What You Get is What You C: Controlling Side Effects in Mainstream C Compilers

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Dang²,

Jensen³

2019

Correct compilers perform program transformations preserving input/output behaviours of programs. Though mandatory, correctness is not sufficient to prevent program optimisations from introducing information-flow leaks that would make the target program more vulnerable to side-channel attacks than the source program. To tackle this problem, we propose a notion of Information-Flow Preserving (IFP) program transformation which ensures that a target program is no more vulnerable to passive side-channel attacks than a source program. To protect against a wide range of attacks, we model an attacker who is granted arbitrary memory accesses for a pre-defined set of observation points. We propose a compositional proof principle for proving that a transformation is IFP. Using this principle, we show how a translation validation technique can be used to automatically verify and even close information-flow leaks introduced by standard compiler passes such as deadstore elimination and register allocation. The technique has been experimentally validated on the CompCert C compiler.

Section: Conditionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Information-Flow Preservation in Compiler Optimisations

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Dang²,

Jensen³

2019

“…The challenge is then to ensure that the security, enforced at an intermediate representation of the code, still holds for the running code. Indeed, compiler optimisation often breaks such security [33]. The insight of Kroll et al is that a safety theorem of the compiled code (i.e., that its behaviour is well-defined) can be exploited to obtain a security theorem for that same compiled code, guaranteeing that it makes no memory accesses outside its sandbox.…”

Section: Challenges In Formally Verified Sfimentioning

confidence: 99%

Compiling Sandboxes: Formally Verified Software Fault Isolation

Programming Languages and Systems

Blazy

Dang

et al. 2019

Software Fault Isolation (SFI) is a security-enhancing program transformation for instrumenting an untrusted binary module so that it runs inside a dedicated isolated address space, called a sandbox. To ensure that the untrusted module cannot escape its sandbox, existing approaches such as Google's Native Client rely on a binary verifier to check that all memory accesses are within the sandbox. Instead of relying on a posteriori verification, we design, implement and prove correct a program instrumentation phase as part of the formally verified compiler CompCert that enforces a sandboxing security property a priori. This eliminates the need for a binary verifier and, instead, leverages the soundness proof of the compiler to prove the security of the sandboxing transformation. The technical contributions are a novel sandboxing transformation that has a well-defined C semantics and which supports arbitrary function pointers, and a formally verified C compiler that implements SFI. Experiments show that our formally verified technique is a competitive way of implementing SFI.

“…They also propose a secure DSE implementation for LLVM which verifies our IFP property. Simon, Chisnall and Anderson [19] investigate how compilers may break the security of cryptographic code. They propose compiler support for the secure erasure of secret which improves the security of the generated code.…”

Section: Related Workmentioning

confidence: 99%

“…They also propose a secured version of Dead Store Elimination, the optimisation responsible for removing the memset. Simon et al [19] take another stance at the problem and propose to insert a compiler pass which secures the code by zeroing stack frames on context switches. These works provide in-depth empirical studies but do not formalise the end-to-end security property they intend to preserve or enforce.…”

Section: Introductionmentioning

confidence: 99%

Securing Compilation Against Memory Probing

Proceedings of the 13th Workshop on Programming Languages and Analysis for Security

Dang

Jensen

2018

A common security recommendation is to reduce the in-memory lifetime of secret values, in order to reduce the risk that an attacker can obtain secret data by probing memory. To mitigate this risk, secret values can be overwritten, at source level, after their last use. The problem we address here is how to ensure that a compiler preserve these mitigation efforts and thus that secret values are not easier to obtain at assembly level than at source level. We propose a formal definition of Information Flow Preserving program Transformations in which we model the information leak of a program using the notion of Attacker Knowledge. Program transformations are validated by relating the knowledge of the attacker before and after the transformation. We consider two classic compiler passes (Dead Store Elimination and Register Allocation) and show how to validate and, if needed, modify these transformations in order to be information flow preserving.