research-article

Open Access

Secure Compilation to Protected Module Architectures

Authors:
Marco Patrignani

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

,
Pieter Agten

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

,
Raoul Strackx

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

,
Bart Jacobs

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

,
Dave Clarke

Dept. Information Technology, Uppsala, Sweden and iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

Dept. Information Technology, Uppsala, Sweden and iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

,
Frank Piessens

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium

iMinds-DistriNet, Dept. Computer Science, KU Leuven, Belgium
View Profile

ACM Transactions on Programming Languages and Systems Volume 37 Issue 2Article No.: 6pp 1–50https://doi.org/10.1145/2699503

Published:16 April 2015Publication History

ACM Transactions on Programming Languages and Systems

Abstract

A fully abstract compiler prevents security features of the source language from being bypassed by an attacker operating at the target language level. Unfortunately, developing fully abstract compilers is very complex, and it is even more so when the target language is an untyped assembly language. To provide a fully abstract compiler that targets untyped assembly, it has been suggested to extend the target language with a protected module architecture—an assembly-level isolation mechanism which can be found in next-generation processors. This article provides a fully abstract compilation scheme whose source language is an object-oriented, high-level language and whose target language is such an extended assembly language. The source language enjoys features such as dynamic memory allocation and exceptions. Secure compilation of first-order method references, cross-package inheritance, and inner classes is also presented. Moreover, this article contains the formal proof of full abstraction of the compilation scheme. Measurements of the overhead introduced by the compilation scheme indicate that it is negligible.

References

Martín Abadi. 1999. Protection in programming-language translations. In Secure Internet Programming. Springer-Verlag, London, UK, 19--34. Google ScholarDigital Library
Martín Abadi and Gordon D. Plotkin. 2012. On protection by layout randomization. ACM Trans. Inf. Syst. Secur. 15, 2, Article 8 (July 2012), 29 pages. DOI:http://dx.doi.org/10.1145/2240276.2240279 Google ScholarDigital Library
Saleh E. Abdullahi and Graem A. Ringwood. 1998. Garbage collecting the internet: A survey of distributed garbage collection. ACM Comput. Surv. 30, 3 (Sept. 1998), 330--373. DOI:http://dx.doi.org/10.1145/292469.292471 Google ScholarDigital Library
Pieter Agten, Bart Jacobs, and Frank Piessens. 2015. Sound modular verification of C code executing in an unverified context. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’15). Google ScholarDigital Library
Pieter Agten, Raoul Strackx, Bart Jacobs, and Frank Piessens. 2012. Secure compilation to modern processors. In Proceedings of the 2012 IEEE 25th Computer Security Foundations Symposium (CSF’12). IEEE Computer Society, Washington, DC, Article 12, 15 pages. DOI:http://dx.doi.org/10.1109/CSF.2012.12 Google ScholarDigital Library
Amal Ahmed and Matthias Blume. 2011. An equivalence-preserving CPS translation via multi-language semantics. SIGPLAN Not. 46, 9, Article 30 (Sept. 2011), 14 pages. DOI:http://dx.doi.org/10.1145/2034574.2034830 Google ScholarDigital Library
Ittai Anati, Shay Gueron, S. Johnson, and V. Scarlata. 2013. Innovative technology for CPU based attestation and sealing. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP’13), Vol. 13.Google Scholar
Niels Avonds, Raoul Strackx, Pieter Agten, and Frank Piessens. 2013. Salus: Non-hierarchical memory access rights to enforce the principle of least privilege. In Security and Privacy in Communication Networks (SecureComm’13).Google Scholar
Adam Chlipala. 2007. A certified type-preserving compiler from lambda calculus to assembly language. SIGPLAN Not. 42, 6, Article 5 (June 2007), 12 pages. DOI:http://dx.doi.org/10.1145/1273442.1250742 Google ScholarDigital Library
Pierre-Louis Curien. 2007. Definability and full abstraction. Electron. Notes Theor. Comput. Sci. 172 (April 2007), 301--310. DOI:http://dx.doi.org/10.1016/j.entcs.2007.02.011 Google ScholarDigital Library
Frank S. de Boer, Marcello M. Bonsangue, Martin Steffen, and Erika ÁbrahÁm. 2005. A fully abstract semantics for UML components. In Proceedings of the 3rd International Conference on Formal Methods for Components and Objects (FMCO’04). Springer-Verlag, Berlin, 49--69. DOI:http://dx.doi.org/10.1007/11561163&lowbar;3 Google ScholarDigital Library
Roland Ducournau. 2011. Implementing statically typed object-oriented programming languages. ACM Comput. Surv. 43, 3, Article 18 (April 2011), 48 pages. DOI:http://dx.doi.org/10.1145/1922649.1922655 Google ScholarDigital Library
Karim Eldefrawy, Aurélien Francillon, Daniele Perito, and Gene Tsudik. 2012. SMART: Secure and minimal architecture for (establishing a dynamic) root of trust. In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS’12).Google Scholar
Ulfar Erlingsson, Yves Younan, and Frank Piessens. 2010. Low-level software security by example. In Handbook of Information and Communication Security. Springer, Berlin, 663--658.Google Scholar
David Flanagan. 1998. Java in a Nutshell. Deutsche Ausgabe der 2. A. O’Reilly.Google Scholar
Cedric Fournet, Nikhil Swamy, Juan Chen, Pierre-Evariste Dagand, Pierre-Yves Strub, and Benjamin Livshits. 2013. Fully abstract compilation to JavaScript. SIGPLAN Not. 48, 1, Article 26 (Jan. 2013), 14 pages. DOI:http://dx.doi.org/10.1145/2480359.2429114 Google ScholarDigital Library
J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. 2008. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of the USENIX Security Symposium. 45--60. Google ScholarDigital Library
Matthew Hoekstra, Reshma Lal, Pradeep Pappachan, Vinay Phegade, and Juan Del Cuvillo. 2013. Using innovative instructions to create trustworthy software solutions. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. ACM, 11. Retrieved from Google ScholarDigital Library
Andrei Homescu, Steven Neisius, Per Larsen, Stefan Brunthaler, and Michael Franz. 2013. Profile-guided automated software diversity. In Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO’13). IEEE Computer Society, Washington, DC, 1--11. DOI:http://dx.doi.org/10.1109/CGO.2013.6494997 Google ScholarDigital Library
Intel Corporation. 2013. Software Guard Extensions Programming Reference. Retrieved from http://software.intel.com/sites/default/files/329298-001.pdf.Google Scholar
Radha Jagadeesan, Corin Pitcher, Julian Rathke, and James Riely. 2011. Local memory via layout randomization. In Proceedings of the 2011 IEEE 24th Computer Security Foundations Symposium (CSF’11). IEEE Computer Society, Washington, DC, 161--174. DOI:http://dx.doi.org/10.1109/CSF.2011.18 Google ScholarDigital Library
Alan Jeffrey and Julian Rathke. 2005a. A fully abstract may testing semantics for concurrent objects. Theor. Comput. Sci. 338, 1--3 (June 2005), 17--63. DOI:http://dx.doi.org/10.1016/j.tcs.2004.10.012 Google ScholarDigital Library
Alan Jeffrey and Julian Rathke. 2005b. Java Jr.: Fully abstract trace semantics for a core Java language. In ESOP’05 (LNCS), Vol. 3444. Springer, 423--438. DOI:http://dx.doi.org/10.1007/978-3-540-31987-0&lowbar;29 Google ScholarCross Ref
Andrew Kennedy. 2006. Securing the .NET programming model. Theor. Comput. Sci. 364, 3 (Nov. 2006), 311--317. DOI:http://dx.doi.org/10.1016/j.tcs.2006.08.014 Google ScholarDigital Library
Per Larsen, Stefan Brunthaler, and Michael Franz. 2014. Security through diversity: Are we there yet&quest; IEEE Security & Privacy 12, 2 (2014), 28--35. DOI:http://dx.doi.org/10.1109/MSP.2013.129Google ScholarCross Ref
Chris Lattner and Vikram Adve. 2004. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the 2004 International Symposium on Code Generation and Optimization (CGO’’04). Google ScholarDigital Library
Xavier Leroy. 2009. A formally verified compiler back-end. J. Autom. Reason. 43, 4 (Dec. 2009), 363--446. DOI:http://dx.doi.org/10.1007/s10817-009-9155-4 Google ScholarDigital Library
Jonathan M. McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Virgil Gligor, and Adrian Perrig. 2010. TrustVisor: Efficient TCB reduction and attestation. In SP’10. IEEE, Washington, DC, 143--158. DOI:http://dx.doi.org/10.1109/SP.2010.17 Google ScholarDigital Library
Jonathan M. McCune, Bryan J. Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki. 2008. Flicker: An execution infrastructure for TCB minimization. SIGOPS Oper. Syst. Rev. 42, 4, Article 24 (April 2008), 14 pages. DOI:http://dx.doi.org/10.1145/1357010.1352625 Google ScholarDigital Library
Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. In HASP’13. ACM, Article 10, 1 pages. DOI:http://dx.doi.org/10.1145/2487726.2488368 Google ScholarDigital Library
Greg Morrisett, David Walker, Karl Crary, and Neal Glew. 1999. From system f to typed assembly language. ACM Trans. Program. Lang. Syst. 21, 3 (May 1999), 527--568. DOI:http://dx.doi.org/10.1145/319301.319345 Google ScholarDigital Library
Job Noorman, Pieter Agten, Wilfried Daniels, Raoul Strackx, Anthony Van Herrewege, Christophe Huygens, Bart Preneel, Ingrid Verbauwhede, and Frank Piessens. 2013. Sancus: Low-cost trustworthy extensible networked devices with a zero-software Trusted Computing Base. In Proceedings of the 22nd USENIX Conference on Security Symposium. USENIX Association. Google ScholarDigital Library
Marco Patrignani and Dave Clarke. 2014. Fully abstract trace semantics of low-level isolation mechanisms. In Proceedings of the 29th Annual ACM Symposium on Applied Computing (SAC’14). Google ScholarDigital Library
Marco Patrignani, Dave Clarke, and Frank Piessens. 2013. Secure compilation of object-oriented components to protected module architectures. In APLAS’13 (LNCS), Vol. 8301. 176--191. Google ScholarDigital Library
Gordon D. Plotkin. 1977. LCF considered as a programming language. Theoretical Computer Science 5 (1977), 223--255.Google ScholarCross Ref
Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage. 2012. Return-oriented programming: Systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15, 1, Article 2 (March 2012), 34 pages. DOI:http://dx.doi.org/10.1145/2133375.2133377 Google ScholarDigital Library
Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. 2004. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS’04). ACM, New York, NY, 298--307. DOI:http://dx.doi.org/10.1145/1030083.1030124 Google ScholarDigital Library
Lenin Singaravelu, Calton Pu, Hermann Härtig, and Christian Helmuth. 2006. Reducing TCB complexity for security-sensitive applications: Three case studies. SIGOPS Oper. Syst. Rev. 40, 4, Article 13 (April 2006), 14 pages. DOI:http://dx.doi.org/10.1145/1218063.1217951 Google ScholarDigital Library
Raoul Strackx, Job Noorman, Ingrid Verbauwhede, Bart Preneel, and Frank Piessens. 2013. Protected software module architectures. In Proceedings of the ISSE 2013 Securing Electronic Business Processes, Helmut Reimer, Norbert Pohlmann, and Wolfgang Schneider (Eds.). Springer, 241--251. DOI:http://dx.doi.org/10.1007/978-3-658-03371-2&lowbar;21Google ScholarCross Ref
Raoul Strackx and Frank Piessens. 2012. Fides: Selectively hardening software application components against kernel-level or process-level Malware. In Proceedings of the 2012 ACM conference on Computer and Communications Security (CCS’12). ACM, New York, NY, 2--13. DOI:http://dx.doi.org/10.1145/2382196.2382200 Google ScholarDigital Library
Raoul Strackx, Frank Piessens, and Bart Preneel. 2010. Efficient isolation of trusted subsystems in embedded systems. In SecureComm. 344--361.Google Scholar
Raoul Strackx, Yves Younan, Pieter Philippaerts, Frank Piessens, Sven Lachmund, and Thomas Walter. 2009. Breaking the memory secrecy assumption. In Proceedings of the 2nd European Workshop on System Security (EUROSEC’09). ACM, New York, NY. DOI:http://dx.doi.org/10.1145/1519144.1519145 Google ScholarDigital Library
Marko van Dooren, Dave Clarke, and Bart Jacobs. 2013. Subobject-oriented programming. In Formal Methods for Components and Objects (Lecture Notes in Computer Science), Vol. 7866. Springer, Berlin, 38--82. DOI:http://dx.doi.org/10.1007/978-3-642-40615-7&lowbar;2Google ScholarCross Ref
Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James Newsome, and Anupam Datta. 2013. Design, implementation and verification of an extensible and modular hypervisor framework. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP’13). IEEE Computer Society, Washington, DC, 430--444. DOI:http://dx.doi.org/10.1109/SP.2013.36 Google ScholarDigital Library
Richard Wartell, Vishwath Mohan, Kevin W. Hamlen, and Zhiqiang Lin. 2012. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS’12). ACM, New York, NY, 157--168. DOI:http://dx.doi.org/10.1145/2382196.2382216 Google ScholarDigital Library
Johannes Winter and Kurt Dietrich. 2012. A hijacker’s guide to the LPC bus., In Proceedings of the 8th European conference on Public Key Infrastructures, Services, and Applications (EuroPKI’11). 176--193. Google ScholarDigital Library
Emmett Witchel, Josh Cates, and Krste Asanović. 2002. Mondrian memory protection. SIGPLAN Not. 37, 10 (Oct. 2002), 304--316. DOI:http://dx.doi.org/10.1145/605432.605429 Google ScholarDigital Library
Yves Younan. 2008. Efficient Countermeasures for Software Vulnerabilities due to Memory Management Errors. Ph.D. Dissertation. Informatics Section, Department of Computer Science, Faculty of Engineering Science.Google Scholar
Yves Younan, Wouter Joosen, and Frank Piessens. 2012. Runtime countermeasures for code injection attacks against C and C++ programs. Comput. Surveys 44, 3 (2012), 17:1--17:28. Google ScholarDigital Library

Index Terms

Recommendations

Robustly Safe Compilation, an Efficient Form of Secure Compilation

Security-preserving compilers generate compiled code that withstands target-level attacks such as alteration of control flow, data leaks, or memory corruption. Many existing security-preserving compilers are proven to be fully abstract, meaning that they ...
Read More
Formal Approaches to Secure Compilation: A Survey of Fully Abstract Compilation and Related Work

Secure compilation is a discipline aimed at developing compilers that preserve the security properties of the source programs they take as input in the target programs they produce as output. This discipline is broad in scope, targeting languages with a ...
Read More
Fully abstract compilation via universal embedding
ICFP 2016: Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming

A fully abstract compiler guarantees that two source components are observationally equivalent in the source language if and only if their translations are observationally equivalent in the target. Full abstraction implies the translation is secure: ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Programming Languages and Systems Volume 37, Issue 2
April 2015
106 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/2764452
Editor:
Jens Palsberg
University of California, Los Angeles, USA
Issue’s Table of Contents
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 16 April 2015
- Accepted: 1 October 2014
- Revised: 1 July 2014
- Received: 1 January 2014
Published in toplas Volume 37, Issue 2

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Fully abstract compilation
protected module architecture
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 59
  Total Citations
  View Citations
- 632
  Total Downloads
- Downloads (Last 12 months)90
- Downloads (Last 6 weeks)13
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Secure Compilation to Protected Module Architectures

ACM Transactions on Programming Languages and Systems

Abstract

References

Cited By

Index Terms

Recommendations

Robustly Safe Compilation, an Efficient Form of Secure Compilation

Formal Approaches to Secure Compilation: A Survey of Fully Abstract Compilation and Related Work

Fully abstract compilation via universal embedding

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

Secure Compilation to Protected Module Architectures

ACM Transactions on Programming Languages and Systems

Abstract

References

Cited By

Index Terms

Recommendations

Robustly Safe Compilation, an Efficient Form of Secure Compilation

Formal Approaches to Secure Compilation: A Survey of Fully Abstract Compilation and Related Work

Fully abstract compilation via universal embedding

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media