The Fox and the Hound: Comparing Fully Abstract and Robust Compilation

by Carmine Abate, et al.
University of Pisa

We prove a theorem relating fully abstract compilation (FAC) to robust compilation (preservation of satisfaction of arbitrary hyperproperties under adversarial contexts), showing that the former implies some variant of the latter, thus making the security guarantees of FAC more explicit. We illustrate our results with a simple example.






1 Introduction

High-level programming languages provide abstractions that help programmers write correct and secure code. However, when compiling to a low-level language and linking with adversarial target code, such abstractions may be lost, thus enabling unexpected attacks [durumeric2014matter, dsilva2015correctness].

Secure compilation [patrignani2019formal] devises both principles and proof techniques to ensure that no more attacks are possible on compiled programs than those already possible on source programs. Intuitively, with a secure compiler at hand a programmer can be sure that the guarantees given by the source-level abstractions are preserved after compilation.

Let be a compiler from a source language § to a target . (Footnote 1: to ease reading we highlight in blue, sans-serif the elements of §, in red, bold those of and in black the common ones [patrignani2020why].) A context is a program with a hole that models an active attacker, and is a partial program for which we would like some guarantee after compilation. Historically, the first principle for secure compilation to be proposed was fully abstract compilation () [abadi1999protection]. We say that is whenever it preserves and reflects contextual equivalence, iff for any and

where is an equivalence relation capturing the power of the contexts and may come in different flavors [gorla2016full].

Recently, abate2019journey proposed the family of so-called robust criteria, focusing on the preservation of robust satisfaction of hyperproperties, i.e., their satisfaction under any adversarial context. (Footnote 2: we refer the reader to [abate2019journey] for a full overview of all these criteria.) Let be the set of all traces that can be observed running . A hyperproperty is a set of sets of execution traces [clarkson2010hyperproperties], and satisfies () iff . Among all the robust criteria, in this short paper we consider only [abate2019trace], which requires that if satisfies a source hyperproperty for any , then satisfies its target interpretation for any ; in symbols

A natural question concerns the relation between and . has been successfully used to prove the preservation of interesting hyperproperties, like noninterference [busi2020provably, bowman2015noninterference]. However, does not always imply the preservation of noninterference, nor any of the robust criteria, when source and target languages share the same observables and is the identity [patrignani2017secure, abate2019journey]. In this short paper we briefly describe our preliminary results in clarifying the relation between and in general, and we outline our next steps in investigating the link between and the preservation of noninterference.

2 A preliminary answer: vs

For any comparison to be possible, the relation must somehow involve observable traces. Therefore, we assume the absence of internal nondeterminism for both § and , so that and can be replaced by trace equivalence [engelfriet1985determinacy, abate2019journey]. Hence, iff the sets of traces that can be produced by and in the context coincide, in symbols .

In this setting, we provide the best possible target interpretation of hyperproperties, , such that if satisfies in an arbitrary source context, a compiler ensures that satisfies in an arbitrary target context.

Theorem 1. If is then there exists a map such that is and is minimal with this property.

The proof, the definition of and its minimality can be found in the appendix.
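The definitions above (a hyperproperty as a set of trace sets, satisfaction as membership of the program's trace set, robust satisfaction as satisfaction under every context, and trace equivalence standing in for contextual equivalence once internal nondeterminism is ruled out) can be made concrete on a toy model. The code below is an added example and is not part of the paper; it assumes a constructed model in which a partial program is a deterministic function from a high (secret) and a low (public) input to a low output, a trace records one such run, a context is the attacker's choice of which inputs to run the program on, and the universe of contexts is the finite family of all non-empty input selections over {0,1}. It models neither the compiler nor the map of Theorem 1; it only instantiates satisfaction, robust satisfaction, noninterference as a hyperproperty, and trace equivalence. The program and context names are ours.

```python
from itertools import combinations, product
from typing import Callable, FrozenSet, Optional, Sequence, Tuple

# Constructed toy model (added example, not the paper's formalism): a trace
# records one run as (high input, low input, low output). A partial program
# has no internal nondeterminism, so each input pair yields exactly one trace.
Trace = Tuple[int, int, int]
Behaviour = FrozenSet[Trace]
Program = Callable[[int, int], int]

# A context models the attacker: it decides which (high, low) inputs the
# program is run on and observes the resulting traces.
Context = Tuple[Tuple[int, int], ...]

# A hyperproperty is a set of sets of traces; we represent it by its
# membership predicate over a trace set.
Hyperproperty = Callable[[Behaviour], bool]


def behaviour(ctx: Context, prog: Program) -> Behaviour:
    """Beh(C[P]): every trace the context ctx can observe from prog."""
    return frozenset((h, l, prog(h, l)) for h, l in ctx)


def noninterference(beh: Behaviour) -> bool:
    """NI as a hyperproperty: runs agreeing on the low input agree on the low output."""
    return all(t1[2] == t2[2] for t1 in beh for t2 in beh if t1[1] == t2[1])


def satisfies(ctx: Context, prog: Program, hp: Hyperproperty) -> bool:
    """P satisfies H in context C iff Beh(C[P]) is a member of H."""
    return hp(behaviour(ctx, prog))


def witness_context(prog: Program, hp: Hyperproperty,
                    contexts: Sequence[Context]) -> Optional[Context]:
    """First context in which prog violates hp; None if prog robustly satisfies hp."""
    for ctx in contexts:
        if not satisfies(ctx, prog, hp):
            return ctx
    return None


def robustly_satisfies(prog: Program, hp: Hyperproperty,
                       contexts: Sequence[Context]) -> bool:
    """Robust satisfaction: hp holds for every context in the family."""
    return witness_context(prog, hp, contexts) is None


def distinguishing_context(p1: Program, p2: Program,
                           contexts: Sequence[Context]) -> Optional[Context]:
    """First context whose observations separate p1 from p2; None if trace-equivalent."""
    for ctx in contexts:
        if behaviour(ctx, p1) != behaviour(ctx, p2):
            return ctx
    return None


def trace_equivalent(p1: Program, p2: Program, contexts: Sequence[Context]) -> bool:
    """Trace equivalence: the same trace set in every context (section 2)."""
    return distinguishing_context(p1, p2, contexts) is None


# Constructed sample programs over inputs in {0, 1}.
def safe(h, l): return l + 1                           # ignores the secret
def safe_again(h, l): return 2 * (l + 1) - (l + 1)     # same observable behaviour as safe
def leaky(h, l): return h                              # copies the secret to the output
def leaky_when_zero(h, l): return h if l == 0 else l   # leaks only for one low input


# Finite universe of attacker contexts: every non-empty choice of input pairs.
INPUTS = list(product(range(2), range(2)))
ALL_CONTEXTS = [ctx for r in range(1, len(INPUTS) + 1) for ctx in combinations(INPUTS, r)]


def demo() -> dict:
    """Satisfaction in one context versus robust satisfaction across all of them."""
    trusting = ((0, 1), (1, 1))   # a context that never supplies l = 0
    return {
        "safe_robust_ni": robustly_satisfies(safe, noninterference, ALL_CONTEXTS),
        "leaky_robust_ni": robustly_satisfies(leaky, noninterference, ALL_CONTEXTS),
        "leaky_ni_witness": witness_context(leaky, noninterference, ALL_CONTEXTS),
        "conditional_leak_in_trusting_ctx": satisfies(trusting, leaky_when_zero, noninterference),
        "conditional_leak_robust_ni": robustly_satisfies(leaky_when_zero, noninterference, ALL_CONTEXTS),
        "safe_eq_safe_again": trace_equivalent(safe, safe_again, ALL_CONTEXTS),
        "safe_vs_leaky_witness": distinguishing_context(safe, leaky, ALL_CONTEXTS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is the gap between plain and robust satisfaction: `leaky_when_zero` satisfies noninterference in the trusting context, which never exercises the leaking input, but a context that runs it on both secrets with `l = 0` separates the two runs, so it does not robustly satisfy NI. The same context family also witnesses that `safe` and `leaky` are not trace-equivalent while `safe` and `safe_again` are, which is the relation the paper substitutes for contextual equivalence under determinacy.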

3 Conclusion and future work

Above, we briefly outlined our preliminary research in comparing state-of-the-art criteria in secure compilation. We believe section 2 is a promising step in the right direction, but still not a definitive answer. Indeed, although minimal, could map a source hyperproperty to the target hyperproperty containing all possible sets of traces, which is trivially robustly satisfied by all target programs. Similarly, may map a noninterference to an arbitrary hyperproperty. We are investigating conditions that ensure instead that noninterference is mapped to a “noninterference-like” hyperproperty, possibly a declassification of the same, that could be characterized within the framework of abstract noninterference [giacobazzi2004abstract]. Finally, we are trying to relax the hypothesis of determinacy to extend our results to inherently non-deterministic settings, distributed and parallel systems, or protocol specification tools built upon the (applied) -calculus [blanchet2016modeling]. To this end, and inspired by the hierarchy of cousot2002constructive, we aim to define over abstract trace semantics enjoying good properties, e.g., being fully abstract, and then interpret in more concrete semantics, e.g., I/O sequences, for which the robust criteria look better suited.