DOI: 10.1145/3658644.3670288
Research article (Open access)

SECOMP: Formally Secure Compilation of Compartmentalized C Programs

Published: 09 December 2024

Abstract

Undefined behavior in C often causes devastating security vulnerabilities. One practical mitigation is compartmentalization, which allows developers to structure large programs into mutually distrustful compartments with clearly specified privileges and interactions. In this paper we introduce SECOMP, a compiler for compartmentalized C code that comes with machine-checked proofs guaranteeing that the scope of undefined behavior is restricted to the compartments that encounter it and become dynamically compromised. These guarantees are formalized as the preservation of safety properties against adversarial contexts, a secure compilation criterion similar to full abstraction, and this is the first time such a strong criterion is proven for a mainstream programming language. To achieve this we extend the languages of the CompCert verified C compiler with isolated compartments that can only interact via procedure calls and returns, as specified by cross-compartment interfaces. We adapt the passes and optimizations of CompCert as well as their correctness proofs to this compartment-aware setting. We then use compiler correctness as an ingredient in a larger secure compilation proof that involves several proof engineering novelties, needed to scale formally secure compilation up to a C compiler.

Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN:9798400706363
DOI:10.1145/3658644
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. CompCert
  2. Coq
  3. compartmentalization
  4. dynamic compromise
  5. machine-checked proofs
  6. secure compilation
  7. undefined behavior

Conference: CCS '24

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
