ABSTRACT
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in them are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proof-carrying authorization. Other languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, which must be further compiled to an executable form. A language suitable for source programming, backed by a compiler that enables end-to-end verification, is missing.
In this paper, we present a type-preserving compiler that translates programs written in FINE, a source-level functional language with dependent refinements and affine types, to DCIL, a new extension of the .NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCF-style proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proof-carrying authorization, and evidence-based auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a plugin-based email client to a conference management server.
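The security-relevant point of the abstract is the last step: once the solver's reasoning is reified as explicit LCF-style proof terms, the consumer of the compiled code re-checks those terms with a small kernel and no longer has to trust the solver. The following is an added illustration of that pattern, not code from Fine, DCIL or the paper's compiler: a tiny propositional logic with a trusted kernel whose `Thm` values can only be produced by inference rules, an untrusted backward-chaining prover that stands in for the SMT solver and emits proof terms as plain data, and a checker that replays the terms through the kernel. The atoms, the single policy rule and the names `prove`, `replay` and `verify` are assumptions made for the example.

```python
"""
Added illustration (not Fine or DCIL code): an untrusted prover emits explicit
proof terms for an authorization goal and a small trusted kernel re-checks them
LCF-style, so the prover is no longer in the trusted computing base. The logic,
rule set and policy facts are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

@dataclass(frozen=True)
class Atom:
    name: str                                  # e.g. "CanRead(alice,memo)"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Implies:
    premise: "Formula"
    conclusion: "Formula"

Formula = Union[Atom, And, Implies]

# ---- trusted kernel: the only producer of Thm values -------------------------
_KERNEL = object()        # capability that gates the Thm constructor

class Thm:
    """Sequent hyps |- concl. Constructible only through the rules below."""
    __slots__ = ("hyps", "concl")
    def __init__(self, hyps, concl, _cap=None):
        if _cap is not _KERNEL:
            raise PermissionError("Thm can only be built by kernel rules")
        self.hyps, self.concl = frozenset(hyps), concl

def assume(p: Formula) -> Thm:                  # p |- p
    return Thm({p}, p, _KERNEL)

def and_intro(a: Thm, b: Thm) -> Thm:           # G |- A, H |- B  =>  G,H |- A /\ B
    return Thm(a.hyps | b.hyps, And(a.concl, b.concl), _KERNEL)

def implies_intro(p: Formula, t: Thm) -> Thm:   # G,p |- q  =>  G |- p -> q
    return Thm(t.hyps - {p}, Implies(p, t.concl), _KERNEL)

def implies_elim(imp: Thm, prem: Thm) -> Thm:   # G |- p -> q, H |- p  =>  G,H |- q
    if not isinstance(imp.concl, Implies) or imp.concl.premise != prem.concl:
        raise ValueError(f"implies_elim: {prem.concl} does not match {imp.concl}")
    return Thm(imp.hyps | prem.hyps, imp.concl.conclusion, _KERNEL)

# ---- proof terms: plain data the prover emits and the checker replays --------
# ("assume", p) | ("and_intro", pf, pf) | ("implies_intro", p, pf) | ("implies_elim", pf, pf)
Proof = Tuple

def replay(pf: Proof) -> Thm:
    """Re-run a proof term through the kernel; any invalid step raises."""
    tag, *args = pf
    if tag == "assume":        return assume(args[0])
    if tag == "and_intro":     return and_intro(replay(args[0]), replay(args[1]))
    if tag == "implies_intro": return implies_intro(args[0], replay(args[1]))
    if tag == "implies_elim":  return implies_elim(replay(args[0]), replay(args[1]))
    raise ValueError(f"unknown proof constructor {tag!r}")

def verify(pf: Proof, goal: Formula, facts: FrozenSet[Formula]) -> bool:
    """Checker side: the term must prove exactly `goal` from a subset of `facts`."""
    try:
        thm = replay(pf)
    except (ValueError, PermissionError):
        return False
    return thm.concl == goal and thm.hyps <= facts

# ---- untrusted prover: naive backward chaining, stands in for the SMT solver --
def prove(goal: Formula, hyps: FrozenSet[Formula], depth: int = 8) -> Optional[Proof]:
    if depth == 0:
        return None
    if goal in hyps:
        return ("assume", goal)
    if isinstance(goal, And):
        l, r = prove(goal.left, hyps, depth - 1), prove(goal.right, hyps, depth - 1)
        return ("and_intro", l, r) if l and r else None
    if isinstance(goal, Implies):
        body = prove(goal.conclusion, hyps | {goal.premise}, depth - 1)
        return ("implies_intro", goal.premise, body) if body else None
    for h in hyps:                              # try every rule h = p -> goal
        if isinstance(h, Implies) and h.conclusion == goal:
            sub = prove(h.premise, hyps, depth - 1)
            if sub:
                return ("implies_elim", ("assume", h), sub)
    return None

# ---- constructed policy and goal (assumed for the example) -------------------
OWNER, LOGGED, CAN_READ = Atom("Owner(alice,memo)"), Atom("LoggedIn(alice)"), Atom("CanRead(alice,memo)")
RULE = Implies(And(OWNER, LOGGED), CAN_READ)
FACTS = frozenset({OWNER, LOGGED, RULE})

def honest_run() -> bool:
    pf = prove(CAN_READ, FACTS)
    return pf is not None and verify(pf, CAN_READ, FACTS)

def forged_run() -> bool:
    """A buggy prover skips the LoggedIn obligation; the kernel rejects the term."""
    forged = ("implies_elim", ("assume", RULE), ("assume", OWNER))
    return verify(forged, CAN_READ, FACTS)

def smuggled_hyp_run() -> bool:
    """A well-formed derivation from a fact outside the policy is also rejected."""
    bogus = Atom("LoggedIn(mallory)")
    pf = ("implies_elim", ("assume", Implies(bogus, CAN_READ)), ("assume", bogus))
    return verify(pf, CAN_READ, FACTS)

if __name__ == "__main__":
    print(honest_run(), forged_run(), smuggled_hyp_run())   # True False False
```

Two checks carry the weight here. Replaying through the kernel catches an unsound step (a prover that "forgets" an obligation), and the final hypothesis-subset check catches a sound derivation from premises the policy never granted; a checker that only inspected the conclusion would accept the second. The prover can be arbitrarily clever or arbitrarily buggy, and neither affects what the checker accepts, which is the property the abstract attributes to carrying explicit proof terms to DCIL.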
Type-preserving compilation of end-to-end verification of security enforcement. PLDI '10.