
Reasoning about a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management

Published: 10 December 2019

Abstract

Capability machines provide security guarantees at the machine level, which makes them an interesting target for secure compilation schemes that provably enforce properties such as control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention. We provide a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety) and use it to prove control-flow correctness and encapsulation of local state. The logical relation is not specific to our calling convention and can be used to reason about arbitrary programs.

