsers)
– software fault isolation (SFI)
– capability machines
– hardware enclaves (SGX)
– tagged architectures
• Practical need for all this
– e.g. crypto libraries/protocols ... verified (HACL*/miTLS*) or not
Goal 1: Formalizing the security of compartmentalizing compilation
[Diagram: a C program is compiled to ASM. Compiler correctness (e.g. CompCert) relates the C program trace to the ASM program trace, but once the program is split into components and some of them are malicious (e.g. compromised ASM obtained from C) this is not enough. Secure compilation: the well-defined C components are protected, and the malicious low-level components get no extra power over their source-level counterparts.]
Benefit: sound security reasoning in the source language
Fully abstract compilation
[Diagram: preservation of observational equivalence. A 1st and a 2nd high-level component are compiled to a 1st and a 2nd compiled component. If ∃ a low-level attacker that distinguishes (≁) the 1st compiled component from the 2nd, then ∃ a high-level attacker that distinguishes (≁) the 1st high-level component from the 2nd.]
Undefined behavior
#include <string.h>
int main (int argc, char **argv) {
  char c[12];
  strcpy(c, argv[1]);
  return 0;
}
$ gcc target.c
$ ./a.out haha
$ ./a.out hahahahahahahahahaha
zsh: segmentation fault (core dumped)
$ ./exploit.sh | a.out
Buffer overflow
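As an added example (not code from the slides), here is the condition under which the strcpy program above actually has defined behavior, next to a bounded copy that refuses any argument that would not fit in the 12-byte buffer. The names fits_in_buffer, copy_bounded, self_check and the BUF_SZ constant are this example's own choices.

```c
/* Added example, not from the slides: the slide's strcpy() program next to a
 * bounded copy that refuses input which would overflow the 12-byte buffer.
 * Function names and BUF_SZ are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SZ 12   /* same size as "char c[12]" on the slide */

/* Is strcpy(c, src) into char c[BUF_SZ] defined for this src?  Only if the
 * string together with its terminating NUL fits, i.e. strlen(src) < BUF_SZ.
 * For any longer argument the slide's program has undefined behavior; the
 * segfault and the exploit on the slide are two of its possible outcomes.
 * memchr never reads past the first NUL, so this is safe for short src too. */
int fits_in_buffer(const char *src) {
    return memchr(src, '\0', BUF_SZ) != NULL;
}

/* Hardened copy: returns 0 and copies src (with its NUL) when it fits in
 * dstsz bytes, otherwise returns -1 and leaves dst untouched.
 * Never writes beyond dst[dstsz - 1]. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;                 /* no terminator within dstsz bytes: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Small self-check: a short argument round-trips, a 20-byte one is rejected. */
int self_check(void) {
    char buf[BUF_SZ];
    if (copy_bounded(buf, sizeof buf, "haha") != 0) return 0;
    if (strcmp(buf, "haha") != 0) return 0;
    if (copy_bounded(buf, sizeof buf, "hahahahahahahahahaha") != -1) return 0;
    return 1;
}

int main(int argc, char **argv) {
    char c[BUF_SZ];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    /* The slide's version does strcpy(c, argv[1]) here, which overflows c
     * for any argument of BUF_SZ bytes or more. */
    if (copy_bounded(c, sizeof c, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %d bytes)\n", BUF_SZ - 1);
        return 1;
    }
    printf("copied: %s\n", c);
    return 0;
}
```

Run as ./a.out haha and ./a.out hahahahahahahahahaha: the first copies, the second is rejected with exit status 1 instead of overflowing the stack. The point for the rest of the talk is the same either way: once the program has undefined behavior, no source-level reasoning about its traces is possible, so the check has to happen before the undefined operation, not after.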
Source reasoning vs undefined behavior
• Source reasoning
= We want to reason formally about security with respect to source language semantics
• Undefined behavior
= can't be expressed at all by source language semantics!
• Problem: observational equivalence doesn't work with undefined behavior!?
– int buf[5]; buf[42] ~? int buf[5]; buf[43]
• Can we somehow avoid undefined behavior?
Full abstraction for mutually distrustful components
[Beyond Good and Evil - Juglaret, Hrițcu, Azevedo de Amorim, Eng, Pierce, CSF'16]
∀ compromise scenarios (here: C2, C4, C5 compromised; the components have interfaces i1 i2 i3 i4 i5):
if C1, C3, D1, D3 fully defined and
∃ low-level attack from compromised C2↓, C4↓, C5↓, i.e.
  C1↓ C2↓ C3↓ C4↓ C5↓ ≁ D1↓ C2↓ D3↓ C4↓ C5↓
then ∃ high-level attack from some fully defined A2, A4, A5, i.e.
  C1 A2 C3 A4 A5 ≁ D1 A2 D3 A4 A5
Limitation: static compromise model: C1, C3, D1, D3 get guarantees only if perfectly safe (i.e. fully defined = do not exhibit undefined behavior in any context)
This is the most we were able to achieve on top of full abstraction!
Static compromise not good enough
neither C1 nor C2 are fully defined
yet C1 is protected until calling C1.parse
and C2 can't actually be compromised
We build instead on Robust Compilation
robust trace property preservation (robust = in adversarial context)
[Diagram: a high-level component is compiled to a compiled component. ∀ (bad attack) trace t: if ∃ a low-level attacker causing t against the compiled component, then ∃ a high-level attacker causing t against the high-level component.]
intuition:
– stronger than compiler correctness (i.e. trace property preservation)
– confidentiality not preserved (i.e. no hyperproperties)
– less extensional than fully abstract compilation
Advantages:
– easier to realistically achieve and prove at scale
– useful: preservation of invariants and other integrity properties
– more intuitive to security people (generalizes to hyperproperties!)
– extends to unsafe languages, supporting dynamic compromise
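The two diagrams above (fully abstract compilation and robust compilation) written out as formulas. This is an added editorial note, not material from the slides, and the notation is assumed: P↓ is the compiled component, C_S and C_T range over source- and target-level contexts (the high- and low-level attackers), C[P] ⇝ t means the whole program produces trace t, and ≃_ctx is contextual (observational) equivalence.

Fully abstract compilation (preservation and reflection of observational equivalence):
$$\forall P_1\, P_2.\quad P_1 \simeq_{\mathrm{ctx}} P_2 \;\iff\; P_1{\downarrow} \simeq_{\mathrm{ctx}} P_2{\downarrow}$$
The diagram draws the contrapositive of the right-to-left direction:
$$\exists C_T.\; C_T[P_1{\downarrow}] \not\simeq C_T[P_2{\downarrow}] \;\Rightarrow\; \exists C_S.\; C_S[P_1] \not\simeq C_S[P_2]$$

Robust trace property preservation, with $W \models \pi$ meaning every trace of $W$ lies in $\pi$:
$$\forall P.\;\forall \pi \subseteq \mathrm{Trace}.\quad (\forall C_S.\; C_S[P] \models \pi) \;\Rightarrow\; (\forall C_T.\; C_T[P{\downarrow}] \models \pi)$$
Equivalently, in the property-free form the diagram draws ("for every bad trace t, a low-level attacker causing t implies a high-level attacker causing t"):
$$\forall P.\;\forall C_T.\;\forall t.\quad C_T[P{\downarrow}] \rightsquigarrow t \;\Rightarrow\; \exists C_S.\; C_S[P] \rightsquigarrow t$$

The hyperproperty generalization the slide mentions strengthens the conclusion from matching one trace to matching the whole behavior of the adversarial program:
$$\forall P.\;\forall C_T.\;\exists C_S.\quad \mathrm{behav}(C_S[P]) = \mathrm{behav}(C_T[P{\downarrow}])$$
This is why the single-trace statement cannot preserve confidentiality: noninterference relates pairs of traces and is a hyperproperty, not a trace property.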
Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
![Page 57: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/57.jpg)
↓
Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2↓ ↓ ↓ ⇓ t
![Page 58: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/58.jpg)
↓Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source language
↓
↓
↓ ⇓ t
![Page 59: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/59.jpg)
↓
Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source languagefor instance leading to the following compromise sequence:
↓ ↓ ↓ ⇓ t
i0 i1 i2
C0 C1 C2⇓ m1;Undef(C1)
↯(0)
![Page 60: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/60.jpg)
↓Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source languagefor instance leading to the following compromise sequence:
↓
↓
↓ ⇓ t
i0 i1 i2
C0 C1 C2⇓ m1;Undef(C1)
↯(0)
(1)i0 i1 i2
C0 A1 C2⇓ m2;Undef(C2)
↯≤
∃A1.
![Page 61: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/61.jpg)
↓
Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source languagefor instance leading to the following compromise sequence:
↓ ↓ ↓ ⇓ t
i0 i1 i2
C0 C1 C2⇓ m1;Undef(C1)
↯(0)
(1)i0 i1 i2
C0 A1 C2⇓ m2;Undef(C2)
↯
(2)i0 i1 i2
C0 A1 A2⇓ t
≤
≤
∃A1.
∃A2.
![Page 62: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/62.jpg)
↓Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source languagefor instance leading to the following compromise sequence:
↓
↓
↓ ⇓ t
i0 i1 i2
C0 C1 C2⇓ m1;Undef(C1)
↯(0)
(1)i0 i1 i2
C0 A1 C2⇓ m2;Undef(C2)
↯
(2)i0 i1 i2
C0 A1 A2⇓ t
≤
≤
∃A1.
∃A2.
![Page 63: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/63.jpg)
↓
Dynamic compromise
[When Good Components Go Bad - Fachini, Stronati, Hrițcu, et al]
i0 i1 i2
C0 C1 C2
∃ a dynamic compromise scenario explaining t in source languagefor instance leading to the following compromise sequence:
↓ ↓ ↓ ⇓ t
i0 i1 i2
C0 C1 C2⇓ m1;Undef(C1)
↯(0)
(1)i0 i1 i2
C0 A1 C2⇓ m2;Undef(C2)
↯
(2)i0 i1 i2
C0 A1 A2⇓ t
≤
≤
Trace is very helpful- detect undefined behavior- rewind execution
∃A1.
∃A2.
![Page 64: Formally Secure Compilation · 2018-02-26 · –compiler, linker, loader, runtime, system, hardware • Use efficient enforcement mechanisms: – OS processes (all web browsers)](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/64.jpg)
![Page 68](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/68.jpg)
Restricting undefined behavior
• Mutually-distrustful components
– restrict spatial scope of undefined behavior
• Dynamic compromise
– restrict temporal scope of undefined behavior
– undefined behavior = observable trace event
– effects of undefined behavior shouldn't percolate before earlier observable events
• careful with code motion, backwards static analysis, ...
– CompCert already offers this saner temporal model
– GCC and LLVM currently violate this model
![Page 71](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/71.jpg)
Now we know what these words mean!
(at least in the setting of compartmentalization for unsafe low-level languages)
Mutual distrust: C1 A2 C3 A4 A5
Dynamic compromise: C0 A1 C2 ⇓ m2; Undef(C2) ↯
Static privilege: C0 A1 C2 with interfaces i0 i1 i2
![Page 78](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/78.jpg)
Towards Secure Compilation Chain
• Compartmentalized unsafe source
– buffers, procedures, components interacting via strictly enforced interfaces
• Compartmentalized abstract machine
– simple RISC abstract machine with built-in compartmentalization
• Micro-policy machine
– tag-based reference monitor enforcing: – component separation – procedure call and return discipline (linear capabilities / linear entry points)
• Bare-bone machine
– software fault isolation: inline reference monitor enforcing: – component separation – procedure call and return discipline (program rewriting, shadow call stack)
(mostly) Verified (in Coq)
Systematically tested (with QuickChick)
16
![Page 85](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/85.jpg)
Next steps towards making this practical
• Scale up secure compilation to more of C
– first step: allow pointer passing (capabilities)
• Verify compartmentalized applications
– put the source-level reasoning principles to work
• Extend all this to dynamic component creation
• ... and dynamic privileges: capabilities, HBAC, ...
• Achieve confidentiality (hypersafety) preservation
– in a realistic attacker model with side-channels
• Devise scalable proof techniques for (hyper)liveness preservation (possible?)
17
![Page 88](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/88.jpg)
Grand Challenge
Build the first efficient formally secure compilers for realistic programming languages
1. Provide secure semantics for low-level languages
– C with protected components and memory safety
2. Enforce secure interoperability with unsafe code
– ASM, C, and Low* [= safe C subset embedded in F* for verification]
18
![Page 98](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/98.jpg)
Goal: achieve secure compilation at scale
[diagram of the intended compilation chain, top to bottom:]
Low* language (safe C subset in F*): miTLS*
C language + components + memory safety: memory safe C component, legacy C component
ASM language (RISC-V + micro-policies): ASM component
compilers in the diagram: KremSec, CompSec+, CompSec
annotations: protecting component boundaries; protecting higher-level abstractions
19
![Page 104](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/104.jpg)
Beyond robust safety preservation
[Robust Hyperproperty Preservation for Secure Compilation - Garg, Hrițcu, Patrignani, et al]
Legend: Trace property = set of traces; Hyperproperty = set of sets of traces; Rel. Hyperprop. = set of sets of (t, P)
Back-translation proof techniques and their quantifier structure:
– back-translating finite trace prefixes: ∀P ∀CT ∀m≤t ∃CS ...
– back-translating finite sets of finite trace prefixes: ∀k ∀P1..Pk ∀CT ∀m1..mk ∃CS ...
– back-translating contexts & progs: ∀P ∀CT ∃CS ∀t ...
– back-translating contexts: ∀CT ∃CS ∀P ∀t ...
![Page 109](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255d8db7acb33b633aee09/html5/thumbnails/109.jpg)
Most of this is either work in progress... or wild speculation ... but ...
• Working on it!
– team at Inria Paris: Rob Blanco (PostDoc), Carmine Abate (Intern), Jérémy Thibault (Intern)
– collaborators at UPenn, MPI-SWS, MSR, Draper, Portland, ...
• We're hiring!
– Interns, PhD students, PostDocs, Researchers
• Open to new collaborations
• Building a community
– Workshop on Principles of Secure Compilation (PriSC) @ POPL
– Dagstuhl Seminar on Secure Compilation in May