已验证的混合敏感并发程序的安全编译

IF 1.1 3区 计算机科学 Q4 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Robert Sison, Toby C. Murray
{"title":"已验证的混合敏感并发程序的安全编译","authors":"Robert Sison, Toby C. Murray","doi":"10.1017/S0956796821000162","DOIUrl":null,"url":null,"abstract":"Abstract Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.","PeriodicalId":15874,"journal":{"name":"Journal of Functional Programming","volume":"31 1","pages":""},"PeriodicalIF":1.1000,"publicationDate":"2020-10-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1017/S0956796821000162","citationCount":"1","resultStr":"{\"title\":\"Verified secure compilation for mixed-sensitivity concurrent programs\",\"authors\":\"Robert Sison, Toby C. Murray\",\"doi\":\"10.1017/S0956796821000162\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Abstract Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.\",\"PeriodicalId\":15874,\"journal\":{\"name\":\"Journal of Functional Programming\",\"volume\":\"31 1\",\"pages\":\"\"},\"PeriodicalIF\":1.1000,\"publicationDate\":\"2020-10-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1017/S0956796821000162\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Functional Programming\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1017/S0956796821000162\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Functional Programming","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1017/S0956796821000162","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
引用次数: 1

摘要

仅仅通过源代码证明程序不会泄露敏感数据,在推理和现实之间留下了一个缺口,这个缺口只能通过对编译器行为的解释来填补。此外,软件并不总是能够将自己限制为单线程计算,并将资源静态地专用于每个用户,以确保其数据的机密性。这导致了混合灵敏度并发程序,它可能重用线程之间共享的内存,以在不同时间保存不同灵敏度级别的数据;对于这样的程序,编译器必须保留这种混合敏感性重用的依赖于值的协调,尽管存在并发性的影响。在这里,我们使用Isabelle/HOL证明,对于混合灵敏度并发程序,可以验证编译器是否保留了最严格的机密性——不干扰性。首先,我们提出了一些精化的概念,这些概念保留了我们为支持此类程序而设计的并发值相关的不干扰概念。由于证明保持不干扰的细化可能比通常用于验证保持语义的编译的标准细化要复杂得多,因此我们的概念包括一个分解原则,该原则将语义保存与安全保存问题分离开来。其次,我们证明了这些改进概念适用于经过验证的安全编译,通过在使用互斥锁同步的混合灵敏度并发程序的单遍编译器上执行它们,从通用命令式语言到通用risc风格的汇编语言。最后,我们在一个重要的混合灵敏度并发程序上执行编译器,该程序对真实世界的用例进行建模,从而自动将其源代码级的不干扰属性保留到汇编级模型。所有结果都在Isabelle/HOL交互式证明助手中进行形式化和证明。我们的工作为功能更全面的编译器铺平了道路,为多线程软件的开发人员提供经过验证的安全编译支持,这些软件必须处理多个敏感级别的数据。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Verified secure compilation for mixed-sensitivity concurrent programs
Abstract Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency. Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics preservation from security preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a non-trivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. All results are formalised and proved in the Isabelle/HOL interactive proof assistant. Our work paves the way for more fully featured compilers to offer verified secure compilation support to developers of multithreaded software that must handle data of multiple sensitivity levels.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Functional Programming
Journal of Functional Programming 工程技术-计算机:软件工程
CiteScore
1.70
自引率
0.00%
发文量
9
审稿时长
>12 weeks
期刊介绍: Journal of Functional Programming is the only journal devoted solely to the design, implementation, and application of functional programming languages, spanning the range from mathematical theory to industrial practice. Topics covered include functional languages and extensions, implementation techniques, reasoning and proof, program transformation and synthesis, type systems, type theory, language-based security, memory management, parallelism and applications. The journal is of interest to computer scientists, software engineers, programming language researchers and mathematicians interested in the logical foundations of programming.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信