Verified Secure Compilation for Mixed-Sensitivity Concurrent Programs
arXiv - CS - Programming Languages Pub Date : 2020-10-27 , DOI: arxiv-2010.14032 Robert Sison (1 and 2 and 3), Toby Murray (1) ((1) University of Melbourne, (2) CSIRO's Data61, (3) UNSW Sydney)
Proving only over source code that programs do not leak sensitive data leaves a gap between reasoning and reality that can only be filled by accounting for the behaviour of the compiler. Furthermore, software does not always have the luxury of limiting itself to single-threaded computation with resources statically dedicated to each user to ensure the confidentiality of their data. This results in mixed-sensitivity concurrent programs, which might reuse memory shared between their threads to hold data of different sensitivity levels at different times; for such programs, a compiler must preserve the value-dependent coordination of such mixed-sensitivity reuse despite the impact of concurrency.

Here we demonstrate, using Isabelle/HOL, that it is feasible to verify that a compiler preserves noninterference, the strictest kind of confidentiality property, for mixed-sensitivity concurrent programs. First, we present notions of refinement that preserve a concurrent value-dependent notion of noninterference that we have designed to support such programs. As proving noninterference-preserving refinement can be considerably more complex than the standard refinements typically used to verify semantics-preserving compilation, our notions include a decomposition principle that separates the semantics-preservation from the security-preservation concerns. Second, we demonstrate that these refinement notions are applicable to verified secure compilation, by exercising them on a single-pass compiler for mixed-sensitivity concurrent programs that synchronise using mutex locks, from a generic imperative language to a generic RISC-style assembly language. Finally, we execute our compiler on a nontrivial mixed-sensitivity concurrent program modelling a real-world use case, thus preserving its source-level noninterference properties down to an assembly-level model automatically. (See paper for complete abstract.)
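As an added illustration (not part of the paper, its Isabelle/HOL development, or its compiler), the following Python models the kind of program the abstract describes: two threads share a buffer whose sensitivity at any moment is given by a control variable, and they coordinate through a mutex. It checks value-dependent noninterference in the two-run style, by enumerating every interleaving and comparing the set of reachable low-observable views across secrets that share the same public input. The memory model, the scheduler, the three thread-program variants and the sample inputs are all constructed for this example, and the check is over the source-level model only; it says nothing about what a compiler does to such a program, which is the gap the paper addresses.

```python
"""Exhaustive two-run check of value-dependent noninterference for a tiny
mixed-sensitivity concurrent program.

Added illustration only: nothing here is the paper's Isabelle/HOL
development or its compiler. The memory model, scheduler, thread
programs and sample inputs are hypothetical and deliberately minimal.
"""

LOW_INPUTS = (3, 5)    # constructed public inputs
SECRETS = (11, 42)     # constructed secret inputs


def initial_state(low, secret):
    """Shared memory plus inputs. `buf` is reused for data of different
    sensitivity; the control variable `buf_secret` says which (1 = secret).
    `r1` stands in for a consumer-private register."""
    return {"buf": 0, "buf_secret": 0, "lock": None, "out": (), "r1": None,
            "low": low, "secret": secret}


# A thread is a list of atomic steps: ("acquire", tid), ("release", tid)
# or ("op", fn) where fn mutates the memory dict in place.
def acquire(tid):
    return ("acquire", tid)


def release(tid):
    return ("release", tid)


def store(key, fn):
    """Atomic step that writes fn(memory) into memory[key]."""
    return ("op", lambda m: m.__setitem__(key, fn(m)))


def producer(scrub_before_declassify):
    """Thread 0: borrows `buf` for secret work, then hands it back as public."""
    steps = [acquire(0),
             store("buf_secret", lambda m: 1),
             store("buf", lambda m: m["secret"]),
             store("buf", lambda m: (m["buf"] * 7) % 101)]   # some secret "work"
    if scrub_before_declassify:
        steps.append(store("buf", lambda m: 0))            # clear before lowering the label
    steps += [store("buf_secret", lambda m: 0), release(0)]
    return steps


def consumer(use_lock):
    """Thread 1: publishes buf + low, but only if the flag says buf is public.
    The flag check and the read are separate steps, as they would be in assembly."""
    body = [store("r1", lambda m: m["buf_secret"] == 0),
            store("out", lambda m: m["out"] + ((m["buf"] + m["low"],) if m["r1"] else ()))]
    return [acquire(1)] + body + [release(1)] if use_lock else body


def low_view(mem):
    """What a public observer sees at the end: the outputs, the flag, and
    `buf` only while the flag classifies it as public (value-dependent)."""
    return (mem["out"], mem["buf_secret"],
            mem["buf"] if mem["buf_secret"] == 0 else "<hidden>")


def explore(threads, mem, pcs=None):
    """Enumerate every interleaving; return the set of reachable low views.
    A state where every remaining thread is blocked on the lock (deadlock)
    contributes no view."""
    if pcs is None:
        pcs = [0] * len(threads)
    runnable = [t for t in range(len(threads)) if pcs[t] < len(threads[t])]
    if not runnable:
        return {low_view(mem)}
    views = set()
    for t in runnable:
        kind, arg = threads[t][pcs[t]]
        if kind == "acquire" and mem["lock"] is not None:
            continue                                  # blocked on the mutex
        nxt = dict(mem)                               # values are immutable; shallow copy suffices
        if kind == "acquire":
            nxt["lock"] = arg
        elif kind == "release":
            nxt["lock"] = None
        else:
            arg(nxt)
        views |= explore(threads, nxt, pcs[:t] + [pcs[t] + 1] + pcs[t + 1:])
    return views


def noninterferent(threads):
    """Two-run check: for each public input, the reachable low views must be
    the same whatever the secret is."""
    for low in LOW_INPUTS:
        per_secret = [explore(threads, initial_state(low, s)) for s in SECRETS]
        if any(v != per_secret[0] for v in per_secret[1:]):
            return False
    return True


SECURE = [producer(True), consumer(True)]
NO_SCRUB = [producer(False), consumer(True)]     # stale secret declassified in place
RACY_READER = [producer(True), consumer(False)]  # check-then-read without the lock

if __name__ == "__main__":
    for name, prog in (("secure", SECURE), ("no_scrub", NO_SCRUB), ("racy_reader", RACY_READER)):
        print(f"{name:12s} noninterferent={noninterferent(prog)}")
```

Running `noninterferent` on the three variants shows the scrubbed, locked version passing, while both the unscrubbed producer (a stale secret is declassified in place, so it ends up in the public output and in the now-public buffer) and the unlocked consumer (its flag check and its read can be separated by the producer's writes) fail. The second failure is exactly the value-dependent coordination that the mutex exists to protect, and it is also the kind of ordering that a lowering to assembly could disturb, which is why the paper asks the compiler to preserve it rather than only the sequential semantics.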
Updated: 2020-10-28