13. – 18. Mai 2018, Dagstuhl Seminar 18201
Auskunft zu diesem Dagstuhl Seminar erteilen
Annette Beyer zu administrativen Fragen
Marc Herbstritt zu wissenschaftlichen Fragen
Today's computer systems are distressingly insecure. The correct semantics of mainstream low-level languages like C is inherently insecure, and even for safer languages, establishing security with respect to a high-level semantics does not prevent devastating low-level attacks. All the abstraction and security guarantees of the source language are currently lost when interacting with lower-level code, for instance when using low-level libraries. For a concrete example, all modern languages provide a notion of structured control flow and an invoked procedure is expected to return to the right place. However, today's compiler chains (compilers, linkers, loaders, runtime systems, hardware) cannot efficiently enforce this abstraction: linked low-level code can call and return to arbitrary instructions or smash the stack, blatantly violating the high-level abstraction.
Secure compilation is an emerging field that puts together advances in security, programming languages, compilers, verification, systems, and hardware architectures in order to devise secure compiler chains that eliminate many of today's low-level vulnerabilities. Secure compilation aims to protect high-level language abstractions in compiled code, even against adversarial low-level contexts, and to allow sound reasoning about security in the source language. The emerging secure compilation community aims to achieve this by:
- Identifying and formalizing compiler security properties and attacker models. What are the properties we want secure compilers to have, and under what attacker models? Should a secure compiler preserve observational equivalence of programs? Should it preserve some class of security properties of the source programs? Should it guarantee invariants on the run-time state of the compiled program (like for instance well-formedness of the call-stack)? And what are realistic attacker models? Can attackers only interact with compiled programs by providing input and reading output? Or can they link arbitrary target level code to the program? Well-studied notions like fully abstraction compilation provide partial answers: a fully abstract compiler chain preserves observational equivalence under an attacker model where attackers are target level contexts. But this can be too hard to enforce: for instance in cases where target level contexts can measure time, this would imply resistance against timing side-channel attacks.
- Efficient enforcement mechanisms. The main reason today's compiler chains are not secure is that providing a secure semantics and enforcing abstractions in low-level compiled code can be very inefficient. In order to overcome this problem, the secure compilation community is investigating various efficient security enforcement mechanisms: from the use of static checking of low-level code to rule out linking with ill-behaved attackers, to software rewriting (e.g. software fault isolation), dynamic monitoring, and randomization. One key enabler is that hardware support to aid security is steadily increasing.
- Developing effective formal verification techniques. Secure compilation properties like full abstraction are much harder to prove than compiler correctness. Intuitively, in order to show full abstraction one has to be able to back-translate any low-level context attacking the compiled code to an equivalent high-level context that can attack the original source code. This back-translation is, however, nontrivial, and while several proof techniques have been proposed (e.g. based on logical relations, bisimulation, game semantics, multi-language semantics, embedded interpreters, etc), scaling these techniques to realistic secure compilers is a challenging research problem. This challenge becomes even more pronounced if one expects a strong level of assurance, as provided by formal verification using a proof assistant.
This Dagstuhl Seminar will take a broad and inclusive view of secure compilation and will provide a forum for discussion on the topic. The goal is to identify interesting research directions and open challenges by bringing together people interested in working on building secure compilers, on developing proof techniques and verification tools, and on designing security mechanisms.
Creative Commons BY 3.0 DE
Amal Ahmed and Deepak Garg and Catalin Hritcu and Frank Piessens
- Programming Languages / Compiler
- Security / Cryptology
- Secure compilation
- Low-level attacks and defenses
- Security architectures
- Compiler verification
- Full abstraction