the quest for formally secure compartmentalizing compilation · 2019-01-29 · –shared...
TRANSCRIPT
The Quest for Formally Secure Compartmentalizing Compilation
Cătălin Hrițcu
1
Habilitation Defense
My research in the last 7 years
Program Verification
3
Property-Based TestingTag-based Monitoring
Secure Compilation
My research in the last 7 years
Program Verification
3
Property-Based TestingTag-based Monitoring
Secure Compilation
Devastating low-level attacks
4
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
4
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
4
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4Part 1: formalize what it means to solve this problem
Devastating low-level attacks
inherently insecure languages like C/C++
– e.g. memory unsafe: any buffer overflow is catastrophicallowing remote attackers to gain complete control
– ~100 different undefined behaviors in usual C compiler
insecure interoperability with lower-level code
– even code in more secure languages (Java, OCaml, Rust)has to interoperate with low-level code (C, C++, ASM)
– insecure interoperability: all source-level guarantees lost
4Part 1: formalize what it means to solve this problem
Part 2: give meaning to compartmentalization mitigation
Secure Interoperabilitywith Lower-Level Code
Part 1 of 2
5
Secure Interoperabilitywith Lower-Level Code
Part 1 of 2
5
CarmineAbate
DeepakGarg Marco
Patrignani
CătălinHrițcu
JérémyThibault
MPI-SWS
Stanford& CISPA
Inria ParisInria Paris Inria Paris
RobBlanco
Journey Beyond Full Abstractionhttps://arxiv.org/abs/1807.04603
Inria Paris
Good programming languages providehelpful abstractions for writing more secure code
6
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
6
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
6
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
6
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
– specifications of a verification system like Coq and Dafny• effects, dependent types, refinements, logical pre- and post-conditions
6
Good programming languages providehelpful abstractions for writing more secure code
• e.g. HACL* and miTLS written in Low* which provides:
– low-level abstractions of safe C programs• structured control flow, procedures, abstract memory model
– higher-level abstractions of ML-like languages• modules, interfaces, and parametric polymorphism
– specifications of a verification system like Coq and Dafny• effects, dependent types, refinements, logical pre- and post-conditions
– coding patterns specific to cryptographic code• abstract types and interfaces for defending against side-channel attacks
6
7
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library
~20.000 LOC in Low*
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
ASM ASM
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
KreMLin+ CompCert GCC
Verified
But abstractions not enforced when compiling and linking with adversarial low-level code
8
HACL* library Firefox web browser
ASM ASM
Insecure interoperability: linked code can read and writedata and code, jump to arbitrary instructions, smash the stack, ...
~20.000 LOC in Low* 16.000.000+ LOC in C/C++
KreMLin+ CompCert GCC
Verified
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
9
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning
9
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning– adversarial target-level context cannot break the security of
compiled program any more than some source-level context
9
Secure compilation chains
• Protect source-level abstractionseven against linked adversarial low-level code– various enforcement mechanisms: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Goal: enable source-level security reasoning– adversarial target-level context cannot break the security of
compiled program any more than some source-level context
– no "low-level" attacks
9
Robustly preserving security
10
Robustly preserving security
sourcecontext
source secureprogram
10
sourcecontext∀
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
10
sourcecontext∀
targetcontext∀
⇒
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
no extra powerprotected
10
sourcecontext∀
targetcontext∀
⇒
Robustly preserving security
sourcecontext
target context
source
compiled
compiler
secure
secure
program
program
no extra powerprotected
10
But what should "secure" mean?
sourcecontext∀
targetcontext∀
⇒
11
What properties should we robustly preserve?
11
What properties should we robustly preserve?
trace properties(safety & liveness)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
11
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
No one-size-fits-all security criterion
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
No one-size-fits-all security criterion
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
No one-size-fits-all security criterion
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
No one-size-fits-all security criterion
11
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
No one-size-fits-all security criterion
Robust Trace Property Preservation
43
sourcecontext
targetcontext
source program
compiledprogram
sourcecontext∃
target context∃
.
.
compiler
∀source programs.∀(bad/attack) trace t.
⇒
sourcecontext
targetcontext
source program
compiledprogram
sourcecontexttrace t∀
target contexttrace t
∀
.
.
compiler
∀source programs.∀π trace property.
⇒
⇝t⇒ t∈π
property-based characterization
⇝t⇒ t∈π
property-free characterization
⇔
⇝t
⇝t
back-translation
what one can achieve how one can prove it
13
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
13
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
back-translatingprog & context∀P∀CT∃CS∀t...
back-translatingcontext
∀CT∃CS∀P∀t...
back-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
back-translatingprog & context & trace∀P∀CT∀t∃CS...
Some of the proof difficulty is manifest inproperty-free characterization
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
14
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
14
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
14
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
• Formally study relation to full abstraction ...
14
Journey Beyond Full Abstraction
• First to explore space of secure compilation criteriabased on robust property preservation
• Carefully study the criteria and their relations
– Property-free characterizations
– implications, collapses, separations results
• Introduce relational (hyper)properties (new classes!)
• Formally study relation to full abstraction ...
• Embraced and extended proof techniques ...
14
Where is Full Abstraction?
15
(i.e. robust behavioral equivalence preservation)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
(i.e. robust behavioral equivalence preservation)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
doesn't imply any of our criteria(even assuming compiler correctness)
(i.e. robust behavioral equivalence preservation)
without internal nondeterminism,full abstraction is here
Where is Full Abstraction?
15
doesn't imply any of our criteria(even assuming compiler correctness)
no one-size-fits-all criterion!
(i.e. robust behavioral equivalence preservation)
Embraced and extended™ proof techniques
16
for simple translation from statically to dynamically typed language with first-order functions and I/O
Embraced and extended™ proof techniques
16
back-translatingcontext
∀CT∃CS∀P∀t...
for simple translation from statically to dynamically typed language with first-order functions and I/O
strongestcriterion
achievable
Embraced and extended™ proof techniques
16
back-translatingcontext
∀CT∃CS∀P∀t... generic techniqueapplicableback-translatingfinite set offinite trace prefixes∀k∀P1..Pk∀CT
∀m1..mk ∃CS...
for simple translation from statically to dynamically typed language with first-order functions and I/O
strongestcriterion
achievable
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
17
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
• Verifying robust satisfaction for source programs
– partial semantics, program logics, logical relations, ...
17
Some open problems
• Practically achievingsecure interoperability with lower-level code
– More realistic languages and compilation chains
• Verifying robust satisfaction for source programs
– partial semantics, program logics, logical relations, ...
• Exploring other kinds of secure compilation
– target observations richer than source observations
– generalize noninterference preservation with side-channels?
17
Secure Compilation for Unsafe Languages
When Good Components Go Bad (CCS 2018)Beyond Good and Evil (CSF 2016)Micro-Policies (IEEE S&P 2015)A verified information-flow architecture (POPL 2014)
Part 2 of 2
18
When Good Components Go BadComputer and Communications Security (CCS 2018)
CătălinHrițcu
MarcoStronati
ArthurAzevedo
de Amorim
Ana NoraEvans
AndrewTolmach
BenjaminPierce
ThéoLaurent
CarmineAbate
Inria Paris CMU U. Virginia Portland State UPenn
GuglielmoFachini
19
RobBlanco
Inherently insecure languages like C
– any buffer overflow can be catastrophic
20
Inherently insecure languages like C
– any buffer overflow can be catastrophic
– ~100 different undefined behaviorsin the usual C compiler:• use after frees and double frees, invalid casts,
signed integer overflows, ...............................
20
Inherently insecure languages like C
– any buffer overflow can be catastrophic
– ~100 different undefined behaviorsin the usual C compiler:• use after frees and double frees, invalid casts,
signed integer overflows, ...............................
– root cause, but very challenging to fix:
• efficiency, precision, scalability,
backwards compatibility, deployment
20
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
21
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
21
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
• Compartmentalizing compilation chain:
– compiler, linker, loader, runtime, system, hardware
21
Compartmentalization mitigation
• Break up security-critical applications into mutually distrustful components with clearly specified privileges
• Protect source abstractions all the way down
– separation, static privileges, call-return discipline, types, ...
• Compartmentalizing compilation chain:
– compiler, linker, loader, runtime, system, hardware
• Base this on efficient enforcement mechanisms:
– OS processes (all web browsers) — hardware enclaves (SGX)
– WebAssembly (web browsers) — capability machines
– software fault isolation (SFI) — tagged architectures
21
Strong security!?
22
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
22
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
22
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
... since each component is protected from all the others
22
Strong security!?
• Security guarantees one can make fully water-tight
– beyond just "increasing attacker effort"
• Intuitively, if we use compartmentalization ...
... a vulnerability in one component does not immediately
destroy the security of the whole application
... since each component is protected from all the others
... and each component receives protection as long as
it has not been compromised (e.g. by a buffer overflow)
22
Can we formalize this intuition?
23
Can we formalize this intuition?
23
What is a compartmentalizing compilation chain supposed to enforce precisely?
Can we formalize this intuition?
23
We answer this question:
Formal definition expressing theend-to-end security guaranteesof compartmentalization
What is a compartmentalizing compilation chain supposed to enforce precisely?
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
24
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
24
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
– what does the following program do?
24
#include <string.h>
int main (int argc, char **argv) {
char c[12];
strcpy(c, argv[1]);
return 0;
}
Challenge formalizing security of mitigations
• We want source-level security reasoning principles
– easier to reason about security in the source languageif and application is compartmentalized
• ... even in the presence of undefined behavior
– can't be expressed at all by source language semantics!
– what does the following program do?
24
#include <string.h>
int main (int argc, char **argv) {
char c[12];
strcpy(c, argv[1]);
return 0;
}
Compartmentalizing compilation should ...
• Restrict spatial scope of undefined behavior
– mutually-distrustful components• each component protected from all the others
25
Compartmentalizing compilation should ...
• Restrict spatial scope of undefined behavior
– mutually-distrustful components• each component protected from all the others
• Restrict temporal scope of undefined behavior
– dynamic compromise• each component gets guarantees
as long as it has not encountered undefined behavior
• i.e. the mere existence of vulnerabilities doesn'tnecessarily make a component compromised
25
i0 i1 i2
C0 C1 C2↓ ↓ ↓ ⇝ tIf then
26
Securitydefinition:
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
If then
26
Securitydefinition:
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯∃A1.
If then
26
Securitydefinition:
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯
(3)i0 i1 i2
C0 A1 A2⇝ m1·m2·m3
∃A1.
∃A2.
If then
26
Securitydefinition:
i0 i1 i2
C0 C1 C2
∃ a sequence of component compromises explaining the finite trace tin the source language, for instance t=m1·m2·m3 and
↓ ↓ ↓ ⇝ t
i0 i1 i2
C0 C1 C2⇝* m1·Undef(C1)
↯(1)
(2)i0 i1 i2
C0 A1 C2⇝* m1·m2·Undef(C2)
↯
(3)i0 i1 i2
C0 A1 A2⇝ m1·m2·m3
Finite trace records which component encounteredundefined behavior and allows us to rewind execution
∃A1.
∃A2.
If then
26
Securitydefinition:
How can we prove this?
27
How can we prove this?
27
When compilation and back-translation are compositional, previous definition reduces to (a variant of)Robust Safety Preservation
How can we prove this?
27
back-translatingfinite trace prefix∀P∀CT∀m≤t∃CS...
When compilation and back-translation are compositional, previous definition reduces to (a variant of)Robust Safety Preservation
Proof-of-concept formallysecure compilation chain in Coq
Illustrates our formal definition
28
Compartmentalized unsafe source
Compartmentalized abstract machine
Micro-policy machine
Bare-bonemachine
software fault isolation
29
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
software fault isolation
29
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
software fault isolation
29
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
29
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
29
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
Verified
29
generic proof technique 26K lines of Coq, mostly proofs
Compartmentalized unsafe source
Compartmentalized abstract machine
Buffers, procedures, componentsinteracting via strictly enforced interfaces
Micro-policy machine
Bare-bonemachine
Simple RISC abstract machine with
build-in compartmentalization
Inline reference monitor enforcing:- component separation- procedure call and return discipline(program rewriting, shadow call stack)
software fault isolation
Tag-based reference monitor enforcing:- component separation- procedure call and return discipline(linear capabilities / linear entry points)
Verified
Systematically tested (with QuickChick)29
generic proof technique 26K lines of Coq, mostly proofs
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
30
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
• Proof-of-concept secure compilation chain in Coq
– software fault isolation or tag-based reference monitor
30
When Good Components Go Bad
• Formalized security of compartmentalization
– first definition supporting dynamic compromise
– restricting undefined behavior spatially and temporally
• Proof-of-concept secure compilation chain in Coq
– software fault isolation or tag-based reference monitor
• Generic definition and proof technique
– we expect them to extend and scale well
30
Making this more practical ... next steps:
31
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
31
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
31
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
31
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
• From robust safety to hypersafety (e.g. confidentiality)
31
Making this more practical ... next steps:
• Scale formally secure compilation chain to C language– allow shared memory (ongoing) and pointer passing (capabilities)
– eventually support enough of C to measure and lower overhead
– check whether hardware support (tagged architecture) is faster
• Extend all this to dynamic component creation– rewind to when compromised component was created
• ... and dynamic privileges:– capabilities, dynamic interfaces, history-based access control, ...
• From robust safety to hypersafety (e.g. confidentiality)
• Secure compilation of Low* using components, contracts, sealing, ...
31
My dream: secure compilation at scale
32
miTLSLow* language
(safe C subset in F*)
C language+ components+ memory safety
My dream: secure compilation at scale
32
miTLSLow* language
(safe C subset in F*)
C language+ components+ memory safety
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
My dream: secure compilation at scale
32
miTLS
memory safe C component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
My dream: secure compilation at scale
32
miTLS
memory safe C component
legacy C component
ASM component
Low* language(safe C subset in F*)
C language+ components+ memory safety
ASM language(RISC-V + micro-policies)
PostDocs &Researchers
Past group members:Alejandro AguirreAna Nora EvansAnna BednarikArthur Azevedo de AmorimClément Pit-ClaudelDanel AhmanDiane Gallois-WongGuglielmo FachiniLi-yao XiaMarco StronatiNick GiannarakisSimon ForestTomer LibalVictor DumitrescuYannis JuglaretZoe Paraskevopoulou
Thank you Current group:Carmine AbateExe RivasFlorian GroultGuido MartínezJérémy ThibaultKenji MaillardRob BlancoThéo Laurent
Prosecco team:Benjamin BeurdoucheBenjamin LippBruno BlanchetDenis MerigouxElizabeth LabradaÉric TanterGraham SteelHarry HalpinKarthik BhargavanMarina PolubelovaMathieu MoureyPrasad Naldurg
Jury:David PointchevalFrank PiessensGilles BartheThomas JensenDavid PichardieKarthik BhargavanTamara RezkXavier Leroy
Family:Beate BrockmannGabriela MerticariuIoan HrițcuStela Hrițcu