Transcript of slides: cs.au.dk/~lask/scm17-slides.pdf

Enforcing Well-Bracketed Control Flow on a Capability Machine using Local Capabilities

Lau Skorstengaard (1), Dominique Devriese (2), Lars Birkedal (1)
(1) Aarhus University
(2) imec-DistriNet, KU Leuven
SCM, January 15, 2017
Why capability machines?

- Interesting compilation target
  - C-like calling convention
  - Enforcement of well-bracketed calls
- Subject of systems research
  - CHERI
Talk outline

- A simple capability machine
- Applications
  - Enforcing well-bracketedness
- Semantic model
  - Kripke worlds
  - Logical relation
  - Interesting properties
- Conclusion
Memory capabilities

Challenge:
- Low-level machines provide no means to enforce fine-grained access control.

Solution:
- Assembly language that uses capabilities instead of pointers
- Tagged memory
- Capabilities (perm, base, end, a)
  - Permission, e.g. read (r), write (w), execute (x)
  - Range of authority
  - Pointer
- Capability-aware instructions enforce capability permissions

The store instruction only succeeds when the capability in r1 permits writing and the pointer lies within its range of authority:

$$
\frac{w = \Phi.\mathrm{reg}(r_2) \qquad \Phi.\mathrm{reg}(r_1) = (\mathit{perm}, \mathit{base}, \mathit{end}, a) \qquad \mathit{perm} \in \{rw, rwx\} \qquad \mathit{base} \le a \le \mathit{end}}{[\![\mathtt{store}\ r_1\ r_2]\!](\Phi) = \Phi[\mathrm{mem}.a \mapsto w]}
$$
Enter capabilities

Challenge:
- Execute capabilities provide no encapsulation: how can we give the callee more authority than the caller?

Solution (from M-Machine):
- Enter capability:
  - Completely opaque, you can only jump to it
  - Becomes rx when jumped to
  - ~ encapsulated closure
- Security boundaries
- Modularisation
Local capabilities

Challenge:
- Capabilities are irrevocable.

Solution (from CHERI):
- Local capabilities (a form of temporal information-flow control)
- Capabilities extended with a local tag and a permit-write-local permission (wl)
- Local capabilities can only be written to memory through a wl-capability
- (To make it useful:) wl-capabilities must be local themselves

The store rule gains a locality tag g on the capability and an extra side condition: if the word being stored is itself a local capability, the capability written through must carry the wl permission.

$$
\frac{\begin{array}{c}
w = \Phi.\mathrm{reg}(r_2) \qquad \Phi.\mathrm{reg}(r_1) = ((\mathit{perm}, g), \mathit{base}, \mathit{end}, a) \qquad \mathit{perm} \in \{rw, rwx, rwl, rwlx\} \\
\mathit{base} \le a \le \mathit{end} \qquad w = ((\_, \mathit{local}), \_, \_, \_) \Rightarrow \mathit{perm} \in \{rwl, rwlx\}
\end{array}}{[\![\mathtt{store}\ r_1\ r_2]\!](\Phi) = \Phi[\mathrm{mem}.a \mapsto w]}
$$
Enforcing well-bracketedness (without a trusted stack)

Basic idea:
- Return pointer as local enter-capability
- Stack pointer as local rwlx-capability
  - Only place one can store local capabilities

Many details to get right:
- Clear non-argument registers before jumps to untrusted code
- Clear the part of the stack the callee gains control over
- Adversary callbacks must be global

Results:
- Provably enforce well-bracketed control flow and local-state encapsulation, without a trusted stack!
- (Even with a trusted stack, some of the points above are still needed.)
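As an added example (not code from the slides or from the authors' formalisation), the store and jump rules of the memory, enter and local capability slides and the calling convention above are modelled as a small Python interpreter; the class names, register names and address ranges are constructed assumptions. It checks the side conditions of the store rule, turns an enter capability into rx on jump, and then plays through the key property of the calling convention: an untrusted callee that holds the local stack capability and a global capability to its own memory can keep the caller's local return capability on the stack, but cannot stash it in global memory.

```python
"""Small model of the capability machine from the slides: tagged memory, capabilities
((perm, g), base, end, a) and capability-checked store / jmp. Constructed for
illustration: class and register names and address ranges are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Union

WRITE_PERMS = ("rw", "rwx", "rwl", "rwlx")    # store is allowed
WRITE_LOCAL_PERMS = ("rwl", "rwlx")           # storing a *local* capability is allowed
EXEC_PERMS = ("rx", "rwx", "rwlx")            # jumping is allowed without unsealing
ALL_PERMS = ("o", "e", "rx") + WRITE_PERMS    # "o": no authority, "e": enter capability


@dataclass(frozen=True)
class Cap:
    perm: str      # permission
    local: bool    # locality tag g: True = local, False = global
    base: int      # start of the range of authority
    end: int       # end of the range of authority (inclusive: base <= a <= end)
    a: int         # the address the capability currently points to

    def __post_init__(self) -> None:
        if self.perm not in ALL_PERMS:
            raise ValueError(f"unknown permission {self.perm!r}")
        # Safety condition from the slides: wl-capabilities must be local themselves.
        if self.perm in WRITE_LOCAL_PERMS and not self.local:
            raise ValueError("a permit-write-local capability must be local")


Word = Union[int, Cap]   # tagged memory: a word is either an integer or a capability


class CapFault(Exception):
    """A capability check failed; the machine halts with a failure."""


@dataclass
class Machine:
    mem: Dict[int, Word] = field(default_factory=dict)
    reg: Dict[str, Word] = field(default_factory=dict)

    def store(self, r1: str, r2: str) -> None:
        """[[store r1 r2]](Phi) = Phi[mem.a -> w], with the side conditions of the rule."""
        c, w = self.reg[r1], self.reg[r2]
        if not isinstance(c, Cap) or c.perm not in WRITE_PERMS:
            raise CapFault("store needs a capability with write permission")
        if not (c.base <= c.a <= c.end):
            raise CapFault("store address outside the range of authority")
        if isinstance(w, Cap) and w.local and c.perm not in WRITE_LOCAL_PERMS:
            raise CapFault("a local capability can only be stored through a wl-capability")
        self.mem[c.a] = w

    def jmp(self, r: str) -> Cap:
        """Jump to reg[r]: an enter capability is opaque until jumped to, then becomes rx."""
        c = self.reg[r]
        if not isinstance(c, Cap):
            raise CapFault("jump target is not a capability")
        if c.perm == "e":
            c = Cap("rx", c.local, c.base, c.end, c.a)   # same range, now readable/executable
        elif c.perm not in EXEC_PERMS:
            raise CapFault(f"permission {c.perm!r} does not allow execution")
        self.reg["pc"] = c
        return c


def store_succeeds(m: Machine, r1: str, r2: str) -> bool:
    """True if `store r1 r2` passes all capability checks on machine m."""
    try:
        m.store(r1, r2)
        return True
    except CapFault:
        return False


def callee_cannot_stash_return_pointer() -> Dict[str, bool]:
    """Constructed scenario for the calling convention on the slides.

    The caller hands over a local enter capability as return pointer and a local rwlx
    capability as stack pointer. The untrusted callee additionally owns a global rw
    capability to its own memory. The return pointer can be kept on the stack (the only
    place local capabilities can be stored) but not leaked into the callee's global memory.
    """
    m = Machine()
    m.reg["r_ret"] = Cap("e", True, 1000, 1099, 1000)   # local enter-capability
    m.reg["r_stk"] = Cap("rwlx", True, 100, 199, 150)   # local stack capability
    m.reg["r_own"] = Cap("rw", False, 200, 299, 200)    # callee's global (irrevocable) memory
    return {
        "kept_on_stack": store_succeeds(m, "r_stk", "r_ret") and m.mem[150] == m.reg["r_ret"],
        "leaked_to_global_memory": store_succeeds(m, "r_own", "r_ret"),
    }


if __name__ == "__main__":
    print(callee_cannot_stash_return_pointer())
```

Because the stack capability is the callee's only wl-capability, and the caller clears the stack region the callee was given before the callee returns, the return capability cannot outlive the call; this is the mechanism behind the slide's "without a trusted stack".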
Kripke worlds

- Recursive Kripke world
  - Collection of regions
- Regions model evolvable invariants (protocols) on memory
  - State machines with public and private transitions
- A future world is an extension of a world

Challenge: we want to reuse memory, e.g. on the stack
- Permanent regions remain present in any future world
- Temporary regions may be revoked in private future worlds
- Revoked regions

(Figure: state-transition diagrams for permanent, temporary and revoked regions, and for the regions a local and a global capability may depend on.)

Relation to local capabilities
- Local capabilities
  - Can depend on temporary and permanent regions
- Global capabilities
  - Can only depend on permanent regions
12/18
Logical relation
V(W )def= {(n, i) | i ∈ Z}
∪{
(n, ((r, g), base, end , a)) |(n, (base, end)) ∈ readCondition(g)(W )
}∪ · · ·
R(W )def= {(n, reg) | ∀r ∈ RegisterName \ {pc}. (n, reg(r)) ∈ V(W )}
E(W )def=
{(n, pc)
∣∣∣∣∀n′ ≤ n,(n′, reg
)∈ R(W ),ms :n′ W .(
n′, (reg [pc 7→ pc],ms))∈ O(W )
}
I Semantic model of well-behaved programsI Captures the safe behaviour of the system
I e.g., no global permit-write-local capabilities
I Uses PL techniques known from high-level languages
![Page 40: Enforcing Well-Bracketed Control Flow on a Capability ...cs.au.dk/~lask/scm17-slides.pdf · Enforcing Well-Bracketed Control Flow on a Capability Machine using Local Capabilities](https://reader034.fdocuments.in/reader034/viewer/2022051719/5a72c0ce7f8b9ab1538dd040/html5/thumbnails/40.jpg)
12/18
Logical relation
V(W )def= {(n, i) | i ∈ Z}
∪{
(n, ((r, g), base, end , a)) |(n, (base, end)) ∈ readCondition(g)(W )
}∪ · · ·
R(W )def= {(n, reg) | ∀r ∈ RegisterName \ {pc}. (n, reg(r)) ∈ V(W )}
E(W )def=
{(n, pc)
∣∣∣∣∀n′ ≤ n,(n′, reg
)∈ R(W ),ms :n′ W .(
n′, (reg [pc 7→ pc],ms))∈ O(W )
}
I Semantic model of well-behaved programsI Captures the safe behaviour of the system
I e.g., no global permit-write-local capabilities
I Uses PL techniques known from high-level languages
![Page 41: Enforcing Well-Bracketed Control Flow on a Capability ...cs.au.dk/~lask/scm17-slides.pdf · Enforcing Well-Bracketed Control Flow on a Capability Machine using Local Capabilities](https://reader034.fdocuments.in/reader034/viewer/2022051719/5a72c0ce7f8b9ab1538dd040/html5/thumbnails/41.jpg)
12/18
Logical relation
V(W )def= {(n, i) | i ∈ Z}
∪{
(n, ((r, g), base, end , a)) |(n, (base, end)) ∈ readCondition(g)(W )
}∪ · · ·
R(W )def= {(n, reg) | ∀r ∈ RegisterName \ {pc}. (n, reg(r)) ∈ V(W )}
E(W )def=
{(n, pc)
∣∣∣∣∀n′ ≤ n,(n′, reg
)∈ R(W ),ms :n′ W .(
n′, (reg [pc 7→ pc],ms))∈ O(W )
}I Semantic model of well-behaved programsI Captures the safe behaviour of the system
I e.g., no global permit-write-local capabilities
I Uses PL techniques known from high-level languages
![Page 42: Enforcing Well-Bracketed Control Flow on a Capability ...cs.au.dk/~lask/scm17-slides.pdf · Enforcing Well-Bracketed Control Flow on a Capability Machine using Local Capabilities](https://reader034.fdocuments.in/reader034/viewer/2022051719/5a72c0ce7f8b9ab1538dd040/html5/thumbnails/42.jpg)
12/18
Logical relation
V(W )def= {(n, i) | i ∈ Z}
∪{
(n, ((r, g), base, end , a)) |(n, (base, end)) ∈ readCondition(g)(W )
}∪ · · ·
R(W )def= {(n, reg) | ∀r ∈ RegisterName \ {pc}. (n, reg(r)) ∈ V(W )}
E(W )def=
{(n, pc)
∣∣∣∣∀n′ ≤ n,(n′, reg
)∈ R(W ),ms :n′ W .(
n′, (reg [pc 7→ pc],ms))∈ O(W )
}I Semantic model of well-behaved programsI Captures the safe behaviour of the system
I e.g., no global permit-write-local capabilities
I Uses PL techniques known from high-level languages
![Page 43: Enforcing Well-Bracketed Control Flow on a Capability ...cs.au.dk/~lask/scm17-slides.pdf · Enforcing Well-Bracketed Control Flow on a Capability Machine using Local Capabilities](https://reader034.fdocuments.in/reader034/viewer/2022051719/5a72c0ce7f8b9ab1538dd040/html5/thumbnails/43.jpg)
12/18
Logical relation
V(W )def= {(n, i) | i ∈ Z}
∪{
(n, ((r, g), base, end , a)) |(n, (base, end)) ∈ readCondition(g)(W )
}∪ · · ·
R(W )def= {(n, reg) | ∀r ∈ RegisterName \ {pc}. (n, reg(r)) ∈ V(W )}
E(W )def=
{(n, pc)
∣∣∣∣∀n′ ≤ n,(n′, reg
)∈ R(W ),ms :n′ W .(
n′, (reg [pc 7→ pc],ms))∈ O(W )
}I Semantic model of well-behaved programsI Captures the safe behaviour of the system
I e.g., no global permit-write-local capabilities
I Uses PL techniques known from high-level languages
Interesting properties

Lemma (Revoke temporary memory satisfaction)
If $\mathit{ms} :_n W$, then $\mathit{ms} = \mathit{ms}' \uplus \mathit{ms}_r$ and $\mathit{ms}' :_n \mathrm{revokeTemp}(W)$.

Lemma (Double monotonicity of value relation)
- If $(n, w) \in \mathcal{V}(W)$ and $W' \sqsupseteq^{\mathrm{pub}} W$, then $(n, w) \in \mathcal{V}(W')$.
- If $(n, w) \in \mathcal{V}(W)$ and $W' \sqsupseteq^{\mathrm{priv}} W$ and $w$ is not a local capability, then $(n, w) \in \mathcal{V}(W')$.
Fundamental theorem of logical relations

- General statement of the guarantees provided by the capability machine.
- Intuitively: any program is safe as long as it only has access to safe values.

Theorem (FTLR)
If $\mathit{perm} = rx \wedge (n, (\mathit{base}, \mathit{end})) \in \mathrm{readCondition}(g)(W)$ (or similarly for $rwx$ and $rwlx$), then

$$
(n, ((\mathit{perm}, g), \mathit{base}, \mathit{end}, a)) \in \mathcal{E}(W)
$$
Conclusion

- Reasoning about a capability machine
  - Logical relation with some interesting novel aspects
  - Local capabilities require public/private future worlds, used in a new way
- Provably enforce well-bracketed control flow using (just) local capabilities
  - Several details to get right
Questions/discussion
Recursive domain equation (simplified)

$$
\begin{aligned}
\mathrm{Wor} &\approx \mathrm{Region}^* \\
\mathrm{Region} &::= \mathrm{revoked} \\
&\;\mid\; (\mathrm{temp}, s, (\varphi_{\mathrm{pub}}, \varphi), H) \quad \text{with } H \in \mathrm{State} \to \big(\mathrm{Wor} \xrightarrow[\sqsupseteq^{\mathrm{pub}}]{\mathrm{mon},\,\mathrm{ne}} \mathrm{UPred}(\mathrm{MemSegment})\big) \\
&\;\mid\; (\mathrm{perm}, s, (\varphi_{\mathrm{pub}}, \varphi), H) \quad \text{with } H \in \mathrm{State} \to \big(\mathrm{Wor} \xrightarrow[\sqsupseteq^{\mathrm{priv}}]{\mathrm{mon},\,\mathrm{ne}} \mathrm{UPred}(\mathrm{MemSegment})\big)
\end{aligned}
$$