Per-Thread Compositional Compilation for Confidentiality-Preserving - - PowerPoint PPT Presentation


SLIDE 1

THE UNIVERSITY OF NEW SOUTH WALES

Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs

Robert Sison 13 Jan 2018

www.data61.csiro.au

SLIDES 2-5

A confidentiality-preserving program

Cross Domain Desktop Compositor (CDDC) [Beaumont et al, 2016]

Data61/DSTG project for de-duplicating user-facing hardware.

Challenge #1: value-dependent security classifications

2 | Per-Thread Compositional Compilation for Confidentiality-Preserving Concurrent Programs | Robert Sison

SLIDES 6-8

A confidentiality-preserving concurrent program

Cross Domain Desktop Compositor (CDDC) [Beaumont et al, 2016]

Challenge #2: shared-variable concurrency

CDDC seL4-based software architecture (simplified model):

SLIDES 9-11

Per-thread compositional verification → compilation

Challenge #3: per-thread compositionality of proofs

Mechanized in Isabelle/HOL. (More to appear: EuroS&P’18.)

SLIDES 12-18

Per-thread compositional compilation

Challenge #3: per-thread compositionality of proofs

SLIDES 19-25

This talk: a preview

Part 1: Concurrent value-dependent noninterference
Part 2: Per-thread compositional refinement
Part 3: While-to-RISC compiler verification

SLIDES 26-55

The confidentiality property

Concurrent value-dependent noninterference.

Simplest policy: High → Low (read: High must not flow to Low). The Low, unlocked part of state must remain indistinguishable. Reflects the attacker model.

  • A 2-safety hyperproperty.
  • Timing-sensitive. (Want this for concurrency reasons.)
  • Classification of state as H or L can vary over time.
  • Per-thread, subject to havoc that obeys locking discipline.

Per-thread compositionality theorem [Murray+, CSF’16], instantiated with locking primitives. Under the hood: assume-guarantee on variable access.

Whole-system property: locked state is still not considered to be observable.
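To make the property concrete, here is an added example that is not part of the talk or its Isabelle development: a toy While-style interpreter with a value-dependent policy, loosely modelled on a CDDC buffer whose classification follows the domain it currently serves, and an exhaustive two-run check that is timing-sensitive. The variable names, policy and programs are constructed for illustration; the check covers a single thread and ignores environment havoc, which the talk's compositionality theorem handles separately.

```python
from itertools import product

# Constructed toy While-style language (not the talk's Isabelle model).
# Statement forms:
#   ('assign', var, expr)     expr: callable taking the state dict
#   ('if', cond, then, else)  cond: callable returning bool; branches are lists
#   ('while', cond, body)
# A configuration is (remaining statements, state). Every small step costs
# one unit of time, which is what makes the check below timing-sensitive.

def step(stmts, state):
    """Take one small step and return the new configuration."""
    head, rest = stmts[0], stmts[1:]
    kind = head[0]
    if kind == 'assign':
        _, var, expr = head
        new_state = dict(state)
        new_state[var] = expr(state)
        return rest, new_state
    if kind == 'if':
        _, cond, then, els = head
        return (then if cond(state) else els) + rest, state
    if kind == 'while':
        _, cond, body = head
        return (body + [head] if cond(state) else []) + rest, state
    raise ValueError(f"unknown statement {kind}")

def level(policy, state, var):
    """Value-dependent classification: a policy entry is 'L', 'H', or a
    function of the current state (a buffer is High only while it holds
    data from the high domain)."""
    entry = policy[var]
    return entry(state) if callable(entry) else entry

def low_equiv(policy, s1, s2):
    """Two states are low-equivalent when every variable has the same
    classification in both and Low-classified variables have equal values."""
    for var in policy:
        l1, l2 = level(policy, s1, var), level(policy, s2, var)
        if l1 != l2 or (l1 == 'L' and s1[var] != s2[var]):
            return False
    return True

def noninterferent(prog, policy, values=(0, 1), bound=50):
    """2-safety check over all pairs of low-equivalent initial states drawn
    from a small value domain: the pair must stay low-equivalent after every
    lockstep step and must terminate at the same step. Runs longer than
    `bound` steps are not explored further (toy limitation)."""
    names = sorted(policy)
    states = [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]
    for s1, s2 in product(states, repeat=2):
        if not low_equiv(policy, s1, s2):
            continue
        c1, c2 = (list(prog), s1), (list(prog), s2)
        for _ in range(bound):
            done1, done2 = not c1[0], not c2[0]
            if done1 != done2:
                return False          # one run finished earlier: timing leak
            if done1:
                break
            c1, c2 = step(*c1), step(*c2)
            if not low_equiv(policy, c1[1], c2[1]):
                return False          # Low-visible state diverged

    return True

# Constructed CDDC-flavoured policy: 'dom' says which domain owns 'buf',
# so 'buf' is High exactly while the high domain's data sits in it.
POLICY = {
    'dom': 'L',
    'buf': lambda s: 'H' if s['dom'] == 1 else 'L',
    'secret': 'H',
    'out': 'L',                       # what the attacker can observe
}

# Copies buf to the observable output only while buf is classified Low.
SECURE = [('if', lambda s: s['dom'] == 0,
           [('assign', 'out', lambda s: s['buf'])],
           [('assign', 'out', lambda s: 0)])]

# Copies buf unconditionally: an explicit flow whenever dom == 1.
EXPLICIT_LEAK = [('assign', 'out', lambda s: s['buf'])]

# Same Low result on both paths, but the secret-dependent branch takes one
# step longer: caught only because the check is timing-sensitive.
TIMING_LEAK = [('if', lambda s: s['secret'] == 1,
                [('assign', 'out', lambda s: 0), ('assign', 'out', lambda s: 0)],
                [('assign', 'out', lambda s: 0)])]

if __name__ == '__main__':
    for name, prog in [('SECURE', SECURE), ('EXPLICIT_LEAK', EXPLICIT_LEAK),
                       ('TIMING_LEAK', TIMING_LEAK)]:
        print(name, 'noninterferent' if noninterferent(prog, POLICY) else 'VIOLATION')
```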

SLIDES 56-57

This talk

Part 1: Concurrent value-dependent noninterference
Part 2: Per-thread compositional refinement
Part 3: While-to-RISC compiler verification

SLIDES 58-80

Proof technique for compilation

Per-thread compositional refinement [Murray+, CSF’16]: given bisimulation B establishing the property, nominate R, I s.t. (conditions given as a figure): then B′ (= BT B R I, the target-level bisimulation built from B, R and I) establishes the target-level property.

Simpler proof technique than this! Nominate R, I, abs steps s.t. (conditions given as a figure; I as pc-security). Easy to prove if no H-branching in A, and no new H-branching. Then it suffices to prove: i.e. R a simulation of A′ by A, with provisos...

(See: https://www.isa-afp.org/entries/Dependent_SIFUM_Refinement.html)

Provisos for R, I:

  • R must preserve shared memory contents and locking state.
    ◮ Under the hood: preserve assumptions and guarantees.
    ◮ + any new locations permanently locked, i.e. no new shared state.
  • R must be closed under lock-permitted shared memory havoc.

Similar for I.

SLIDES 81-82

This talk

Part 1: Concurrent value-dependent noninterference
Part 2: Per-thread compositional refinement
Part 3: While-to-RISC compiler verification

SLIDES 83-98

Compiler verification

Per-thread simpler compositional refinement [Murray+, AFP], instantiated with R characterising a compiler.

Proof of concept: a While-to-RISC compiler

  • Based on Fault-Resilient Non-interference [Tedesco et al, 2016].
  • Implemented in Isabelle/HOL, executable, verified.
  • (Note: constant-time execution steps, no cache effects.)
  • e.g. R cases for the If construct, c1 case: the relation is inductive for the smaller program pairs c1, c2.
  • Theorem: R preserves the per-thread compositional value-dependent noninterference property
    ◮ for B produced by our type system (no H-branching).
    ◮ for I asserting equal pc and program text.
  • Theorem: Compiler input is related to its output by R
    ◮ Started with same observable initial state.
    ◮ No branching on H values. (Same as for type system.)
  • Exercised on verified Cross Domain Desktop Compositor model.
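As an added illustration (not the talk's Isabelle compiler), here is a constructed While-to-RISC compiler whose If case has the inductive shape described above, together with an exhaustive target-level check of the invariant I: two runs started from memories that agree on Low variables must keep an equal pc at every step, so a branch on a High value is rejected even when both branches store the same Low data. The source and target languages, variable names and the static L/H policy are assumptions of this example; like the talk's target model it uses constant-time steps and no cache.

```python
from itertools import product

# Constructed toy While-to-RISC compiler and target machine (not the talk's
# Isabelle compiler). Source statements: ('assign', x, e) and
# ('if', e, c1, c2), where e is ('var', x), ('const', n) or ('add', e1, e2)
# and an If tests e != 0. Target instructions:
#   ('li', r, n)  ('load', r, x)  ('store', x, r)  ('add', rd, ra, rb)
#   ('jz', r, addr)  ('jmp', addr)
# Every instruction costs one time unit and there is no cache model.

def compile_expr(e, r):
    """Emit code that leaves the value of e in register r (r+1 is scratch)."""
    if e[0] == 'const':
        return [('li', r, e[1])]
    if e[0] == 'var':
        return [('load', r, e[1])]
    _, a, b = e
    return compile_expr(a, r) + compile_expr(b, r + 1) + [('add', r, r, r + 1)]

def compile_stmts(stmts, base=0):
    """Compile a statement list placed at absolute address `base`. The If
    case has the inductive shape of the relation R in the talk: the
    branches c1 and c2 are compiled recursively at their own addresses."""
    code = []
    for s in stmts:
        here = base + len(code)
        if s[0] == 'assign':
            _, x, e = s
            code += compile_expr(e, 0) + [('store', x, 0)]
        else:
            _, cond, c1, c2 = s
            test = compile_expr(cond, 0)
            t1 = compile_stmts(c1, here + len(test) + 1)
            c2_start = here + len(test) + 1 + len(t1) + 1
            t2 = compile_stmts(c2, c2_start)
            code += (test + [('jz', 0, c2_start)] + t1
                     + [('jmp', c2_start + len(t2))] + t2)
    return code

def run_step(code, pc, regs, mem):
    """Execute one instruction; returns the new (pc, regs, mem)."""
    ins = code[pc]
    regs, mem = dict(regs), dict(mem)
    if ins[0] == 'li':
        regs[ins[1]] = ins[2]
    elif ins[0] == 'load':
        regs[ins[1]] = mem[ins[2]]
    elif ins[0] == 'store':
        mem[ins[1]] = regs[ins[2]]
    elif ins[0] == 'add':
        regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
    elif ins[0] == 'jz':
        return (ins[2] if regs[ins[1]] == 0 else pc + 1), regs, mem
    elif ins[0] == 'jmp':
        return ins[1], regs, mem
    return pc + 1, regs, mem

def pc_secure(code, policy, values=(0, 1)):
    """Exhaustive target-level check of the invariant I: two runs started
    from memories that agree on Low variables must have equal pc after
    every step (same program text, so this rules out H-branching) and
    must agree on Low memory. The policy here is static L/H per variable."""
    names = sorted(policy)
    lows = [x for x in names if policy[x] == 'L']
    mems = [dict(zip(names, v)) for v in product(values, repeat=len(names))]
    for m1, m2 in product(mems, repeat=2):
        if any(m1[x] != m2[x] for x in lows):
            continue
        p1 = p2 = 0
        r1, r2 = {}, {}
        while p1 < len(code):
            p1, r1, m1 = run_step(code, p1, r1, m1)
            p2, r2, m2 = run_step(code, p2, r2, m2)
            if p1 != p2 or any(m1[x] != m2[x] for x in lows):
                return False      # pc diverged (H-branch) or Low data leaked
    return True

POLICY = {'secret': 'H', 'x': 'L', 'y': 'L'}   # constructed classification

# Branches on a Low variable: both runs follow the same jz outcome.
L_BRANCH = [('if', ('var', 'x'),
             [('assign', 'y', ('add', ('var', 'y'), ('const', 1)))],
             [('assign', 'y', ('const', 0))])]

# Branches on a High variable: even though both branches store the same
# Low value, the jz sends the two runs to different addresses.
H_BRANCH = [('if', ('var', 'secret'),
             [('assign', 'y', ('const', 1))],
             [('assign', 'y', ('const', 1))])]

if __name__ == '__main__':
    for name, prog in [('L_BRANCH', L_BRANCH), ('H_BRANCH', H_BRANCH)]:
        code = compile_stmts(prog)
        print(name, len(code), 'instructions,',
              'pc-secure' if pc_secure(code, POLICY) else 'H-branching detected')
```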

SLIDE 103

Limitations and future work ideas

  • Optimisations to non-observable shared memory?
    Possibly too strict. Relax for shared memory out of reach of attacker model?

SLIDE 110

Limitations and future work ideas

  • Optimisations to non-observable shared memory?
  • Can existing compilers be proven to satisfy it? CompCert?
    ◮ small-step semantics, volatile R/W observable
    ◮ simulation of target by source
  • Target models right for timing sensitivity? AVR, wasm?
  • Branching on H values? Exercise with richer B, I:

+

Thank you! Q & A

SLIDE 113

Appendix: Co-habiting attacker?

CDDC case study, again.
Untrusted sink: input device event stream out to Low machine.
What else can we afford to distrust?

SLIDE 116

Appendix: Co-habiting attacker?

CDDC case study, again.
Hypothetically, a co-habiting “attacker”... if it in fact cannot see/touch High nor locked part of state.
This may be reasonable in, e.g. a separation kernel environment.

SLIDE 117

Appendix: “Simpler” refinement

No H-branching (“L-shaped”) obligation.
Provisos and simulation relation: (diagram not recoverable from the slide text)

(See: https://www.isa-afp.org/entries/Dependent_SIFUM_Refinement.html)

SLIDE 118

Appendix: CDDC 3-component architecture verification

Invariant on integrity of Switch’s internal state w.r.t. indicator. To appear: EuroS&P’18.
