posted on 2023-11-29, 18:11authored byCarmine Abate, Roberto Blanco, Deepak Garg, Catalin Hritcu, Marco Patrignani, Jeremy Thibault
—Good programming languages provide helpful abstractions for writing secure code, but the security properties of
the source language are generally not preserved when compiling a
program and linking it with adversarial code in a low-level target
language (e.g., a library or a legacy application). Linked target
code that is compromised or malicious may, for instance, read and
write the compiled program’s data and code, jump to arbitrary
memory locations, or smash the stack, blatantly violating any
source-level abstraction. By contrast, a fully abstract compilation
chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about
the compiled program than what some linked source code could
about the source program. However, while research in this area
has so far focused on preserving observational equivalence, as
needed for achieving full abstraction, there is a much larger space
of security properties one can choose to preserve against linked
adversarial code. And the precise class of security properties one
chooses crucially impacts not only the supported security goals
and the strength of the attacker model, but also the kind of
protections a secure compilation chain has to introduce.
We are the first to thoroughly explore a large space of formal
secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary
adversarial contexts. We study robustly preserving various classes
of trace properties such as safety, of hyperproperties such as
noninterference, and of relational hyperproperties such as trace
equivalence. This leads to many new secure compilation criteria,
some of which are easier to practically achieve and prove than
full abstraction, and some of which provide strictly stronger
security guarantees. For each of the studied criteria we propose an equivalent “property-free” characterization that clarifies
which proof techniques apply. For relational properties and
hyperproperties, which relate the behaviors of multiple programs,
our formal definitions of the property classes themselves are
novel. We order our criteria by their relative strength and show
several collapses and separation results. Finally, we adapt existing
proof techniques to show that even the strongest of our secure
compilation criteria, the robust preservation of all relational
hyperproperties, is achievable for a simple translation from a
statically typed to a dynamically typed language.
History
Preferred Citation
Carmine Abate, Roberto Blanco, Deepak Garg, Catalin Hritcu, Marco Patrignani and Jeremy Thibault. Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation. In: IEEE Computer Security Foundations Symposium (CSF). 2019.
@inproceedings{cispa_all_3043,
title = "Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation",
author = "Abate, Carmine and Blanco, Roberto and Garg, Deepak and Hritcu, Catalin and Patrignani, Marco and Thibault, Jeremy",
booktitle="{IEEE Computer Security Foundations Symposium (CSF)}",
year="2019",
}