
Verified secure compilation for mixed-sensitivity concurrent programs

Published online by Cambridge University Press: 28 July 2021

ROBERT SISON
Affiliation:
School of Computing and Information Systems, University of Melbourne, Australia; CSIRO’s Data61 and UNSW Sydney, Australia (e-mail: robert.sison@unimelb.edu.au)
TOBY MURRAY
Affiliation:
School of Computing and Information Systems, University of Melbourne, Australia (e-mail: toby.murray@unimelb.edu.au)

Abstract

Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. 
Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.

Type
Research Article
Copyright
© CSIRO and The Author(s), 2021. Published by Cambridge University Press.

