Verified secure compilation for mixed-sensitivity concurrent programs

IF 1.1 3区计算机科学 Q4 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Functional Programming Pub Date : 2020-10-27 DOI:10.1017/S0956796821000162

Robert Sison, Toby C. Murray

{"title":"Verified secure compilation for mixed-sensitivity concurrent programs","authors":"Robert Sison, Toby C. Murray","doi":"10.1017/S0956796821000162","DOIUrl":null,"url":null,"abstract":"Abstract Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.","PeriodicalId":15874,"journal":{"name":"Journal of Functional Programming","volume":"31 1","pages":""},"PeriodicalIF":1.1000,"publicationDate":"2020-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1017/S0956796821000162","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Functional Programming","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1017/S0956796821000162","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 1

Abstract

Abstract Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.

查看原文本刊更多论文

已验证的混合敏感并发程序的安全编译

仅仅通过源代码证明程序不会泄露敏感数据，在推理和现实之间留下了一个缺口，这个缺口只能通过对编译器行为的解释来填补。此外，软件并不总是能够将自己限制为单线程计算，并将资源静态地专用于每个用户，以确保其数据的机密性。这导致了混合灵敏度并发程序，它可能重用线程之间共享的内存，以在不同时间保存不同灵敏度级别的数据;对于这样的程序，编译器必须保留这种混合敏感性重用的依赖于值的协调，尽管存在并发性的影响。在这里，我们使用Isabelle/HOL证明，对于混合灵敏度并发程序，可以验证编译器是否保留了最严格的机密性——不干扰性。首先，我们提出了一些精化的概念，这些概念保留了我们为支持此类程序而设计的并发值相关的不干扰概念。由于证明保持不干扰的细化可能比通常用于验证保持语义的编译的标准细化要复杂得多，因此我们的概念包括一个分解原则，该原则将语义保存与安全保存问题分离开来。其次，我们证明了这些改进概念适用于经过验证的安全编译，通过在使用互斥锁同步的混合灵敏度并发程序的单遍编译器上执行它们，从通用命令式语言到通用risc风格的汇编语言。最后，我们在一个重要的混合灵敏度并发程序上执行编译器，该程序对真实世界的用例进行建模，从而自动将其源代码级的不干扰属性保留到汇编级模型。所有结果都在Isabelle/HOL交互式证明助手中进行形式化和证明。我们的工作为功能更全面的编译器铺平了道路，为多线程软件的开发人员提供经过验证的安全编译支持，这些软件必须处理多个敏感级别的数据。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Functional Programming 工程技术-计算机：软件工程

CiteScore

1.70

自引率

0.00%

发文量

审稿时长

>12 weeks

期刊介绍： Journal of Functional Programming is the only journal devoted solely to the design, implementation, and application of functional programming languages, spanning the range from mathematical theory to industrial practice. Topics covered include functional languages and extensions, implementation techniques, reasoning and proof, program transformation and synthesis, type systems, type theory, language-based security, memory management, parallelism and applications. The journal is of interest to computer scientists, software engineers, programming language researchers and mathematicians interested in the logical foundations of programming.