open access publication

Article, 2024

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Journal of the ACM, ISSN 0004-5411, 1557-735X, Volume 71, 1, Pages 1-59, 10.1145/3623510

Contributors

Georges, Aïna Linn 0000-0002-5951-4642 [1] Guéneau, Armaël 0000-0003-3072-4045 (Corresponding author) [2] Van Strydonck, Thomas [3] Timany, Amin 0000-0002-2237-851X [4] Trieu, Alix 0000-0002-8239-8125 [5] Devriese, Dominique 0000-0002-3862-6856 [3] Birkedal, Lars 0000-0003-1320-0098 [4]

Affiliations

  1. [1] Max Planck Institute for Software Systems
    2. [NORA names: Germany; Europe, EU; OECD];
  2. [2] Université Paris-Saclay, CNRS, ENS Paris-Saclay, Inria, Laboratoire Méthodes Formelles, France
    3. [NORA names: France; Europe, EU; OECD];
  3. [3] KU Leuven
    4. [NORA names: Belgium; Europe, EU; OECD];
  4. [4] Aarhus University
    5. [NORA names: AU Aarhus University; University; Denmark; Europe, EU; Nordic; OECD];
  5. [5] ANSSI, France
    6. [NORA names: France; Europe, EU; OECD]

Abstract

A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities , machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. The methodology we present underlies recent work of the authors on formal reasoning about capability machines [Georges et al. 2021 ; Skorstengaard et al. 2019a ; Van Strydonck et al. 2022 ], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.

Keywords

CPU, Cerise, CoQ, Convention, Coq proof assistant, assistance, authors, calling conventions, capability, capability machine, code, correction, examples, framework, functional correctness, guarantees, implementation, implicit, introduction, iris, language, logic, logical framework, logical relations, machine, machine word, mathematical model, method, methodology, methodology scales, minimal example, model, paper, patterns, pedagogical introduction, presence, privilege, privilege separation, program, program logic, program logic framework, program verification, proof assistant, publications, reasons, relations, results, safety guarantees, scale, separation, verification, words

Funders

  • Danish Agency for Science and Higher Education
  • Research Foundation - Flanders
  • United States Air Force Office of Scientific Research
  • United States Air Force
  • The Velux Foundations

Data Provider: Digital Science

LINKS
-

Matching Records in NORA

SUBJECTS
+

METRICS
+