SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris

Transcription

1 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 1

2 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision 1

3 SECOMP Efficient Formally Secure Compilers to a Tagged Architecture Cătălin Hrițcu INRIA Paris 5 year vision fresh grant 1

4 The problem: devastating low-level attacks 1. inherently insecure low-level languages (C, C++) memory unsafe: any buffer overflow can be catastrophic allowing remote attackers to gain complete control 2

5 The problem: devastating low-level attacks 1. inherently insecure low-level languages (C, C++) memory unsafe: any buffer overflow can be catastrophic allowing remote attackers to gain complete control 2. unsafe interoperability with lower-level code even code written in safer high-level languages (Java, C#, OCaml) has to interoperate with insecure low-level libraries (C, C++, ASM) unsafe interoperability: all high-level safety guarantees lost 2

6 The problem: devastating low-level attacks 1. inherently insecure low-level languages (C, C++) memory unsafe: any buffer overflow can be catastrophic allowing remote attackers to gain complete control 2. unsafe interoperability with lower-level code even code written in safer high-level languages (Java, C#, OCaml) has to interoperate with insecure low-level libraries (C, C++, ASM) unsafe interoperability: all high-level safety guarantees lost Today s languages & compilers plagued by low-level attacks main culprit: hardware provides no appropriate security mechanisms fixing this purely in software would be way too inefficient 2

7 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring 3

8 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc r0 r1 mem[0] store r0 r1 mem[2] mem[3] 3

9 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 3

10 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 tpc tr0 tr1 tm3 tm1 store monitor 3

11 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 tpc tr0 tr1 tm3 tm1 = store monitor allow tpc tm3 3

12 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 tpc tr0 tr1 tm3 tm1 = store monitor allow tpc tm3 3

13 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 store tpc tr0 tr1 tm3 tm1 monitor allow = tpc tm3 software monitor s decision is hardware cached 3

14 Key enabler: Micro-Policies software-defined, hardware-accelerated, tag-based monitoring pc tpc mem[0] tm0 r0 tr0 store r0 r1 tm1 r1 tr1 mem[2] tm2 mem[3] tm3 tpc tr0 tr1 tm3 tm1 = store monitor disallow policy violation stopped! (e.g. out of bounds write) 3

15 Micro-policies are cool! low level + fine grained: unbounded per-word metadata, checked & propagated on each instruction 4

16 Micro-policies are cool! low level + fine grained: unbounded per-word metadata, checked & propagated on each instruction flexible: tags and monitor defined by software efficient: hardware caching, <10% overhead heap safety, control-flow integrity, taint tracking expressive: complex policies for secure compilation secure and simple enough to verify security in Coq real: FPGA implementation on top of RISC-V [Oakland 13 & 15, POPL 14, ASPLOS 15] 4

17 SECOMP grand challenge Use micro-policies to build the first efficient formally secure compilers for realistic programming languages 5

18 SECOMP grand challenge Use micro-policies to build the first efficient formally secure compilers for realistic programming languages 1. Provide secure semantics for low-level languages C with protected components and memory safety 5

19 SECOMP grand challenge Use micro-policies to build the first efficient formally secure compilers for realistic programming languages 1. Provide secure semantics for low-level languages C with protected components and memory safety 2. Enforce secure interoperability with lower-level code ASM, C, and F* [F* = ML + verification] 5

20 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down 6

21 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down whole program behavior source compiler correctness (e.g. CompCert) compiler whole program behavior target 6

22 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down whole program behavior source component compiler correctness (e.g. CompCert) not enough compiler full abstraction whole program behavior target component low-level attacker 6

23 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down whole program behavior source component high-level attacker compiler correctness (e.g. CompCert) not enough compiler full abstraction whole program behavior target component low-level attacker 6

24 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down whole program behavior source component high-level attacker compiler correctness (e.g. CompCert) not enough compiler full abstraction whole program behavior target component protected low-level attacker no extra power 6

25 Formally verify: full abstraction holy grail of secure compilation, enforcing abstractions all the way down whole program behavior source component high-level attacker secure compiler correctness (e.g. CompCert) not enough full abstraction whole program behavior secure Benefit: sound security reasoning in the source language forget about compiler chain (linker, loader, runtime system) forget that libraries are written in a lower-level language 6

26 SECOMP: achieving full abstraction at scale F* language (ML + verification) mitls* C language + memory safety + components 7

27 SECOMP: achieving full abstraction at scale F* language (ML + verification) C language + memory safety + components SecF* + SecML mitls* 7

28 SECOMP: achieving full abstraction at scale F* language (ML + verification) C language + memory safety + components SecF* + SecML mitls* memory safe C component 7

29 SECOMP: achieving full abstraction at scale F* language (ML + verification) C language + memory safety + components SecF* + SecML mitls* memory safe C component 7

30 SECOMP: achieving full abstraction at scale F* language (ML + verification) C language + memory safety + components SecF* + SecML CompSec + mitls* memory safe C component ASM language (RISC-V + micro-policies) 7

31 SECOMP: achieving full abstraction at scale F* language (ML + verification) mitls* SecF* + SecML C language + memory safety + components CompSec + memory safe C component legacy C component CompSec ASM language (RISC-V + micro-policies) ASM component 7

32 SECOMP: achieving full abstraction at scale F* language (ML + verification) mitls* SecF* + SecML C language + memory safety + components CompSec + memory safe C component legacy C component CompSec ASM language (RISC-V + micro-policies) ASM component protecting component boundaries 7

33 SECOMP: achieving full abstraction at scale F* language (ML + verification) mitls* SecF* + SecML C language + memory safety + components CompSec + memory safe C component legacy C component CompSec ASM language (RISC-V + micro-policies) ASM component protecting component boundaries 7

34 SECOMP: achieving full abstraction at scale F* language (ML + verification) protecting higher-level abstractions mitls* SecF* + SecML C language + memory safety + components CompSec + memory safe C component legacy C component CompSec ASM language (RISC-V + micro-policies) ASM component protecting component boundaries 7

35 Protecting component boundaries Add mutually distrustful components to C interacting only via strictly enforced interfaces 8

36 Protecting component boundaries Add mutually distrustful components to C interacting only via strictly enforced interfaces CompSec compiler chain (based on CompCert) propagate interface information to produced binary 8

37 Protecting component boundaries Add mutually distrustful components to C interacting only via strictly enforced interfaces CompSec compiler chain (based on CompCert) propagate interface information to produced binary Micro-policy simultaneously enforcing component separation type-safe procedure call and return discipline 8

38 Protecting component boundaries Add mutually distrustful components to C interacting only via strictly enforced interfaces CompSec compiler chain (based on CompCert) propagate interface information to produced binary Micro-policy simultaneously enforcing component separation type-safe procedure call and return discipline Interesting attacker model extending full abs. to mutual distrust + unsafe source 8

39 Protecting component boundaries Add mutually distrustful components to C interacting only via strictly enforced interfaces CompSec compiler chain (based on CompCert) propagate interface information to produced binary Micro-policy simultaneously enforcing component separation type-safe procedure call and return discipline Interesting attacker model extending full abs. to mutual distrust + unsafe source Recent preliminary work, joint with Yannis Juglaret et al 8

40 Compartmentalization micro-policy memory registers Jal pc... r C @EntryPoint Store r a r m... C 2 Load r m r a Jump r a [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

41 Compartmentalization micro-policy C 1 C 2 memory Jal r @entrypoint Store r a r m... Load r m r a Jump r pc stack level current color registers... r [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

42 Compartmentalization micro-policy memory registers Jal pc... r C stack level current color cross-component call only allowed at EntryPoint...@EntryPoint Store r a r m... C 2 Load r m r a Jump r a [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

43 Compartmentalization micro-policy memory registers C 1 C 2 Jal r @entrypoint pc r a... Store r a r m... Load r m n Jump r a [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

44 Compartmentalization micro-policy memory registers C 1 C 2 Jal r @entrypoint pc r a... increment Store r a r m... Load r m r a linear return n changed Jump r a [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

45 Compartmentalization micro-policy C 1 C 2 memory Jal r @entrypoint Store r a r m... Load r m r a Jump r a registers linear return pc r a r m [Towards a Fully Abstract Compiler Using Micro-Policies, Juglaret, Hritcu, et al, TR 2015] 9

46 Compartmentalization micro-policy C 1 C 2 memory Jal r @entrypoint Store r a r m... Load r m r a Jump r a registers linear return pc r a r m loads and stores to the same component always allowed 9

47 Compartmentalization micro-policy memory registers Jal r C linear return n...@entrypoint Store r a r pc r a r m C 2 Load r m r a Jump r a 9

48 Compartmentalization micro-policy C 1 memory Jal r linear return n n invariant: at most one return capability per call stack level...@entrypoint Store r a r pc r a r m C 2 Load r m r a Jump r a 9

49 Compartmentalization micro-policy C 1 memory Jal r linear return n n invariant: at most one return capability per call stack level...@entrypoint Store r a r m... C 2 Load r m r a Jump r pc r a r m 9

50 Compartmentalization micro-policy C 1 memory Jal r linear return n n invariant: at most one return capability per call stack level...@entrypoint Store r a r m... cross-component return only allowed via return capability C 2 Load r m r a Jump r pc r a r m 9

51 Secure compartmentalizing compilation compromise scenarios. i 1 i 2 i 3 i 4 i 5 C 1 C 2 C 3 C 4 C 5 10

52 Secure compartmentalizing compilation compromise scenarios. i 1 i 2 i 3 i 4 i 5 i 1 i 2 i 3 i 4 i 5 C 1 C 2 C 3 C 4 C 5 L D 1 C 2 D 3 C 4 C 5 10

53 Secure compartmentalizing compilation compromise scenarios. i 1 i 2 i 3 i 4 i 5 C 1 A 2 C 3 A 4 A 5 H i 1 i 2 i 3 i 4 i 5 D 1 A 2 D 3 A 4 A 5 low-level attack from compromised C 2, C 4, C 5 high-level attack from some fully defined A 2, A 4, A 5 i 1 i 2 i 3 i 4 i 5 i 1 i 2 i 3 i 4 i 5 C 1 C 2 C 3 C 4 C 5 L D 1 C 2 D 3 C 4 C 5 10

54 Secure compartmentalizing compilation compromise scenarios. i 1 i 2 i 3 i 4 i 5 C 1 A 2 C 3 A 4 A 5 H i 1 i 2 i 3 i 4 i 5 D 1 A 2 D 3 A 4 A 5 low-level attack from compromised C 2, C 4, C 5 high-level attack from some fully defined A 2, A 4, A 5 i 1 i 2 i 3 i 4 i 5 i 1 i 2 i 3 i 4 i 5 C 1 C 2 C 3 C 4 C 5 L D 1 C 2 D 3 C 4 C 5 follows from structured full abstraction for unsafe languages + separate compilation [Beyond Good and Evil, Juglaret, Hritcu, et al, CSF 16] 10

55 Protecting higher-level abstractions ML abstractions we want to enforce with micro-policies types, value immutability, opaqueness of closures, parametricity (dynamic sealing), GC vs malloc/free,... 11

56 Protecting higher-level abstractions ML abstractions we want to enforce with micro-policies types, value immutability, opaqueness of closures, parametricity (dynamic sealing), GC vs malloc/free,... F*: enforcing full specifications using micro-policies some can be turned into contracts, checked dynamically fully abstract compilation of F* to ML trivial for ML interfaces (because F* allows and tracks effects, as opposed to Coq) 11

57 Protecting higher-level abstractions ML abstractions we want to enforce with micro-policies types, value immutability, opaqueness of closures, parametricity (dynamic sealing), GC vs malloc/free,... F*: enforcing full specifications using micro-policies some can be turned into contracts, checked dynamically fully abstract compilation of F* to ML trivial for ML interfaces (because F* allows and tracks effects, as opposed to Coq) Limits of purely-dynamic enforcement functional purity, termination, relational reasoning 11

58 Protecting higher-level abstractions ML abstractions we want to enforce with micro-policies types, value immutability, opaqueness of closures, parametricity (dynamic sealing), GC vs malloc/free,... F*: enforcing full specifications using micro-policies some can be turned into contracts, checked dynamically fully abstract compilation of F* to ML trivial for ML interfaces (because F* allows and tracks effects, as opposed to Coq) Limits of purely-dynamic enforcement functional purity, termination, relational reasoning push these limits further and combine with static analysis 11

59 Micro-policies: remaining fundamental challenges 12

60 Micro-policies: remaining fundamental challenges Micro-policies for C and ML needed for vertical compiler composition will put micro-policies in the hands of programmers 12

61 Micro-policies: remaining fundamental challenges Micro-policies for C and ML needed for vertical compiler composition will put micro-policies in the hands of programmers Secure micro-policy composition micro-policies are interferent reference monitors one micro-policy s behavior can break another s guarantees e.g. composing anything with IFC can leak 12

62 SECOMP in a nutshell We need more secure languages, compilers, hardware 13

63 SECOMP in a nutshell We need more secure languages, compilers, hardware Key enabler: micro-policies (software-hardware protection) Grand challenge: the first efficient formally secure compilers for realistic programming languages (C, ML, F*) 13

64 SECOMP in a nutshell We need more secure languages, compilers, hardware Key enabler: micro-policies (software-hardware protection) Grand challenge: the first efficient formally secure compilers for realistic programming languages (C, ML, F*) Answering challenging fundamental questions attacker models, composition, micro-policies for C and ML 13

65 SECOMP in a nutshell We need more secure languages, compilers, hardware Key enabler: micro-policies (software-hardware protection) Grand challenge: the first efficient formally secure compilers for realistic programming languages (C, ML, F*) Answering challenging fundamental questions attacker models, composition, micro-policies for C and ML Achieving strong security properties like full abstraction + testing and proving formally that this is the case 13

66 SECOMP in a nutshell We need more secure languages, compilers, hardware Key enabler: micro-policies (software-hardware protection) Grand challenge: the first efficient formally secure compilers for realistic programming languages (C, ML, F*) Answering challenging fundamental questions attacker models, composition, micro-policies for C and ML Achieving strong security properties like full abstraction + testing and proving formally that this is the case Measuring & lowering the cost of secure compilation 13

67 SECOMP in a nutshell We need more secure languages, compilers, hardware Key enabler: micro-policies (software-hardware protection) Grand challenge: the first efficient formally secure compilers for realistic programming languages (C, ML, F*) Answering challenging fundamental questions attacker models, composition, micro-policies for C and ML Achieving strong security properties like full abstraction + testing and proving formally that this is the case Measuring & lowering the cost of secure compilation Most of this is vaporware at this point but... trying to build a community and looking for collaborators & students & PostDocs to try to make some of this real 13