Abstract
Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard, because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module.
This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied.
We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program.
The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well.
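The key insight above, as an added illustration that is not the paper's formal calculus or compiler: a memory cell described by a points-to predicate is represented by a linear capability, modelled here with a non-Copy, non-Clone Rust type so that Rust's move semantics play the role of the hardware's no-copy rule. The memory model, the `outcall` check and the contract shape `{ b |-> _ } f(b) { b |-> _ }` are constructed assumptions for this example.

```rust
use std::collections::HashMap;

/// Linear capability for one memory cell (constructed model). It is neither
/// Copy nor Clone: holding it is the only way to reach the cell, and passing
/// it to a callee means losing it until the callee hands it back.
pub struct LinCap { addr: usize }

/// Memory that is reachable only through capabilities.
#[derive(Default)]
pub struct Memory { cells: HashMap<usize, i64>, next: usize }

impl Memory {
    pub fn alloc(&mut self, v: i64) -> LinCap {
        let addr = self.next;
        self.next += 1;
        self.cells.insert(addr, v);
        LinCap { addr }
    }
    pub fn load(&self, c: &LinCap) -> i64 { self.cells[&c.addr] }
    pub fn store(&mut self, c: &LinCap, v: i64) { self.cells.insert(c.addr, v); }
}

/// Compiled outcall for a contract of the shape `{ b |-> _ } f(b) { b |-> _ }`.
/// Only the capability in the precondition's footprint is handed over, so the
/// callee has no way to reach cells the verified module keeps. The postcondition
/// footprint is checked dynamically: the callee must give back a capability for
/// the same cell, or the contract is reported as violated.
pub fn outcall<F>(mem: &mut Memory, cap_b: LinCap, f: F) -> Result<LinCap, &'static str>
where F: FnOnce(&mut Memory, LinCap) -> Option<LinCap>,
{
    let expected = cap_b.addr;
    match f(mem, cap_b) {
        Some(c) if c.addr == expected => Ok(c),
        Some(_) => Err("callee returned a capability for a different cell"),
        None => Err("callee retained the capability"),
    }
}

/// Verified module: owns cells a and b, calls untrusted code on b only, then
/// reads both. Returns (a, b) when the contract held.
pub fn verified_module<F>(f: F) -> Result<(i64, i64), &'static str>
where F: FnOnce(&mut Memory, LinCap) -> Option<LinCap>,
{
    let mut mem = Memory::default();
    let cap_a = mem.alloc(10);
    let cap_b = mem.alloc(20);
    // cap_a is outside the outcall's footprint, so it is never passed to f.
    let cap_b = outcall(&mut mem, cap_b, f)?;
    Ok((mem.load(&cap_a), mem.load(&cap_b)))
}
```

Because the callee never receives a capability for `a`, an access to it does not even type-check in this model; what remains to check at run time is that the footprint named by the postcondition comes back.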
Linear capabilities for fully abstract compilation of separation-logic-verified code