Open access

Reasoning about a Machine with Local Capabilities: Provably Safe Stack and Return Pointer Management

Published: 10 December 2019

Abstract

    Capability machines provide security guarantees at the machine level, which makes them an interesting target for secure compilation schemes that provably enforce properties such as control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention. We define a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety) and use it to prove control-flow correctness and encapsulation of local state. The logical relation is not specific to our calling convention and can be used to reason about arbitrary programs.
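    The following Python model is an added illustration of the two hardware checks the abstract relies on; it is not code from the paper and does not reproduce its formal model. A capability carries permissions, bounds and a cursor, and every load and store is checked against them. On top of that, a global/local bit restricts where a capability may be stored: a local capability can only be written through a capability that also carries a write-local permission. Giving the stack region (and only the stack region) that permission is what keeps a stack capability handed to an untrusted callee from being stashed in global memory and reused after the call. The permission encoding, memory layout, the `attempt` helper and the `run_call_scenario` driver are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Permission bits of this toy machine (an assumption of the example, not the
# paper's permission lattice). WRITE_LOCAL is the extra permission a memory
# region must carry before local capabilities may be stored into it.
READ, WRITE, EXEC, WRITE_LOCAL = 1, 2, 4, 8


@dataclass(frozen=True)
class Cap:
    """A capability: authority (perms) over [base, end) plus a cursor address.
    `local` marks capabilities that must not escape into ordinary
    (non-WRITE_LOCAL) memory, which is how a stack pointer handed to a callee
    is kept from outliving the call."""
    perms: int
    base: int
    end: int          # exclusive
    addr: int
    local: bool = False

    def has(self, p: int) -> bool:
        return (self.perms & p) == p          # parenthesised: == binds tighter than &

    def in_bounds(self) -> bool:
        return self.base <= self.addr < self.end

    def at(self, addr: int) -> "Cap":
        """Move the cursor; authority, bounds and locality are unchanged."""
        return Cap(self.perms, self.base, self.end, addr, self.local)


class CapFault(Exception):
    """Raised when the machine refuses an access or a derivation."""


class Machine:
    def __init__(self, size: int) -> None:
        # Memory words hold either integers or capabilities (tagged memory).
        self.mem: list = [0] * size

    def load(self, c: Cap):
        if not (c.has(READ) and c.in_bounds()):
            raise CapFault(f"load denied at {c.addr}")
        return self.mem[c.addr]

    def store(self, c: Cap, w) -> None:
        if not (c.has(WRITE) and c.in_bounds()):
            raise CapFault(f"store denied at {c.addr}")
        # Locality rule: a local capability may only be written through a
        # capability that also carries WRITE_LOCAL.
        if isinstance(w, Cap) and w.local and not c.has(WRITE_LOCAL):
            raise CapFault(f"local capability may not be stored at {c.addr}")
        self.mem[c.addr] = w


def restrict(c: Cap, perms: int, base: int, end: int) -> Cap:
    """Derive a weaker capability. Authority can only shrink: no new
    permission bits, no wider bounds, and locality is inherited."""
    if perms & ~c.perms or base < c.base or end > c.end or base > end:
        raise CapFault("cannot increase authority")
    return Cap(perms, base, end, base, c.local)


def attempt(m: Machine, action: Callable[[], object]) -> str:
    """Run one machine step and report whether the hardware check let it through."""
    try:
        action()
        return "ok"
    except CapFault:
        return "fault"


def run_call_scenario() -> dict:
    """Caller keeps a secret in its stack frame, then calls untrusted code with
    a restricted stack capability; the callee tries the obvious attacks."""
    m = Machine(32)
    # Constructed layout: global heap at 0..16 (no WRITE_LOCAL), stack at
    # 16..32. The stack capability itself is local.
    heap = Cap(READ | WRITE, 0, 16, 0)
    stack = Cap(READ | WRITE | WRITE_LOCAL, 16, 32, 16, local=True)

    secret = 0xC0FFEE
    m.store(stack.at(16), secret)                      # caller's frame: 16..20
    callee_stack = restrict(stack, READ | WRITE | WRITE_LOCAL, 20, 32)

    return {
        # Encapsulation of local state: the callee's capability cannot reach
        # the caller's frame.
        "read_caller_frame": attempt(m, lambda: m.load(callee_stack.at(16))),
        # The callee may still spill local capabilities into its own frame.
        "spill_on_stack": attempt(m, lambda: m.store(callee_stack.at(20), callee_stack)),
        # ...but cannot stash the (local) stack capability in global memory
        # to reuse it after returning.
        "stash_in_heap": attempt(m, lambda: m.store(heap.at(0), callee_stack)),
        # Plain data still flows to the heap as usual.
        "store_int_in_heap": attempt(m, lambda: m.store(heap.at(1), 42)),
        # Re-deriving cannot widen bounds back over the caller's frame.
        "widen_bounds": attempt(m, lambda: restrict(callee_stack, READ, 16, 32)),
        "secret_intact": m.load(stack.at(16)) == secret,
    }


if __name__ == "__main__":
    for check, outcome in run_call_scenario().items():
        print(f"{check:20} {outcome}")
```

    Note what the model leaves out: the `spill_on_stack` case shows that a callee can still leave a local capability lying in its own frame, which is why a calling convention built on this mechanism also has to clear stack memory around calls and returns, and why the paper treats the encoding of return pointers separately. Those parts of the convention, and the logical relation used to prove them sound, are not captured by the toy above.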


    Published In

    ACM Transactions on Programming Languages and Systems, Volume 42, Issue 1
    Special Issue on ESOP 2018
    March 2020
    215 pages
    ISSN:0164-0925
    EISSN:1558-4593
    DOI:10.1145/3373084
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 10 December 2019
    Accepted: 01 August 2019
    Revised: 01 August 2019
    Received: 01 May 2018
    Published in TOPLAS Volume 42, Issue 1

    Author Tags

    1. CHERI
    2. Capability machines
    3. local capabilities
    4. logical relations
    5. secure compilation
    6. stack encapsulation
    7. well-bracketed control flow

    Qualifiers

    • Research-article
    • Research
    • Refereed

    Funding Sources

    • STSM
    • ModuRes Sapere Aude Advanced Grant from The Danish Council for Independent Research for the Natural Sciences (FNU)
    • COST Action EUTypes
    • Research Foundation Flanders (FWO)

    Article Metrics

    • Downloads (last 12 months): 108
    • Downloads (last 6 weeks): 14
    Reflects downloads up to 26 Jul 2024

    Cited By

    • (2024) Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code. Journal of the ACM 71(1), 1-59. DOI 10.1145/3623510. Online publication date: 11 Feb 2024.
    • (2023) SecureCells: A Secure Compartmentalized Architecture. 2023 IEEE Symposium on Security and Privacy (SP), 2921-2939. DOI 10.1109/SP46215.2023.10179472. Online publication date: May 2023.
    • (2023) Formalizing Stack Safety as a Security Property. 2023 IEEE 36th Computer Security Foundations Symposium (CSF), 356-371. DOI 10.1109/CSF57540.2023.00037. Online publication date: Jul 2023.
    • (2023) A Generic Framework to Develop and Verify Security Mechanisms at the Microarchitectural Level: Application to Control-Flow Integrity. 2023 IEEE 36th Computer Security Foundations Symposium (CSF), 372-387. DOI 10.1109/CSF57540.2023.00029. Online publication date: Jul 2023.
    • (2022) Le temps des cerises: efficient temporal stack safety on capability machines using directed capabilities. Proceedings of the ACM on Programming Languages 6(OOPSLA1), 1-30. DOI 10.1145/3527318. Online publication date: 29 Apr 2022.
    • (2022) Verified Security for the Morello Capability-enhanced Prototype Arm Architecture. Programming Languages and Systems, 174-203. DOI 10.1007/978-3-030-99336-8_7. Online publication date: 5 Apr 2022.
    • (2021) Exorcising Spectres with Secure Compilers. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 445-461. DOI 10.1145/3460120.3484534. Online publication date: 12 Nov 2021.
    • (2021) Efficient and provable local capability revocation using uninitialized capabilities. Proceedings of the ACM on Programming Languages 5(POPL), 1-30. DOI 10.1145/3434287. Online publication date: 4 Jan 2021.
