Abstract
Capability machines provide security guarantees at the machine level, which makes them an interesting target for secure compilation schemes that provably enforce properties such as control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention. We provide a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety) and use it to prove control-flow correctness and encapsulation of local state. The logical relation is not specific to our calling convention and can be used to reason about arbitrary programs.
Reasoning about a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management