SecurePtrs: Proving Secure Compilation with Data-Flow Back-Translation and Turn-Taking Simulation

TL;DR

This paper introduces data-flow traces and turn-taking simulation techniques to simplify and strengthen proofs of secure compilation, especially in scenarios involving unstructured control flow and shared memory, with formal verification in Coq.

Contribution

It presents a novel data-flow trace method combining syntax- and trace-directed back-translation, and a new turn-taking simulation relation with a recomposition lemma, both mechanized in Coq.

Findings

Data-flow traces effectively handle syntactic dissimilarity and memory sharing.

The turn-taking simulation enables proof reuse in secure compilation.

Mechanized proofs demonstrate correctness for complex control flow and memory sharing.

Abstract

Proving secure compilation of partial programs typically requires back-translating an attack against the compiled program to an attack against the source program. To prove back-translation, one can syntactically translate the target attacker to a source one -- i.e., syntax-directed back-translation -- or show that the interaction traces of the target attacker can also be emitted by source attackers -- i.e., trace-directed back-translation. Syntax-directed back-translation is not suitable when the target attacker may use unstructured control flow that the source language cannot directly represent. Trace-directed back-translation works with such syntactic dissimilarity because only the external interactions of the target attacker have to be mimicked in the source, not its internal control flow. Revealing only external interactions is, however, inconvenient when sharing memory via unforgeable pointers, since information about shared pointers stashed in private memory is not present on the trace. This made prior proofs unnecessarily complex, since the generated attacker had to instead stash all reachable pointers. In this work, we introduce more informative *data-flow traces*, combining the best of syntax- and trace-directed back-translation in a simpler technique that handles both syntactic dissimilarity and memory sharing well, and that is proved correct in Coq. Additionally, we develop a novel *turn-taking simulation* relation and use it to prove a recomposition lemma, which is key to reusing compiler correctness in such secure compilation proofs. We are the first to mechanize such a recomposition lemma in the presence of memory sharing. We use these two innovations in a secure compilation proof for a code generation compiler pass between a source language with structured control flow and a target language with unstructured control flow, both with safe pointers and components.