Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The existing C to CHERI compiler, for example, achieves memory safety by following a principle called “pointers as capabilities” (PAC). Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide security guarantees for a compilation unit, even if that compilation unit is later linked to attacker-provided machine code.As such, this paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which should be of broad interest because it reuses the whole-program compiler correctness relation for full abstraction, thus saving work. We also implement our scheme for C on CHERI, show that we can compile legacy C code with minimal changes, and show that the performance overhead of compiled code is roughly proportional to the number of cross-compilation-unit function calls.

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle / El-Korashy, Akram; Tsampas, Stelios; Patrignani, Marco; Devriese, Dominique; Garg, Deepak; Piessens, Frank. - 2021-:(2021), pp. 265-280. (Intervento presentato al convegno 34th IEEE Computer Security Foundations Symposium, CSF 2021 tenutosi a Dubrovnik, Croazia nel 21-25 June , 2021) [10.1109/CSF51468.2021.00036].

CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle

Patrignani, Marco;
2021-01-01

Abstract

Capability machines such as CHERI provide memory capabilities that can be used by compilers to provide security benefits for compiled code (e.g., memory safety). The existing C to CHERI compiler, for example, achieves memory safety by following a principle called “pointers as capabilities” (PAC). Informally, PAC says that a compiler should represent a source language pointer as a machine code capability. But the security properties of PAC compilers are not yet well understood. We show that memory safety is only one aspect, and that PAC compilers can provide significant additional security guarantees for partial programs: the compiler can provide security guarantees for a compilation unit, even if that compilation unit is later linked to attacker-provided machine code.As such, this paper is the first to study the security of PAC compilers for partial programs formally. We prove for a model of such a compiler that it is fully abstract. The proof uses a novel proof technique (dubbed TrICL, read trickle), which should be of broad interest because it reuses the whole-program compiler correctness relation for full abstraction, thus saving work. We also implement our scheme for C on CHERI, show that we can compile legacy C code with minimal changes, and show that the performance overhead of compiled code is roughly proportional to the number of cross-compilation-unit function calls.
2021
34th IEEE Computer Security Foundations Symposium, {CSF} 2021, Dubrovnik,Croatia, June 21-25, 2021
Piscataway, NJ USA
IEEE
978-1-7281-7607-9
El-Korashy, Akram; Tsampas, Stelios; Patrignani, Marco; Devriese, Dominique; Garg, Deepak; Piessens, Frank
CapablePtrs: Securely Compiling Partial Programs Using the Pointers-as-Capabilities Principle / El-Korashy, Akram; Tsampas, Stelios; Patrignani, Marco; Devriese, Dominique; Garg, Deepak; Piessens, Frank. - 2021-:(2021), pp. 265-280. (Intervento presentato al convegno 34th IEEE Computer Security Foundations Symposium, CSF 2021 tenutosi a Dubrovnik, Croazia nel 21-25 June , 2021) [10.1109/CSF51468.2021.00036].
File in questo prodotto:
File Dimensione Formato  
main.pdf

Solo gestori archivio

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 464.63 kB
Formato Adobe PDF
464.63 kB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/336481
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 6
  • ???jsp.display-item.citation.isi??? 2
  • OpenAlex ND
social impact