The high-level benefits of low-level sandboxing

Sammler, Michael; Garg, Deepak; Dreyer, Derek; Litak, Tadeusz

doi:10.1145/3371100

Cited by 20 publications

(16 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Sammler et al [36] use robust safety to demonstrate the end-to-end security property of sandboxing. Sandboxing is a common technique that allows trusted and untrusted components to interact safely [19,34].…”

Section: Robust Safetymentioning

confidence: 99%

See 1 more Smart Citation

Robust Safety for Move

Patrignani¹,

Blackshear²

2021

Preprint

View full text Add to dashboard Cite

A program that maintains key safety properties even when interacting with arbitrary untrusted code is said to enjoy robust safety. Proving that a program written in a mainstream language is robustly safe is typically challenging because it requires static verification tools that work precisely even in the presence of language features like dynamic dispatch and shared mutability. The emerging Move programming language was designed to support strong encapsulation and static verification in the service of secure smart contract programming. However, the language design has not been analyzed using a theoretical framework like robust safety.In this paper, we define robust safety for the Move language and introduce a generic framework for static tools that wish to enforce it. Our framework consists of two abstract components: a program verifier that can prove an invariant holds in a closed-world setting (e.g., the Move Prover [43]), and a novel encapsulator that checks if the verifier's result generalizes to an open-world setting. We formalise an escape analysis as an instantiation of the encapsulator and prove that it attains the required security properties.Finally, we implement our encapsulator as an extension to the Move Prover and use the combination to analyze a representative benchmark set of real-world Move programs. This toolchain certifies >99% of the Move modules we analyze, validating that automatic enforcement of strong security properties like robust safety is practical for Move.

show abstract

Section: Robust Safetymentioning

confidence: 99%

“…There are many techniques for enforcing robust safety: sandboxing [36], process isolation, programming patterns such as object capabilites [32], and specialized hardware [41]. A promising, but less common approach to robust safety is enforcement at the language level.…”

Section: Introductionmentioning

confidence: 99%

Robust Safety for Move

Patrignani¹,

Blackshear²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…More concretely, Skorstengaard et al (2018Skorstengaard et al ( , 2019 encode the guarantees obtained when executing adversarial assembly code in the fundamental theorem of their logical relations. The semantic type systems defined by and Sammler et al (2020) are similarly used to specify the behavior of arbitrary untrusted code. The lowval predicate, used to describe safely shareable values, defined by Swasey et al (2017), again serves a similar purpose.…”

Section: Related Workmentioning

confidence: 99%

Linear capabilities for fully abstract compilation of separation-logic-verified code

2021

View full text Add to dashboard Cite

Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module. This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied. We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program. The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well. This article is an extended version of one that was presented at ICFP 2019 (Van Strydonck et al., 2019).

show abstract

“…Using Iris, [Sammler et al 2019] establishes guarantee of desired properties on observable traces (i.e., a sequence of system calls), instead of safety guarantee, in the presence of unverified contexts, but in a restricted setting that does not allow the contexts to invoke system calls.…”

Section: Specifications As Programsmentioning

confidence: 99%

Abstraction Logic: The Marriage of Contextual Refinement and Separation Logic

Song¹,

Cho²,

Lee³

et al. 2021

Preprint

View full text Add to dashboard Cite

Contextual refinement and separation logics are successful verification techniques that are very different in nature. First, the former guarantees behavioral refinement between a concrete program and an abstract program while the latter guarantees safety of a concrete program under certain conditions (expressed in terms of pre and post conditions). Second, the former does not allow any assumption about the context when locally reasoning about a module while the latter allows rich assumptions.In this paper, we present a new verification technique, called abstraction logic (AL), that inherently combines contextual refinement and separation logics such as Iris and VST, thereby taking the advantages of both. Specifically, AL allows us to locally verify a concrete module against an abstract module under separationlogic-style pre and post conditions about external modules. AL are fully formalized in Coq and provides a proof mode that supports a combination of simulation-style reasoning using our own tactics and SL-style reasoning using IPM (Iris Proof Mode). Using the proof mode, we verified various examples to demonstrate reasoning about ownership (based on partial commutative monoids) and purity (𝑖.𝑒., termination with no system call), cyclic and higher-order reasoning about mutual recursion and function pointers, and reusable and gradual verification via intermediate abstractions. Also, the verification results are combined with CompCert, so that we formally establish behavioral refinement from top-level abstract programs, all the way down to their assembly code.

show abstract

The high-level benefits of low-level sandboxing

Cited by 20 publications

References 36 publications

Robust Safety for Move

Robust Safety for Move

Linear capabilities for fully abstract compilation of separation-logic-verified code

Abstraction Logic: The Marriage of Contextual Refinement and Separation Logic

Contact Info

Product

Resources

About