journey beyond full abstraction - inria · –shared responsibility: compiler, linker, loader, os,...
Post on 06-Jul-2020
3 Views
Preview:
TRANSCRIPT
Journey Beyond Full Abstraction:Exploring Robust Property Preservation
for Secure Compilation
https://github.com/secure-compilation/exploring-robust-property-preservation
CarmineAbate
DeepakGarg Marco
Patrignani
CătălinHrițcu
JérémyThibault
MPI-SWS
Stanford& CISPA
Inria ParisInria Paris Inria Paris
RobBlanco
Inria Paris
Good programming languages providehelpful abstractions for writing more secure code
2
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
abstractions not enforced when compiling and linking with adversarial low-level code
Good programming languages providehelpful abstractions for writing more secure code
• structured control flow, procedures, modules, interfaces, correctness and security specifications, ...
2
abstractions not enforced when compiling and linking with adversarial low-level code• all source-level security guarantees are lost
• linked low-level code can read and write data and code,jump to arbitrary instructions, smash the stack, ...
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code
3
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
3
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Enable source-level security reasoning– if source program is secure against all source contexts then
compiled program is secure against all target contexts
3
Secure compilation chains• Protect source-level abstractions
even against linked adversarial low-level code– various enforcement mechanisms possible: processes, SFI, ...
– shared responsibility: compiler, linker, loader, OS, HW
• Enable source-level security reasoning– if source program is secure against all source contexts then
compiled program is secure against all target contexts
– but what should "is secure" mean?
3
4
What properties should we robustly preserve?
4
What properties should we robustly preserve?
trace properties(safety & liveness)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
4
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
4
More secure
More efficientto enforce
Easier to prove
What properties should we robustly preserve?
trace properties(safety & liveness)
hyperproperties(noninterference)
relationalhyperproperties(trace equivalence)
only integrity
+ data confidentiality
+ code confidentiality
Journey Beyond Full Abstraction
5
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
no one-size-fits-all criterion!
without internal nondeterminism,full abstraction is here
Journey Beyond Full Abstraction
5
doesn't imply any of our criteria(even assuming compiler correctness)
PostDocs &Starting Researchers@ Inria Paris
no one-size-fits-all criterion!
top related