skip to main content

Le temps des cerises: efficient temporal stack safety on capability machines using directed capabilities

Published:29 April 2022Publication History
Skip Abstract Section

Abstract

Capability machines are a type of CPUs that support fine-grained privilege separation using capabilities, machine words that include forms of authority. Formal models of capability machines and associated calling conventions have so far focused on establishing two forms of stack safety properties, namely local state encapsulation and well-bracketed control flow. We introduce a novel kind of directed capabilities and show how to use them to make an earlier suggested calling convention more efficient. In contrast to earlier work on capability machine models we do not only consider integrity properties but also confidentiality properties; we provide a unary logical relation to reason about the former and a binary logical relation to reason about the latter, each expressive enough to reason about temporal stack safety. While the logical relations are useful for reasoning about concrete examples, they do not on their own demonstrate that stack safety holds for a large class of programs. Therefore, we also show full abstraction of a compiler from an overlay semantics that internalizes the calling convention as a single call step and explicitly keeps track of the call stack and frame lifetimes to a base capability machine. All results have been mechanized in Coq.

Skip Supplemental Material Section

Supplemental Material

References

  1. Martín Abadi. 1999. Protection in Programming-Language Translations. In Secure Internet Programming, Security Issues for Mobile and Distributed Objects. 19–34. https://doi.org/10.1007/3-540-48749-2_2 Google ScholarGoogle ScholarCross RefCross Ref
  2. Carmine Abate, Arthur Azevedo de Amorim, Roberto Blanco, Ana Nora Evans, Guglielmo Fachini, Catalin Hritcu, Théo Laurent, Benjamin C. Pierce, Marco Stronati, and Andrew Tolmach. 2018. When Good Components Go Bad: Formally Secure Compilation Despite Dynamic Compromise. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018. 1351–1368. https://doi.org/10.1145/3243734.3243745 Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Amal Ahmed. 2004. Semantics of Types for Mutable State. Ph.D. Dissertation. Princeton University.Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Amal Ahmed, Derek Dreyer, and Andreas Rossberg. 2009. State-dependent representation independence. In Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009, Savannah, GA, USA, January 21-23, 2009, Zhong Shao and Benjamin C. Pierce (Eds.). ACM, 340–353. https://doi.org/10.1145/1480881.1480925 Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Sean Noble Anderson, Leonidas Lampropoulos, Roberto Blanco, Benjamin C. Pierce, and Andrew Tolmach. 2021. Security Properties for Stack Safety. CoRR, abs/2105.00417 (2021), arxiv:2105.00417. arxiv:2105.00417Google ScholarGoogle Scholar
  6. Arm. 2021. Morello project. https://www.morello-project.org/Google ScholarGoogle Scholar
  7. Arthur Azevedo de Amorim, Nathan Collins, André DeHon, Delphine Demange, Catalin Hritcu, David Pichardie, Benjamin C. Pierce, Randy Pollack, and Andrew Tolmach. 2014. A verified information-flow architecture. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014. 165–178. https://doi.org/10.1145/2535838.2535839 Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Arthur Azevedo de Amorim, Maxime Dénès, Nick Giannarakis, Catalin Hritcu, Benjamin C. Pierce, Antal Spector-Zabusky, and Andrew Tolmach. 2015. Micro-Policies: Formally Verified, Tag-Based Security Monitors. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015. 813–830. https://doi.org/10.1109/SP.2015.55 Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Arthur Azevedo de Amorim, Catalin Hritcu, and Benjamin C. Pierce. 2018. The Meaning of Memory Safety. In Principles of Security and Trust - 7th International Conference, POST 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings, Lujo Bauer and Ralf Küsters (Eds.) (Lecture Notes in Computer Science, Vol. 10804). Springer, 79–105. https://doi.org/10.1007/978-3-319-89722-6_4 Google ScholarGoogle ScholarCross RefCross Ref
  10. Thomas Bauereiss, Brian Campbell, Thomas Sewell, Alasdair Armstrong, Lawrence Esswood, Ian Stark, Graeme Barnes, Robert N. M. Watson, and Peter Sewell. 2022. Verified Security for the Morello Capability-enhanced Prototype Arm Architecture. In Proceedings of the 31st European Symposium on Programming.Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Lars Birkedal, Bernhard Reus, Jan Schwinghammer, Kristian Støvring, Jacob Thamsborg, and Hongseok Yang. 2011. Step-indexed Kripke models over recursive worlds. In Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26-28, 2011, Thomas Ball and Mooly Sagiv (Eds.). ACM, 119–132. https://doi.org/10.1145/1926385.1926401 Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Nicholas P. Carter, Stephen W. Keckler, and William J. Dally. 1994. Hardware Support for Fast Capability-Based Addressing. In International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, 319–327. https://doi.org/10.1145/195473.195579 Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Chromium. 2020. Memory safety. https://www.chromium.org/Home/chromium-security/memory-safetyGoogle ScholarGoogle Scholar
  14. Jack B. Dennis and Earl C. Van Horn. 1966. Programming Semantics for Multiprogrammed Computations. Commun. ACM, 9, 3 (1966), March, 143–155. issn:0001-0782 https://doi.org/10.1145/365230.365252 Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Dominique Devriese, Lars Birkedal, and Frank Piessens. 2016. Reasoning about Object Capabilities with Logical Relations and Effect Parametricity. In IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016. IEEE, 147–162. https://doi.org/10.1109/EuroSP.2016.22 Google ScholarGoogle Scholar
  16. Derek Dreyer, Amal Ahmed, and Lars Birkedal. 2011. Logical Step-Indexed Logical Relations. LMCS, 7, 2:16 (2011), June, 1–37.Google ScholarGoogle Scholar
  17. Derek Dreyer, Georg Neis, and Lars Birkedal. 2010. The impact of higher-order state and control effects on local relational reasoning. In Proceeding of the 15th ACM SIGPLAN international conference on Functional programming, ICFP 2010, Baltimore, Maryland, USA, September 27-29, 2010, Paul Hudak and Stephanie Weirich (Eds.). ACM, 143–156. https://doi.org/10.1145/1863543.1863566 Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Derek Dreyer, Georg Neis, Andreas Rossberg, and Lars Birkedal. 2010. A relational modal logic for higher-order stateful ADTs. In Proceedings of the 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2010, Madrid, Spain, January 17-23, 2010. 185–198. https://doi.org/10.1145/1706299.1706323 Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Akram El-Korashy, Stelios Tsampas, Marco Patrignani, Dominique Devriese, Deepak Garg, and Frank Piessens. 2021. CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle. In 2021 IEEE 34th Computer Security Foundations Symposium (CSF). IEEE Computer Society, Los Alamitos, CA, USA. 421–436. issn:2374-8303 https://doi.org/10.1109/CSF51468.2021.00036 Google ScholarGoogle ScholarCross RefCross Ref
  20. Nathaniel Wesley Filardo, Brett F. Gutstein, Jonathan Woodruff, Sam Ainsworth, Lucian Paul-Trifu, Brooks Davis, Hongyan Xia, Edward Tomasz Napierala, Alexander Richardson, John Baldwin, David Chisnall, Jessica Clarke, Khilan Gudka, Alexandre Joannou, A. Theodore Markettos, Alfredo Mazzinghi, Robert M. Norton, Michael Roe, Peter Sewell, Stacey Son, Timothy M. Jones, Simon W. Moore, Peter G. Neumann, and Robert N. M. Watson. 2020. Cornucopia: Temporal Safety for CHERI Heaps. In IEEE Symposium on Security and Privacy. IEEE.Google ScholarGoogle Scholar
  21. Dan Frumin, Robbert Krebbers, and Lars Birkedal. 2018. ReLoC: A Mechanised Relational Logic for Fine-Grained Concurrency. In Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, Anuj Dawar and Erich Grädel (Eds.). ACM, 442–451. https://doi.org/10.1145/3209108.3209174 Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Sander Huyghebaert, Dominique Devriese, and Lars Birkedal. 2021. Efficient and provable local capability revocation using uninitialized capabilities. Proc. ACM Program. Lang., 5, POPL (2021), 1–30. https://doi.org/10.1145/3434287 Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Aïna Linn Georges, Alix Trieu, and Lars Birkedal. 2022. Artifact for Le Temps des Cerises: Efficient Temporal Stack Safety on Capability Machines using Directed Capabilities. https://doi.org/10.5281/zenodo.5821862 Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Aïna Linn Georges, Alix Trieu, and Lars Birkedal. 2022. Le Temps des Cerises: Efficient Temporal Stack Safety on Capability Machines using Directed Capabilities. https://cs.au.dk/~ageorges/publications_pdfs/monotone-technical.pdfGoogle ScholarGoogle Scholar
  25. Nicolas Joly, Saif ElSherei, and Saar Amar. 2020. Security Analysis of CHERI ISA. https://msrc-blog.microsoft.com/2020/10/14/security-analysis-of-cheri-isa/Google ScholarGoogle Scholar
  26. Ralf Jung, Robbert Krebbers, Lars Birkedal, and Derek Dreyer. 2016. Higher-order ghost state. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming, ICFP 2016, Nara, Japan, September 18-22, 2016. 256–269. https://doi.org/10.1145/2951913.2951943 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Ralf Jung, Robbert Krebbers, Jacques-Henri Jourdan, Ales Bizjak, Lars Birkedal, and Derek Dreyer. 2018. Iris from the ground up: A modular foundation for higher-order concurrent separation logic. J. Funct. Program., 28 (2018), e20. https://doi.org/10.1017/S0956796818000151 Google ScholarGoogle ScholarCross RefCross Ref
  28. Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer. 2015. Iris: Monoids and Invariants as an Orthogonal Basis for Concurrent Reasoning. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015. 637–650. https://doi.org/10.1145/2676726.2676980 Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Matthew Kolosick, Shravan Narayan, Conrad Watt, Michael LeMay, Deepak Garg, Ranjit Jhala, and Deian Stefan. 2022. Isolation Without Taxation: Near Zero Cost Transitions for SFI. In ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM.Google ScholarGoogle Scholar
  30. Robbert Krebbers, Jacques-Henri Jourdan, Ralf Jung, Joseph Tassarotti, Jan-Oliver Kaiser, Amin Timany, Arthur Charguéraud, and Derek Dreyer. 2018. MoSeL: a general, extensible modal framework for interactive proofs in separation logic. PACMPL, 2, ICFP (2018), 77:1–77:30. https://doi.org/10.1145/3236772 Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Robbert Krebbers, Ralf Jung, Ales Bizjak, Jacques-Henri Jourdan, Derek Dreyer, and Lars Birkedal. 2017. The Essence of Higher-Order Concurrent Separation Logic. In Programming Languages and Systems - 26th European Symposium on Programming, ESOP 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings. 696–723. https://doi.org/10.1007/978-3-662-54434-1_26 Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Robbert Krebbers, Amin Timany, and Lars Birkedal. 2017. Interactive proofs in higher-order concurrent separation logic. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, Paris, France, January 18-20, 2017, Giuseppe Castagna and Andrew D. Gordon (Eds.). ACM, 205–217. https://doi.org/10.1145/3009837.3009855 Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Morten Krogh-Jespersen, Kasper Svendsen, and Lars Birkedal. 2017. A relational model of types-and-effects in higher-order concurrent separation logic. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, POPL 2017, Paris, France, January 18-20, 2017, Giuseppe Castagna and Andrew D. Gordon (Eds.). ACM, 218–231. https://doi.org/10.1145/3009837.3009877 Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Xavier Leroy. 2009. A Formally Verified Compiler Back-end. J. Autom. Reason., 43, 4 (2009), 363–446. https://doi.org/10.1007/s10817-009-9155-4 Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Henry M. Levy. 1984. Capability-Based Computer Systems. Digital Press. isbn:978-1-4831-0106-4 https://homes.cs.washington.edu/~levy/capabook/Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Kyndylan Nienhuis, Alexandre Joannou, Thomas Bauereiss, Anthony Fox, Michael Roe, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, and Peter Sewell. 2020. Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process. In Proceedings of the 41st IEEE Symposium on Security and Privacy (SP).Google ScholarGoogle ScholarCross RefCross Ref
  37. Marco Patrignani, Amal Ahmed, and Dave Clarke. 2019. Formal Approaches to Secure Compilation: A Survey of Fully Abstract Compilation and Related Work. ACM Comput. Surv., 51, 6 (2019), Article 125, Feb., 36 pages. issn:0360-0300 https://doi.org/10.1145/3280984 Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Nick Roessler and André DeHon. 2018. Protecting the Stack with Metadata Policies and Tagged Hardware. In 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA. IEEE Computer Society, 478–495. https://doi.org/10.1109/SP.2018.00066 Google ScholarGoogle ScholarCross RefCross Ref
  39. Lau Skorstengaard. 2019. Formal Reasoning about Capability Machines. Ph.D. Dissertation. Aarhus University.Google ScholarGoogle Scholar
  40. Lau Skorstengaard, Dominique Devriese, and Lars Birkedal. 2018. Reasoning About a Machine with Local Capabilities - Provably Safe Stack and Return Pointer Management. In Programming Languages and Systems - 27th European Symposium on Programming, ESOP 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings. 475–501. https://doi.org/10.1007/978-3-319-89884-1_17 Google ScholarGoogle ScholarCross RefCross Ref
  41. Lau Skorstengaard, Dominique Devriese, and Lars Birkedal. 2019. Reasoning about a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management. ACM Transactions on Programming Languages and Systems, 42, 1 (2019), Dec., 5:1–5:53. issn:0164-0925 https://doi.org/10.1145/3363519 Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Lau Skorstengaard, Dominique Devriese, and Lars Birkedal. 2019. StkTokens: Enforcing Well-Bracketed Control Flow and Stack Encapsulation Using Linear Capabilities. Proc. ACM Program. Lang., 3, POPL (2019), Article 19, Jan., 28 pages. https://doi.org/10.1145/3290332 Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Eijiro Sumii and Benjamin C. Pierce. 2007. A bisimulation for type abstraction and recursion. J. ACM, 54, 5 (2007), 26. https://doi.org/10.1145/1284320.1284325 Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. David Swasey, Deepak Garg, and Derek Dreyer. 2017. Robust and Compositional Verification of Object Capability Patterns. In OOPSLA. ACM. https://people.mpi-sws.org/~swasey/papers/ocpl/ocpl-20170418.pdfGoogle ScholarGoogle Scholar
  45. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. 48–62. https://doi.org/10.1109/SP.2013.13 Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Gavin Thomas. 2019. A proactive approach to more secure code. https://msrc-blog.microsoft.com/2019/07/16/a-proactive-approach-to-more-secure-code/Google ScholarGoogle Scholar
  47. Stelios Tsampas, Dominique Devriese, and Frank Piessens. 2019. Temporal Safety for Stack Allocated Memory on Capability Machines. In 32nd IEEE Computer Security Foundations Symposium, CSF 2019, Hoboken, NJ, USA, June 25-28, 2019. 243–255. https://doi.org/10.1109/CSF.2019.00024 Google ScholarGoogle ScholarCross RefCross Ref
  48. Aaron Turon, Derek Dreyer, and Lars Birkedal. 2013. Unifying refinement and Hoare-style reasoning in a logic for higher-order concurrency. In ACM SIGPLAN International Conference on Functional Programming, ICFP’13, Boston, MA, USA - September 25 - 27, 2013. 377–390. https://doi.org/10.1145/2500365.2500600 Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Thomas Van Strydonck, Frank Piessens, and Dominique Devriese. 2021. Linear capabilities for fully abstract compilation of separation-logic-verified code. J. Funct. Program., 31 (2021), e6. https://doi.org/10.1017/S0956796821000022 Google ScholarGoogle ScholarCross RefCross Ref
  50. Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. 1993. Efficient Software-Based Fault Isolation. In Proceedings of the Fourteenth ACM Symposium on Operating System Principles, SOSP 1993, The Grove Park Inn and Country Club, Asheville, North Carolina, USA, December 5-8, 1993. 203–216. https://doi.org/10.1145/168619.168635 Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Hesham Almatary, Jonathan Anderson, John Baldwin, Graeme Barnes, David Chisnall, Jessica Clarke, Brooks Davis, Lee Eisen, Nathaniel Wesley Filardo, Richard Grisenthwaite, Alexandre Joannou, Ben Laurie, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Kyndylan Nienhuis, Robert Norton, Alexander Richardson, Peter Rugg, Peter Sewell, Stacey Son, and Hongyan Xia. 2020. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture (Version 8). University of Cambridge, Computer Laboratory. https://doi.org/10.48456/tr-951 Google ScholarGoogle Scholar
  52. R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, and M. Vadera. 2015. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In IEEE Symposium on Security and Privacy. 20–37. https://doi.org/10.1109/SP.2015.9 Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. Jonathan Woodruff, Alexandre Joannou, Hongyan Xia, Anthony C. J. Fox, Robert M. Norton, David Chisnall, Brooks Davis, Khilan Gudka, Nathaniel Wesley Filardo, A. Theodore Markettos, Michael Roe, Peter G. Neumann, Robert N. M. Watson, and Simon W. Moore. 2019. CHERI Concentrate: Practical Compressed Capabilities. IEEE Trans. Computers, 68, 10 (2019), 1455–1469. https://doi.org/10.1109/TC.2019.2914037 Google ScholarGoogle ScholarCross RefCross Ref
  54. Hongyan Xia, Jonathan Woodruff, Sam Ainsworth, Nathaniel W. Filardo, Michael Roe, Alexander Richardson, Peter Rugg, Peter G. Neumann, Simon W. Moore, Robert N. M. Watson, and Timothy M. Jones. 2019. CHERIvoke: Characterising Pointer Revocation Using CHERI Capabilities for Temporal Memory Safety. In IEEE/ACM International Symposium on Microarchitecture. ACM. https://doi.org/10.1145/3352460.3358288 Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Le temps des cerises: efficient temporal stack safety on capability machines using directed capabilities

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!