Programming Languages and Systems (ESOP 2020), LNCS 12075:1–28. Published online 2020 Apr 18. doi: 10.1007/978-3-030-44914-8_1

Trace-Relating Compiler Correctness and Secure Compilation

Carmine Abate, Roberto Blanco, Ștefan Ciobâcă, Adrien Durier, Deepak Garg, Cătălin Hrițcu, Marco Patrignani, Éric Tanter, Jérémy Thibault
Editor: Peter Müller
PMCID: PMC7702255

Abstract

Compiler correctness is, in its simplest form, defined as the inclusion of the set of traces of the compiled program into the set of traces of the original program, which is equivalent to the preservation of all trace properties. Here traces collect, for instance, the externally observable events of each execution. This definition requires, however, the set of traces of the source and target languages to be exactly the same, which is not the case when the languages are far apart or when observations are fine-grained. To overcome this issue, we study a generalized compiler correctness definition, which uses source and target traces drawn from potentially different sets and connected by an arbitrary relation. We set out to understand what guarantees this generalized compiler correctness definition gives us when instantiated with a non-trivial relation on traces. When this trace relation is not equality, it is no longer possible to preserve the trace properties of the source program unchanged. Instead, we provide a generic characterization of the target trace property ensured by correctly compiling a program that satisfies a given source property, and dually, of the source trace property one is required to show in order to obtain a certain target property for the compiled code. We show that this view on compiler correctness can naturally account for undefined behavior, resource exhaustion, different source and target values, side-channels, and various abstraction mismatches. Finally, we show that the same generalization also applies to many secure compilation definitions, which characterize the protection of a compiled program against linked adversarial code.
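The definitions the abstract describes, as an added example that is not code from the paper: a finite Python model in which traces are tuples of event strings, source traces may end in an undefined-behaviour marker, target traces may end in a resource-exhaustion marker, and the two are connected by a relation `related` that plays the role of the paper's trace relation. Trace-relating correctness (`correct`), the target property guaranteed for a source property (`tau_tilde`), the source property required for a target property (`sigma_tilde`), and the Galois connection between the two are then checked on bounded-length trace universes. The event names, the markers, the bounded universes and the relation itself are assumptions constructed for this example.

```python
"""Finite model of trace-relating compiler correctness.

Added example, not code from the paper: traces are tuples of event strings,
and the source/target trace universes are bounded in length so that the
quantifiers in the definitions are decidable.  The event names, the UB and
resource-limit markers and the relation `related` are assumptions made here.
"""
from itertools import product

EVENTS = ("out:1", "out:2")     # constructed observable events
UB = "goes_wrong"               # source-only: the source program hit undefined behaviour
OOM = "resource_limit"          # target-only: the compiled program exhausted a resource


def all_traces(alphabet, max_len):
    """Every trace over `alphabet` of length at most `max_len`."""
    return {t for n in range(max_len + 1) for t in product(alphabet, repeat=n)}


# Source traces may end in UB; target traces may end in OOM.  The target
# universe is one event longer so every UB prefix can be extended inside it.
SOURCES = all_traces(EVENTS, 2) | {s + (UB,) for s in all_traces(EVENTS, 2)}
TARGETS = all_traces(EVENTS, 3) | {t + (OOM,) for t in all_traces(EVENTS, 3)}


def related(s, t):
    """The trace relation s ~ t used by this example (an assumption).

    * equal traces are related;
    * a source trace ending in UB is related to every target trace that
      extends the events before the UB (after UB the compiler may do anything);
    * a target trace ending in OOM is related to every source trace of which
      the events before the OOM are a prefix (the target may stop early).
    """
    if s == t:
        return True
    ub_ok = bool(s) and s[-1] == UB and t[:len(s) - 1] == s[:-1]
    oom_ok = bool(t) and t[-1] == OOM and s[:len(t) - 1] == t[:-1]
    return ub_ok or oom_ok


def correct(source_traces, target_traces):
    """Trace-relating compiler correctness for one program: every trace of the
    compiled program is related to some trace of the source program.  With
    `related` replaced by equality this is ordinary trace inclusion."""
    return all(any(related(s, t) for s in source_traces) for t in target_traces)


def tau_tilde(source_prop):
    """Target property guaranteed by correctly compiling any program that
    satisfies `source_prop`: the targets related to some trace of the property."""
    return {t for t in TARGETS if any(related(s, t) for s in source_prop)}


def sigma_tilde(target_prop):
    """Source property one must prove to obtain `target_prop` after correct
    compilation: the sources all of whose related targets lie in the property."""
    return {s for s in SOURCES if all(t in target_prop for t in TARGETS if related(s, t))}


def never(event):
    """Target safety property: `event` is never emitted."""
    return {t for t in TARGETS if event not in t}


def galois_connection_holds():
    """tau_tilde(pi) ⊆ pi_T  iff  pi ⊆ sigma_tilde(pi_T), checked for every
    singleton source property and every `never(e)` target property."""
    for s in SOURCES:
        for e in EVENTS:
            pi, pi_t = {s}, never(e)
            if (tau_tilde(pi) <= pi_t) != (pi <= sigma_tilde(pi_t)):
                return False
    return True


if __name__ == "__main__":
    src = {("out:1", "out:2")}
    print("faithful target:", correct(src, {("out:1", "out:2")}))            # True
    print("target that runs out of memory:", correct(src, {("out:1", OOM)}))  # True
    print("target that drops an output:", correct(src, {("out:2",)}))         # False
    print("source with UB, target emits extra outputs:",
          correct({("out:1", UB)}, {("out:1", "out:2", "out:2")}))           # True
    print("tau_tilde:", sorted(tau_tilde(src)))
    print("sigma_tilde(never out:2):", sorted(sigma_tilde(never("out:2"))))
    print("Galois connection:", galois_connection_holds())
```

Two things the run makes concrete. First, a source program that emits `out:1` then `out:2` is correctly compiled to a target that emits `out:1` and then hits the resource limit, so "the source property holds" only yields the weaker target property `tau_tilde` computes (the original trace plus its resource-exhausted prefixes), not the source property itself. Second, `sigma_tilde(never("out:2"))` contains no source trace that ends in undefined behaviour: because the relation lets the compiler do anything after UB, the only way to guarantee that the compiled code never emits `out:2` is to prove that the source neither emits it nor goes wrong.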

Articles from Programming Languages and Systems are provided here courtesy of Nature Publishing Group