A categorical approach to secure compilation
Stelios Tsampas, Andreas Nuyts, Dominique Devriese, Frank Piessens
aa r X i v : . [ c s . P L ] A p r A categorical approach to secure compilation
Stelios Tsampas , Andreas Nuyts , Dominique Devriese , and Frank Piessens KU Leuven, Leuven, Belgium [email protected] Vrije Universiteit Brussel, Brussels, Belgium [email protected]
Abstract.
We introduce a novel approach to secure compilation basedon maps of distributive laws. We demonstrate through four examples thatthe coherence criterion for maps of distributive laws can potentially be aviable alternative for compiler security instead of full abstraction, whichis the preservation and reflection of contextual equivalence. To that end,we also make use of the well-behavedness properties of distributive lawsto construct a categorical argument for the contextual connotations ofbisimilarity.
Keywords:
Secure compilation · Distributive laws · Structural Opera-tional Semantics
As a field, secure compilation is the study of compilers that formally preserveabstractions across languages. Its roots can be tracked back to the seminal obser-vation made by Abadi [1], namely that compilers which do not protect high-levelabstractions against low-level contexts might introduce security vulnerabilities.But it was the advent of secure architectures like the Intel SGX [15] and an ever-increasing need for computer security that motivated researchers to eventuallywork on formally proving compiler security.The most prominent [16, 18, 49, 35, 37, 32, 45] formal criterion for compilersecurity is full abstraction : A compiler is fully abstract if it preserves and reflectsMorris-style contextual equivalence [31], i.e. indistinguishability under all pro-gram contexts, which are usually defined as programs with a hole. The intuitionis that contexts represent the ways an attacker can interact with programs and sofull abstraction ensures that such interactions are consistent between languages.Full abstraction is arguably a strong and useful property but it is also notori-ously hard to prove for realistic compilers, mainly due to the inherent challengeof having to reason directly about program contexts [37, 18, 9, 24]. There isthus a need for better formal methods, a view shared in the scientific commu-nity [10, 33]. While recent work has proposed generalizing from full abstractiontowards the so-called robust properties [36, 2], the main challenge of quantifyingover program contexts remains, which manifests when directly translating targetcontexts to the source ( back-translation ). Other techniques, such as trace seman-tics [35] or logical relations [17], require complex correctness and completenessproofs w.r.t. contextual equivalence in order to be applicable.
Tsampas et al.
In this paper we introduce a novel, categorical approach to secure compi-lation. The approach has two main components: the elegant representation ofStructural Operational Semantics (SOS) [38] using category-theoretic distribu-tive laws [48] and also maps of distributive laws [40, 50, 27] as secure compilersthat preserve bisimilarity. Our method aims to be unifying, in that there is ageneral, shared formalism for operational semantics, and simplifying, in thatthe formal criterion for compiler security, the coherence criterion for maps ofdistributive laws, is straightforward and relatively easy to prove.The starting point of our contributions is an abstract proof on how coalge-braic bisimilarity under distributive laws holds contextual meaning in a mannersimilar to contextual equivalence (Section 4.3). We argue that this justifies theuse of the coherence criterion for testing compiler security as long as bisimilarityadequately captures the underlying threat model. We then demonstrate the ef-fectiveness of our approach by appeal to four examples of compiler (in)security.The examples model classic, non-trivial problems in secure compilation: – An example of an extra processor register in the target language that conveysadditional information about computations (Section 5). – A datatype mismatch between the type of variable (Section 6). – The introduction of illicit control flow in the target language (Section 7) – A case of incorrect local state encapsulation (Section 8).For each of these examples we present an insecure compiler that fails the co-herence criterion, then introduce security primitives in the target language andconstruct a secure compiler that respects it. We also examine how bisimilaritycan be both a blessing and a curse as its strictness and rigidity sometimes lead torelatively contrived solutions. Finally, in Section 9, we discuss related work andpoint out potential avenues for further development of the underlying theory.
On the structure and style of the paper
This work is presented mainlyin the style of programming language semantics but its ideas are deeply rootedin category theory. We follow an “on-demand” approach when it comes to im-portant categorical concepts: we begin the first example by introducing the baselanguage used throughout the paper,
While , and gradually present distributivelaws when required. From the second example in Section 6 and on, we relax thecategorical notation and mostly remain within the style of PL semantics.
While language
We begin by defining the set of arithmetic expressions. h expr i ::= lit N | var N | h expr i h bin i h expr i | h un i h expr i The authors use the term “Mathematical Operational Semantics”. The term “Bial-gebraic Semantics” is also used in the literature. categorical approach to secure compilation 3
The constructors are respectively literals, a dereference operator var , binaryarithmetic operations as well as unary operations. We let S be the set of listsof natural numbers. The role of S is that of a run-time store whose entries arereferred by their index on the list using constructor var . We define function eval : S × E → N inductively on the structure of expressions. Definition 1 (Evaluation of expressions in
While ). eval store ( lit n ) = n eval store ( var l ) = get store l eval store ( e b e ) = ( eval store e ) [[ b ]] ( eval store e ) eval store ( u e ) = [[ u ]] ( eval store e )Programs in While language are generated by the following grammar: h prog i ::= skip | N := h expr i | h prog i ; h prog i | while h expr i h prog i The operational semantics of our
While language are introduced in Figure 1.We are using the notation s, x ⇓ s ′ to denote that program x , when suppliedwith s : S , terminates producing store s ′ . Similarly, s, x → s ′ , x ′ means thatprogram x , supplied with s , evaluates to x ′ and produces new store s ′ . s, skip ⇓ s s, l := e ⇓ update s l ( eval s e ) s, p ⇓ s ′ s, p ; q → s ′ , qs, p → s ′ , p ′ s, p ; q → s ′ , p ′ ; q eval s e = 0 s, while e p → s, skip eval s e = 0 s, while e p → s, p ; while e p Fig. 1.
Semantics of the
While language.
While , categorically
The categorical representation of operational semantics has various forms ofincremental complexity but for our purposes we only need to use the most im-portant one, that of
GSOS laws [48].
Definition 2.
Given a syntax functor Σ and a behavior functor B , a GSOSlaw of Σ over B is a natural transformation ρ : Σ (Id × B ) = ⇒ BΣ ∗ , where ( Σ ∗ , η, µ ) is the monad freely generated by Σ .Example 1. Let E be the set of expressions of the While -language. Then thesyntax functor Σ : Set → Set for
While is given by ΣX = ⊤ ⊎ ( N × E ) ⊎ ( X × X ) ⊎ ( E × X ) where ⊎ denotes a disjoint (tagged) union. The elements could bedenoted as skip , l := e , x ; x and while e x respectively. The free monad Σ ∗ satisfies Σ ∗ X ∼ = X ⊎ ΣΣ ∗ X , i.e. its elements are programs featuring programvariables from X . Since While -programs run in interaction with a store and canterminate, the behavior functor is BX = S → ( S × Maybe X ), where S is the set Tsampas et al. of lists of natural numbers and X → Y denotes the exponential object (internalHom) Y X .The GSOS specification of While determines ρ . A premise s, p → s ′ , p ′ de-notes an element ( p, b ) ∈ (Id × B ) X where b ( s ) = ( s ′ , just p ′ ), and a premise s, p ⇓ s ′ denotes an element ( p, b ) where b ( s ) = ( s ′ , nothing). A conclusion s, p → s ′ , p ′ (where p ∈ ΣX is further decorated above the line to ¯ p ∈ Σ (Id × B ) X )specifies that ρ (¯ p ) ∈ BΣ ∗ X sends s to ( s ′ , just p ′ ), whereas a conclusion s, p ⇓ s ′ specifies that s is sent to ( s ′ , nothing). Concretely, ρ X : Σ ( X × BX ) → BΣ ∗ X is the function (partially from [47]): skip λ s. ( s, nothing) l := e λ s. ( update s l ( eval s e ) , nothing) while e ( x, f ) λ s. ( ( s, just ( x ; while e x )) if eval s e = 0( s, just ( skip )) if eval s e = 0( x, f ) ; ( y, g ) λ s. ( ( s ′ , just ( x ′ ; y )) if f ( s ) = ( s ′ , just x ′ )( s ′ , just y ) if f ( s ) = ( s ′ , nothing)It has been shown by Lenisa et al. [28] that there is a one-to-one correspon-dence between GSOS laws of Σ over B and distributive laws of the free monad Σ ∗ over the cofree copointed endofunctor [28] Id × B . Definition 3 (In [26]).
A distributive law of a monad ( T, η, µ ) over a copointedfunctor ( H, ǫ ) is a natural transformation λ : T H = ⇒ HT subject to the follow-ing laws: λ ◦ η = Hη , ǫ ◦ λ = T ǫ and λ ◦ µ = Hµ ◦ λ ◦ T λ . Given any GSOS law, it is straightforward to obtain the corresponding dis-tributive law via structural induction (In [50], prop. 2.7 and 2.8). By convention,we shall be using the notation ρ for GSOS laws and ρ ∗ for the equivalent dis-tributive laws unless stated otherwise.A distributive law λ based on a GSOS law ρ gives a category λ -Bialg of λ -bialgebras [48], which are pairs ΣX h −→ X k −→ BX subject to the pentagonal law k ◦ h = Bh ∗ ◦ ρ X ◦ Σ [ id, k ], where h ∗ is the inductive extension of h . Morphisms in λ -Bialg are arrows X → Y that are both algebra and coalgebra homomorphismsat the same time. The trivial initial B-coalgebra ⊥ → B ⊥ lifts uniquely to theinitial λ -bialgebra ΣΣ ∗ ⊥ a −→ Σ ∗ ⊥ h λ −−→ BΣ ∗ ⊥ , while the trivial final Σ -algebra Σ ⊤ → ⊤ lifts uniquely to the final λ -bialgebra ΣB ∞ ⊤ g λ −→ B ∞ ⊤ z −→ BB ∞ ⊤ .Since Σ ∗ ⊥ is the set of programs generated by Σ and B ∞ ⊤ the set of behaviorscofreely generated by B , the unique bialgebra morphism f : Σ ∗ ⊥ → B ∞ ⊤ isthe interpretation function induced by ρ . Remark 1.
We write A for Σ ∗ ⊥ and Z for B ∞ ⊤ , and refer to h λ : A → BA asthe operational model for λ and to g λ : ΣZ → Z as the denotational model [48].Note also that a : ΣA ∼ = A and z : Z ∼ = BZ are invertible. A copointed endofunctor is an endofunctor F equipped with a natural transformation F = ⇒ Id. We write B ∞ for the cofree comonad over B, which satisfies B ∞ X ∼ = X × BB ∞ X . categorical approach to secure compilation 5 Example 2.
Continuing Example 1, the initial bialgebra A is just the set ofall While -programs. Meanwhile, the final bialgebra Z , which has the meaningof the set of behaviors, satisfies Z ∼ = ( S → S × Maybe Z ). In other words,our attacker model is that of an attacker who can count execution steps andmoreover, between any two steps, read out and modify the state. In Section 9,we discuss how we hope to consider weaker attackers in the future. Let us consider the scenario where a malicious party can observe more informa-tion about the execution state of a program, either because information is beingleaked to the environment or the programs are run by a more powerful machine.A typical example is the presence of an extra flags register that logs the resultof a computation [34, 8, 35]. This is the intuition behind the augmented versionof
While with additional observational capabilities,
While ֠ .The main difference is in the behavior so the notation for transitions has toslightly change. The two main transition types, s, x ⇓ v s ′ and s, x → v s ′ , x ′ worksimilarly to While except for the label v : N produced when evaluating expres-sions. We also allow language terms to interact with the labels by introducingthe constructor obs N h prog i . When terms evaluate inside an obs block, thelabels are sequentially placed in the run-time store. The rest of the constructorsare identical but the distinction between the two languages should be clear.While the expressions are the same as before, the syntax functor is now Σ ֠ X = ΣX ⊎ N × X , and the behavior functor is B ֠ = S → N × S × Maybe X .The full semantics can be found in Figure 2. As for While , they specify a GSOSlaw ρ ֠ : Σ ֠ (Id × B ֠ ) = ⇒ B ֠ Σ ∗ ֠ . s, skip ⇓ s v = eval s es, l := e ⇓ v update s l v v = eval s e v = 0 s, while e p → v s, skip s, p ⇓ v s ′ s, p ; q → v s ′ , q s, p ⇓ v s ′ s ′′ = update s ′ n vs, obs n p → v s ′′ , skip s, p → v s ′ , p ′ s, p ; q → v s ′ , p ′ ; qs, p → v s ′ , p ′ s ′′ = update s ′ n vs, obs n p → v s ′′ , obs ( n + 1) p ′ v = eval s e v = 0 s, while e p → v s, p ; while e p Fig. 2.
Semantics of
While ֠ . Traditionally, the (in)security of a compiler has been a matter of full ab-straction ; a compiler is fully abstract if it preserves and reflects Morris-style [31]contextual equivalence. For our threat model, where the attacker can directlyobserve labels, it makes sense to define contextual equivalence in
While ֠ as: Definition 4. p ∼ = ֠ q ⇐⇒ ∀ c : C ֠ . c J p K ⇓⇐⇒ c J q K ⇓ Where C is the set of one-hole contexts, J K : C ֠ × A ֠ → A ֠ denotes theplugging function and we write p ⇓ when p eventually terminates. Contextual Tsampas et al. equivalence for
While is defined analogously. It is easy to show that the simple“embedding” compiler from
While to While ֠ is not fully abstract by examiningterms a , while ( var [0]) (0 :=
0) and b , while ( var [0] ∗
2) (0 := a ∼ = b but a ֠ ≇ ֠ b ֠ . A context c , ( obs while ( var [ ] − skip will logthe result of the while condition in a ֠ and b ֠ in var [1] and then either divergeor terminate depending on the value of var [1]. An initial var [0] value of 1 willcause c J a K to terminate but c J b K to diverge. Securely extending
While ֠ To deter malicious contexts from exploiting theextra information, we introduce sandboxing primitives to help hide it. We addan additional constructor in
While ֠ , * h progr i + , and the following inference rulesto form the secure version While X of While ֠ . s, p ⇓ v s ′ s, * p + ⇓ s ′ s, p → v s ′ , p ′ s, * p + → s ′ , * p ′ + We now consider the compiler from
While to While X which, along with theobvious embedding, wraps the the translated terms in sandboxes. This looks tobe effective as programs a and b are now contextually equivalent and the extrainformation is adequately hidden. We will show that this compiler is indeed a map of distributive laws between While and
While X but to do so we need a briefintroduction on the underlying theory. Assume two GSOS laws ρ : Σ (Id × B ) = ⇒ B Σ ∗ and ρ : Σ (Id × B ) = ⇒ B Σ ∗ , where ( Σ ∗ , η , µ ) and ( Σ ∗ , η , µ ) are the monads freely generated by Σ and Σ respectively. We shall regard pairs of natural transformations ( σ : Σ ∗ = ⇒ Σ ∗ , b : B = ⇒ B ) as compilers between the two semantics, where σ acts as a syntactic translation and b as a translation between behaviors. Remark 2. If A and A are the sets of terms freely generated by Σ and Σ ,we can get the compiler c : A → A from σ . On the other hand, b generates afunction d : Z → Z between behaviors via finality. Remark 3.
We shall be writing B c for the cofree copointed endofunctor Id × B over B and b c : B c = ⇒ B c for id × b . Definition 5 (Adapted from [50]).
A map of GSOS laws from ρ to ρ con-sists of a natural transformation σ : Σ ∗ = ⇒ Σ ∗ subject to the monad laws σ ◦ η = η and σ ◦ µ = µ ◦ Σ ∗ σ ◦ σ paired with a natural transformation b : B = ⇒ B that satisfies the following coherence criterion : Σ ∗ B c B c Σ ∗ Σ ∗ B c B c Σ ∗ ρ ∗ σ ◦ Σ ∗ b c b c ◦ B c σρ ∗ categorical approach to secure compilation 7 Remark 4.
A natural transformation σ : Σ ∗ = ⇒ Σ ∗ subject to the monad lawsis equivalent to a natural transformation t : Σ = ⇒ Σ ∗ . Theorem 1. If σ and b constitute a map of GSOS laws, then we get a compiler c : A → A and behavior transformation d : Z → Z satisfying d ◦ f = f ◦ c : A → Z . As bisimilarity is exactly equality in the final coalgebra (i.e. equalityunder f i : A i → Z i ), c preserves bisimilarity [50]. If d is a monomorphism(which, under mild conditions, is the case in Set if every component of b is amonomorphism), then c also reflects bisimilarity. What is very important though, is that the well-behavedness properties ofthe two GSOS laws bestow contextual meaning to bisimilarity. Recall that thegold standard for secure compilation is contextual equivalence (Definition 4),which is precisely what is observable through program contexts. Bisimilarity isgenerally not the same as contextual equivalence, but we can instead show thatin the case of GSOS laws or other forms of distributive laws, bisimilarity definesthe upper bound (most fine-grained distinction) of observability up to programcontexts. We shall do so abstractly in the next subsections.
The informal notion of a context in a programming language is that of a programwith a hole [31]. Thus contexts are a syntactic construct that models externalinteractions with a program: a single context is an experiment whose outcomeis the evaluation of the subject program plugged in the context.Na¨ıvely, one may hope to represent contexts by a functor H sending a setof variables X to the set HX of terms in ΣX that may have holes in them.A complication is that contexts may have holes at any depth (i.e. any numberof operators may have been applied to a hole), whereas ΣX is the set of termsthat have exactly one operator in them, immediately applied to variables. Onesolution is to think of Y in HY as a set of variables that do not stand for terms,but for contexts. This approach is fine for multi-hole contexts, but if we alsowant to consider single-hole contexts and a given single-hole context c is not thehole itself, then precisely one variable in c should stand for a single-hole context,and all other variables should stand for terms. Thus, in order to support bothsingle- and multi-hole contexts, we make H a two-argument functor, where H X Y is the set of contexts with term variables from X and context variables from Y . Definition 6.
Let C be a distributive category [14] with products × , coproducts ⊎ , initial object ⊥ and terminal object ⊤ , as is the case for Set . A context functor for a syntax functor Σ : C → C , is a functor H : C × C → C (with applicationto ( X, Y ) denoted as H X Y ) such that there exist natural transformations hole : ∀ ( X, Y ) . ⊤ → H X Y and con : ∀ X.X × H X X → X ⊎ ΣX making the followingdiagram commute for all X : X × ⊤ XX × H X X X ⊎ ΣX π ∼ =id X × hole ( X,X ) i con X Tsampas et al.
The idea of the transformation con is the following: it takes as input a variable x ∈ X to be plugged into the hole, and a context c ∈ H X X with one layer ofsyntax. The functor H X is applied again to X rather than Y because x is assumedto have been recursively plugged into the context placeholders y ∈ Y already.We then make a case distinction: if c is the hole itself, then i x is returned.Otherwise, i c is returned. Definition 7.
Let C be a category as in Definition 6 and assume a syntax func-tor Σ with context functor H . If Σ has an initial algebra ( A, q A ) (the set ofprograms) and H A has a strong initial algebra ( C A , q C A ) [23] (the set of con-texts), then we define the plugging function [[ ]] : A × C A → A as the “stronginductive extension” [23] of the algebra structure [id A , q A ] ◦ con A : A × H A A → A on A , i.e. as the unique morphism that makes the following diagram commute: A × H A C A A × C A A × H A ( A × C A ) A × H A A A ⊎ ΣA A id × q CA ∼ =( π,st ) [[ ]] id × H A [[ ]]con A [id ,q A ] The above definition of contextual functors is satisfied by both single-holeand multi-hole contexts, the construction of which we discuss below.
Multi-hole contexts
Given a syntax functor Σ , its multi-hole context functoris simply H X Y = ⊤ ⊎ ΣY . The contextual natural transformation con is theobvious map that returns the pluggee if the given context is a hole, and otherwisethe context itself (which is then a program):con : ∀ X.X × ( ⊤ ⊎ ΣX ) → X ⊎ ΣX con ◦ (id × i ) = i ◦ π : ∀ X.X × ⊤ → X ⊎ ΣX con ◦ (id × i ) = i ◦ π : ∀ X.X × ΣX → X ⊎ ΣX The ‘pattern matching’ is justified by distributivity of C . For hole = i : ⊤ →⊤ ⊎ ΣX , we can see that con ◦ (id × hole) = i ◦ π as required by the definitionof a context functor. Single-hole contexts
It was observed by McBride [29] that for inductive types,i.e. least fixpoints / initial algebras µF of certain endofunctors F called contain-ers [4] or simply polynomials , their single-hole contexts are lists of ∂F ( µF ) where ∂F is the derivative of F . Derivatives for containers, which were developed by The list operator itself arises from the derivative of the free monad operator. categorical approach to secure compilation 9
Abbott et al. in [5], enable us to give a categorical interpretation of single-holecontexts as long as the syntax functor Σ is a container.It would be cumbersome to lay down the entire theory of containers and theirderivatives, so we shall instead focus on the more restricted set of Simple Polyno-mial Functors [22] (or SPF), used to model both syntax and behavior. Crucially,SPF’s are differentiable and hence compatible with McBride’s construction.
Definition 8 (Simple Polynomial Functors).
The collection of SPF is theleast set of functors C → C satisfying the following rules: id Id ∈ SPF const J ∈ Obj( C ) K J ∈ SPF prod
F, G ∈ SPF F × G ∈ SPF coprod
F, G ∈ SPF F ⊎ G ∈ SPF comp
F, G ∈ SPF F ◦ G ∈ SPFWe can now define the differentiation action ∂ : SPF → SPF by structuralinduction. Interestingly, it resembles simple derivatives for polynomial functions.
Definition 9 (SPF derivation rules). ∂ Id = ⊤ , ∂K J = ⊥ , ∂ ( G ⊎ H ) = ∂G ⊎ ∂H,∂ ( G × H ) = ( ∂G × H ) ⊎ ( G × ∂H ) , ∂ ( G ◦ H ) = ( ∂G ◦ H ) × ∂H. Example 3.
The definition of con for single-hole contexts might look a bit crypticat first sight so we shall use a small example from [29] to shed some light. In thecase of binary trees, locating a hole in a context can be thought of as traversingthrough a series of nodes, choosing left or right according to the placement of thehole until it is found. At the same time a record of the trees at the non-chosenbranches must be kept so that in the end the entire structure can be reproduced.Now, considering that the set of binary trees is the least fixed point of functor ⊤ ⊎ (Id × Id), then the type of “abstract” choice at each intersection is thefunctor K Bool × Id, where K Bool stands for a choice of left or right and the Idpart represents the passed structure. Lists of ( K Bool × Id) BinTree are exactlythe sort of record we need to keep, i.e. they contain the same information as atree with a single hole. And indeed K Bool × Id is (up to natural isomorphism)the derivative of ⊤ ⊎ (Id × Id)!Using derivatives we can define the context functor H X Y = ⊤⊎ (( ∂Σ X ) × Y )for syntax functor Σ . Then the initial algebra C A of H A is indeed List (( ∂Σ ) A ),the set of single-hole contexts for A ∼ = ΣA . Plugging
Before defining con, we define an auxiliary function conStep : ∂Σ × Id = ⇒ Σ . We defer the reader to [29] for the full definition of conStep, which isinductive on the SPF Σ , and shall instead only define the case for coproducts.So, for ∂ ( F ⊎ G ) = ∂F ⊎ ∂G we have:conStep F ⊎ G : ( ∂F ⊎ ∂G ) × Id = ⇒ F ⊎ G conStep F ⊎ G ◦ ( i × id) = i ◦ conStep F : ∂F × Id = ⇒ F ⊎ G conStep F ⊎ G ◦ ( i × id) = i ◦ conStep G : ∂G × Id = ⇒ F ⊎ G We may now define con : X × H X X → X ⊎ ΣX as follows:con : ∀ X.X × ( ⊤ ⊎ ( ∂Σ X × X )) → X ⊎ ΣX con ◦ (id × i ) = i ◦ π : ∀ X.X × ⊤ → X ⊎ ΣX con ◦ (id × i ) = i ◦ conStep Σ ◦ π : ∀ X.X × ( ∂Σ X × X ) → X ⊎ ΣX By setting hole = i : ⊤ → ⊤ ⊎ ( ∂Σ X × X ) we can see that con ◦ (id × hole) = i ◦ π as required by Definition 6. Having established a categorical notion of contexts, we can now move towardsformulating contextual categorical arguments about bisimilarity. We assume acontext functor H for Σ such that H A has strong initial algebra ( C A , q C A ) (theobject containing all contexts).First, since we prefer to work in more general categories than just Set , wewill encode relations R ⊆ X × Y as spans X r ←− R r −→ Y . One may wish toconsider only spans for which ( r , r ) : R → X × Y is a monomorphism, thoughthis is not necessary for our purposes.We want to reason about contextually closed relations on the set of terms A , which are relations such that a R a implies ( c J a K ) R ( c J a K ) for allcontexts c ∈ C A . Contextual equivalence will typically be defined as the co-closure of equitermination: the greatest contextually closed relation that impliesequitermination. For spans, this becomes: Definition 10.
In a category as in Definition 6, a span A r ←− R r −→ A is calledcontextually closed if there is a morphism J K : C A × R → R making the followingdiagram commute: C A × A C A × R C A × AA R A
J K id × r id × r J K J K r r The contextual co-closure A ¯ r ←− ¯ R ¯ r −→ A of an arbitrary span A r ←− R r −→ A isthe final contextually closed span on A with a span morphism ¯ R → R . We call terms bisimilar if the operational semantics f : A → Z assigns themequal behaviors: Definition 11.
We define (strong) bisimilarity ∼ bis as the pullback of the equal-ity span (id Z , id Z ) : Z → Z × Z along f × f : A × A → Z × Z (if existent). Theorem 2.
Under the assumptions of 7, bisimilarity (if existent) is contextu-ally closed.Proof.
We need to give a morphism of spans from C A × ( ∼ bis ) to ( ∼ bis ): categorical approach to secure compilation 11 C A × A C A × ( ∼ bis ) C A × AA ( ∼ bis ) AZ Z Z.
J K id × r id × r J K f r r w f id Z id Z By definition of ( ∼ bis ), it suffices to give a morphism of spans to the equalityspan on Z , i.e. to prove that f ◦ J K ◦ (id × r ) = f ◦ J K ◦ (id × r ). To this end,consider the following diagram (parameterized by i ∈ { , } ), in which everypolygon is easily seen to commute: ( ∼ bis ) × H A C A ( ∼ bis ) × C A A × H A C A A × C A ( ∼ bis ) × H A ( A × C A ) A × H A ( A × C A )( ∼ bis ) × H A A A × H A A A ⊎ ΣA A ( ∼ bis ) × H A Z ( ∼ bis ) × H Z Z Z × H Z Z Z ⊎ ΣZ Z id × q CA ∼ = r i × id( π ,H A ( r i × id) ◦ st) r i × idid × q CA ∼ =( π , st) J K r i × idid × H A J K id × H A J K r i × idid × H A f con A f × H f f [id ,q A ] f ⊎ Σf f id × H f id Z w × id con Z [id ,q Z ] The bottom-right square stems from the underlying GSOS law: it is the algebrahomomorphism part of the bialgebra morphism between the initial and the finalbialgebras. Commutativity of the outer diagram reveals that f ◦ J K ◦ ( r i × id) is,regardless of i , the strong inductive extension of [id Z , q Z ] ◦ con Z ◦ ( w × H f id Z ) :( ∼ bis ) × H A Z → Z . Thus, it is independent of i . ⊓⊔ Corollary 1. In Set , bisimilarity is its own contextual coclosure: a ∼ bis b ⇐⇒∀ c ∈ C A . c J a K ∼ bis c J b K Corollary 2. In Set , bisimilarity implies contextual equivalence. Proof.
Bisimilarity implies equitermination. This yields an implication betweentheir coclosures. ⊓⊔ Comparing Corollary 1 to contextual equivalence in Definition 4 reveals theirkey difference. Contextual equivalence makes minimal assumptions on the un-derlying observables, which are simply divergence and termination. On the other Note that we can not conclude that preservation of bisimilarity would imply preser-vation of contextual equivalence.2 Tsampas et al. hand, the contextual coclosure of bisimilarity assumes maximum observability(as dictated by the behavior functor) and in that sense it represents the upperbound of what can be observed through contexts. Consequently, this criterion isuseful if the observables adequately capture the threat model, which is true forthe examples that follow.This theorem echoes similar results in the broader study of coalgebraic bisim-ulation [11, 41]. There are, however, two differences. The first is that our theoremallows for extra flexibility in the definition of contexts as the theorem is paramet-ric on the context functor. Second, by making the context construction explicitwe can directly connect (the contextual coclosure of) bisimilarity to contextualequivalence (Corollary 2) and so have a more convincing argument for usingmaps of distributive laws as secure compilers.
The next step is to define the syntax and behavior natural transformations. Thefirst compiler, σ ֠ : Σ = ⇒ Σ ֠ , is a very simple mapping of constructors in While to their
While ֠ counterparts. The second natural transformation, σ X : Σ = ⇒ Σ ∗ X , is more complex as it involves an additional layer of syntax in While X . Definition 12 (Sandboxing natural transformation).
Consider the natu-ral transformation e : Σ = ⇒ Σ X which embeds Σ in Σ X . Using PL notation,we define σ X : ΣX → Σ ∗ X X : p * e ( p ) + . This yields a monad morphism σ ∗ X : Σ ∗ → Σ ∗ X (Remark 4). Defining the natural translations between behaviors is a matter of choosing adesignated value for the added observable label. The only constraint is that thechosen value has to coincide with the label that the sandbox produces. B ֠ and B X are identical so we need a single natural transformation b : B = ⇒ B ֠ / X : b : ∀ X. ( S → S × Maybe X ) → S → N × S × Maybe
Xb f = λ ( s : S ) → (0 , f ( s )) While to While ֠ We now have the natural translation pairs ( σ ֠ , b ) and( σ X , b ), which allows us to check the coherence criterion from Section 4.1. Weshall be using a graphical notation that provides for a good intuition as to whatfailure or success of the criterion means . For example, Fig. 3 shows failure of thecoherence criterion for the first pair. l := e v = eval s es ⇓ update s l vl := e v = eval s es ⇓ v/ update s l vρ ∗ σ ∗ ֠ ◦ Σ ∗ b c b c ◦ B c σ ∗ ֠ ρ ∗ ֠ Fig. 3.
Failure of the criterion for ( σ ֠ , b ). The horizontal arrows in the di-agram represent the two semantics, ρ ∗ and ρ ∗ ֠ , while the vertical ar-rows are the two horizontal composi-tions of the natural translation pair.The top-left node holds an elementof Σ ∗ (Id × B ), which in this case is categorical approach to secure compilation 13 an assignment operation. The two rightmost nodes represent behaviors, so thesyntactic element is missing from the left side of the transition arrows.In the upper path, the term is first applied to the GSOS law ρ ∗ and theresult is then passed to the translation pair, thus producing the designated label0, typeset in blue for convenience. In the lower path, the term is first applied tothe translation and then goes through the target semantics, ρ ∗ ֠ , where the label v is produced. It is easy to find such an s so that v = 0. l := e v = eval s es ⇓ update s l v * l := e + v = eval s es, l := e ⇓ v update s l vs ⇓ update s l vρ ∗ σ ∗ X ◦ Σ ∗ b c b c ◦ B c σ ∗ X ρ ∗ X Fig. 4.
The coherence criterion for ( σ X , b ). While to While X The same ex-ample is investigated for the sec-ond translation pair ( σ X , b ). Fig-ure 4 shows what happens whenwe test the same case as before.Applying ρ ∗ X to * l := e + is simi-lar to ρ X acting twice. The inner-most transition is the intermedi-ate step and as it only appears in the bottom path it is typeset in red. This timethe diagram commutes as the label produced in the inner layer, v , is effectivelyerased by the sandboxing rules of While X . An endo-compiler for
While X If A X is the set of closed terms for While X ,the compiler u : A X → A X , which “escapes” While X terms from their sandboxescan be elegantly modeled using category theory. As before, it is not possible toexpress it using a simple natural transformation Σ X = ⇒ Σ X . We can, however,use the free pointed endofunctor [28] over Σ X , Id ⊎ Σ X . What we want is tomap non-sandboxed terms to themselves and lift the extra layer of syntax fromsandboxed terms. Intuitively, for a set of variables X , Σ X X is one layer of syntax“populated” with elements of X . If X ⊎ Σ X X is the union of Σ X X with the setof variables X , lifting the sandboxing layer is mapping the X in * X + to the leftof X ⊎ Σ X X and the rest to themselves at the right. s, p → v s ′ , q * p + s → s ′ , * q + s, p → v s ′ , qp s → v/ s ′ , qρ ∗ X σ ∗ u B c σ ∗ u ρ ∗ X Fig. 5.
Failure of the criterion for σ u . This is obviously not a secure com-piler as it allows discerning previ-ously indistinguishable programs. Aswe can see in Figure 5, the coherencecriterion fails in the expected manner.
Having established our categorical foundations, we shall henceforth focus onexamples. The first one involves a compiler where the target machine is not nec-essarily more powerful than the source machine, but the target value primitivesare not isomorphic to the ones used in the source. This is a well-documentedproblem [37], which has led to failure of full abstraction before [8, 18, 25].For example, we can repeat the development of
While except we substitutenatural numbers with integers. We call this new version
While Z . h expr i ::= lit Z | var N | h expr i h bin i h expr i | h un i h expr i The behavior functor also differs in that the store type S is substituted with S Z ,the set of lists of integers. We can define the behavioral natural transformation b Z : B = ⇒ B Z as the best “approximation” between the two behaviors. In Set : b Z : ∀ X. ( S → S × ( ⊤ ⊎ X )) → S Z → S Z × ( ⊤ ⊎ X ) b Z f = [to Z , id] ◦ f ◦ to N [ n ] ⇓ [0] [ − ⇓ [ − / ρ ∗ Σ ∗ b c Z b c Z ρ ∗ Z Fig. 6.
Failure of the criterion for (id , b Z ). Where to N replaces all negativenumbers in the store with 0 andto Z typecasts S to S Z . It is easy tosee that the identity compiler from While to While Z is not fully abstract.For example, the expressions 0 and min ( var [0] ,
0) are identical in
While but can be distinguished in
While Z (if var [0] is negative). This is reflected in thecoherence criterion diagram for the identity compiler in Figure 6, when initiatingthe store with a negative integer. [ n ] ⇓ [0] h i [ − ⇓ [0] ρ ∗ σ ∗ Z ◦ Σ ∗ b c Z b c Z ◦ B c σ ∗ Z ρ ∗ Z Fig. 7.
The coherence criterion for ( σ Z , b Z ). The solution is to create a specialenvironment where
While Z forgetsabout negative integers, in essencecopying what b Z does on the variablestore. This is a special kind of sand-box, written h i , for which we intro-duce the following rules:to N ( s ) , p ⇓ s ′ s, h p i ⇓ s ′ to N ( s ) , p → s ′ , p ′ s, h p i → s ′ , h p ′ i We may now repeat the construction from Definition 12 to define the compiler σ Z . We can easily verify that the pair ( σ Z , b Z ) constitutes a map of distributivelaws. For instance, Figure 7 demonstrates how the previous failing case nowworks under ( σ Z , b Z ). Many low-level languages support unrestricted control flow in the form of jump-ing or branching to an address. On the other hand, control flow in high-levellanguages is usually restricted (think if-statements or function calls). A compilerfrom the high-level to the low-level might be insecure as it exposes source-levelprograms to illicit control flow. This is another important and well-documentedexample of failure of full abstraction [8, 37, 3, 33].We introduce low-level language
Low , the programs of which are non-emptylists of instructions.
Low differs significantly from
While and its derivatives inboth syntax and semantics. For the syntax, we define the set of instructions h inst i and set of programs h asm i . categorical approach to secure compilation 15 s, , stop [ ;; x ] ⇓ s, v = eval s e s ′ = update s n vs, , assign n v [ ;; x ] → s ′ , , assign n v [ ;; x ] PC ≥ s, PC , x ⇓ s ′ , PC ′ s, PC + 1 , i ;; x ⇓ s ′ , PC ′ + 1 v = eval s e v = 0 s, , br e z [ ;; x ] → s, , br e z [ ;; x ] v = eval s e v = 0 s, , br e z [ ;; x ] → s, z, br e z [ ;; x ] PC < s, PC , i ;; x ⇓ s, PC p = nop [ ;; x ] s, , p → s, , p PC ≥ s, PC , x → s ′ , PC ′ , x ′ s, PC + 1 , i ;; x → s ′ , PC ′ + 1 , i ;; x ′ PC = 0 s, PC , i ⇓ s, PC Fig. 8.
Semantics of the
Low language. Elements in square brackets are optional. h inst i ::= nop | stop | assign N h expr i | br h expr i Z h asm i ::= h inst i | h inst i ;; h asm i Instruction nop is the no-operation, stop halts execution and assign is anal-ogous to the assignment operation in
While . The br instruction is what reallydefines Low , as it stands for bidirectional relative branching. (Bialgebraic) Semantics for
Low
Figure 8 shows the operational semanticsof
Low . The execution state of a running program consists of a run-time storeand the program counter register PC ∈ Z that points at the instruction beingprocessed. If the program counter is zero, the leftmost instruction is executed. Ifthe program counter is greater than zero, then the current instruction is furtherto the right. Otherwise, the program counter is out-of-bounds and executionstops. The categorical interpretation suggests a GSOS law ρ L of syntax functor Σ L X = inst ⊎ (inst × X ) over behavior functor B L X = S × Z → S × Z × Maybe X . An insecure compiler
This time we start with the behavioral translation,which is less obvious as we have to go from BX = S → S × Maybe X to B L X = S × Z → S × Z × Maybe X . The increased arity in B L poses aninteresting question as to what the program counter should mean in While . Itmakes sense to consider the program counter in
While as zero since a programin
While is treated uniformly as a single statement. b L : ∀ X. ( S → S × Maybe X ) → S × Z → S × Z × Maybe Xb L f ( s,
0) = ( ( s ′ , , nothing) if f s = ( s ′ , nothing)( s ′ , , just y ) if f s = ( s ′ , just y ) b L f ( s, n = 0) = ( s, n, nothing)When it comes to translating terms, a typical compiler from While to Low would untangle the tree-like structure of
While and convert it to a list of
Low instructions. For while statements, the compiler would use branching to simulatelooping in the low-level.
Example 4.
Let us look at a simple case of a loop. The
While program while ( var <
2) (1 := var +
1) is compiled to br ! ( var <
2) 3 ;; assign var + ;; br ( lit
1) -2 while ( lit
0) (0 := lit s → s, skipbr !( lit
0) 3 ;;assign lit ;;br ( lit − s, ⇓ s, s, → s [0 , ...hc L B L c L ◦ b A h L Fig. 9. c L is not a coalgebra homomorphism. This compiler, called c L ,cannot be defined in terms ofa natural transformation Σ = ⇒ Σ ∗ L as per Remark 4, but it isinductive on the terms of thesource language. In this case wecan directly compare the two op-erational models b A ◦ h : A → B L A (where h : A → BA ) and h L : A L → B L A L and notice that c L : A → A L is not a coalgebra homomorphism(Figure 9). The key is that the program counter in Low allows for finer obser-vations on programs. Take for example the case for while ( lit
0) (0 := lit
Low , we can still access the loop body bysimply pointing the program counter to it. This is a realistic attack scenariobecause
Low allows manipulation of the program counter via the br instruction. Solution
By comparing the semantics between
While in Figure 1 and
Low in Figure 8 we find major differences. The first one is the reliance of
Low to aprogram counter which keeps track of execution, whereas
While executes state-ments from left to right. Second, the sequencing rule in
While dictates thatstatements are removed from the program state upon completion. On the otherhand, Low keeps the program state intact at all times. Finally, there is a starkcontrast between the two languages in the way they handle while loops.To address the above issues we introduce a new sequencing primitive ;; c and a new looping primitive loop for Low , which prohibit illicit control flow andproperly propagate the internal state. Furthermore, we change the semantics ofthe singleton assign instruction so that it mirrors the peculiarity of its
While counterpart. The additions can be found in Figure 10. PC = 0 s, PC , x ;; c y ⇓ s ′ , PC s, , x ⇓ s ′ , zs, , x ;; c y → s ′ , , y s, , x → s ′ , z, x ′ s, , x ;; c y → s ′ , , x ′ ;; c y PC = 0 s, PC , loop e x ⇓ s, PC v = eval s e v = 0 s, , loop e x → s, , stop v = eval s e v = 0 s, , loop e x → s, , x ;; c loop e x v = eval s e s ′ = update s n vs, , assign n v ⇓ s ′ , Fig. 10.
Secure primitives for the
Low language.
We may now define the simple “embedding” natural transformation σ E : Σ = ⇒ Σ L , which maps skip to stop , assignments to assign , sequencing to ;; c and while to loop . We are not referring to the store, but to the internal, algebraic state. categorical approach to secure compilation 17 while ( lit
0) p s → s, skiploop ( lit 0 ) p s, ⇓ s, ρ ∗ σ ∗ E ◦ Σ ∗ b cL b cL ◦ B c σ ∗ E ρ ∗ L Fig. 11.
The coherence criterion for ( σ E , b L ). Figure 11 shows success of thecoherence criterion for the while case. Since the diagram commutesfor all cases, ( σ E , b E ) is a mapof GSOS laws between While andthe secure version of
Low . Thisguarantees that, remarkably, de-spite the presence of branching, a low-level attacker cannot illicitly access codethat is unreachable on the high-level. Regardless, the solution is a bit contrivedin that the new
Low primitives essentially copy what
While does. This is partlybecause the above are complex issues involving radically different languages butalso due to the current limitations of the underlying theory. We elaborate furtheron said limitations, as well as advantages and future improvements, at Section 9.
High-level programming language abstractions often involve some sort of privatestate space that is protected from other objects. Basic examples include func-tions with local variables and objects with private members. Low-level languagesdo not offer such abstractions but when it comes to secure architectures , there issome type of hardware sandboxing to facilitate the need for local state encap-sulation . Compilation schemes that respect confidentiality properties have beena central subject in secure compilation work [37, 8, 18, 46], dating all the wayback to Abadi’s seminal paper [1].In this example we will explore how local state encapsulation fails due tolack of stack clearing [46, 44]. We begin by extending While to support blockswhich have their own private state, thus introducing
While B . More precisely, weadd the frame and return commands that denote the beginning and end of anew block. We also have to modify the original behavior functor B to act on astack of stores by simply specifying B B X = [ S ] → [ S ] × Maybe X , where [ S ]denotes a list of stores. For reasons that will become apparent later on, we shallhenceforth consider stores of a certain length, say L . m, skip ⇓ m v = eval’ m e m ′ = update’ m l vm, l := e ⇓ m ′ m, p ⇓ m ′ m, p ; q → m ′ , qm, p → m ′ , p ′ m, p ; q → m ′ , p ′ ; q eval’ m e = 0 m, while e p → m, skipeval’ m e = 0 m, while e p → m, p ; while e p s = [0 , , . . . , m, frame ⇓ s :: m s :: m, return ⇓ m Fig. 12.
Semantics of the
While B language. The semantics for
While B can be found in Figure 12. Command frame allo-cates a new private store by appending one to the stack of stores while return Examples of this are enclaves in Intel SGX [15] and object capabilities in CHERI [51].8 Tsampas et al. pops the top frame from the stack. This built-in, automatic (de)allocation offrames guarantees that there are no traces of activity, in the form of stored val-ues, of past blocks. The rest of the semantics are similar to
While , only nowevaluating an expression and updating the state acts on a stack of stores insteadof a single, infinite store and var expressions act on the active, topmost frame. m ′ = update m ( l + L ∗ sp ) ( evalSP m sp e )( m, sp ) , l := e ⇓ ( m ′ , sp ) sp > m, sp ) , return ⇓ ( m, sp − m, sp ) , p ⇓ ( m ′ , sp )( m, sp ) , p ; q → ( m ′ , sp ) , q ( m, sp ) , p → ( m ′ , sp ) , p ′ ( m, sp ) , p ; q → ( m ′ , sp ) , p ′ ; q ( m, sp ) , skip ⇓ ( m, sp ) evalSP m sp e = 0( m, sp ) , while e p → ( m, sp ) , skipevalSP m sp e = 0( m, sp ) , while e p → ( m, sp ) , p ; while e p ( m, sp ) , frame ⇓ ( m, sp + 1) Fig. 13.
Semantics of the
Stack language.
In typical low-level instruction sets like the Intel x86 [21] or MIPS [30] thereis a single, continuous memory which is partitioned in frames by using processorregisters. Figure 13 shows the semantics of
Stack , a variant of
While B with thesame syntax and which uses a simplified low-level stack mechanism. The differ-ence is that the stack frames are all sized L , the same size as each individual storein While B , so at each frame and return we need only increment and decrementthe stack pointer . The presence of the stack pointer, which is essentially a naturalnumber, means that the behavior of Stack is B S X = S × N → S × N × Maybe X .The new evaluation function, evalSP , works similarly to eval in Definition 1,except for var l expressions that dereference values at offset l + L ∗ sp . An insecure compiler
While B and Stack share the same syntax so we onlyneed a behavioral translation, which is all about relating the two different notionsof stack. We thus define natural transformation b B : B B = ⇒ B S : b B : ∀ X. ([ S L ] → [ S L ] × Maybe X ) → S → N → S × N × Maybe Xb B f s sp = (override (join m ) s, len m, y ) where ( m, y ) = f (div s sp )div s sp = (take L s ) :: (div (drop
L s ) ( sp − s ′ s = s ′ ++ drop (len s ′ ) s We “divide” an infinite list by the number of stack frames, feed the result tothe behavior function f and join (“flatten”) it back together while keeping theoriginal part of the infinite list which extends beyond the active stack intact.Note that in the case of the frame command f adds a new frame to the listof stores. The problem is that in While B the new frame is initialized to 0 in categorical approach to secure compilation 19 frame [] ⇓ [ s ] frame s ′ = override s s ( s, ⇓ ( s/s ′ , ρ ∗ B Σ ∗ B b cB b cB ρ ∗ St Fig. 14.
Failure of the criterion for ( id, b B ). contrast to Stack where frame does not initialize new frames. This leads to afailure of the coherence criterion for ( id, b B ) as we can see in Figure 14.Failure of the criterion is meaningful in that it underlines key problems ofthis compiler which can be exploited by a low-level attacker. First, the low-levelcalling convention indirectly allows terms to access expired stack frames. Second,violating the assumption in While B that new frames are properly initializedbreaks behavioral equivalence. For example, programs a , frame ; 0 := var [0]+1and b , frame ; 0 := While B but not in Stack . Solution
It is clear that the lack of stack frame initialization in
Stack is thelead cause of failure so we introduce the following fix in the frame rule. m ′ = (take ( L ∗ sp ) m ) ++ s ++ (drop (( L + 1) ∗ sp ) m )( m, sp ) , frame ⇓ ( m ′ , sp + 1) frame [] ⇓ [ s ] frame s ′ = s ++ (drop L s )( s, ⇓ ( s ′ , ρ ∗ B Σ ∗ B b cB b cB ρ ∗ St Fig. 15.
The coherence criterion for ( id, b B )under the new frame rule. The idea behind the new frame rule is that the L-sized block in posi-tion sp , which is going to be the newstack frame, has all its values replacedby zeroes. As we can see in Figure 15,the coherence criterion is now satis-fied and the example described earlierno longer works. On Mathematical Operational Semantics
The cases we covered in thispaper are presented using Plotkin’s Structural Operational Semantics [38], yettheir foundations are deeply categorical [48]. Consequently, for one to use themethods presented in this paper, the semantics involved must fall within theframework of distributive laws, the generality of which has been explored in thepast [47, 50], albeit not exhaustively. To the best of our knowledge, Section 7and Section 8 show the first instances of distributive laws as low-level machines.Bialgebraic semantics are well-behaved in that bisimilarity is a congruence [19].We used that to show that two bisimilar programs will remain bisimilar irrespec-tive of the context they are plugged into, which is not the same as contextual equivalence. However, full abstraction is but one of a set of proposed characteri-zations of secure compilation [36, 2] and the key intuition is that our frameworkis suitable as long as bisimilarity adequately captures the threat model. Whilethis is the case in the examples, we can imagine situations where the threatmodel is weaker than the one implied by bisimilarity.For example, language
While ֠ in Section 3 includes labels in its transitionstructure and the underlying model is accurate in that While ֠ terms can manip-ulate said labels. However, if we were to remove obs statements from the syntax,the threat model becomes weaker than the one implied by bisimilarity. Similarlyin Section 7 and Low , where our threat model assumes that the program countercan be manipulated by a low-level attacker. If we impose a few constraints on thethreat model, for instance by disallowing arbitrary branching and only considerthe initial program counter to be zero, bisimilarity is suddenly too strong.This issue can be classified as part of the broader effort towards coalgebraicweak bisimilarity, a hard problem which has been an object of intense, ongoingscientific research [42, 39, 20, 13, 43, 42, 12]. Of particular interest is the workby Abou-Saleh and Pattinson [7, 6] about bialgebraic semantics, where they usetechniques introduced in [20] to obtain a more appropriate semantic domain foreffectful languages as a final coalgebra in the Kleisli category of a suitable monad.This method is thus a promising avenue towards exploring weaker equivalencesin bialgebraic semantics, as long as these can be described by a monad.
On Maps of Distributive Laws
Maps of distributive laws were first men-tioned by Power and Watanabe [40], then elaborated as
Well-behaved transla-tions by Watanabe [50] and more recently by Klin and Nachyla [27]. Despite thefew examples presented in [50, 27], this paper is the first major attempt towardsapplying the theory behind maps of distributive laws in a concrete problem, letalone in secure compilation.From a theoretical standpoint, maps of distributive laws have remained largelythe same since their introduction. This comes despite the interesting develop-ments discussed in Section 9 regarding distributive laws, which of course arethe subjects of maps of distributive laws. We speculate the existence of
Kleisli maps of distributive laws that guarantee preservation of equivalences weakerthan bisimilarity. We plan to develop this notion and explore its applicability infuture work.
Conclusion
It is evident that the systematic approach presented in this workmay significantly simplify proving compiler security as it involves a single, sim-ple coherence criterion. Explicit reasoning about program contexts is no longernecessary, but that does not mean that contexts are irrelevant. On the contrary,the guarantees are implicitly contextual due to the well-behavedness of the se-mantics. Finally, while the overall usability and eventual success of our methodremains a question mark as it depends on the expressiveness of the threat model,the body of work in coalgebraic weak bisimilarity and distributive laws in Kleislicategories suggests that there are many promising avenues for further progress. categorical approach to secure compilation 21
References [1] Mart´ın Abadi. “Protection in Programming-Language Translations”. In:
Secure Internet Programming, Security Issues for Mobile and DistributedObjects . 1999, pp. 19–34. doi : 10.1007/3-540-48749-2 \ url : https://doi.org/10.1007/3-540-48749-2 \ Journey Beyond Full Abstraction: Exploring RobustProperty Preservation for Secure Compilation . 2018. arXiv: 1807.04603 [cs.PL] .[3] Carmine Abate et al. “When Good Components Go Bad: Formally Se-cure Compilation Despite Dynamic Compromise”. In:
Proceedings of the2018 ACM SIGSAC Conference on Computer and Communications Se-curity, CCS 2018, Toronto, ON, Canada, October 15-19, 2018 . Ed. byDavid Lie et al. ACM, 2018, pp. 1351–1368. isbn : 978-1-4503-5693-0. doi :10.1145/3243734.3243745. url : https://doi.org/10.1145/3243734.3243745.[4] Michael Gordon Abbott, Thorsten Altenkirch, and Neil Ghani. “Contain-ers: Constructing strictly positive types”. In:
Theor. Comput. Sci. doi : 10.1016/j.tcs.2005.06.002. url : https://doi.org/10.1016/j.tcs.2005.06.002.[5] Michael Gordon Abbott et al. “for Data: Differentiating Data Structures”.In:
Fundam. Inform. url : http://content.iospress.com/articles/fundamenta-informaticae/fi65-1-2-02.[6] Faris Abou-Saleh. “A coalgebraic semantics for imperative programminglanguages”. PhD thesis. Imperial College London, UK, 2014. url : http://hdl.handle.net/10044/1/13693.[7] Faris Abou-Saleh and Dirk Pattinson. “Towards Effects in MathematicalOperational Semantics”. In:
Electr. Notes Theor. Comput. Sci.
276 (2011),pp. 81–104. doi : 10.1016/j.entcs.2011.09.016. url : https://doi.org/10.1016/j.entcs.2011.09.016.[8] Pieter Agten et al. “Secure Compilation to Modern Processors”. In: . Ed. by Stephen Chong. IEEE Computer Soci-ety, 2012, pp. 171–185. isbn : 978-1-4673-1918-8. doi : 10.1109/CSF.2012.12. url : https://doi.org/10.1109/CSF.2012.12.[9] Amal Ahmed and Matthias Blume. “An equivalence-preserving CPS trans-lation via multi-language semantics”. In:
Proceeding of the 16th ACM SIG-PLAN international conference on Functional Programming, ICFP 2011,Tokyo, Japan, September 19-21, 2011 . Ed. by Manuel M. T. Chakravarty,Zhenjiang Hu, and Olivier Danvy. ACM, 2011, pp. 431–444. isbn : 978-1-4503-0865-6. doi : 10.1145/2034773.2034830. url : https://doi.org/10.1145/2034773.2034830.[10] Amal Ahmed et al. “Secure Compilation (Dagstuhl Seminar 18201)”. In:
Dagstuhl Reports issn :2192-5283. doi : 10.4230/DagRep.8.5.1. url : http://drops.dagstuhl.de/opus/volltexte/2018/9891.[11] Falk Bartels.
On Generalised Coinduction and Probabilistic SpecificationFormats: Distributive Laws in Coalgebraic Modelling . 2004.[12] Filippo Bonchi et al. “Lax Bialgebras and Up-To Techniques for WeakBisimulations”. In: . Ed. by Luca Acetoand David de Frutos-Escrig. Vol. 42. LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2015, pp. 240–253. isbn : 978-3-939897-91-0. doi :10.4230/LIPIcs.CONCUR.2015.240. url : https://doi.org/10.4230/LIPIcs.CONCUR.2015.240. [13] Tomasz Brengos. “Weak bisimulation for coalgebras over order enrichedmonads”. In:
Logical Methods in Computer Science doi : 10.2168/LMCS-11(2:14)2015. url : https://doi.org/10.2168/LMCS-11(2:14)2015.[14] J. Robin B. Cockett. “Introduction to Distributive Categories”. In:
Math-ematical Structures in Computer Science doi :10.1017/S0960129500000232. url : https://doi.org/10.1017/S0960129500000232.[15] Victor Costan and Srinivas Devadas. “Intel SGX Explained”. In:
IACRCryptology ePrint Archive url : http://eprint.iacr.org/2016/086.[16] Dominique Devriese, Marco Patrignani, and Frank Piessens. “Fully-abstractcompilation by approximate back-translation”. In:
Proceedings of the 43rdAnnual ACM SIGPLAN-SIGACT Symposium on Principles of Program-ming Languages, POPL 2016, St. Petersburg, FL, USA, January 20 - 22,2016 . 2016, pp. 164–177. doi : 10.1145/2837614.2837618. url : https://doi.org/10.1145/2837614.2837618.[17] Derek Dreyer, Amal Ahmed, and Lars Birkedal. “Logical Step-IndexedLogical Relations”. In:
Logical Methods in Computer Science doi : 10.2168/LMCS-7(2:16)2011. url : https://doi.org/10.2168/LMCS-7(2:16)2011.[18] C´edric Fournet et al. “Fully abstract compilation to JavaScript”. In:
The40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Pro-gramming Languages, POPL ’13, Rome, Italy - January 23 - 25, 2013 .2013, pp. 371–384. doi : 10.1145/2429069.2429114. url : https://doi.org/10.1145/2429069.2429114.[19] Jan Friso Groote and Frits W. Vaandrager. “Structured Operational Se-mantics and Bisimulation as a Congruence”. In:
Inf. Comput. doi : 10.1016/0890-5401(92)90013-6. url : https://doi.org/10.1016/0890-5401(92)90013-6.[20] Ichiro Hasuo, Bart Jacobs, and Ana Sokolova. “Generic Trace Semanticsvia Coinduction”. In:
Logical Methods in Computer Science doi : 10.2168/LMCS-3(4:11)2007. url : https://doi.org/10.2168/LMCS-3(4:11)2007.[21]
Intel 64 and IA-32 Architectures Software Developer’s Manual . Intel Cor-poration. 2016. url
Introduction to Coalgebra: Towards Mathematics of Statesand Observation . Vol. 59. Cambridge Tracts in Theoretical Computer Sci-ence. Cambridge University Press, 2016. isbn : 9781316823187. doi : 10.1017/CBO9781316823187. url : https://doi.org/10.1017/CBO9781316823187.[23] Bart Jacobs. “Parameters and Parametrization in Specification, Using Dis-tributive Categories”. In:
Fundam. Inform. doi :10.3233/FI-1995-2431. url : https://doi.org/10.3233/FI-1995-2431.[24] Radha Jagadeesan et al. “Local Memory via Layout Randomization”. In:
Proceedings of the 24th IEEE Computer Security Foundations Symposium,CSF 2011, Cernay-la-Ville, France, 27-29 June, 2011 . IEEE Computer So-ciety, 2011, pp. 161–174. isbn : 978-1-61284-644-6. doi : 10.1109/CSF.2011.18. url : https://doi.org/10.1109/CSF.2011.18.[25] Andrew Kennedy. “Securing the .NET programming model”. In:
Theor.Comput. Sci. doi : 10.1016/j.tcs.2006.08.014. url : https://doi.org/10.1016/j.tcs.2006.08.014. categorical approach to secure compilation 23 [26] Bartek Klin. “Bialgebras for structural operational semantics: An intro-duction”. In:
Theor. Comput. Sci. doi :10.1016/j.tcs.2011.03.023. url : https://doi.org/10.1016/j.tcs.2011.03.023.[27] Bartek Klin and Beata Nachyla. “Presenting Morphisms of DistributiveLaws”. In: . 2015,pp. 190–204. doi : 10.4230/LIPIcs.CALCO.2015.190. url : https://doi.org/10.4230/LIPIcs.CALCO.2015.190.[28] Marina Lenisa, John Power, and Hiroshi Watanabe. “Distributivity forendofunctors, pointed and co-pointed endofunctors, monads and comon-ads”. In:
Electr. Notes Theor. Comput. Sci.
33 (2000), pp. 230–260. doi :10.1016/S1571-0661(05)80350-0. url : https://doi.org/10.1016/S1571-0661(05)80350-0.[29] Conor Mcbride.
The Derivative of a Regular Type is its Type of One-HoleContexts (Extended Abstract) . 2001.[30]
MIPS Architecture for Programmers Volume II-A: The MIPS32 Instruc-tion Set Manual . MIPS Technologies. 2016. url : https://s3-eu-west-1.amazonaws.com/downloads-mips/documents/MD00086-2B-MIPS32BIS-AFP-6.06.pdf.[31] James H. Morris. “Lambda-Calculus Models of Programming Languages”.PhD thesis. Massachusetts Institute of Technology, 1968.[32] Max S. New, William J. Bowman, and Amal Ahmed. “Fully abstract com-pilation via universal embedding”. In:
Proceedings of the 21st ACM SIG-PLAN International Conference on Functional Programming, ICFP 2016,Nara, Japan, September 18-22, 2016 . Ed. by Jacques Garrigue, GabrieleKeller, and Eijiro Sumii. ACM, 2016, pp. 103–116. isbn : 978-1-4503-4219-3. doi : 10.1145/2951913.2951941. url : https://doi.org/10.1145/2951913.2951941.[33] Marco Patrignani, Amal Ahmed, and Dave Clarke. “Formal Approaches toSecure Compilation: A Survey of Fully Abstract Compilation and RelatedWork”. In:
ACM Comput. Surv. issn : 0360-0300. doi : 10.1145/3280984.[34] Marco Patrignani, Dave Clarke, and Frank Piessens. “Secure Compilationof Object-Oriented Components to Protected Module Architectures”. In:
Programming Languages and Systems - 11th Asian Symposium, APLAS2013, Melbourne, VIC, Australia, December 9-11, 2013. Proceedings . Ed.by Chung-chieh Shan. Vol. 8301. Lecture Notes in Computer Science.Springer, 2013, pp. 176–191. isbn : 978-3-319-03541-3. doi : 10.1007/978-3-319-03542-0 \ url : https://doi.org/10.1007/978-3-319-03542-0 \ IEEE 29th Computer SecurityFoundations Symposium, CSF 2016, Lisbon, Portugal, June 27 - July 1,2016 . IEEE Computer Society, 2016, pp. 17–30. isbn : 978-1-5090-2607-4. doi : 10.1109/CSF.2016.9. url : https://doi.org/10.1109/CSF.2016.9.[36] Marco Patrignani and Deepak Garg. “Robustly Safe Compilation”. In:
Programming Languages and Systems - 28th European Symposium on Pro-gramming, ESOP 2019, Held as Part of the European Joint Conferenceson Theory and Practice of Software, ETAPS 2019, Prague, Czech Republic,April 6-11, 2019, Proceedings . 2019, pp. 469–498. doi : 10.1007/978-3-030-17184-1 \ url : https://doi.org/10.1007/978-3-030-17184-1 \ [37] Marco Patrignani et al. “Secure Compilation to Protected Module Archi-tectures”. In: ACM Trans. Program. Lang. Syst. doi :10.1145/2699503. url : https://doi.org/10.1145/2699503.[38] Gordon D. Plotkin. “A structural approach to operational semantics”. In:
J. Log. Algebr. Program.
Algebra and Coal-gebra in Computer Science, Third International Conference, CALCO 2009,Udine, Italy, September 7-10, 2009. Proceedings . 2009, pp. 157–172. doi :10.1007/978-3-642-03741-2 \ url : https://doi.org/10.1007/978-3-642-03741-2 \ Electr. Notes Theor. Comput. Sci.
19 (1999), p. 102. doi :10.1016/S1571-0661(05)80271-3. url : https://doi.org/10.1016/S1571-0661(05)80271-3.[41] Jurriaan Rot et al. “Enhanced coalgebraic bisimulation”. In:
MathematicalStructures in Computer Science doi : 10.1017/S0960129515000523. url : https://doi.org/10.1017/S0960129515000523.[42] Jan Rothe and Dragan Masulovic. “Towards Weak Bisimulation For Coal-gebras”. In:
Electr. Notes Theor. Comput. Sci. doi :10.1016/S1571-0661(04)80499-7. url : https://doi.org/10.1016/S1571-0661(04)80499-7.[43] Jan J. M. M. Rutten. “A note on coinduction and weak bisimilarity forwhile programs”. In:
ITA doi : 10.1051/ita:1999125. url : https://doi.org/10.1051/ita:1999125.[44] Lau Skorstengaard, Dominique Devriese, and Lars Birkedal. “ReasoningAbout a Machine with Local Capabilities - Provably Safe Stack and ReturnPointer Management”. In:
Programming Languages and Systems - 27thEuropean Symposium on Programming, ESOP 2018, Held as Part of theEuropean Joint Conferences on Theory and Practice of Software, ETAPS2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings . Ed. by AmalAhmed. Vol. 10801. Lecture Notes in Computer Science. Springer, 2018,pp. 475–501. isbn : 978-3-319-89883-4. doi : 10.1007/978-3-319-89884-1 \ url : https://doi.org/10.1007/978-3-319-89884-1 \ Proc. ACM Program. Lang. issn : 2475-1421. doi : 10.1145/3290332.[46] Stelios Tsampas, Dominique Devriese, and Frank Piessens. “TemporalSafety for Stack Allocated Memory on Capability Machines”. In: . IEEE, 2019, pp. 243–255. isbn : 978-1-7281-1407-1. doi : 10.1109/CSF.2019.00024. url : https://doi.org/10.1109/CSF.2019.00024.[47] Daniele Turi. “Categorical Modelling of Structural Operational Rules: CaseStudies”. In:
Category Theory and Computer Science, 7th InternationalConference, CTCS ’97, Santa Margherita Ligure, Italy, September 4-6,1997, Proceedings . 1997, pp. 127–146. doi : 10.1007/BFb0026985. url :https://doi.org/10.1007/BFb0026985. categorical approach to secure compilation 25 [48] Daniele Turi and Gordon D. Plotkin. “Towards a Mathematical Oper-ational Semantics”. In:
Proceedings, 12th Annual IEEE Symposium onLogic in Computer Science, Warsaw, Poland, June 29 - July 2, 1997 . 1997,pp. 280–291. doi : 10.1109/LICS.1997.614955. url : https://doi.org/10.1109/LICS.1997.614955.[49] Thomas Van Strydonck, Frank Piessens, and Dominique Devriese. “LinearCapabilities for Fully Abstract Compilation of Separation-Logic-VerifiedCode”. In:
Proc. ACM Program. Lang.
ICFP (2019). accepted.[50] Hiroshi Watanabe. “Well-behaved Translations between Structural Op-erational Semantics”. In:
Electr. Notes Theor. Comput. Sci. doi : 10.1016/S1571-0661(04)80372-4. url : https://doi.org/10.1016/S1571-0661(04)80372-4.[51] Robert N. M. Watson et al. “CHERI: A Hybrid Capability-System Ar-chitecture for Scalable Software Compartmentalization”. In: . IEEE Computer Society, 2015, pp. 20–37. isbn : 978-1-4673-6949-7. doi : 10.1109/SP.2015.9. urlurl