journey beyond full abstraction - inria · –shared responsibility: compiler, linker, loader, os,...
TRANSCRIPT
![Page 1: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/1.jpg)
Journey Beyond Full Abstraction:Exploring Robust Property Preservation
for Secure Compilation
https://github.com/secure-compilation/exploring-robust-property-preservation
CarmineAbate
DeepakGarg Marco
Patrignani
CătălinHrițcu
JérémyThibault
MPI-SWS
Stanford& CISPA
Inria ParisInria Paris Inria Paris
RobBlanco
Inria Paris
![Page 2: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/2.jpg)
Good programming languages providehelpful abstractions for writing more secure code
2
![Page 3: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/3.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
![Page 4: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/4.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
abstractions not enforced when compiling and linking with adversarial low-level code
![Page 5: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/5.jpg)
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
abstractions not enforced when compiling and linking with adversarial low-level code• all source-level security guarantees are lost
• linked low-level code can read and write data and code,jump to arbitrary instructions, smash the stack, ...
![Page 6: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/6.jpg)
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code
3
![Page 7: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/7.jpg)
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
3
![Page 8: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/8.jpg)
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Enable source-level security reasoning– if source program is secure against all source contexts then
compiled program is secure against all target contexts
3
![Page 9: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/9.jpg)
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Enable source-level security reasoning– if source program is secure against all source contexts then
compiled program is secure against all target contexts
– but what should "is secure" mean?
3
![Page 10: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/10.jpg)
4
What properties should we robustly preserve?
![Page 11: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/11.jpg)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
![Page 12: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/12.jpg)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
![Page 13: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/13.jpg)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
![Page 14: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/14.jpg)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
![Page 15: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/15.jpg)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
![Page 16: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/16.jpg)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
![Page 17: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/17.jpg)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
![Page 18: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/18.jpg)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
![Page 19: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/19.jpg)
Journey Beyond Full Abstraction
5
![Page 20: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/20.jpg)
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
![Page 21: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/21.jpg)
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
![Page 22: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/22.jpg)
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
no one-size-fits-all criterion!
![Page 23: Journey Beyond Full Abstraction - Inria · –shared responsibility: compiler, linker, loader, OS, HW •Enable source-level security reasoning –if source program is secure against](https://reader034.vdocument.in/reader034/viewer/2022042409/5f255e3cb794617d101529ef/html5/thumbnails/23.jpg)
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
PostDocs &Starting Researchers@ Inria Paris
no one-size-fits-all criterion!