research-article

Type-preserving compilation of end-to-end verification of security enforcement

Authors:
Juan Chen

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Ravi Chugh

University of California, San Diego, La Jolla, CA, USA

University of California, San Diego, La Jolla, CA, USA
View Profile

,
Nikhil Swamy

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

PLDI '10: Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and ImplementationJune 2010Pages 412–423https://doi.org/10.1145/1806596.1806643

Published:05 June 2010Publication History

PLDI '10: Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 412–423

ABSTRACT

A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proof-carrying authorization. Others languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables end-to-end verification is missing.

In this paper, we present a type-preserving compiler that translates programs written in FINE, a source-level functional language with dependent refinements and affine types, to DCIL, a new extension of the .NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCF-style proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proof-carrying authorization, and evidence-based auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a plugin-based email client to a conference management server.

References

A. W. Appel and E. W. Felten. Proof-carrying authentication. In phCCS. ACM, 1999. Google ScholarDigital Library
K. Avijit, A. Datta, and R. Harper. Distributed programming with distributed authorization. In TLDI. ACM, 2010. Google ScholarDigital Library
G. Barthe, D. Pichardie, and T. Rezk. A certified lightweight non-interference Java bytecode verifier. In phESOP. Springer, 2007. Google ScholarDigital Library
J. Bengtson, K. Bhargavan, C. Fournet, A. D. Gordon, and S. Maffeis. Refinement types for secure implementations. In phCSF. IEEE, 2008. Google ScholarDigital Library
Y. Bertot and P. Castéran. Coq'Art: Interactive Theorem Proving and Program Development. Springer Verlag, 2004. Google ScholarDigital Library
S. Böhme. Proof reconstruction for Z3 in Isabelle/HOL. In SMT Workshop. Springer, 2009.Google Scholar
L. de Moura and N. Bjorner. Z3: An efficient SMT solver. In TACAS. Springer, 2008. Google ScholarDigital Library
D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Specifying and reasoning about dynamic access-control policies. In LNCS. Springer, 2006.Google ScholarDigital Library
ECMA. Standard ECMA-335: Common language infrastructure, 2006.Google Scholar
C. Flanagan. Hybrid type checking. In POPL. ACM, 2006. Google ScholarDigital Library
C. Flanagan, A. Sabry, B. F. Duba, and M. Felleisen. The essence of compiling with continuations. In PLDI. ACM, 1993. Google ScholarDigital Library
C. Flanagan, S. N. Freund, and A. Tomb. Hybrid types, invariants, and refinements for imperative objects. In phFOOL/WOOD '06, 2006.Google Scholar
L. Jia, J. Vaughan, K. Mazurak, J. Zhao, L. Zarko, J. Schorr, and S. Zdancewic. Aura: A programming language for authorization and audit. In ICFP. ACM, 2008. Google ScholarDigital Library
A. Kennedy and D. Syme. Transposing F to C#: Expressivity of polymorphism in an object-oriented language. Concurrency and Computation: Practice and Experience, 16 (7), 2004. Google ScholarDigital Library
S. Krishnamurthi. The Continue server. In PADL. Springer, 2003.Google Scholar
R. Milner. LCF: A way of doing proofs with a machine. In MFCS, 1979.Google ScholarCross Ref
G. Morrisett, D. Walker, K. Crary, and N. Glew. From System F to typed assembly language. ACM TOPLAS, 21 (3), 1999. Google ScholarDigital Library
G. C. Necula. Proof-carrying code. In POPL'97. ACM, 1997. Google ScholarDigital Library
N. Nystrom, V. Saraswat, J. Palsberg, and C. Grothoff. Constrained types for object-oriented languages. In OOPSLA'08. ACM, 2008. Google ScholarDigital Library
A. Sabelfeld and A. C. Myers. Language-based information-flow security. JSAC, 21 (1): 5--19, Jan. 2003. Google ScholarDigital Library
A. Stump, M. Deters, A. Petcher, T. Schiller, and T. Simpson. Verified programming in Guru. In PLPV. ACM, 2008. Google ScholarDigital Library
N. Swamy, B. J. Corcoran, and M. Hicks. Fable: A language for enforcing user--defined security policies. In S&P. IEEE, 2008.Google Scholar
N. Swamy, J. Chen, and R. Chugh. End-to-end verification of security enforcement is fine. Technical Report MSR-TR-2009-98, MSR, 2009.Google Scholar
N. Swamy, J. Chen, and R. Chugh. Enforcing stateful authorization and information flow policies in Fine. In phESOP. Springer, 2010. Google ScholarDigital Library
D. Syme, A. Granicz, and A. Cisternino. Expert F#. Apress, 2007.Google ScholarCross Ref
J. A. Vaughan, L. Jia, K. Mazurak, and S. Zdancewic. Evidence-based audit. In CSF. IEEE, 2008. Google ScholarDigital Library
D. Yu and N. Islam. A typed assembly language for confidentiality. In ESOP. Springer, 2006. Google ScholarDigital Library
L. Zheng and A. C. Myers. Dynamic security labels and noninterference. In FAST'04. Springer, 2004.Google Scholar

Index Terms

Type-preserving compilation of end-to-end verification of security enforcement
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
2. Theory of computation
  1. Formal languages and automata theory

Recommendations

Type-preserving compilation of end-to-end verification of security enforcement
PLDI '10

A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting ...
Read More
A simple separate compilation mechanism for block-structured languages

A very simple and efficient technique for the introduction of separate compilation facilities into compilers for block-structured languages is presented. Using this technique, programs may be compiled in parts while the compile-time checking advantages ...
Read More
Combinators and type-driven transformers in Objective Caml

We describe an implementation of LDTA 2011 Tool Challenge tasks in Objective Caml language. Instead of using some dedicated domain-specific tools we utilize typical functional programming machinery such as polymorphic functions, monads and combinators; ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
PLDI '10: Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2010
514 pages
ISBN:9781450300193
DOI:10.1145/1806596
General Chair:
Ben Zorn
Microsoft Research
,
Program Chair:
Alex Aiken
Stanford University
ACM SIGPLAN Notices Volume 45, Issue 6
PLDI '10
June 2010
496 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1809028
Issue’s Table of Contents
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 5 June 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
authorization
bytecode languages
compilers
dependent types
functional programming
information flow
mobile code security
security type systems
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate406of2,067submissions,20%
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 51
  Total Citations
  View Citations
- 385
  Total Downloads
- Downloads (Last 12 months)5
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Type-preserving compilation of end-to-end verification of security enforcement

PLDI '10: Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation

ABSTRACT

References

Cited By

Index Terms

Recommendations

Type-preserving compilation of end-to-end verification of security enforcement

A simple separate compilation mechanism for block-structured languages

Combinators and type-driven transformers in Objective Caml