Abstract
We propose and study StkTokens: a new calling convention that provably enforces well-bracketed control flow and local state encapsulation on a capability machine. The calling convention is based on linear capabilities: a type of capabilities that are prevented from being duplicated by the hardware. In addition to designing and formalizing this new calling convention, we also contribute a new way to formalize and prove that it effectively enforces well-bracketed control flow and local state encapsulation using what we call a fully abstract overlay semantics.
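To make the core intuition concrete, here is a small added model (not the paper's formal semantics or its actual calling convention) of a register machine whose hardware refuses to duplicate linear capabilities; the register names, the `copy`/`move` instructions and the three sample callees are assumptions, and the "token" check on return is only a simplified stand-in for what StkTokens does.

```python
from dataclasses import dataclass

@dataclass(eq=False)          # identity, not structure, distinguishes two capabilities
class Cap:
    base: int
    end: int
    linear: bool = False

class LinearityViolation(Exception):
    """Raised when an instruction would duplicate a linear capability."""

class Machine:
    def __init__(self):
        self.regs = {}            # assumed register file: name -> Cap or None

    def copy(self, dst, src):
        # Duplicating a capability: the hardware refuses for linear ones.
        cap = self.regs.get(src)
        if cap is not None and cap.linear:
            raise LinearityViolation(f"cannot duplicate linear capability in {src}")
        self.regs[dst] = cap

    def move(self, dst, src):
        # Moving transfers ownership; the source register is cleared, so at
        # most one copy of a linear capability ever exists in the machine.
        self.regs[dst] = self.regs.get(src)
        self.regs[src] = None

def run_call(callee):
    """Caller hands its linear stack capability to `callee` in r_stk and, on
    return, checks that the very same capability came back (the 'token').
    Returns a short outcome string (constructed scenario, not real code)."""
    m = Machine()
    stack = Cap(base=0x1000, end=0x2000, linear=True)   # constructed sample bounds
    m.regs["r_stk"] = stack
    try:
        callee(m)
    except LinearityViolation:
        return "linearity-violation"
    # The callee returned; was the unique stack capability handed back?
    if m.regs.get("r_stk") is stack:
        return "ok"
    return "stack-not-returned"

def honest_callee(m):
    m.move("r_tmp", "r_stk")      # use the caller's stack frame...
    m.move("r_stk", "r_tmp")      # ...and give it back before returning

def copying_callee(m):
    m.copy("r_saved", "r_stk")    # try to keep a copy for later: hardware faults

def hoarding_callee(m):
    m.move("r_saved", "r_stk")    # keep the only copy: caller sees it is missing
```

Because the stack capability cannot be duplicated, a callee that wants to retain access to the caller's frame must either fault (copying) or fail to return the token (hoarding); the honest callee is the only one for which the return succeeds.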
StkTokens: enforcing well-bracketed control flow and stack encapsulation using linear capabilities