# **Toward Complete Stack Safety for Capability Machines**

March 16, 2021

#### Alix Trieu

Aarhus University

Based on joint work with A. L. Georges, A. Guéneau, T. van Strydonck, A. Timany, D. Devriese, L. Birkedal

Journée "Méthodes Formelles" 2021 du GdR Sécurité Informatique

## Secure Compilation

- Good programming languages provide helpful abstractions for writing more secure code: such as structured control-flow, modules, interfaces, etc.
- However, those abstractions are not enforced when interacting with adversarial low-level code: all source level guarantees are lost.
  - $\circ~$  Internet browsers execute arbitrary Javascript code.
  - Software development nowadays depend on pulling libraries and their dependencies, they may be buggy or even compromised.
  - $\circ~$  Machines in the cloud are shared.

## Secure Compilation

- We need secure compilation: compilers that protect source-level abstractions even in presence of linked low-level machine code.
- This allows security reasoning at the source level which is arguably easier than at the machine code level.
  - Low level linked code cannot break the security of the compiled program any more than source level linked code.
- This seems difficult to achieve without help from the hardware, how do we enforce this ?

Capability machines are a kind of CPUs with fine-grained management of memory, I will show how we can leverage them to enforce a hierarchy of stack safety properties.

- 1. What are capability machines ?
- 2. How can we prove that some simple properties are enforced no matter the context ?
- 3. How can we enforce WBCF and LSE on capability machines ?
- 4. Can we go further and achieve complete stack safety ?

Capability machines are a kind of CPUs with fine-grained management of memory.

- Fairly old idea, starting in the  $\sim 1960 \mathrm{s}.$
- CHERI is a recent implementation (started  $\sim 2010)$  developed at the University of Cambridge and SRI.
- Recent commitment from Arm to develop an experimental CHERI-extended processor<sup>1</sup>, and interest from Microsoft<sup>2</sup>.

<sup>&</sup>lt;sup>1</sup>https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheri-morello.html <sup>2</sup>https://msrc-blog.microsoft.com/2020/10/14/security-analysis-of-cheri-isa/

### Capability Machines

Capability machines are a kind of CPUs with fine-grained management of memory that support two kinds of machine words:

- Regular machine integers (e.g., 64 bits integers).
- Capabilities: unforgeable tokens of authority over a range of memory.



p represents a permission, e.g., RX, RWX, RO, O, etc.[b, e] are the bounds of the capability.a is the current address the capability points to.

### Capabilities



Memory operations dynamically check at runtime that

- the access is within bounds;
- the permission is sufficient.

For instance, store rdst rsrc checks that

- rdst contains a capability (p, b, e, a);
- *p* has write permission;
- a is within [b, e[.

### Capabilities

There are some special instructions for manipulating capabilities:

• restrict to decrease the permission of a capability.



• subseg to decrease the range of authority of a capability.



### Enter Capabilities

Capability machines provide a mean to "encapsulate" data and code (code is data!) through enter capabilities.



Enter capabilities (called sealed entry capabilities in CHERI) are completely opaque and cannot be modified in any way, except being copied and jumped to.

### Local State Encapsulation

We can use enter capabilities to enforce state encapsulation. For instance, we can implement closures with them:

```
let n = ref 0 in
(fun () -> n := !n + 1; !n)
                                             (E, b, e, b + 1)
                          n
                                          b + 1
                                                                e
                                     b
                                                 mov r2 pc
                                                 lea r2 (-1)
                                                 load r2 r2
                                                 load r1 r2
                                                 add r1 r1 1
                                                 store r2 r1
                                                 mov r2 0
                                                 jmp rret
```

### Reasoning on a Capability Machine



We want to prove that  $n \ge 0$  no matter what the context is.

How do we even state this property ?

## Reasoning on a Capability Machine

Our methodology is:

- A program logic to describe such a specification and step through the known part of a program.
- A logical relation to define a notion of "capability safety" and give a specification to unknown code.

## A Core Capability Machine

We consider a capability machine with registers and finite memory.

$$\begin{split} \mathsf{RegName} &\coloneqq \mathsf{PC} \mid r_{\mathrm{o}} \mid \cdots \mid r_{\mathfrak{3}\mathfrak{1}} \\ \mathsf{Addr} &\coloneqq [\mathrm{o}, \mathsf{AddrMax}[ \\ \mathsf{Word} &\coloneqq n \mid (p, b, e, a) \\ \mathsf{Reg} &\coloneqq \mathsf{RegName} \to \mathsf{Word} \\ \mathsf{Mem} &\coloneqq \mathsf{Addr} \to \mathsf{Word} \end{split}$$

A state of the machine is just a pair of registers and memory state.

### Syntax

We consider the following instructions.

$$\rho \in \mathbb{Z} + \operatorname{RegName}$$

$$i ::= \operatorname{jmp} r | \operatorname{jnz} r r | \operatorname{move} r \rho |$$

$$| \operatorname{load} r r | \operatorname{store} r \rho | \operatorname{add} r \rho \rho | \operatorname{sub} r \rho \rho |$$

$$| \operatorname{t} r \rho \rho | | \operatorname{lea} r \rho | \operatorname{restrict} r \rho |$$

$$\operatorname{subseg} r \rho \rho | \operatorname{isptr} r r | \operatorname{getP} r r |$$

$$\operatorname{getB} r r | \operatorname{getE} r r | \operatorname{getA} r r | \operatorname{fail} | \operatorname{halt}$$

### Informal Semantics

The informal semantics of the machine is to

- Check that PC contains a capability (p, b, e, a) such that p has execute permission and  $b \le a < e$ ;
- Load word w stored at address a, and decode it into an instruction i and execute it (capabilities cannot be decoded into instructions).

$$\frac{\varphi.\mathsf{pc} = (p, b, e, a) \qquad \mathsf{executable}(p) \qquad a \in [b, e[ \qquad \varphi.\mathsf{mem}(a) = w \qquad \mathsf{decode}(w) = \mathsf{instr}(w) = \mathsf{instr}(w) = \mathsf{instr}(w)$$

### Program Logic for Capability Machines

We use a program logic based on separation logic. We have points-to resources for registers and memory.

| Registers | $r \mapsto w$ |
|-----------|---------------|
| Memory    | $a\mapsto w$  |

The Hoare triples are of the following form:

$$\begin{split} & \mathsf{decode}(w) = i \rightarrow \\ & \mathsf{ValidPC}(p, b, e, a) \rightarrow \\ \{ \ \mathsf{PC} & \mapsto (p, b, e, a) \ast a \mapsto w \ast \cdots \} \\ & \mathsf{SingleStep} \\ \{ \ \mathsf{PC} & \mapsto (p, b, e, a + 1) \ast a \mapsto w \ast \cdots \} \end{split}$$

### Program Logic for Capability Machines

Executing a sequence of instructions

 $\begin{array}{l} \text{map decode } l = prog \rightarrow \\ \text{ValidPCRange}(p,b,e,-)(a_{\mathtt{l}},a_{n}) \rightarrow \end{array}$ 

{ 
$$\mathsf{PC} \mapsto (p, b, e, a_1) * [a_1 - a_n] \mapsto l * \cdots$$
 }  
Repeat SingleStep

$$\{ \mathsf{PC} \mapsto (p, b, e, a_n) * [a_1 - a_n] \mapsto l * \cdots \}$$

### Program Logic for Capability Machines

Executing a macro, or a sequence of instructions within a program

 $\begin{array}{l} \mathsf{map} \ \mathsf{decode} \ l = prog \rightarrow \\ \mathsf{ValidPCRange}(p,b,e,-)(a_{\mathtt{l}},a_{n}) \rightarrow \end{array}$ 

$$\{ \mathsf{PC} \mapsto (p, b, e, a_1) * [a_1 - a_n] \mapsto l * \cdots * \\ \triangleright (\mathsf{PC} \mapsto (p, b, e, a_n) * [a_1 - a_n] \mapsto l * \cdots - * \Phi) \}$$
Repeat SingleStep
$$\{ \Phi \}$$

#### Functional Specification for the Counter Example



map decode  $l = counter\_instrs \rightarrow$ ValidPCRange(RX,  $b, e, -)(b + 1, e) \rightarrow$ 

$$\{ \mathsf{PC} \Leftrightarrow (\mathsf{RX}, b, e, b+1) * [b+1-e] \mapsto l * b \mapsto n * r_{ret} \Rightarrow c * r_1 \Rightarrow w_1 * \cdots * \\ \triangleright (\mathsf{PC} \Rightarrow c * [b+1-e] \mapsto l * b \mapsto (n+1) * r_{ret} \Rightarrow c * r_1 \Rightarrow (n+1) * \cdots \longrightarrow \Phi) \}$$
  
Repeat SingleStep

 $\set{\Phi}$ 

The logical relation defines a contract that capability machine programs must follow. We use this contract as the interface between known secure code, and unknown arbitrary code, when reasoning about the full program.

The logical relation defines what it means to be "capability safe", or more intuitively, what is safe to share to the adversary.

### Logical Relation

- Expression relation
  - $\circ~$  The execution does not get stuck: validity of the registers is sufficient for executing the program.
  - $\circ~$  All registered invariants hold at every step of execution.
- Value relation

$$\begin{array}{c} \overline{\mathcal{E}(w)} & \triangleq \forall \mathsf{reg}, \left\{ \mathsf{PC} \vDash w \ast \bigstar_{(r,v) \in \mathsf{reg}, r \neq \mathsf{PC}} r \rightleftharpoons v \ast \mathcal{V}(v) \right\} \rightsquigarrow \bullet \\ \\ \hline \\ \overline{\mathcal{V}(w)} & \left\{ \begin{array}{c} \mathcal{V}(z) & \triangleq \mathrm{TRUE} \\ \mathcal{V}(\mathrm{E}, b, e, a) & \triangleq \rhd \Box \mathcal{E}(\mathrm{RX}, b, e, a) \\ \mathcal{V}(\mathrm{RO}/\mathrm{RX}, b, e, -) & \triangleq \divideontimes_{a \in [b, e[} \exists P, \exists w, a \mapsto w \ast P(w) ] \ast \\ & \rhd \Box \forall w, P(w) \longrightarrow \mathcal{V}(w) \\ \mathcal{V}(\mathrm{RW}/\mathrm{RWX}, b, e, -) & \triangleq \divideontimes_{a \in [b, e[} \exists w, a \mapsto w \ast \mathcal{V}(w) ] \end{array} \right.$$

### Logical Relation

$$\begin{split} & \text{Theorem (FTLR)} \\ & \text{Let } p \in \mathsf{Perm}, b, e, a \in \mathsf{Addr.} \ \textit{If } \mathcal{V}(p, b, e, a), \ then \ \mathcal{E}(p, b, e, a). \end{split}$$

#### Back to the example



We want to show that no matter the adversary code, the value n stored at address  $a_n$  is such that  $n \ge 0$ .

We can show the following spec.

$$\begin{array}{c} \exists n, a_n \mapsto n * n \geq \mathbf{o} \\ \\ & + \left\{ \begin{array}{c} \mathbf{x}_{(r,v) \in \mathsf{reg}, r \notin \{\mathsf{PC}, r_{ret}\}} r \mapsto v \\ (\mathsf{RX}, b, e, b+1); & * r_{ret} \mapsto w_{ret} * \mathcal{V}(w_{ret}) \\ & * [b+1, e) \mapsto instrs \end{array} \right\} \rightsquigarrow \mathbf{e}$$

#### Back to the example

$$\exists n, a_n \mapsto n * n \ge 0$$

$$\vdash \left\{ \begin{array}{c} \bigstar_{(r,v)\in \operatorname{reg}, r\notin \{\operatorname{PC}, r_{ret}\}} r \rightleftharpoons v \\ (\operatorname{RX}, b, e, b+1); & * r_{ret} \vDash w_{ret} * \mathcal{V}(w_{ret}) \\ & * [b+1, e) \mapsto instrs \end{array} \right\} \leadsto \bullet$$

mov r2 pc

- lea r2 (-1)
- load r2 r2
- load r1 r2
- add r1 r1 1
- store r2 r1
- mov r2 0
- jmp rret

Using the adequacy of the program logic, we can then show that for an initial state (reg, m) where

- $reg(PC) = c_{adv}, reg(r_0) = (E, b, e, b + 1)$  and  $reg(r) \in \mathbb{Z}$  otherwise
- m has been initialized with the code of the program and unknown adversarial code (pointed by  $c_{adv}$ )
- $m(a_n) = n_0$  and  $n_0 \ge 0$

Then for all (reg', m') such that  $(reg, m) \rightarrow^* (reg', m')$  then  $m'(a_n) \ge 0$ .

### WBCF and LSE

Consider the following code known as the "awkward example":

```
void adv(void); // OCaml equivalent
1
  void f(void) { // let x = ref 0 in
2
  static int x = 0; // fun adv ->
3
  x = 0;
                     // x := 0;
 adv();
                     // adv ();
5
                  // x := 1;
 x = 1;
6
                   // adv ();
 adv();
7
  assert (x == 1); // assert (!x = 1)
8
 }
9
```

We need revocation !

Recent capability machines such as CHERI provide so-called local capabilities, capabilities that can only be stored in a restricted way. Concretely, capabalities have now a locality field  $\ell$ :

 $(p, {\color{black}\ell}, b, e, a)$ 

The set of permissions is enriched with write local permissions: RWLX, RWL.

We can combine local capabilities and enter capabilities to enforce well-bracketed control flow and local state encapsulation. The basic idea is to

- Make the stack capability RWLX and local.
- Make return capabilities local.

In this way, we know that any capability pointing to the stack **must necessarily** be stored on the stack.

### A Secure Calling Convention

When calling a function, the caller must:

- clear the part of the stack capability it intends to pass to the callee;
- pass a local enter return capability.

When returning, the callee must clear its own stackframe.

We have shown that using this calling convention, the assertion in the awkward example *cannot be violated*.

### Uninitialized Capabilities

The presented calling convention is quite inefficient, requiring to clear a large amount of memory before each call.

We solve this issue by introducing uninitialized capabilities, a new form of capabilities that is plausibly implementable.



### Secure Calling Convention Using Uninitialized Capabilities



### Toward Complete Stack Safety

The calling convention enforces WBCF and LSE efficiently, what are we missing?

```
int N, K;
1
_{2} void h(int* x) { *x = 0; }
  void g(int* x) {
3
    char* t[K];
4
  h(x): }
5
  void f(int** x) {
6
  char* t[N]; // Example illustrating
7
  int z; // use after reallocate
8
  *x = &z; } // issue
9
  int main(void) {
10
  int* x;
11
  f(&x);
12
  g(x);
13
   return 0; }
14
```

#### Use After Free

```
int compare(char* x, char* y)
int compare_secret(char* in) {
  static char[] secret = ...;
  int x = compare(secret, in);
  return x; }
```

Even by passing a local capability to a callee, we need to clear the whole stack in order to make sure that confidential data are not leftover on the stack, and can be subsequently read by others.

- Pointers/capabilities are used outside of their lifetime.
- We remark that the stack evolve in a specific way, i.e., it grows in one direction.
- We can exploit this: the address on the stack represents implicitly the lifetime of its pointer.

### Monotone Capabilities



Monotone capabilities enforce that capabilities with shorter lifetime cannot be stored using capabilities with longer lifetime.

We can now use instead uninitialized monotone capabilities as stack capability, and we don't need to clear anything anymore!

Dead store elimination is secure for the stack!

How do we prove it?

### Relational Model

Before, we only showed that an adversary could not overwrite some memory.

Now, we need to show it cannot read it!.

This asks for a relational model, we need to show the following programs are (morally) contextually equivalent for instance.

```
int f(void)
int secret = ...;
...;
return;
```

```
1 int f(void)
2 int secret = ...;
3 ...;
4 secret = 0;
5 return;
```

### Conclusion

- There is a "hierarchy" of stack safety properties from simple encapsulation, followed by well-bracketed control-flow, to finally include temporal properties, and these can be enforced using a capability machine.
- I have sketched how one can prove that "simple" encapsulation is enforced in presence of arbitrary code using a program logic and logical relations. This approach can scale to more sophisticated properties.
- This forms a foundation on which a compiler can be built, and transfer source-level guarantees down to compiled code.

#### References

• Efficient and Provable Local Capability Revocation using Uninitialized Capabilities. Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Sander Huyghebaert, Dominique Devriese, Lars Birkedal. 48th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL), 2021. https://cs.au.dk/-trieu/publications/POPL21.pdf

• Cap' ou pas cap' ? Preuve de programmes pour une machine à capacités en présence de code inconnu. Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Dominique Devriese, Lars Birkedal. Trente-deuxièmes Journées Francophones des Langages Applicatifs (JFLA), 2021. https://cs.au.dk/-trieu/publications/JFLA21.pdf

• Toward Complete Stack Safety for Capability Machines. Aïna Linn Georges, Armaël Guéneau, Alix Trieu, Lars Birkedal. 5th Workshop on Principles of Secure Compilation (PriSC), 2021. https://cs.au.dk/~trieu/publications/PRISC21.pdf