ABSTRACT
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in them are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proof-carrying authorization. Other languages do include explicit proofs, but these are generally lambda calculi that are not intended for source programming and must be further compiled to an executable form. A language suitable for source programming, backed by a compiler that enables end-to-end verification, is missing.
In this paper, we present a type-preserving compiler that translates programs written in FINE, a source-level functional language with dependent refinements and affine types, to DCIL, a new extension of the .NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCF-style proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proof-carrying authorization, and evidence-based auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a plugin-based email client to a conference management server.
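As an added illustration of why carrying explicit LCF-style proof terms removes the solver from the trusted computing base (this is example code, not the paper's or FINE/DCIL's own implementation): an untrusted prover, standing in for the SMT solver, emits a proof term, and a small kernel replays it, accepting only what follows from its inference rules. The propositional formulas, the three rules and the Admin(u)/CanRead(u,f) obligation are constructed for this example.

```rust
// Added example: a miniature LCF-style proof checker. Only the `kernel`
// module can build a `Thm`, so the checker, not the prover, is trusted.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Formula { Atom(String), Imp(Box<Formula>, Box<Formula>) }
pub mod kernel {
    use super::Formula;
    use std::collections::BTreeSet;
    // Private fields: outside this module a Thm can only come from a rule below.
    #[derive(Clone, Debug, PartialEq, Eq)]
    pub struct Thm { hyps: BTreeSet<Formula>, concl: Formula }
    impl Thm {
        pub fn hyps(&self) -> &BTreeSet<Formula> { &self.hyps }
        pub fn concl(&self) -> &Formula { &self.concl }
    }
    /// Rule ASSUME:  p |- p
    pub fn assume(p: Formula) -> Thm { Thm { hyps: BTreeSet::from([p.clone()]), concl: p } }
    /// Rule MP:  G1 |- p -> q,  G2 |- p   ==>   G1 u G2 |- q
    pub fn mp(f: &Thm, ant: &Thm) -> Option<Thm> {
        match &f.concl {
            Formula::Imp(p, q) if **p == ant.concl => Some(Thm {
                hyps: f.hyps.union(&ant.hyps).cloned().collect(),
                concl: (**q).clone(),
            }),
            _ => None, // antecedent mismatch: the prover's claim is rejected
        }
    }
    /// Rule DISCHARGE:  G |- q   ==>   G \ {p} |- p -> q
    pub fn discharge(p: Formula, th: &Thm) -> Thm {
        let mut hyps = th.hyps.clone();
        hyps.remove(&p);
        Thm { hyps, concl: Formula::Imp(Box::new(p), Box::new(th.concl.clone())) }
    }
}
/// Proof terms handed over by the untrusted prover (constructed syntax).
pub enum Proof { Assume(Formula), Mp(Box<Proof>, Box<Proof>), Discharge(Formula, Box<Proof>) }
/// Replay a proof term through the kernel; None means it is not a valid proof.
pub fn check(pf: &Proof) -> Option<kernel::Thm> {
    match pf {
        Proof::Assume(p) => Some(kernel::assume(p.clone())),
        Proof::Mp(f, a) => kernel::mp(&check(f)?, &check(a)?),
        Proof::Discharge(p, t) => Some(kernel::discharge(p.clone(), &check(t)?)),
    }
}
pub fn atom(s: &str) -> Formula { Formula::Atom(s.to_string()) }
pub fn imp(p: Formula, q: Formula) -> Formula { Formula::Imp(Box::new(p), Box::new(q)) }
/// Constructed obligation: Admin(u) and Admin(u) -> CanRead(u,f) give CanRead(u,f).
pub fn admin_proof() -> Proof {
    let rule = Proof::Assume(imp(atom("Admin(u)"), atom("CanRead(u,f)")));
    Proof::Mp(Box::new(rule), Box::new(Proof::Assume(atom("Admin(u)"))))
}
```

The kernel is the only code that needs auditing: a proof term built by any prover, correct or buggy, is either replayed into a `Thm` under these rules or rejected.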