Hostname: page-component-77f85d65b8-v2srd Total loading time: 0 Render date: 2026-04-21T11:01:25.441Z Has data issue: false hasContentIssue false
  • English
  • Français

StkTokens: Enforcing well-bracketed control flow and stack encapsulation using linear capabilities

Part of: Secure Compilation

Published online by Cambridge University Press:  15 April 2021

LAU SKORSTENGAARD ,
DOMINIQUE DEVRIESE Open the ORCID record for DOMINIQUE DEVRIESE [Opens in a new window]  and
LARS BIRKEDAL
LAU SKORSTENGAARD
Affiliation:
Toitware, Aarhus, Denmark (e-mail: lau.skorstengaard@gmail.com)
DOMINIQUE DEVRIESE
Affiliation:
Department of Computer Science, Vrije Universiteit Brussel, Brussels, Belgium (e-mail: dominique.devriese@vub.be)
LARS BIRKEDAL
Affiliation:
Department of Computer Science, Aarhus University, Aarhus, Denmark (e-mail: birkedal@cs.au.dk)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the 'Save PDF' action button.

We propose and study StkTokens: a new calling convention that provably enforces well-bracketed control flow and local state encapsulation on a capability machine. The calling convention is based on linear capabilities: a type of capabilities that are prevented from being duplicated by the hardware. In addition to designing and formalizing this new calling convention, we also contribute a new way to formalize and prove that it effectively enforces well-bracketed control flow and local state encapsulation using what we call a fully abstract overlay semantics.

Information

Type
Research Article
Information
Journal of Functional Programming , Volume 31 , 2021 , e9
Check for updates
Copyright
© The Author(s), 2021. Published by Cambridge University Press

Footnotes

*

Research performed while the author was affiliated with Aarhus University.

References

Abadi, M. (1998) Protection in programming-language translations: Mobile object systems. In European Conference on Object-Oriented Programming, Lecture Notes in Computer Science. Springer Berlin Heidelberg, pp. 291–291.CrossRefGoogle Scholar
Abadi, M. (1999) Protection in programming-language translations. In Secure Internet Programming. Springer-Verlag, pp. 19–34.CrossRefGoogle Scholar
Abadi, M., Budiu, M., Erlingsson, Ú. & Ligatti, J. (2005a) Control-flow integrity. In Conference on Computer and Communications Security. ACM, pp. 340353.Google Scholar
Abadi, M., Budiu, M., Erlingsson, Ú. & Ligatti, J. (2005b) A theory of secure control flow. In Formal Methods and Software Engineering. Berlin, Heidelberg: Springer, pp. 111124.CrossRefGoogle Scholar
Abate, C., Azevedo de Amorim, A., Blanco, R., Evans, A. N., Fachini, G., Hritcu, C., Laurent, T., Pierce, B. C., Stronati, M. & Tolmach, A. (2018) When good components go bad: Formally secure compilation despite dynamic compromise. In Computer and Communications Security. CCS’18. ACM.Google Scholar
Abate, C., Blanco, R., Garg, D., Hritcu, C., Patrignani, M. & Thibault, J. (2019) Journey beyond full abstraction: Exploring robust property preservation for secure compilation. In Computer Security Foundations Symposium. IEEE Computer Society Press.Google Scholar
Ahmed, A. & Blume, M. (2011) An equivalence-preserving CPS translation via multi-language semantics. In International Conference on Functional Programming. ACM, pp. 431–444.CrossRefGoogle Scholar
Ahmed, A. J. (2004) Semantics of Types for Mutable State. PhD thesis, Princeton University.Google Scholar
America, P. & Rutten, J. J. M. M. (1989) Solving reflexive domain equations in a category of complete metric spaces. J. Comput. Syst. Sci. 39, 343375.CrossRefGoogle Scholar
Azevedo de Amorim, A., Collins, N., DeHon, A., Demange, D., Hritcu, C., Pichardie, D., Pierce, B. C., Pollack, R. & Tolmach, A. (2016) A verified information-flow architecture. J. Comput. Secur. 24(6), 689734.CrossRefGoogle Scholar
Azevedo de Amorim, A., Dénès, M., Giannarakis, N., Hritcu, C., Pierce, B. C., Spector-Zabusky, A. & Tolmach, A. (2015) Micro-policies: Formally verified, tag-based security monitors. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17–21, 2015, pp. 813–830.Google Scholar
Barthe, G., Blazy, S., Grégoire, B., Hutin, R., Laporte, V., Pichardie, D. & Trieu, A. (2019) Formal verification of a constant-time preserving C compiler. Proc. ACM Program. Lang. 4(POPL), 7:17:30.Google Scholar
Birkedal, L. & Bizjak, A. (2014) A Taste of Categorical Logic — Tutorial Notes.Google Scholar
Birkedal, L., Reus, B., Schwinghammer, J., Støvring, K., Thamsborg, J. & Yang, H. (2011) Step-indexed Kripke models over recursive worlds. In POPL. ACM, pp. 119132.CrossRefGoogle Scholar
Carlini, N., Barresi, A., Payer, M., Wagner, D. & Gross, T. R. (2015) Control-flow bending: On the effectiveness of control-flow integrity. In USENIX Security. USENIX Association.Google Scholar
Dennis, J. B. & Van Horn, E. C. (1966) Programming semantics for multiprogrammed computations. Commun. ACM 9(3), 143155.CrossRefGoogle Scholar
Devriese, D., Patrignani, M., Piessens, F. & Keuchel, S. (2017) Modular, fully-abstract compilation by approximate back-translation. Logical Methods Comput. Sci. 13(10), 138.Google Scholar
Evans, I., Long, F., Otgonbaatar, U., Shrobe, H., Rinard, M., Okhravi, H. & Sidiroglou-Douskos, S. (2015) Control jujutsu: On the weaknesses of fine-grained control flow integrity. In Computer and Communications Security. ACM.Google Scholar
Georges, A. L., Guéneau, A., Van Strydonck, T., Timany, A., Trieu, A., Huyghebaert, S., Devriese, D. & Birkedal, L. (2021) Efficient and provable local capability revocation using uninitialized capabilities. Proc. ACM Program. Lang. 5(POPL), 6:1–6:30.Google Scholar
Joannou, A., Woodruff, J., Kovacsics, R., Moore, S. W., Bradbury, A., Xia, H., Watson, R. N. M., Chisnall, D., Roe, M., Davis, B., Napierala, E., Baldwin, J., Gudka, K., Neumann, P. G., Mazzinghi, A., Richardson, A., Son, S. & Markettos, A. T. (2017) Efficient tagged memory. In IEEE International Conference on Computer Design (ICCD). IEEE.Google Scholar
Juglaret, Y., Hricu, C., Azevedo de Amorim, A. & Pierce, B. C. (2016) Beyond good and evil: Formalizing the security guarantees of compartmentalizing compilation. In CSF. IEEE Computer Society Press.Google Scholar
Jung, R., Krebbers, R., Jourdan, J.-H., Bizjak, A., Birkedal, L. & Dreyer, D. (2018) Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program. 28, 173.Google Scholar
Laird, J. (2005) Game semantics and linear CPS interpretation. Theor. Comput. Sci. 333(1), 199224.CrossRefGoogle Scholar
Levy, H. M. (1984) Capability-Based Computer Systems. Digital Press.Google Scholar
New, M. S., Bowman, W. J. & Ahmed, A. (2016) Fully abstract compilation via universal embedding. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming. ICFP 2016. ACM, pp. 103116.CrossRefGoogle Scholar
Patrignani, M., Ahmed, A. & Clarke, D. (2019) Formal approaches to secure compilation: A survey of fully abstract compilation and related work. ACM Comput. Surv. 51, 1730.CrossRefGoogle Scholar
Patrignani, M., Devriese, D. & Piessens, F. (2016) On modular and fully abstract compilation. In Computer Security Foundations. IEEE.Google Scholar
Patrignani, M. & Garg, D. (2017) Secure compilation and hyperproperty preservation. In Computer Security Foundations. IEEE.Google Scholar
Roessler, N. & DeHon, A. (2018) Protecting the stack with metadata policies and tagged hardware. In 2018 IEEE Symposium on Security and Privacy (SP), pp. 478495.CrossRefGoogle Scholar
Scott, D. S. (1976) Data types as lattices. SIAM J. Comput. 5, 522587.Google Scholar
Skorstengaard, L. (2019) Formal Reasoning about Capability Machines. PhD thesis, Aarhus University.Google Scholar
Skorstengaard, L., Devriese, D. & Birkedal, L. (2018a) Reasoning about a machine with local capabilities. In Programming Languages and Systems. Springer International Publishing, pp. 475501.CrossRefGoogle Scholar
Skorstengaard, L., Devriese, D. & Birkedal, L. (2018b) StkTokens: Enforcing Well-bracketed Control Flow and Stack Encapsulation using Linear Capabilities. Technical Report with Proofs and Details.Google Scholar
Skorstengaard, L., Devriese, D. & Birkedal, L. (2019a) Reasoning about a machine with local capabilities: Provably safe stack and return pointer management. ACM Trans. Program. Lang. Syst. 42(1), 5:15:53.Google Scholar
Skorstengaard, L., Devriese, D. & Birkedal, L. (2019b) StkTokens: Enforcing well-bracketed control flow and stack encapsulation using linear capabilities. Proc. ACM Program. Lang. 3(POPL), 19:119:28.CrossRefGoogle Scholar
Szabo, N. (1997) Formalizing and securing relationships on public networks. First Monday 2(9).CrossRefGoogle Scholar
Szabo, N. (2004) Scarce Objects.Google Scholar
Thamsborg, J. & Birkedal, L. (2011) A kripke logical relation for effect-based program transformations. In Proceeding of the 16th ACM SIGPLAN international conference on Functional Programming, ICFP 2011, Tokyo, Japan, September 19–21, 2011.CrossRefGoogle Scholar
Tsampas, S., Devriese, D. & Piessens, F. (2019) Temporal safety for stack allocated memory on capability machines. In 2019 IEEE 32nd Computer Security Foundations Symposium. IEEE Computer Society Press.CrossRefGoogle Scholar
van der Veen, V., Andriesse, D., Stamatogiannakis, M., Chen, X., Bos, H. & Giuffrdia, C. (2017) The dynamics of innocent flesh on the bone: Code reuse ten years later. In ACM SIGSAC Conference on Computer and Communications Security. CCS’17. Association for Computing Machinery, pp. 1675–1689.CrossRefGoogle Scholar
Van Strydonck, T., Piessens, F. & Devriese, D. (2019) Linear capabilities for fully abstract compilation of separation-logic-verified code. Proc. ACM Program. Lang. ICFP. accepted.Google Scholar
Watson, R. N. M., Neumann, P. G., Woodruff, J., Roe, M., Almatary, H., Anderson, J., Baldwin, J., Barnes, G., Chisnall, D., Clarke, J., Davis, B., Eisen, L., Filardo, N. W., Grisenthwaite, R., Joannou, A., Laurie, B., Markettos, A. T., Moore, S. W., Murdoch, S. J., Nienhuis, K., Norton, R., Richardson, A., Rugg, P., Sewell, P., Son, S. & Xia, H. (2020) Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 8). Technical report UCAM-CL-TR-951. University of Cambridge, Computer Laboratory.Google Scholar
Watson, R. N. M., Neumann, P. G., Woodruff, J., Roe, M., Anderson, J., Chisnall, D., Davis, B., Joannou, A., Laurie, B., Moore, S. W., Murdoch, S. J., Norton, R. & Son, S. (2015b) Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture. Technical report UCAM-CL-TR-876. University of Cambridge, Computer Laboratory.Google Scholar
Watson, R. N. M., Norton, R. M., Woodruff, J., Moore, S. W., Neumann, P. G., Anderson, J., Chisnall, D., Davis, B., Laurie, B., Roe, M., Dave, N. H., Gudka, K., Joannou, A., Markettos, A. T., Maste, E., Murdoch, S. J., Rothwell, C., Son, S. D. & Vadera, M. (2016) Fast protection-domain crossing in the CHERI capability-system architecture. IEEE Micro 36(5).CrossRefGoogle Scholar
Watson, R. N. M., Woodruff, J., Neumann, P. G., Moore, S. W., Anderson, J., Chisnall, D., Dave, N., Davis, B., Gudka, K., Laurie, B., Murdoch, S. J., Norton, R., Roe, M., Son, S. & Vadera, M. (2015a) CHERI: A hybrid capability-system architecture for scalable software compartmentalization. In IEEE Symposium on Security and Privacy. IEEE, pp. 2037.Google Scholar
Watson, R. N., Neumann, P. G., Woodruff, J., Anderson, J., Anderson, R., Dave, N., Laurie, B., Moore, S. W., Murdoch, S. J., Paeps, P., Roe, M. & Saidi, H. (2012) CHERI: A research platform deconflating hardware virtualization and protection. In Workshop on Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE).Google Scholar
Woodruff, J., Watson, R. N., Chisnall, D., Moore, S. W., Anderson, J., Davis, B., Laurie, B., Neumann, P. G., Norton, R. & Roe, M. (2014) The CHERI capability model: Revisiting RISC in an age of risk. In International Symposium on Computer Architecuture. IEEE, pp. 457468.Google Scholar
Submit a response

Discussions

No Discussions have been published for this article.