Implementing a Secure Abstract Machine

Adriaan Larmuseau1 Marco Patrignani2 Dave Clarke1,2 1Dept. of IT, Uppsala University, Sweden 2iMinds-Distrinet, KU Leuven, Belgium ﬁ[email protected] ﬁ[email protected]

ABSTRACT tions are also threatened by the low-level context in which Abstract machines are both theoretical models used to study they reside. In practice, an abstract machine implemen- language properties and practical models of language imple- tation will use or interact with various, low-level libraries mentations. As with all language implementations, abstract and/or components that may be written with malicious in- machines are subject to security violations by the context in tent or susceptible to code injection attacks. Such mali- which they reside. This paper presents the implementation cious low-level components can bypass software based secu- of an abstract machine for ML that preserves the abstrac- rity mechanisms and may disclose confidential data, break tions of ML, in possibly malicious, low-level contexts. To integrity checks and so forth [15]. guarantee this security result, we make use of a low-level This paper presents the derivation and implementation of memory isolation mechanism and derive the formalisation an abstract machine for MiniML, a light-weight version of of the machine through a methodology, whose every step is ML featuring references and recursion, that runs on a pro- accompanied by formal properties that ensure that the step cessor enhanced with the Protected Module Architecture has been carried out properly. We provide an implementa- (PMA) [15]. PMA is a low-level memory isolation mech- tion of the abstract machine and analyse its performance. anism, that protects a certain memory area by restricting access to that area based on the location of the program counter. Our abstract machine executes programs within CCS Concepts this protected memory without sacrificing their ability to •Security and privacy → Software security engineering; interact with the outside world. Domain-specific security and privacy architectures; To guarantee the security of the implemented abstract machine, we follow a two step methodology to derive the for- Keywords malisation of the abstract machine. In the first step MiniML Abstract Machine; Memory Protection is extended with a secure foreign function interface (FFI). This extension to MiniML is derived by improving the theoretical secure operational semantics of Larmuseau et al. [8], 1. INTRODUCTION with Patrignani et al.’s trace semantics of a realistic low- Abstract machines are both theoretical models used to study level attacker [13]. In the second step we apply the syntactic language properties and practical models of language imple- correspondences of Biernacka et al. [2] to this extension of mentations. Nowadays, several languages, especially func- MiniML, to obtain the formalisation of a CESK machine im- tional ones, are implemented using abstract machines. For plementation for MiniML. For each of these syntactic corre- example, OCaml’s bytecode runs on the Zinc abstract ma- spondences we prove that they do not result in the abstract chine and the Glasgow Haskell Compiler uses the Spineless machine leaking security sensitive information. Tagless G-machine internally [7]. After presenting the source language MiniML and the rel- When security-sensitive applications are run by an abstract evant security concepts and formalisations (Section2), this machine it is crucial that the abstract machine implemen- paper makes the following contributions. It describes our tation does not leak security sensitive information. Outside methodology and how we apply it to derive a secure CESK of implementation mistakes, abstract machine implementa- machine for MiniML (Section3). This paper also details our implementation of the CESK machine as well as the performance of the machine in certain test scenarios (Section4). The proposed work is not without limitations. While the formalisation is derived in a correct manner, the implementation is hand-made: possibly introducing mistakes that violate the security properties. As with all software, testing and verification techniques can minimise these risks. ACM 978-1-4503-3738-0. http://dx.doi.org/10.1145/0000000.0000000 2. OVERVIEW The equivalences over the locations of MiniML are a little This section first presents the source language MiniML (Sec- more complex. Due to the deterministic allocation order and tion 2.1) and the formal method used to reason about its the inclusion of the hash operation, a context can observe security (Section 2.2). Next it details the security threats the number of locations as well as their indices. Locations to abstract machine implementations (Section 2.3). Lastly when kept secret, however, still produce equivalences as a we cover the memory isolation mechanism that is used to context C cannot observe locations that do not leave a term. protect the abstract machine implementation (Section 2.4) The following two terms, for example, are thus contextually and the formal attacker model (Section 2.5). equivalent. (ref false; 0) (ref true; 0) (Ex-2) 2.1 The Source Language MiniML Contextual equivalence can be used to capture security prop- The source language of our secure abstract machine imple- erties such as confidentiality and integrity at the language mentation is MiniML: an extension of the typed λ-calculus level. This is illustrated for the following two examples. featuring references and recursion. The syntax is as follows. Confidentiality. Consider the following two contextually t ::= v | x | (t t ) | t op t | t t t | t 1 2 1 2 if 1 2 3 ref equivalent MiniML terms. | t1 := t2 | t1 ; t2 | let x = t1 in t2 | !t | fix t | hash t | letrec x : τ = t1 in t2 let secret = ref 0 in let secret = ref 0 in op ::= + | − | ∗ | < | > | == (λx : Int. secret++; x)(λx : Int. x) v ::= unit | li | n | (λx : τ.t) | true | false τ ::= Bool | Int | Unit | τ1 → τ2 | Ref τ These two terms differ only in the value they store in the E ::= [·] | E t | v E | E op t | op v E | ... secret reference. Because these terms are contextually equivalent that implies that there is no MiniML context that can Here n indicates the syntactic term representing the num- read the secret. ber n, τ denotes the types and E is a Felleisen-and-Hieb- style evaluation context with a hole[ ·] that lifts the basic Integrity. Consider the following two contextually equiv- reduction steps to a standard left-to-right call-by-value se- alent MiniML terms. mantics. The letrec operator is syntactic sugar for a com- (λx : Int → Int. (λx : Int → Int. bination of let and fix. The operands op apply only to booleans and integers. The locations li are an artefact of let y = ref 0 in let y = ref 0 in (x 1)) the dynamic semantics that do not appear in the syntax let r = (x 1)in used by programmers and are tracked at run-time in a store µ ::= ∅ | µ, li = v, which is assumed to be an ideal store: if (!y =0) r (−1)) it never runs out of space. Allocating new locations is done These two terms differ only in that the left term does an deterministically l , l , .., l . The term t maps a loca- 1 2 n hash integrity check: it checks that the reference y was not mod- tion to its index: l 7→ i, similar to how Java’s .hashCode i ified. Because these terms are contextually equivalent that method converts references to integers. implies that there is no way for a MiniML context to modify The reduction and type rules are standard and are thus omit- the reference y. ted. The interested reader can find the full formalisation of the semantics in an accompanying tech report [9]. 2.3 The Security Challenges of Abstract Ma- chine Implementations 2.2 Contextual Equivalence An abstract machine for MiniML is a program that inputs To formally state and reason about the security concerns of programs written in MiniML and then executes them ac- MiniML, contextual equivalence is used. A MiniML context cording to the semantics for MiniML encoded in the ma- C is a MiniML term with a single hole [·], two MiniML terms chine. An abstract machine implementation has two security are contextually equivalent if and only if no context C can concerns: (i) implementation mistakes and (ii) malicious be- distinguish them. haviour by the low-level context in which it resides. In this Definition 1. Contextual equivalence is defined as: work we consider the latter concern.

def More specifically, we consider the threats posed to an ab- t1 ' t2 = ∀C . C [t1 ]⇑ ⇐⇒ C [t2 ]⇑ stract machine implementation by an attacker with kernel- level code injection privileges. Kernel-level code injection where ⇑ denotes divergence, t and t are closed terms and 1 2 is a critical vulnerability that bypasses all existing software- neither the terms nor the contexts feature explicit locations based security mechanisms: disclosing confidential data, dis- l as they are not part of the static semantics. Note that i rupting applications and so forth [15]. This attacker poses contextually equivalent MiniML terms are of the same type four threats to abstract machine implementations. τ as a context C observes the same typing rules as the terms. MiniML’s λ-terms introduce many equivalences, there is no Inspection and manipulation. An abstract machine context C, for example, that can distinguish the following must isolate running programs and their machine state from two λ-terms. any kind of inspection and manipulation from outside the abstract machine. A failure to do so could break the confi- (λx : Int. 0) (λx : Int.(x − x)) (Ex-1) dentiality and integrity requirements of MiniML programs. Abuse of references. An abstract machine interoperates protected memory of PMA and s is a descriptor that details with the outside context, including possibly the attacker, where the protected memory partition starts, as well as the by sharing references to data structures. An attacker that number of entry points and the size of the code and data modifies these references can manipulate the internal state sections. Additionally, the state Λ can be (unknown, m, s): a of the abstract machine and alter the control flow (as is the state modelling that the attacker is executing in unprotected case for the Java VM [16]). memory. The trace semantics denote the observations and inputs of the attacker through the following labels L. Observing implementation details. Most abstract √ machines do not encode the exact semantics of MiniML, L ::= α | τ α ::= | γ! | γ? γ ::= call p(r) | ret p(r) but instead use more concrete and more efficient encodings A label L is either an observable action α or a non-observable such as continuations and closures. Because these encodings action τ. Decorations ? and ! indicate the direction of an make MiniML abstractions more concrete they may reveal observable action: from the unprotected memory to the pro- to the attacker implementation details not observable to the tected memory (?) or vice-versa (!). Observable actions γ MiniML contexts of Section 2.2. are function calls or returns to a certain address p, combined with a sequence of registers r. Registers are in the labels as Violation of type safety. When interoperating with they contain the arguments to the function calls and also the outside context, the abstract machine not only shares convey information on the behaviour of the code executing data, it also receives it. If the abstract machine does not in the protected memory. Additionally, an observable action type check this incoming data, the attacker can violate the √ α can be a tick indicating termination. contextual equivalence of MiniML. Note that these labels do not denote low-level reads and 2.4 The Protected Module Architecture writes to memory addresses. These are not required in this work. The memory of the protected memory module cannot To secure the run-time memory of our abstract machine be read or written by the low-level attacker, and our secure implementation, addressing the inspection threat of Sec- abstract machine is designed in a manner that removes the tion 2.3, we make use of the Protected Module Architec- need for reads and writes to unprotected memory. ture (PMA). PMA is a fine-grained, program counter-based, memory access control mechanism that divides memory into These trace semantics provide an accurate model of the at- a protected memory module and unprotected memory. The tacker as they coincide with contextual equivalence for as- protected module is further split into two sections: a pro- sembly programs enhanced with PMA. Formally the traces tected code section accessible only through a fixed collection of an assembly program P , denoted as Tr(P ), are computed α of designated entry points, and a protected data section that as follows: Tr(P ) = {α|∃Λ.Λ0(P ) ==⇒⇒ Λ}. Where Λ0 is the can only be accessed by the code section. As such the un- initial state and the relation Λ ==α⇒⇒ Λ0 describes the traces protected memory is limited to executing the code at entry generated by transitions between states. Whenever two as- points. The code section can only be executed from the out- sembly programs P1 and P2 are contextually equivalent they side through the entry points and the data section can only will have the same traces (the same inputs and observations be accessed by the code section. An overview of the access by attackers) as follows: control mechanism is given below. Proposition 1 (Fully Abstract Traces [13]). From \To Protected Unprotected P1 'a P2 ⇐⇒ Tr(P1) = Tr(P2) Entry Code Data Protected r x r x r w r w x where 'a denotes contextual equivalence between two assembly programs. Unprotected x r w x

A variety of PMA implementations exist. While our current 3. DERIVING A SECURE CESK MACHINE implementation of the abstract machine makes use of a re- Our goal in this paper is to derive and implement a secure search prototype [15], Intel is developing a new instruction CESK machine for MiniML. A CESK machine is a transition set, referred to as SGX, that enables the usage of PMA in system of four elements: the term being evaluated (Control), commercial processors [11]. a map from variables to values (Environment), a map from locations to values (Store) and a stack of evaluation contexts 2.5 The Low-Level Attacker Model (Kontinuations) [4]. The implemented abstract machine, that resides within the Directly implementing a secure CESK for MiniML is, how- protected memory, remains secure in the face of the pre- ever, likely to fail. Instead, we derive a formalisation of viously mentioned attacker with kernel level code injection the secure CESK machine for MiniML through a methodol- capabilities. To formally reason about the capabilities and ogy of two distinct steps that start from the semantics of behaviour of this attacker, we make use of the fully abstract MiniML. This formalisation is then implemented using the trace semantics of Patrignani and Clarke for assembly pro- PMA mechanism of Section 2.4, as detailed in Section4. grams enhanced with PMA [13]. To derive the CESK formalisation, we first extend MiniML These trace semantics transition over a state Λ which is a with a secure foreign function interface (FFI) by adapt- quintuple (p, r, f, m, s), where p is the program counter, r ing the theoretical formalization by Larmuseau et al. [8] the register file, f a flags register, m represents only the (Section 3.1) to the low-level attacker of Section 2.5. This FFI enables MiniML programs to interoperate with the low- where, as explained in Section 2.1, E is an evaluation con- level attacker in a manner that prevents the low-level at- text that represent the computation that was halted when tacker from distinguishing between contextually equivalent control was reverted to the attacker. This stack of evalu- MiniML terms. We reason over MiniML extended with this ation contexts is type annotated, to ensure that no typing FFI by means of a labelled transition system. information is lost during the interactions with the attacker.

In the second step of the methodology we derive a CESK Reference objects. Security relevant MiniML terms: formalisation from the previously obtained LTS by making namely λ-terms and locations, are shared by providing the use of syntactical correspondences that preserve the formal attacker with reference objects, objects that refer to the orig- properties MiniML (Section 3.2). inal terms of the program in MiniML. These reference ob- Each step of the methodology includes a proposition that is jects, have two purposes: firstly they mask the contents of proven to hold, establishing that the contextual equivalences the original term and secondly they enable the FFI and the of MiniML are preserved. We validate the methodology by derived CESK machine, to keep track of which locations or showing that the combination of these propositions ensures λ-terms and locations have been shared with the attacker. that the derived CESK machine is secure (Section 3.3). Larmuseau et al. [8] model reference objects for λ-terms and f l locations through names ni and ni respectively. Both names 3.1 Step 1: Secure Foreign Function Interface are tracked in a map N that records the associated term and type, as follows. We extend MiniML with a secure FFI to the low-level attacker of Section 2.5 by adapting the theoretical FFI design f l of Larmuseau et al. [8]. The resulting extension of MiniML N ::= ? | N, ni 7→ (t,τ ) | N, ni 7→ (t,τ ) is formalised by means of a labelled transition system (LTS). L f Concretely this LTS is a triple (S, L, −−→), where the state S A fresh name ni is created deterministically every time a is a MiniML program extended with certain FFI specific at- λ-term is shared between MiniML and the attacker. The f tributes, L are the labels of low-level attacker’s fully abstract index i of these names ni denumerates the shared λ-terms. L f The first λ-term to be shared will be masked by a name n1, trace semantics (Section 2.5) and −−→ denotes the labelled f L 0 the second λ-term will be masked by a name n2 and so on. transitions between the states is S −−→ S . The LTS does l In contrast, the index i of the name ni will correspond to the not include a state for the attacker as the labels capture all l index of the location it refers to (ni 7→ li). Larmuseau et al. the relevant details of the low-level attacker. have previously proven that these names and their indices i: The state S is a quadruple: hω, µ, N, pi. The first element do not reveal to an attacker any information not available ω is a substate that captures the four different execution to MiniML contexts and thus do not violate the contextual states of MiniML throughout the FFI. The second element equivalences of MiniML [8]. µ is the store of locations (Section 2.1). The third element of the state S (N) is a map used to keep track of the reference Entry points and return pointers. The interoperation objects that are used to mask the security relevant terms of with the low-level attacker involves two kinds of addresses: MiniML. The final element of the state S is a stack of low- entry points and return pointers. The entry points are, as level pointers p, that enable the MiniML to transfer control detailed in Section 2.4, the interface that the attacker (resid- to the correct address of the attacker. In what follows we ing in unprotected memory) uses to interact with a MiniML elaborate on these four different execution states, the em- program and the CESK machine that executes it. To pro- ployed reference objects, the low-level usage of addresses, vide the low-level attacker the same level of functionality as e how input from the attacker is handled, the transition rules MiniML context, we introduce an entry point p for each and the formal security of this FFI. possible MiniML operation that the low-level attacker may need. Whenever the attacker wants to dereference a shared The four FFI states of MiniML. Throughout its location, for example, it will use the entry point for derefer- e interoperation with the low-level attacker MiniML programs encing shared locations pderef. adopt four different states. A MiniML program is either (1) Whenever the attacker makes use of an entry point, con- executing a term t of type τ, (2) marshalling out values to trol switches to the protected memory where the MiniML be returned to the attacker, (3) marshalling in input from program and the CESK machine reside. To correctly revert the attacker that is expected to be of type τ or (4) waiting control to the attacker, the FFI keeps track of the address on input from the attacker. from which the call to the entry point originates. On the flip (1) Σ ◦ t : τ (2) Σ £ m : τ (3) Σ ¡ m : τ (4) Σ side when control reverts from the attacker to the secure abstract machine, control cannot simply jump to the correct Where m ::= v | w as the marshalling states (2) and (3) address within the protected memory as it is inaccessible are responsible for converting MiniML values v to low-level from the outside (Section 2.4). Instead, the attacker must words w and vice versa. e make use of a return-back entry point pretb that handles the Each of these four different states include Σ: a type anno- reverting of control. tated stack of evaluation contexts, which keeps track of the interoperation between the attacker and the MiniML pro- Attacker input. Input from the attacker is handled in the gram. This type annotated stack, is formally defined as: marshalling in state of the FFI: hΣ ¡ m : τ, µ, N, pi. When- 0 ever the input does not observe the type τ, the MiniML Σ ::= ε | Σ, E : τ → τ program errors (wr) and subsequently terminates. Besides basic values, the attacker can also share its low- during each of these operations the expected type is always level functions with a MiniML program by sharing a function inferred at run-time to ensure that the operations happen pointer p. This function pointer is syntactically embedded in a type safe manner. 0 into a MiniML program as a term: τ→τ Fp, where the type τ → τ 0 is included with the pointer to enable the FFI to Full abstraction. To obtain a secure CESK machine for type check the use of this attacker function at run-time. MiniML, we must formally prove that this FFI preserves the contextual equivalences of MiniML. To do so we first define The attacker cannot share its locations with the MiniML a notion of weak bisimulation over the LTS. In contrast to program. Reading and writing to unprotected memory cre- strong bisimulations, such a bisimulation does not take into ates many challenges to contextual equivalence [13] and is account the silent transitions of the LTS, only the actions ∗ thus avoided in our design of the secure CESK machine. In- α. Define the transition relation S ==α⇒ S0 as S −−→τ −−→α S0 ∗ stead, the attacker is given the ability to request the creation where −−→τ is the reflexive transitive closure of the silent e τ of a MiniML location through an entry point palloc. The at- transitions −−→. tacker is only able to write a value to such a shared MiniML e location through the entry point pset, which ensures that Definition 2. B is a bisimulation iff S1 B S2 implies: this occurs in a type safe manner. α 0 0 α 0 0 0 1. If S1 ==⇒ S1, ∃S2. S2 ==⇒ S2 and S1 B S2. α 0 0 α 0 0 0 Transitions. The most relevant transitions are as follows. 2. If S2 ==⇒ S2, ∃S1. S1 ==⇒ S1 and S1 B S2. τ 0 0 hΣ ◦ t : τ, µ, N, pi −−→ hΣ ◦ t : τ,µ , N, pi (Silent) √ We denote bisimilarity, the largest bisimulation, as ≈. hΣ ¡ wr : τ, µ, N, pr : pi −−→ hε, ∅, ?, ∅i (Wr-I) To reason about the security properties of the FFI we must e call p (pr )? first define a compilation scheme that places a MiniML term hΣ ◦ t : τ, ∅, ?, ∅i −−−−−−−−−−→start (A-Start) t into a state S of the FFI. hΣ ◦ t : τ, ∅, ?, pr : ∅i FFI def ret pr (w)! t = hε ◦ t : τ, ∅, ?, ∅i hΣ £ w : τ, µ, N, pr : pi −−−−−−−−→ hΣ, µ, N, pi (M-Ret) J K ret pe (w)? h(Σ, E : τ → τ 0), µ, N, pi −−−−−−−−−→retb (A-Ret) where τ it the type of t. We now state that this secure FFI preserves the contextual equivalences of MiniML as follows. h(Σ, E : τ → τ 0 ¡ w : τ), µ, N, pi e call pderef(wn,pr )? hΣ, µ, N, pi −−−−−−−−−−−−−→ hΣ ◦ !li : τ, µ, N, pr : pi Proposition 2 (Full Abstraction). FFI FFI where N(wn) = (li, Ref τ)(A-Deref) t1 ≈ t2 ⇐⇒ t1 ' t2 e J K J K call pappl(wn,w,pr )? hΣ, µ, N, pi −−−−−−−−−−−−−−→ (A-Apply) The proof proceeds by relating the bisimilarity ≈ to a con- h(Σ, (t [·]): τ → τ 0 ¡ w : τ), µ, N, p : pi gruent bisimilarity over MiniML, a bisimilarity that coin- r cides with the contextual equivalences of MiniML. 0 where N(wn) = (t,τ → τ ) e A complete formalisation of the FFI and the proof of full call p (wn,w,pr )? hΣ, µ, N, pi −−−−−−−−−−−−−−→set (A-Set) abstraction is listed in the associated tech report [9].

h(Σ, (li :=[ ·]): τ → Unit ¡ w : τ), µ, N, pr : pi 3.2 Step 2: Deriving the CESK Machine where N(wn) = (li, Ref τ) We now derive a secure CESK machine, from the LTS rep- Transitions within the MiniML program are labelled as silent resentation of the FFI, by applying an adapted version of through the label τ (Silent). Errors, either by faulty calls or Biernacka et al.’s syntactic correspondence between context- type inappropriate input by√ the attacker (Wr-I) are followed sensitive calculi and abstract machines [2]. This correspon- by immediate termination . To start the computation of dence consists of four transformations that modify state and the MiniML program, the low-level attacker calls the entry e reduction rules in a way that preserves the contextual equiv- point pstart passing as its only argument pr the address at alences of MiniML. Throughout this section the result of which it expects the result returned (A-Start). Once the each transformation is annotated with a superscript that in- MiniML program has computed a value and marshalled it dicates to which transformation it belongs. to a byte word representation (w) control will revert to that address pr (M-Ret). The low-level attacker, as mentioned For each transformation T we prove that the contextual earlier, cannot jump to an address of the protected memory equivalences of MiniML are preserved in two steps. We first T outside of the entry points, and must thus return the values develop a bisimilarity ≈ (Definition2) over the modified it computes through the return entry point pe (A-Ret). LTS. In a second step we use that bisimilarity to prove that retb T e there exist a compilation scheme: · that compiles the The low-level attacker calls a separate entry point p for current state S into the derived machineJ K state ST , in a man- each type of operation on MiniML terms. These entry points ner that preserves the contextual equivalences of MiniML. take as an argument a byte word representation of the names This is proven by relating the newly derived bisimilarity ≈T that model reference objects (wn) as well as byte words that to the previously derived bisimilarity ≈ over the FFI. represents the arguments. The example operations listed above, handle function calls (A-Apply) and the setting and Proposition 3 (Preservation). T T T dereferencing of shared location (A-Set,A-Deref). Note that S1 ≈ S2 ⇐⇒ S1 ≈ S2 J K J K Each step of the syntactic correspondence was implemented new LTSC (S C ,L,−−→L C ). The new state SC is a quintuple in Ocaml1 and tested using MiniML programs. In what fol- hcl, µ, k, N, pi where the control terms are now closures cl lows, we provide a short overview of the transformations as as in the λρˆ-calculus [2]: well as proof sketches for Proposition3. A full formalisation cl ::= c[e] | cl cl | if cl cl cl | ... of each of the derived LTSs and as well as the result CESK 1 2 1 2 3 machine can be found in the accompanying tech report [9]. where e is a map of substitutions: e ::= ? | e·(cl/x). 1. Context Sensitive Reduction. Note that in this closure calculus a λ-term is simply a term, but its closure is a value. Note also that the explicit contin- In this step explicit continuation contexts are derived to sep- uations K now also use closures cl instead of controls c. arate reduction contexts from the term being executed. To L C L K that end, the LTS obtained in Section 3.1 is transformed The new transition rules −−→ differ from −−→ in that L their control element is a closure. This requires rules that into a new LTSK defined as a triple (SK , L,−−→K ). The propagate the map of substitutions e across sub-terms, such new state SK is a quintuple hc, µ, k, N, pi where c is a control as, for example, in the following transition rule (Prop-IF) and k the context. A control c is either a MiniML term t, a where e is propagated across the sub-terms of the term if. low-level word w (when marshalling) or a stop state. τ h(if t1 t2 t3)[e], µ, k, N, pi −−→ (Prop-IF)

c ::= t | w | sp. h(if t1[e] t2[e] t3[e]), µ, k, N, pi Having closures as controls of the transition system also re- This stop state sp is needed to indicate that the LTS is quires us to update the reduction rules that use substitution. halted, waiting on input from the attacker. The contexts k Function application, for example, is updated to make use of the new machine state are derived by ﬁrst transforming of the map of substitutions by splitting it into two new rules MiniML’s evaluation contexts E (Section 2.1) into explicit M-B and M-V. These rules respectively add a new substitu- continuations contexts K, as follows. tion to the map when performing an application and fetch K ::= [·] | K[[·] c] | K[v [·]] | ... a substitution from that same map when reducing a stan- dalone variable. Next the annotated evaluation stack Σ is converted into an 0 τ outer continuation that captures the 4 diﬀerent states of h((λx : τ.c)[e] v[e ]), µ, k, N, pi −−→ (M-B) MiniML within the FFI (Section 3.1). hc[e · (v[e0]/x)], µ, k, N, pi k ::=[ ·] | k[K : τ → τ 0] | k[ ◦ K : τ] | k[ ¡ K : τ] | k[ £ K : τ] hx[...(cl/x)...], µ, k, N, pi −−→hτ cl, µ, k, N, pi (M-V)

L L Where x[...(cl/x)...], matches the first instance of x within The new transition rules −−→K differ from −−→ in that they the substitution map e. include explicit transitions to plug and construct the continuation contexts K. The following rule M-R1, for example, Proof Sketch of Proposition3. Using explicit substitu- enforces the left to right evaluation order of MiniML by se- tions does not interfere with the contextual equivalences of lecting the left term c1 as the control and converting the to MiniML, as this internal implementation detail is never ob- be evaluated right term c2 into a new continuation. served by the low-level attacker. Given a bisimilarity ≈C C C h(c c ), k[ ◦ K : τ], µ, N, pi −−→τ (M-R1) over LTS , the compilation scheme · : 1 2 J K C hc1, k[ ◦ K[[·] c2]: τ], µ, N, pi hc, µ, k, N, pi = hc[?], µ, k, N, pi J K K K C K compiles states S that are bisimilar in ≈ into states S Proof Sketch of Proposition3 Given a bisimilarity ≈ C K K that are bisimilar in ≈ as the additional transitions of over LTS , the following compilation scheme · : C τ J K LTS are silent transitions −−→ that are ignored by the weak hΣ ◦ t : τ, µ, N, pi K = ht, k E [ ◦ [·]: τ], µ, N, pi bisimulations. J K J K hΣ ¡ m : τ, µ, N, pi K = hm, k E [ ¡ [·]: τ], µ, N, pi 3. Refocusing and Transition Compression. The J K J K previous two transformations introduced various additional hΣ £ m : τ, µ, N, pi K = hm, k E [ £ [·]: τ], µ, N, pi J K J K reduction steps into the semantics of the original LTS. In hΣ, µ, N, pi K = hsp, k E [ £ [·]: τ], µ, N, pi this third step, the previously derived LTSC is transformed J K J K R C L R L R Σ, E : τ, p E = Σ E [K : τ] | ε E =[ ·] into a new LTS (S ,L,−−→ ), where the new rules −−→ J K J K J K L C where K explicitates E are a refocused and compressed version of −−→ by following the methodology of Biernacka [2]. For example, M-B compiles states S that are bisimilar in ≈ into states SK that introduced in the previous transformation is optimized into are bisimilar in ≈K as the new transitions of LTSK are silent the following: transitions that are ignored by our weak bisimulations. 0 0 τ hv[e], µ, k[ ◦ K[(λx : τ .c)[e ][ ·]]: τ], N, pi −−→ (M-B-O) 2. Closure Conversion. In this second transformation hc[e0 · (v[e]/x)], µ, k[ ◦ K : τ], N, pi the λ-terms of MiniML are converted into closures. As a result, the previously derived LTSK is transformed into a whereas the previous rule required the value to be plugged into the context before a reduction step could take place, 1https://github.com/sylvarant/secure-abstract-machine this rule applies directly the value of k. Proof Sketch of Proposition3. Given a bisimilarity ≈R Protected Memory over LTSR, the identity relation compiles states SC that are bisimilar in ≈C into states R that are bisimilar in ≈R as S EntryPoints: only the silent transitions of LTSR differ from those of LTSC , interact ◦ start the states remain unchanged in this transformation. ◦ deref R ◦ ...... r/x 4. Unfolding Closures. The previously derived LTS Low-Level L M Code: is transformed into a CESK machine (M,L,−−→ ) where the Attacker state M is a quintuple hc, e, k, N, pi. The control c and sub- ◦ CESK transitions r/w stitution map e are obtained by unfolding the closures cl of Data: LTSR. Note that closures remain the values used to encode ◦ CESK state λ-terms: the application of closures cannot be unfolded. The ◦ Stack & Heap R new transition rules −−→L M are identical to −−→L except for the cosmetically different states they relate. Figure 1: The CESK machine resides within the protected memory. The low-level attacker can only in- M Proof Sketch of Proposition3. Given a bisimilarity ≈ teract with the program running on the machine over the CESK machine (The CESK machine is also an LTS), through the entry points. the following compilation scheme · M : J K hc[e], µ, k, N, pi M = hc, e, µ, k, N, pi J K PMA [15]. Fides implements PMA through use of a hyper- compiles states SR that are bisimilar in ≈R into states M that visor that runs two virtual machines: one that handles the are bisimilar in ≈M as the transitions are unmodified. secure memory module and one handles the outside memory. One consequence of this architecture is that, as the 3.3 Validation low-level context interacts with the abstract machine, the Fides hypervisor will be forced to switch between the two Once combined, the formal properties of each of two steps virtual machines for each call and callback between the con- of the methodology form a chain of bi-implications, simi- text and the module, producing a lot of overhead. Note lar to ones found in work on verifying multi-transformation that the new Intel SGX instruction set, which will provide compilers [12], as follows. this PMA technology in commercially available processors is likely to substantially reduce this overhead [11]. MiniML: t1 ' t2 ~ As illustrated in Figure1, the CESK is compiled into the w (P.2) protected memory of the PMA mechanism. The machine FFI FFI MiniML + FFI : t1 ≈ t2 state as well as the run-time stack and heap are placed in J K ~ J K w(P.3) the protected data section, restricting the access to them to the transition rules of the CESK that reside in the protected FFI CESK M FFI CESK CESK: t1 ≈ t2 code section. As explained in Section 3.1, access to these JJ K K JJ K K transition rules is provided to the attacker by means of entry where P. is short for Proposition and where · CESK combines points that enable the attacker to interact with the program the compilation schemes of Section 3.2 as follows.J K running on the CESK in a controlled and secure manner. Note that in our current implementation the MiniML pro- · CESK = · K C M J K JJJ K K K gram to be executed is loaded into the protected memory This chain highlights the preservation and reflection of con- module at compile time. A possible extension to this work textual equivalence in the source language MiniML down to is thus to extend the implemented CESK with the secure au- its CESK implementation by means of bisimulations. thentication capabilities of Fides to enable trusted third par- ties to upload MiniML programs to the CESK machine. This chain of propagation through bisimulations may however, seem less efficient than a direct full abstraction result To get an indication of the performance overhead of our se- between MiniML and the derived CESK. However, the CESK cure implementation, we have benchmarked the overhead is merely the final product of a series of systematic transfor- produced by our implementation for three scenarios. In the mations that are applied to an LTS that models a FFI for first scenario (Application) the low-level attacker applies a MiniML. Because, as detailed in Section 3.2, these trans- secure MiniML function to a boolean value. In the sec- formations affect only the internal reductions of the original ond scenario (Callback) the attacker applies a higher-order LTS, these bisimilarity relations are not only obtained easily secure function to an attacker function, triggering a call- but also obviously coincide with the original bisimilarity ≈. back. In the third scenario (Read) the attacker dereferences a shared location. 4. IMPLEMENTATION CESK CESK + PMA The derived CESK machine has been implemented in C (available online2) and deployed to the Fides implementation of Application 0.28µs 16.71 µs Callback 0.33µs 40.92µs 2https://github.com/sylvarant/secure-abstract-machine Read 0.24µs 16.88 µs The tests were performed on a Dell Latitude with a 2.67 GHz References Intel Core i5 and 4GB of DDR3 RAM. All scenario’s incur [1] M. S. Ager, D. Biernacki, O. Danvy, and J. Midtgaard. high overheads due to the Fides hypervisor switching be- A functional correspondence between evaluators and tween VMs everytime the system transitions between secure abstract machines. In PPDP ’03, pages 8–19. ACM. and insecure memory. The Callback scenario incurs especially high overheads due to it requiring multiple transitions [2] M. Biernacka and O. Danvy. A syntactic correspon- between the secure and insecure memory. dence between context-sensitive calculi and abstract machines. Theor. Comput. Sci., 375(1):76–108, 2007. [3] O. Danvy and J. Johannsen. Inter-deriving semantic artifacts for object-oriented programming. Journal of 5. RELATED WORK Computer and System Sciences, 76(5):302 – 323, 2010. Our methodology as detailed in Section3 improves upon [4] M. Felleisen. The Calculi of Lambda-nu-cs Conversion: the interoperation semantics of Larmuseau et al. [8] to in- A Syntactic Theory of Control and State in Imperative troduce a foreign function interface between the low-level at- Higher-order Programming Languages. PhD thesis, In- tacker and MiniML. There exist multiple alternative foreign diana University, 1987. function interface designs: Matthews’ and Findler’s multi- language semantics [10] enables two languages to interop- [5] C. Fournet, N. Swamy, J. Chen, P.-E. Dagand, P.-Y. erate through direct syntactic embedding and Zdancewic et Strub, and B. Livshits. Fully abstract compilation to al.’s multi-agent calculus that treats the different modules javascript. In POPL, pages 371–384, 2013. or calculi that make up a program as different principals, [6] A. Jeffrey and J. Rathke. Towards a theory of bisimula- each with a different view of the environment [17]. These tion for local names. Computer Science Report 02-2000, alternative interoperation techniques, however, rely on type University of Sussex, 2000. checking to enforce security properties which does not de- fend against the presented low-level attacker model. [7] P. Jones and S. L. Implementing lazy functional languages on stock hardware: The spineless tag- Step 2 of our methodology (Section 3.2) uses the syntactic less g-machine. Journal of Functional Programming, correspondence of Biernacka and Danvy [2] between Curien’s 2(2):127–202, April 1992. λp-cal-culus and CESK machines. Other syntactic correspondences have focused on calculi with lazy evaluation and cal- [8] A. Larmuseau and D. Clarke. Formalizing a secure for- culi with objects [3] and targeted other abstract machine eign function interface. In SEFM 2015, LNCS, pages types such as the Spineless Tagless G-machine [14]. An al- 215–230. Springer. ternative approach to syntactic correspondence could be to [9] A. Larmuseau, M. Patrignani, and D. Clarke. Imple- adapt Ager et al.’s functional correspondence [1] between menting a secure abstract machine – extended version. evaluators and abstract machines. Technical Report 2015-034, Uppsala IT. Our notions of bisimularity over the derived LTS’s and CESK [10] J. Matthews and R. B. Findler. Operational semantics machine are based on the bisimulations for the νref-calculus for multi-language programs. TOPLAS, 31(3), 2009. by Jeffrey and Rathke [6]. The proof of full abstraction for the introduced FFI is inspired by the full abstraction proof [11] F. McKeen, I. Alexandrovich, A. Berenzon, C. V. used for Fournet et al.’s secure compiler to Javascript [5]. Rozas, H. Shafi, V. Shanbhogue, and U. R. Sava- gaonkar. Innovative instructions and software model for isolated execution. In HASP ’13. ACM, 2013. [12] G. Morrisett, D. Walker, K. Crary, and N. Glew. From 6. CONCLUSIONS AND FUTURE WORK System F to Typed Assembly Language. TOPLAS, This paper presented the implementation of a secure CESK 21(3), 1999. machine for MiniML. The CESK machine is made secure by [13] M. Patrignani and D. Clarke. Fully Abstract Trace applying a low-level memory isolation mechanism (PMA) Semantics of Low-level Isolation Mechanisms. In SAC and by following a methodology that: first extends Lar- ’14, pages 1562–1569. ACM, 2014. museau et al.’s secure FFI with a realistic low-level attacker and subsequently applies Biernacka et al.’s syntactic corre- [14] M. Pirog and D. Biernacki. A systematic derivation of spondence. A concatenation of formal properties for each the stg machine verified in coq. In Haskell ’10, pages step of the methodology ensures that the result is secure. 25–36. ACM, 2010. There are different directions for future work. One is to [15] R. Strackx and F. Piessens. Fides: Selectively hard- investigate different abstract machine implementations and ening software application components against kernel- what changes (if any) must be done to the methodology level or process-level malware. In CCS, 2012. to scale to them. Another direction is the integration of a [16] G. Tan, S. Chakradhar, R. Srivaths, and R. D. Wang. secure abstract machine with runtime aspects of advanced Safe Java native interface. In ESSoS, 2006. programming languages such as, for example, garbage collection. Two challenges arise in this setting: implementing [17] S. Zdancewic, D. Grossman, and G. Morrisett. Princi- secure garbage collection and proving that it does not intro- pals in programming languages: a syntactic proof tech- duce security leaks. nique. In ICFP ’99. ACM, 1999.