Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

IF 2.3 2区计算机科学 Q2 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Journal of the ACM Pub Date : 2023-09-14 DOI:10.1145/3623510

Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Dominique Devriese, Lars Birkedal

{"title":"Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code","authors":"Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Dominique Devriese, Lars Birkedal","doi":"10.1145/3623510","DOIUrl":null,"url":null,"abstract":"A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities , machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. The methodology we present underlies recent work of the authors on formal reasoning about capability machines [15, 33, 37], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.","PeriodicalId":50022,"journal":{"name":"Journal of the ACM","volume":"22 1","pages":"0"},"PeriodicalIF":2.3000,"publicationDate":"2023-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of the ACM","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3623510","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 3

Abstract

A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities , machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. The methodology we present underlies recent work of the authors on formal reasoning about capability machines [15, 33, 37], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.

查看原文本刊更多论文

Cerise:存在不可信代码的能力机器上的程序验证

能力机器是一种CPU类型，允许使用能力进行细粒度的特权分离，机器字代表某些类型的权限。我们提出了一个数学模型和附带的证明方法，可以用于正式验证在功能机器上运行的程序的功能正确性，即使它们调用未知(可能是恶意的)代码并被调用。我们使用名为Cerise的程序逻辑来对已知代码进行推理，并使用相关的逻辑关系来对未知代码进行推理。逻辑关系正式地捕获由能力机器提供的能力安全保证。在Coq证明助手中，使用Iris程序逻辑框架实现了Cerise程序逻辑、逻辑关系以及本文所考虑的所有示例的机械化。我们提出的方法是作者最近关于能力机器的形式推理工作的基础[15,33,37]，但在这些出版物中有些隐含。在本文中，我们以一个更简单的设置(没有外来的能力)，从最小的例子开始，对该方法进行了教学介绍。我们通过自己的努力得到了关于基于堆的调用约定和复杂的对象能力模式的实现的新结果，这些模式是以前为具有对象能力的高级语言研究过的，并证明了该方法可以扩展到这样的推理。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of the ACM 工程技术-计算机：理论方法

CiteScore

7.50

自引率

0.00%

发文量

审稿时长

3 months

期刊介绍： The best indicator of the scope of the journal is provided by the areas covered by its Editorial Board. These areas change from time to time, as the field evolves. The following areas are currently covered by a member of the Editorial Board: Algorithms and Combinatorial Optimization; Algorithms and Data Structures; Algorithms, Combinatorial Optimization, and Games; Artificial Intelligence; Complexity Theory; Computational Biology; Computational Geometry; Computer Graphics and Computer Vision; Computer-Aided Verification; Cryptography and Security; Cyber-Physical, Embedded, and Real-Time Systems; Database Systems and Theory; Distributed Computing; Economics and Computation; Information Theory; Logic and Computation; Logic, Algorithms, and Complexity; Machine Learning and Computational Learning Theory; Networking; Parallel Computing and Architecture; Programming Languages; Quantum Computing; Randomized Algorithms and Probabilistic Analysis of Algorithms; Scientific Computing and High Performance Computing; Software Engineering; Web Algorithms and Data Mining