Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation
share
Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. We are the first to explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that is generally better tailored for proofs. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We, moreover, order all our secure compilation criteria by their relative strength and show several collapses and several separation results. Finally, we show that two existing proof techniques originally developed for full abstraction can be readily adapted to our new criteria. (CROPPED)
READ FULL TEXT