## 1 Introduction

High-level programming languages provide abstractions that help programmers write correct and secure code. However, when a program is compiled to a low-level language and linked with adversarial target code, such abstractions may be lost, enabling unexpected attacks [durumeric2014matter, dsilva2015correctness].

*Secure compilation* [patrignani2019formal] devises both principles and proof techniques
to ensure that no more attacks are possible on compiled programs than
those already possible on source programs.
Intuitively, with a secure compiler at hand a programmer can be sure that the guarantees given by
the source-level abstractions are preserved after compilation.

Let be a compiler from a source language § to a target .^1

^1 To ease reading we highlight in blue sans-serif the elements of §, in red bold those of and in black the common ones [patrignani2020why].
A context is a program with a hole that models an active attacker
and is a partial program for which we would like some guarantee
after compilation.
Historically, the first principle for secure compilation to be
proposed was *fully abstract compilation*
() [abadi1999protection].
We say that is whenever it preserves and reflects
contextual equivalence, *iff* for any and

where is an equivalence relation capturing the power of the contexts and may come in different flavors [gorla2016full].

Recently, abate2019journey proposed the family of so-called
*robust criteria*, focusing on the preservation of robust
satisfaction of hyperproperties, that is, their satisfaction under any adversarial context.^2

^2 We refer the reader to [abate2019journey] for a full overview of all these criteria.
Let be the set of all traces that can be observed running .
A hyperproperty is a set of sets of execution traces [clarkson2010hyperproperties], and satisfy () iff .
Among all the robust criteria, in this short paper we consider only
[abate2019trace], which requires that if
satisfies a source hyperproperty for any
, then satisfies its target interpretation
for any , in symbols

A natural question concerns the relation between and . has been successfully used to prove the preservation of interesting hyperproperties, like noninterference [busi2020provably, bowman2015noninterference]. However, does not always imply the preservation of noninterference, nor any of the robust criteria, when source and target languages share the same observables and is the identity [patrignani2017secure, abate2019journey]. In this short paper we briefly describe our preliminary results in clarifying the relation between and in general, and we outline our next steps in investigating the link between and the preservation of noninterference.

## 2 A preliminary answer: vs

For any comparison to be possible the relation must somehow involve observable traces. Therefore, we assume absence of internal nondeterminism for both § and , so that and can be replaced by trace equivalence [engelfriet1985determinacy, abate2019journey]. Hence, iff the sets of traces that can be produced by and in the context coincide, in symbols .

In this setting, we provide the best possible target interpretation of hyperproperties, , such that if satisfies in an arbitrary source context, a compiler ensures that satisfies in an arbitrary target context.

**Theorem.** If is then there exists a map such that is and is minimal with this property.

The proof, the definition of and its minimality can be found in the appendix.
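As an added illustration of the definitions in sections 1 and 2 (example code, not part of the original paper), the following Python model fixes a toy source language in which the secret input is private, a compiler that keeps both inputs in a memory cell shared with the context, and target contexts that may read that memory. It checks robust satisfaction of noninterference as a hyperproperty (a set of trace sets) and, following section 2, tests contextual equivalence as trace equivalence under every context; all programs, contexts and input domains are constructed for the example.

```python
from itertools import combinations

SECRETS, PUBLICS = (0, 1), (0, 1)   # constructed finite input domains
# Source semantics: the secret is private, so a source context (the attacker)
# only picks the public input; the environment picks the secret, so C[P] has
# one trace per secret and no internal nondeterminism (section 2's assumption).
def src_traces(prog, pub):
    return frozenset((("in", pub), ("out", prog(s, pub))) for s in SECRETS)

# Compilation keeps both inputs in a memory cell shared with the target context.
def compile_to_target(prog):
    return lambda mem: prog(mem["secret"], mem["pub"])

# Target semantics: a context is (pub, reads_memory); a memory-reading context
# also emits the secret it can now see, i.e. the source abstraction is lost.
def tgt_traces(tprog, ctx):
    pub, reads_memory = ctx
    result = set()
    for s in SECRETS:
        mem = {"secret": s, "pub": pub}
        events = [("in", pub), ("out", tprog(mem))]
        if reads_memory:
            events.append(("leak", mem["secret"]))
        result.add(tuple(events))
    return frozenset(result)

SRC_CONTEXTS = list(PUBLICS)
TGT_CONTEXTS = [(p, r) for p in PUBLICS for r in (False, True)]

# A hyperproperty is a set of trace sets, given here by its membership test.
# Noninterference: traces sharing the public input are indistinguishable.
def noninterference(trace_set):
    return all(t1 == t2 for t1 in trace_set for t2 in trace_set if t1[0] == t2[0])

# Robust satisfaction: the trace set of C[P] is in the hyperproperty for every C.
def robustly_satisfies(sem, prog, contexts, hyper):
    return all(hyper(sem(prog, c)) for c in contexts)

# Contextual equivalence replaced by trace equivalence under every context.
def ctx_equiv(sem, p1, p2, contexts):
    return all(sem(p1, c) == sem(p2, c) for c in contexts)

# Full abstraction over a finite set of source programs: equivalence must be
# both preserved and reflected by compilation.
def fully_abstract(progs):
    return all(ctx_equiv(src_traces, p, q, SRC_CONTEXTS) == ctx_equiv(
        tgt_traces, compile_to_target(p), compile_to_target(q), TGT_CONTEXTS)
               for p, q in combinations(progs, 2))

ECHO = lambda s, pub: pub          # outputs only the public input
ID_SECRET = lambda s, pub: s       # outputs the secret
NOT_SECRET = lambda s, pub: 1 - s  # source-equivalent to ID_SECRET
```

Under these constructed semantics `ECHO` robustly satisfies noninterference at source level but its compilation does not, and `ID_SECRET` and `NOT_SECRET` are contextually equivalent at source level yet distinguished by a memory-reading target context, so `fully_abstract` rejects this compiler.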

## 3 Conclusion and future work

Above, we briefly outlined our preliminary research in comparing
state-of-the-art criteria in secure compilation. We
believe section 2 is a promising step in the right
direction, but still not a definitive answer.
Indeed, although *minimal*, could map a source
hyperproperty to the target hyperproperty containing all possible sets
of traces, which is trivially robustly satisfied by *all*
target programs.
Similarly, may map a noninterference hyperproperty to an arbitrary one.
We are investigating conditions that ensure instead that
noninterference is mapped to a “noninterference-like” hyperproperty,
possibly a declassification of the same, that could be characterized
within the framework of *abstract
noninterference* [giacobazzi2004abstract].
Finally, we are trying to relax the hypothesis of determinacy to extend
our results to inherently non-deterministic settings, such as distributed and parallel systems or protocol specification tools built
upon the (applied) -calculus [blanchet2016modeling].
To this end, and inspired by the hierarchy of
cousot2002constructive, we aim to define over abstract
trace semantics enjoying good properties (e.g., being fully abstract),
and then interpret in more concrete semantics (e.g., I/O sequences)
for which the robust criteria look better suited.
