research-article
Open Access

StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities

Published: 02 January 2019

Abstract

We propose and study StkTokens: a new calling convention that provably enforces well-bracketed control flow and local state encapsulation on a capability machine. The calling convention is based on linear capabilities: a type of capability that the hardware prevents from being duplicated. In addition to designing and formalizing this new calling convention, we also contribute a new way to formalize and prove that it effectively enforces well-bracketed control flow and local state encapsulation, using what we call a fully abstract overlay semantics.


Supplemental Material

a19-devriese.webm

