When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise
@article{Fachini2018WhenGC,
  title={When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise},
  author={Guglielmo Fachini and Catalin Hritcu and Marco Stronati and Arthur Azevedo de Amorim and Ana Nora Evans and Carmine Abate and Roberto Blanco and Th{\'e}o Laurent and Benjamin C. Pierce and Andrew P. Tolmach},
  journal={Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
  year={2018}
}
We propose a new formal criterion for evaluating secure compilation schemes for unsafe languages, expressing end-to-end security guarantees for software components that may become compromised after encountering undefined behavior---for example, by accessing an array out of bounds. Our criterion is the first to model dynamic compromise in a system of mutually distrustful components with clearly specified privileges. It articulates how each component should be protected from all the others---in…
29 Citations
The Quest for Formally Secure Compartmentalizing Compilation
- Computer Science
- 2019
This work proposes several formal definitions that characterize what it means for a compartmentalizing compilation chain to be secure, and proposes a new formal criterion for secure compilation schemes from such unsafe languages, expressing end-to-end security guarantees for software components that may become compromised after encountering undefined behavior.
Exploring Robust Property Preservation for Secure Compilation
- Computer Science, ArXiv
- 2018
A large space of formal secure compilation criteria based on the preservation of properties that are robustly satisfied against arbitrary adversarial contexts is thoroughly explored, and it is illustrated that for proving the robust preservation of most relational safety properties including safety, noninterference, and sometimes trace equivalence, a less powerful but more generic technique can back-translate a finite set of finite execution prefixes into a source context.
Formal Approaches to Secure Compilation
- Computer Science, ACM Comput. Surv.
- 2019
This article provides a survey of the existing literature on formal approaches to secure compilation with a focus on those that prove fully abstract compilation, which has been the criterion adopted by much of the literature thus far.
Towards formally verified compilation of tag-based policy enforcement
- Computer Science, CPP
- 2021
Tagine is a small prototype compiler that translates a simple tagged WHILE language to a tagged register transfer language and performs simple optimizations and is written and verified in Coq, a first step toward verification of a full-scale compiler for a realistic tagged source language.
Robustly Safe Compilation, an Efficient Form of Secure Compilation
- Computer Science, ACM Trans. Program. Lang. Syst.
- 2021
This article explores a different criterion for secure compilation called robustly safe compilation or RSC, which means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with the compiled program.
CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle
- Computer Science, 2021 IEEE 34th Computer Security Foundations Symposium (CSF)
- 2021
This paper is the first to study the security of PAC compilers for partial programs formally and proves for a model of such a compiler that it is fully abstract, and implements the scheme for C on CHERI, and shows that the performance overhead of compiled code is roughly proportional to the number of cross-compilation-unit function calls.
Robustly Safe Compilation or, Efficient, Provably Secure Compilation
- Computer Science, ArXiv
- 2018
This paper explores a different criterion for secure compilation called robustly safe compilation or RSC, which means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with said program.
SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation
- Computer Science, 2022 IEEE 35th Computer Security Foundations Symposium (CSF)
- 2022
More informative data-flow traces are introduced, combining the best of syntax- and trace-directed back-translation in a simpler technique that handles both syntactic dissimilarity and memory sharing well, and that is proved correct in Coq.
Nanopass Back-Translation of Multiple Traces for Secure Compilation Proofs
- Computer Science
- 2021
A novel back-translation technique for back-translating a finite set of finite trace prefixes into a single source context, and a convenient way to prove its correctness is proposed.
Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction
- Computer Science, CCS
- 2021
Mir is presented, a system addressing dynamic compromise by introducing a fine-grained read-write-execute (RWX) permission model at the boundaries of libraries: every field of every free variable name in the context of an imported library is governed by a permission set.
110 References
Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation
- Computer Science, 2016 IEEE 29th Computer Security Foundations Symposium (CSF)
- 2016
This work proposes a new security property, secure compartmentalizing compilation (SCC), that formally characterizes the guarantees provided by compartmentalization compilation and clarifies its attacker model.
Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components
- Computer Science, ArXiv
- 2015
This work proposes a new attacker model for secure compilation that extends the well-known notion of full abstraction to ensure protection for mutually distrustful components, and devise a compiler chain and a novel security monitor that together defend against this strong attacker model.
Exploring Robust Property Preservation for Secure Compilation
- Computer Science, ArXiv
- 2018
A large space of formal secure compilation criteria based on the preservation of properties that are robustly satisfied against arbitrary adversarial contexts is thoroughly explored, and it is illustrated that for proving the robust preservation of most relational safety properties including safety, noninterference, and sometimes trace equivalence, a less powerful but more generic technique can back-translate a finite set of finite execution prefixes into a source context.
Access Control Based on Execution History
- Computer Science, NDSS
- 2003
The run-time rights of a piece of code are determined by examining the attributes of any pieces of code that have run and any explicit requests to augment rights, which should be incorporated in libraries or (even better) in programming languages.
seL4: From General Purpose to a Proof of Information Flow Enforcement
- Computer Science, 2013 IEEE Symposium on Security and Privacy
- 2013
This is the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control.
A Type Discipline for Authorization in Distributed Systems
- Computer Science, Mathematics, 20th IEEE Computer Security Foundations Symposium (CSF'07)
- 2007
This work proposes a conformance criterion, safety despite compromised principals, such that an invalid authorization decision at an uncompromised node can arise only when nodes on which the decision logically depends are compromised.
On Modular and Fully-Abstract Compilation
- Computer Science, 2016 IEEE 29th Computer Security Foundations Symposium (CSF)
- 2016
This paper first analyses the attacks arising when compiled programs are linked together, identifying security threats that are due to linking, and defines a compiler from an object-based language with method calls and dynamic memory allocation to untyped assembly language extended with a memory isolation mechanism.
Towards Automatic Compartmentalization of C Programs on Capability Machines
- Computer Science
- 2017
This paper reports on the work-in-progress on the definition, implementation and evaluation of a compiler that automatically compartmentalizes the programs it compiles, essentially by executing each C compilation unit in a separate protection domain.
Robustly Safe Compilation or, Efficient, Provably Secure Compilation
- Computer Science, ArXiv
- 2018
This paper explores a different criterion for secure compilation called robustly safe compilation or RSC, which means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with said program.
A Methodology For Micro-Policies
- Computer Science
- 2017
This thesis proposes a formal methodology for defining, specifying, and reasoning about micropolicies—security policies based on fine-grained tagging that include forms of access control, memory safety, compartmentalization, and information-flow control, and proves a classic notion of termination-insensitive noninterference.