Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Carmine Abate (Inria Paris), Deepak Garg (MPI-SWS), Marco Patrignani (Stanford & CISPA), Cătălin Hrițcu (Inria Paris), Jérémy Thibault (Inria Paris), Rob Blanco (Inria Paris)
Good programming languages provide helpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
These abstractions are not enforced when compiling and linking with adversarial low-level code
• all source-level security guarantees are lost
HACL* verified cryptographic library, in practice
• HACL* library: ~100,000 LOC in F*, compiled to ASM with KreMLin + CompCert
• Firefox web browser: 16,000,000+ LOC in C/C++ (160x larger), compiled to ASM with GCC
• Insecure interoperability: linked code can read and write data and code, jump to arbitrary instructions, smash the stack, ...
We need secure compilation chains
• Protect source-level abstractions even against linked adversarial low-level code
– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning
– linked adversarial target code cannot break the security of the compiled program any more than some linked source code could
– no "low-level" attacks
Robustly preserving security
(diagram) ∀ source context, the source program is secure  ⇒  ∀ target context, the compiled program is secure
The compiled program is protected: a target context gets no extra power over it beyond what a source context already has.
But what should "secure" mean?
What properties should we robustly preserve?
(diagram; moving down the list the criteria become more secure, moving up they become more efficient to enforce and easier to prove)
• trace properties (safety & liveness) – only integrity
• hyperproperties (noninterference) – + data confidentiality
• relational hyperproperties (trace equivalence) – + code confidentiality
No one-size-fits-all security criterion
Robust Trace Property Preservation

Property-based characterization (what one might want to achieve):
$$\forall P\ \text{source program}.\ \forall \pi\ \text{trace property}.\ \big(\forall C_S\ \text{source context}.\ \forall t.\ C_S[P] \rightsquigarrow t \Rightarrow t \in \pi\big) \Rightarrow \big(\forall C_T\ \text{target context}.\ \forall t.\ C_T[P{\downarrow}] \rightsquigarrow t \Rightarrow t \in \pi\big)$$

Property-free characterization (how one can prove it), equivalent (⇔) to the one above:
$$\forall P\ \text{source program}.\ \forall t\ \text{(bad/attack) trace}.\ \forall C_T\ \text{target context}.\ C_T[P{\downarrow}] \rightsquigarrow t \Rightarrow \exists C_S\ \text{source context}.\ C_S[P] \rightsquigarrow t$$
The source context $C_S$ is obtained from $C_T$ and $t$ by back-translation.
Some of the proof difficulty is manifest in the property-free characterization
Quantifier structure of the back-translation required by each criterion:
• back-translating context: $\forall C_T.\ \exists C_S.\ \forall P.\ \forall t.\ \ldots$
• back-translating prog & context: $\forall P.\ \forall C_T.\ \exists C_S.\ \forall t.\ \ldots$
• back-translating prog & context & trace: $\forall P.\ \forall C_T.\ \forall t.\ \exists C_S.\ \ldots$
• back-translating finite trace prefix: $\forall P.\ \forall C_T.\ \forall m \leq t.\ \exists C_S.\ \ldots$
• back-translating finite set of finite trace prefixes: $\forall k.\ \forall P_1 .. P_k.\ \forall C_T.\ \forall m_1 .. m_k.\ \exists C_S.\ \ldots$
Journey Beyond Full Abstraction
• First to explore the space of secure compilation criteria based on robust property preservation
• Carefully studied the criteria and their relations
– property-free characterizations
– implications, collapses, separation results
• Introduced relational (hyper)properties (new classes!)
• Clarified relation to full abstraction ...
• Embraced and extended proof techniques ...
https://github.com/secure-compilation/exploring-robust-property-preservation
Where is Full Abstraction? (i.e. robust behavioral equivalence preservation)
(diagram of the criteria) Without internal nondeterminism, full abstraction sits here; it doesn't imply any other criterion.
Full abstraction does not imply any other criterion in our diagram
• Intuitive counterexample adapted from Marco & Deepak [CSF'17]
• When the context passes in a bad input value (e.g. ill-typed), the compiled code may:
– launch the missiles - breaks Robust Safety Preservation
– or loop forever - breaks Robust Liveness Preservation
– or leak secret inputs - breaks Robust Noninterference (NI) Preservation
• Yet this doesn't break full abstraction or compiler correctness!
• Full abstraction only ensures code confidentiality
– no integrity, no safety, no data confidentiality, ...
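An added example (not from the paper or its Coq development) that models the counterexample above together with the property-free characterization of robust trace property preservation from the earlier slide: a toy statically typed source program, two toy compilers into a dynamically typed target, and a finite search for a target context and attack trace that no source context can produce. All programs, contexts and event names are constructed here.

```python
from itertools import product

# Toy model constructed for this example: source contexts are well-typed and
# can only pass ints; target contexts are dynamically typed and may pass
# anything.  A trace is the tuple of events the program emits.


class Halt(Exception):
    """Fail-stop: the compiled program refuses to continue."""


def prog(x):
    """Source program P.  Source typing guarantees x is an int."""
    return ["neg"] if x < 0 else ["nonneg"]


def compile_naive(p):
    """Compiler 1: on an ill-typed value the compiled code 'launches the
    missiles'.  No source context can reach this branch, so equivalent source
    programs stay equivalent (full abstraction is not contradicted), yet the
    safety property 'no missiles' is no longer robustly preserved."""
    def compiled(v):
        if not isinstance(v, int):
            return ["launch_missiles"]
        return p(v)
    return compiled


def compile_checked(p):
    """Compiler 2: a dynamic type check at the boundary fail-stops instead,
    so every target trace is a prefix some well-typed source context yields."""
    def compiled(v):
        if not isinstance(v, int):
            raise Halt
        return p(v)
    return compiled


def run(program, ctx):
    """C[P] ~> t: the context calls the program once per value in ctx; the
    trace t collects the events emitted before a possible fail-stop."""
    trace = []
    for v in ctx:
        try:
            trace.extend(program(v))
        except Halt:
            break
    return tuple(trace)


def contexts(values, max_calls):
    """All contexts making up to max_calls calls with the given values."""
    return [list(c) for n in range(max_calls + 1)
            for c in product(values, repeat=n)]


# Finite (constructed) context sets: source contexts pass ints only.
SOURCE_CTXS = contexts([-1, 1], 2)
TARGET_CTXS = contexts([-1, 1, "ill-typed"], 2)


def no_missiles(trace):
    """Safety property pi: the event 'launch_missiles' never occurs."""
    return "launch_missiles" not in trace


def robustly_satisfies(program, ctxs, prop):
    """Robust satisfaction over a finite context set: for all C, C[P] ~> t
    implies t in pi."""
    return all(prop(run(program, c)) for c in ctxs)


def rtp_counterexample(p, compiler, source_ctxs=SOURCE_CTXS,
                       target_ctxs=TARGET_CTXS):
    """Property-free characterization of RTP, checked by enumeration: find a
    target context CT and trace t with CT[P-down] ~> t such that no source
    context CS has CS[P] ~> t.  Returns (CT, t) on a violation, else None."""
    compiled = compiler(p)
    for ct in target_ctxs:
        t = run(compiled, ct)
        if not any(run(p, cs) == t for cs in source_ctxs):
            return ct, t
    return None


if __name__ == "__main__":
    print(robustly_satisfies(prog, SOURCE_CTXS, no_missiles))
    print(rtp_counterexample(prog, compile_naive))
    print(rtp_counterexample(prog, compile_checked))
```

The search is exhaustive only over the constructed context sets; the paper's result is a proof over all contexts, and the finite check here just illustrates what the back-translation obligation asks for.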
Embraced and extended™ proof techniques
For a simple translation from a statically to a dynamically typed language with first-order functions and I/O:
• back-translating context ($\forall C_T.\ \exists C_S.\ \forall P.\ \forall t.\ \ldots$), the strongest criterion achievable [New et al, ICFP'16]
• back-translating a finite set of finite trace prefixes ($\forall k.\ \forall P_1 .. P_k.\ \forall C_T.\ \forall m_1 .. m_k.\ \exists C_S.\ \ldots$), a generic technique that is applicable [Jeffrey & Rathke, ESOP'05] [Patrignani et al, TOPLAS'15]
Some open problems
• Practically achieving secure interoperability with lower-level code
– more realistic languages and compilation chains
• Verifying robust satisfaction for source programs
– program logics, logical relations, partial semantics, ...
• Different traces for source and target semantics
– connected by some arbitrary relation
– mappings between source and target properties
– interesting even for correct compilation
My dream: secure compilation at scale
(diagram) HACL* language → C language + components + memory safety → ASM language (RISC-V + micro-policies)
Linked components: memory safe C component, legacy C component, ASM component