Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate, Carmine; Blanco, Roberto; Garg, Deepak; Hriţcu, Cătălin; Patrignani, Marco; Thibault, Jérémy

doi:10.1109/csf.2019.00025

Cited by 44 publications

(94 citation statements)

References 94 publications

(276 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The statement of SC = can therefore be read as "whenever W↓ violates a safety property, then W does". By contraposition it has been shown that this is equivalent to the preservation of arbitrary safety properties [2]:…”

Section: Preserving Safety Propertiesmentioning

confidence: 99%

“…To account for this scenario, Abate et al [2] describe a class of secure compilation criteria based on the preservation of classes of properties against arbitrary target context. For each of these criteria, they give an equivalent "property-free" criterion, in the same manner as the duality between TP and CC.…”

Section: Trace-relating Secure Compilationmentioning

confidence: 99%

“…Abate et al [2] propose many more equivalent pairs of criteria, each one preserving different classes of (hyper)properties we discussed earlier: properties, safety properties, hypersafety properties, subset-closed hyperproperties, hyperproperties and more. However, all these criteria are stated in a setting where source and target traces are the same.…”

Section: Trace-relating Secure Compilationmentioning

confidence: 99%

“…For each secure compilation definition we again propose both a propertyfree characterization in the style of CC ∼ , and two characterizations in terms of preserving a class of source or target properties satisfied against arbitrary adversarial contexts. The additional quantification over contexts allows for finer distinctions when considering different property classes, so we study mapping classes not only of trace properties and hyperproperties, but also of relational hyperproperties [2]. An example secure compiler accounting for a target that can produce additional observations that are not possible in the source illustrates this approach.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Trace-Relating Compiler Correctness and Secure Compilation

Abate

Blanco

Ciobâcă³

et al. 2020

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Compiler correctness is, in its simplest form, defined as the inclusion of the set of traces of the compiled program into the set of traces of the original program, which is equivalent to the preservation of all trace properties. Here traces collect, for instance, the externally observable events of each execution. This definition requires, however, the set of traces of the source and target languages to be exactly the same, which is not the case when the languages are far apart or when observations are fine grained. To overcome this issue, we study a generalized compiler correctness definition, which uses source and target traces drawn from potentially different sets and connected by an arbitrary relation. We set out to understand what guarantees this generalized compiler correctness definition gives us when instantiated with a non-trivial relation on traces. When this trace relation is not equality, it is no longer possible to preserve the trace properties of the source program unchanged. Instead, we provide a generic characterization of the target trace property ensured by correctly compiling a program that satisfies a given source property, and dually, of the source trace property one is required to show in order to obtain a certain target property for the compiled code. We show that this view on compiler correctness can naturally account for undefined behavior, resource exhaustion, different source and target values, side-channels, and various abstraction mismatches. Finally, we show that the same generalization also applies to a large class of secure compilation definitions, which characterize the protection of a compiled program against linked adversarial code. INTRODUCTIONCompiler correctness is an old idea [28,30,31] that has seen a significant revival in the recent past. This new wave was started by the creation of the CompCert verified C compiler [25] and continued by the proposal of many significant extensions and variants of CompCert [7,13,21,22,32,42,47,49,53] and the success of many other milestone compiler verification projects, including Vellvm [54], Pilsner [33], CakeML [50], Jasmin [5], CertiCoq [6], etc. Yet, even for these verified compilers, the precise statement of correctness matters. Since proof assistants are used to conduct the verification, an external observer does not have to understand the proofs in order to trust them, but one still has to deeply understand the statement that was proved. And this is true not just for correct compilation, but also for secure compilation, which is the more recent idea that our compilation chains should do more to also ensure the security of our programs [4,16].Basic Compiler Correctness. The gold standard for compiler correctness is semantic preservation, which intuitively says that the semantics of a compiled program (in the target language) is compatible with the semantics of the original program (in the source language). For practical verified compilers, such as CompCert [25] and CakeML [50], semantic preservation is stated extrinsically, by refer...

show abstract

Section: Preserving Safety Propertiesmentioning

confidence: 99%

Section: Trace-relating Secure Compilationmentioning

confidence: 99%

Section: Trace-relating Secure Compilationmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Trace-Relating Compiler Correctness and Secure Compilation

Abate

Blanco

Ciobâcă³

et al. 2020

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Generalizing unary properties, which describe single program runs, relational properties describe relations between multiple runs of one or more programs [Abate et al 2019;Clarkson and Schneider 2010]. Formally verifying relational properties has a broad range of practical applications.…”

Section: Introductionmentioning

confidence: 99%

The next 700 relational program logics

Maillard

Hriţcu

Rivas

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We propose the first framework for defining relational program logics for arbitrary monadic effects. The framework is embedded within a relational dependent type theory and is highly expressive. At the semantic level, we provide an algebraic characterization for relational specifications as a class of relative monads, and link computations and specifications by introducing relational effect observations, which map pairs of monadic computations to relational specifications in a way that respects the algebraic structure. For an arbitrary relational effect observation, we generically define the core of a sound relational program logic, and explain how to complete it to a full-fledged logic for the monadic effect at hand. We show that by instantiating our framework with state and unbounded iteration we can embed a variant of Benton's Relational Hoare Logic, and also sketch how to reconstruct Relational Hoare Type Theory. Finally, we identify and overcome conceptual challenges that prevented previous relational program logics from properly dealing with effects such as exceptions, and are the first to provide a proper semantic foundation and a relational program logic for exceptions.

show abstract

Robustly Safe Compilation

Patrignani

Garg

2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Secure compilers generate compiled code that withstands many target-level attacks such as alteration of control flow, data leaks or memory corruption. Many existing secure compilers are proven to be fully abstract, meaning that they reflect and preserve observational equivalence. Fully abstract compilation is strong and useful but, in certain cases, comes at the cost of requiring expensive runtime constructs in compiled code. These constructs may have no relevance for security, but are needed to accommodate differences between the source and target languages that fully abstract compilation necessarily needs. As an alternative to fully abstract compilation, this paper explores a different criterion for secure compilation called robustly safe compilation or RSC. Briefly, this criterion means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with the compiled program. We show that RSC can be proved more easily than fully abstract compilation and also often results in more efficient code. We also develop two illustrative robustlysafe compilers and, through them, illustrate two different proof techniques for establishing that a compiler attains RSC. Based on these, we argue that proving RSC can be simpler than proving fully abstraction.

show abstract

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Cited by 44 publications

References 94 publications

Trace-Relating Compiler Correctness and Secure Compilation

Trace-Relating Compiler Correctness and Secure Compilation

The next 700 relational program logics

Robustly Safe Compilation

Contact Info

Product

Resources

About