The paper introduces SECOMP, a formally secure compiler for compartmentalized C programs. SECOMP extends the CompCert verified C compiler with isolated compartments that can only interact via well-defined interfaces. The key contributions are:
Extending CompCert's languages, including RISC-V assembly, with compartments and adapting the compiler passes and optimizations to this setting. This includes a novel shadow stack mechanism to enforce the well-bracketedness of cross-compartment control flow in RISC-V.
Developing a secure compilation proof for SECOMP, from Clight to RISC-V assembly, that achieves the RSCDC^MD secure compilation criterion of Abate et al. This is the first time such a strong secure compilation criterion is proven for a mainstream programming language.
Introducing several proof engineering novelties to scale up the secure compilation proofs, including the use of CompCert's sophisticated memory injections, informative events to track memory deltas, and a principled approach to proving recomposition using simulation diagrams.
Designing and prototyping an unverified backend using a variant of the CHERI capability machine to enforce the compartment isolation abstraction at a lower level.
The SECOMP compiler and its machine-checked proofs are available as an artifact.
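As an added illustration that is not code from the paper or from SECOMP itself, the following C model shows what the shadow stack described above must enforce at the level of a trace of cross-compartment calls and returns: every return must go back to the compartment that made the matching call, and no return may occur without a pending call. The event representation, compartment numbering and sample traces are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* A cross-compartment control-flow event: a call or a return between
   two compartments, identified here by small integers (constructed). */
typedef enum { EV_CALL, EV_RET } ev_kind;
typedef struct { ev_kind kind; int from; int to; } event;

#define MAX_DEPTH 64

/* One shadow-stack frame records who called whom, so a return can be
   checked against the matching call rather than trusted from the callee. */
typedef struct { int caller; int callee; } frame;

/* Returns true iff the trace is well-bracketed: each EV_RET leaves the
   compartment recorded as callee and lands in the recorded caller, the
   stack never underflows, and every call has been returned at the end. */
bool well_bracketed(const event *trace, size_t n) {
    frame ss[MAX_DEPTH];
    size_t depth = 0;
    for (size_t i = 0; i < n; i++) {
        const event *e = &trace[i];
        if (e->kind == EV_CALL) {
            if (depth == MAX_DEPTH) return false;        /* no room to record */
            ss[depth].caller = e->from;
            ss[depth].callee = e->to;
            depth++;
        } else {
            if (depth == 0) return false;                /* return without call */
            frame top = ss[--depth];
            if (e->from != top.callee || e->to != top.caller)
                return false;                            /* wrong return target */
        }
    }
    return depth == 0;
}

/* Constructed traces: nested calls 1 -> 2 -> 3 with matching returns,
   a return that skips a frame (3 returns straight to 1), and a stray return. */
static const event ok_trace[] = {
    {EV_CALL, 1, 2}, {EV_CALL, 2, 3}, {EV_RET, 3, 2}, {EV_RET, 2, 1}
};
static const event skip_trace[] = {
    {EV_CALL, 1, 2}, {EV_CALL, 2, 3}, {EV_RET, 3, 1}, {EV_RET, 2, 1}
};
static const event stray_trace[] = { {EV_RET, 2, 1} };

bool check_ok_trace(void)    { return well_bracketed(ok_trace, 4); }
bool check_skip_trace(void)  { return well_bracketed(skip_trace, 4); }
bool check_stray_trace(void) { return well_bracketed(stray_trace, 1); }
```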
By Jéré... on arxiv.org, 04-17-2024
https://arxiv.org/pdf/2401.16277.pdf