Verified secure compilation for mixed-sensitivity concurrent programs

Sison, Robert; Murray, Toby

doi:10.1017/s0956796821000162

Cited by 3 publications

(10 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Secure compilation of information-flow guarantees A long line of work [8,9,10,11,12,34,44,45] develops proof techniques and verified compilers to ensure that information flow properties like non-interference, the constant-time policy, or side-channel resistance are preserved by compilation. These techniques, however, are all concerned with whole-programs, unlike our work that starts with the premise that partial programs will interact with untrusted code.…”

Section: Related Workmentioning

confidence: 99%

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

El-Korashy¹,

Blanco²,

Thibault³

et al. 2021

Preprint

View full text Add to dashboard Cite

Proving secure compilation of partial programs typically requires back-translating a target attack against the compiled program to an attack against the source program. To prove this back-translation step, one can syntactically translate the target attacker to a source one-i.e., syntax-directed backtranslation-or show that the interaction traces of the target attacker can also be produced by source attackers-i.e., tracedirected back-translation.Syntax-directed back-translation is not suitable when the target attacker uses unstructured control flow that the source language cannot directly represent. Trace-directed back-translation works with such syntactic dissimilarity because only the external interactions of the target attacker have to be mimicked in the source, not its internal control flow. Revealing only external interactions is, however, inconvenient when sharing memory via unforgeable pointers, since information about stashed pointers to shared memory gets lost. This made prior proofs complex, since the generated attacker had to stash all reachable pointers.In this work, we introduce more informative data-flow traces, which allow us to combine the best of syntax-directed and trace-directed back-translation. Our data-flow back-translation is simple, handles both syntactic dissimilarity and memory sharing well, and we have proved it correct in Coq.We, moreover, develop a novel turn-taking simulation relation and use it to prove a recomposition lemma, which is key to reusing compiler correctness in such secure compilation proofs. We are the first to mechanize such a recomposition lemma in a proof assistant in the presence of memory sharing.We put these two key innovations to use in a secure compilation proof for a code generation compiler pass between a safe source language with pointers and components, and a target language with unstructured control flow.

show abstract

Section: Related Workmentioning

confidence: 99%

SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

El-Korashy¹,

Blanco²,

Thibault³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Discharging this once-off noncompositional proof obligation is crucial in enabling both composition of per-thread noninterference properties (using Theorem 2.8), and compositional whole-system secure refinement noninterference down to RISC by our compiler (using Theorem 2.23). Further details on the proof techniques for the per-thread noninterference and local-mode-compliance properties are relegated to Sison (2020), as well as Murray et al (2016b,c) from which they were adapted.…”

Section: Respects-own-guarantees (Tpsmentioning

confidence: 99%

“…To ensure that the While evaluation semantics is defined for all possible configurations, the LOCKINVALID rule defines a stuttering evaluation step for attempts to unlock(k) that are an apparent violation of the locking discipline due to not having previously acquired the lock k. Program developers can rely on a local mode compliance check to reject programs that misbehave in attempting to do this; details are relegated to Sison (2020).…”

Section: Locking Discipline and Its Semanticsmentioning

confidence: 99%

“…Disallowing lock-variables from being control variables thus simplifies the proof of soundness of the local compliance check, as lock(k) and unlock(k) (which only access lock-variable k) cannot violate any guarantees active for program-variables. Details are relegated to Sison (2020).…”

Section: ∀K (Lock K) /mentioning

confidence: 99%

“…This section will present proof that global-modes-compatibility (Definition 2.12) holds as an invariant for concurrent While programs (Section 3.3) when initialised to have no locks held (Section 3.4). Consequently, it is sufficient for a developer to use a local compliance check (Sison, 2020) to obtain the sound-mode-use condition (Definition 2.10) needed for per-thread security proofs to be compositional via Theorem 2.8. Recall from Section 2.2 that this compatibility requirement formalises that for all reachable global configurations of a concurrent program, any assumptions made by any of the threads must be met by corresponding guarantees made by all of the other threads: Definition 2.12 (Global modes compatibility).…”

Section: Proof Of Global Modes Compatibility As An Invariantmentioning

confidence: 99%

See 2 more Smart Citations

Verified Secure Compilation for Mixed-Sensitivity Concurrent Programs

Sison,

Murray

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency.Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterferencepreserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics-from the security-preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a singlepass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a nontrivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant.Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.

show abstract