Hostname: page-component-76fb5796d-qxdb6 Total loading time: 0 Render date: 2024-04-25T11:55:01.265Z Has data issue: false hasContentIssue false
  • English
  • Français

Verified secure compilation for mixed-sensitivity concurrent programs

Part of: Secure Compilation

Published online by Cambridge University Press:  28 July 2021

ROBERT SISON Open the ORCID record for ROBERT SISON [Opens in a new window]  and
TOBY MURRAY
ROBERT SISON
Affiliation:
School of Computing and Information Systems, University of Melbourne, Australia CSIRO’s Data61 and UNSW Sydney, Australia (e-mail: robert.sison@unimelb.edu.au)
TOBY MURRAY
Affiliation:
School of Computing and Information Systems, University of Melbourne, Australia (e-mail: toby.murray@unimelb.edu.au)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.

Type
Research Article
Information
Journal of Functional Programming , Volume 31 , 2021 , e18
Check for updates
Copyright
© CSIRO and The Author(s), 2021. Published by Cambridge University Press.

References

Abate, C., Blanco, R., Garg, D., Hritcu, C., Patrignani, M. & Thibault, J. (2019) Journey beyond full abstraction: Exploring robust property preservation for secure compilation. In 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25–28, 2019, IEEE, pp. 256271.CrossRefGoogle Scholar
Almeida, J. B., Barbosa, M., Barthe, G., Blot, A., Grégoire, B., Laporte, V., Oliveira, T., Pacheco, H., Schmidt, B. & Strub, P.-Y. (2017) Jasmin: High-assurance and high-speed cryptography. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS’17. ACM, pp. 18071823.CrossRefGoogle Scholar
Barthe, G., Basu, A. & Rezk, T. (2004) Security types preserving compilation: (Extended abstract). In Verification, Model Checking, and Abstract Interpretation, 5th International Conference, VMCAI 2004, Venice, Italy, January 11–13, 2004, Proceedings, Steffen, B. & Levi, G. (eds), Lecture Notes in Computer Science, vol. 2937. Springer, pp. 215.Google Scholar
Barthe, G., Blazy, S., Grégoire, B., Hutin, R., Laporte, V., Pichardie, D. & Trieu, A. (2020) Formal verification of a constant-time preserving C compiler. Proc. ACM Program. Lang. 4(POPL), 7:1–7:30.CrossRefGoogle Scholar
Barthe, G., Grégoire, B. & Laporte, V. (2018) Secure compilation of side-channel countermeasures: The case of cryptographic “constant-time”. In 31st IEEE Computer Security Foundations Symposium, CSF 2018, Oxford, United Kingdom, July 9–12, 2018. IEEE Computer Society, pp. 328343.CrossRefGoogle Scholar
Barthe, G., Rezk, T. & Basu, A. (2007b) Security types preserving compilation. Comput. Lang. Syst. Struct. 33(2), 3559.Google Scholar
Barthe, G., Rezk, T., Russo, A. & Sabelfeld, A. (2007a) Security of multithreaded programs by compilation. In Computer Security - ESORICS 2007, 12th European Symposium On Research in Computer Security, Dresden, Germany, September 24–26, 2007, Proceedings, Biskup, J. and López, J. (eds), Lecture Notes in Computer Science, vol. 4734. Springer, pp. 218.Google Scholar
Barthe, G., Rezk, T., Russo, A. & Sabelfeld, A. (2010) Security of multithreaded programs by compilation. ACM Trans. Inf. Syst. Secur. 13(3), 21:1–21:32.CrossRefGoogle Scholar
Beaumont, M., McCarthy, J. & Murray, T. (2016) The cross domain desktop compositor: Using hardware-based video compositing for a multi-level secure user interface. In Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA, December 5–9, 2016, Schwab, S., Robertson, W. K. & Balzarotti, D. (eds). ACM, pp. 533545.Google Scholar
Cavalcanti, A. & Naumann, D. A. (2002) Forward simulation for data refinement of classes. In FME 2002:Formal Methods—Getting IT Right, Eriksson, L.-H. & Lindsay, P. A. (eds). Berlin Heidelberg: Springer, pp. 471490.CrossRefGoogle Scholar
Clarkson, M. R. & Schneider, F. B. (2010) Hyperproperties. J. Comput. Secur. 18(6), 11571210.CrossRefGoogle Scholar
de Roever, W. P. & Engelhardt, K. (1998) Data Refinement: Model-oriented Proof Theories and their Comparison . Cambridge Tracts in Theoretical Computer Science, vol. 46. Cambridge University.Google Scholar
Focardi, R., Gorrieri, R. & Panini, V. (1995) The security checker: A semantics-based tool for the verification of security properties. In Proceedings The Eighth IEEE Computer Security Foundations Workshop, pp. 6069.CrossRefGoogle Scholar
Frumin, D., Krebbers, R. & Birkedal, L. (to appear) Compositional non-interference for fine-grained concurrent programs. In 42nd IEEE Symposium on Security and Privacy (S&P’21); CoRR abs/1910.00905.Google Scholar
Jones, C. B. (1981) Development Methods for Computer Programs including a Notion of Interference. D.Phil. thesis, University of Oxford.Google Scholar
Kaufmann, T., Pelletier, H., Vaudenay, S. & Villegas, K. (2016) When constant-time source yields variable-time binary: Exploiting curve25519-donna built with msvc 2015. In Cryptology and Network Security. Springer International Publishing, pp. 573582.CrossRefGoogle Scholar
Klein, G., Andronick, J., Elphinstone, K., Murray, T., Sewell, T., Kolanski, R. & Heiser, G. (2014) Comprehensive formal verification of an OS microkernel. ACM Transactions on Computer Systems 32(1), 2:1–2:70.CrossRefGoogle Scholar
Kumar, R., Myreen, M., Norrish, M. & Owens, S. (2014) CakeML: A verified implementation of ML. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Sewell, P. (ed). ACM, pp. 179191.CrossRefGoogle Scholar
Leroy, X. (2009) A formally verified compiler back-end. J. Autom. Reason. 43(4), 363446.CrossRefGoogle Scholar
Lochbihler, A. (2018) Mechanising a type-safe model of multithreaded java with a verified compiler. J. Automated Reas. 61(1), 243332.CrossRefGoogle Scholar
Lynch, N. & Vaandrager, F. (1996) Forward and backward simulations. Inf. Comput. 128(1), 125.CrossRefGoogle Scholar
Mantel, H., Müller-Olm, M., Perner, M. & Wenner, A. (2015) Using dynamic pushdown networks to automate a modular information-flow analysis. In 25th International Symposium on Logic Based Program Synthesis and Transformation (LOPSTR).CrossRefGoogle Scholar
Mantel, H., Sands, D. & Sudbrock, H. (2011) Assumptions and guarantees for compositional noninterference. In IEEE Computer Security Foundations Symposium. IEEE, pp. 218232.CrossRefGoogle Scholar
Masticola, S. P. & Ryder, B. G. (1993) Non-concurrency analysis. In Proceedings of the Fourth ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. PPOPP’93. ACM, pp. 129138.CrossRefGoogle Scholar
Molnar, D., Piotrowski, M., Schultz, D. & Wagner, D. (2006) The program counter security model: Automatic detection and removal of control-flow side channel attacks. In Proceedings of the 8th International Conference on Information Security and Cryptology. ICISC’05. Springer-Verlag, pp. 156168.CrossRefGoogle Scholar
Murray, T. (2015) On high-assurance information-flow-secure programming languages. In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 4348.CrossRefGoogle Scholar
Murray, T., Sison, R. & Engelhardt, K. (2018) Covern: A logic for compositional verification of information flow control. In European Symposium on Security and Privacy. IEEE, pp. 1630.CrossRefGoogle Scholar
Murray, T., Sison, R., Pierzchalski, E. & Rizkallah, C. (2016a) Compositional security-preserving refinement for concurrent imperative programs. Archive of Formal Proofs. http://isa-afp.org/entries/Dependent_SIFUM_Refinement.shtml, Formal proof development.Google Scholar
Murray, T., Sison, R., Pierzchalski, E. & Rizkallah, C. (2016b) Compositional verification and refinement of concurrent value-dependent noninterference. In IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June 27–July 1, 2016. IEEE Computer Society, pp. 417431.CrossRefGoogle Scholar
Murray, T., Sison, R., Pierzchalski, E. & Rizkallah, C. (2016c) A dependent security type system for concurrent imperative programs. Archive of Formal Proofs. http://isa-afp.org/entries/Dependent_SIFUM_Type_Systems.html, Formal proof development.Google Scholar
Patrignani, M., Ahmed, A. & Clarke, D. (2019) Formal approaches to secure compilation: A survey of fully abstract compilation and related work. ACM Comput. Surv. 51(6), 125:1–125:36.CrossRefGoogle Scholar
Patrignani, M. & Garg, D. (2017) Secure compilation and hyperproperty preservation. In IEEE 30th Computer Security Foundations Symposium, CSF 2017, Santa Barbara, USA, August 2125, 2017. CSF’17.CrossRefGoogle Scholar
Patrignani, M. & Garg, D. (2019) Robustly safe compilation. In Programming Languages and Systems. Springer International Publishing, pp. 469498.CrossRefGoogle Scholar
Podkopaev, A., Lahav, O. & Vafeiadis, V. (2019) Bridging the gap between programming languages and hardware weak memory models. Proc. ACM Program. Lang. 3(POPL), 69:1–69:31.CrossRefGoogle Scholar
Sabelfeld, A. & Sands, D. (2000) Probabilistic noninterference for multi-threaded programs. In Proceedings of the 13th IEEE Workshop on Computer Security Foundations. CSFW’00, p. 200. IEEE Computer Society.Google Scholar
Sison, R. (2020) Proving Confidentiality and its Preservation Under Compilation for Mixed-Sensitivity Concurrent Programs. PhD thesis, University of New South Wales, Sydney. http://doi.org/10.26190/5fab5c0a76454.CrossRefGoogle Scholar
Sison, R. & Murray, T. (2019) Verifying that a compiler preserves concurrent value-dependent information-flow security. In 10th International Conference on Interactive Theorem Proving (ITP 2019). Leibniz International Proceedings in Informatics (LIPIcs), Harrison, J., O’Leary, J. & Tolmach, A. (eds), vol. 141. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, pp. 27:1–27:19.Google Scholar
Staples, M., Jeffery, R., Andronick, J., Murray, T., Klein, G. & Kolanski, R. (2014) Productivity for proof engineering. In Empirical Software Engineering and Measurement, p. 15.CrossRefGoogle Scholar
Tedesco, F. D., Sands, D. & Russo, A. (2016) Fault-resilient non-interference. In IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June 27–July 1, 2016. IEEE Computer Society, pp. 401416.CrossRefGoogle Scholar
Terauchi, T. & Aiken, A. (2005) Secure information flow as a safety problem. In Static Analysis, Hankin, C. and Siveroni, I. (eds). Berlin, Heidelberg: Springer, pp. 352367.Google Scholar
Volpano, D. & Smith, G. (1998) Probabilistic noninterference in a concurrent language. In Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238), pp. 3443.CrossRefGoogle Scholar
Supplementary material: PDF

Sison and Murray supplementary material

Sison and Murray supplementary material 1

Download Sison and Murray supplementary material(PDF)
PDF 149.6 KB
Supplementary material: File

Sison and Murray supplementary material

Sison and Murray supplementary material 2

Download Sison and Murray supplementary material(File)
File 262.3 KB
Supplementary material: PDF

Sison and Murray supplementary material

Sison and Murray supplementary material 3

Download Sison and Murray supplementary material(PDF)
PDF 1.1 MB
Supplementary material: File

Sison and Murray supplementary material

Sison and Murray supplementary material 4

Download Sison and Murray supplementary material(File)
File 1.2 KB
Submit a response

Discussions

No Discussions have been published for this article.