Securing Verified IO Programs Against Unverified Code in F*

by   Cezar-Constantin Andrici, et al.

We introduce SCIO*, a formally secure compilation framework for statically verified partial programs performing input-output (IO). The source language is an F* subset in which a verified program interacts with its IO-performing context via a higher-order interface that includes refinement types as well as pre- and post-conditions about past IO events. The target language is a smaller F* subset in which the compiled program is linked with an adversarial context that has an interface without refinement types, pre-conditions, or concrete post-conditions. To bridge this interface gap and make compilation and linking secure we propose a formally verified combination of higher-order contracts and reference monitoring for recording and controlling IO operations. Compilation uses contracts to convert the logical assumptions the program makes about the context into dynamic checks on each context-program boundary crossing. These boundary checks can depend on information about past IO events stored in the state of the monitor. But these checks cannot stop the adversarial target context before it performs dangerous IO operations. Therefore linking in SCIO* additionally forces the context to perform all IO actions via a secure IO library, which uses reference monitoring to dynamically enforce an access control policy before each IO operation. We prove in F* that SCIO* soundly enforces a global trace property for the compiled verified program linked with the untrusted context. Moreover, we prove in F* that SCIO* satisfies by construction Robust Relational Hyperproperty Preservation, a very strong secure compilation criterion. Finally, we illustrate SCIO* at work on a simple web server example.


page 15

page 17

page 20


Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Good programming languages provide helpful abstractions for writing secu...

Information Flow Control-by-Construction for an Object-Oriented Language Using Type Modifiers

In security-critical software applications, confidential information mus...

Exploring Robust Property Preservation for Secure Compilation

Good programming languages provide helpful abstractions for writing more...

Conditional Contextual Refinement (CCR)

Contextual refinement (CR) is one of the standard notions of specifying ...

Abstraction Logic: The Marriage of Contextual Refinement and Separation Logic

Contextual refinement and separation logics are successful verification ...

Syntheto: A Surface Language for APT and ACL2

Syntheto is a surface language for carrying out formally verified progra...

Linking Types for Multi-Language Software: Have Your Cake and Eat It Too

Software developers compose systems from components written in many diff...

Please sign up or login with your details

Forgot password? Click here to reset