System M: A Program Logic for Code Sandboxing and Identification

Limin Jia (ECE & INI, Carnegie Mellon University), Shayak Sen (CS, Carnegie Mellon University), Deepak Garg (Max Planck Institute for Software Systems), Anupam Datta (CS & ECE, Carnegie Mellon University)

arXiv:1501.05673v1 [cs.CR] 22 Jan 2015
Abstract

Security-sensitive applications that execute untrusted code often check the code's integrity by comparing its syntax to a known good value or sandbox the code to contain its effects. System M is a new program logic for reasoning about such security-sensitive applications. System M extends Hoare Type Theory (HTT) to trace safety properties and, additionally, contains two new reasoning principles. First, its type system internalizes logical equality, facilitating reasoning about applications that check code integrity. Second, a confinement rule assigns an effect type to a computation based solely on knowledge of the computation's sandbox. We prove the soundness of System M relative to a step-indexed trace-based semantic model. We illustrate both new reasoning principles of System M by verifying the main integrity property of the design of Memoir, a previously proposed trusted computing system for ensuring state continuity of isolated security-sensitive applications.

1. Introduction

Software systems, such as Web browsers, smartphone platforms, and extensible operating systems and hypervisors, are designed to provide subtle security properties in the presence of adversaries who can supply code, which is then executed with the privileges of the trusted system. For example, web pages routinely execute third-party JavaScript with full access to their content; smartphones execute apps from open app stores, often with very lax sandboxes; operating system kernels include untrusted (and often buggy) device drivers; and trusted computing platforms load programs from disk and only later verify loaded programs using the Trusted Platform Module (TPM) [32]. Despite executing potentially adversarial code, all these systems have security-related goals, often safety properties over traces [18]. For example, a hypervisor must ensure that an untrusted guest operating system running on top of it cannot modify the hypervisor's page table, a web page must ensure that an embedded untrusted advertisement cannot access a user's password, and trusted computing mechanisms must enable a remote party to check that an expected software stack was loaded in the expected order on an untrusted server.

Secure execution of untrusted code in trusted contexts relies on two common mechanisms. First, untrusted code is often run inside a sandbox that confines its interaction with key system resources to a restricted set of interfaces. This practice is seen in Web browsers, hypervisors, and other security-critical systems. Second, code identification mechanisms are used to infer that an untrusted piece of code is in fact syntactically equal to a known piece of code. These mechanisms include distribution of signed code, and trusted computing mechanisms [32] that leverage hardware support to enable remote parties to check the identity of code on an untrusted computer. Motivated by these systems, we present a program logic, called System M, for modeling and proving safety properties of systems that securely execute adversary-supplied code via sandboxing and code identification.

System M's design is inspired by Hoare Type Theory (HTT) [21–23]. Like HTT, a monad separates computations with side-effects from pure expressions, and a monadic type both specifies the return type of a computation and includes a postcondition that specifies the computation's side-effects. The postcondition of a computation type in System M uses predicates over the entire trace of the computation. This is motivated by our desire to verify safety properties [18], which are, by definition, predicates on traces. Further, the postcondition contains not one but two predicates on traces. One predicate, the standard partial correctness assertion, holds if the computation completes. The other, called the invariant assertion, holds at all intermediate points of the computation, even if the computation is stuck or divergent. The invariant assertion is directly used to represent safety properties.

To this basic infrastructure, we add two novel reasoning principles that internalize the rationale behind commonly used mechanisms for ensuring secure execution of adversary-supplied code: code identification and sandboxing. These rules derive effects of untyped code potentially provided by an adversary and, hence, enable the typing derivation of the trusted code to include as sub-derivations the reasoning of effects of the adversarial code.

The first principle, a rule called EQ, ascribes the type of a program e to another program e′: if e is syntactically equal to e′ and e : τ, then e′ : τ. This rule is useful for typing programs read from adversary-modifiable memory locations when separate reasoning can establish that the value stored in the location is, in fact, syntactically equal to some known expression with a known type. Depending on the application, such reasoning may be based in a dynamic check (e.g., in secure boot [27] the hash of a textual reification of a program read from adversary-accessible memory is compared to the corresponding hash of a known program before executing the read program) or it may be based in a logical proof showing the
inability of the adversary to write the location in question (e.g., showing that guests cannot write to hypervisor memory).

Our second reasoning principle, manifest in a rule called CONFINE, allows us to type partially specified adversary-supplied code from knowledge of the sandbox in which the code will execute. The intuition behind this rule is that if all side-effecting interfaces available to a computation maintain a certain invariant on the shared state, then that computation cannot violate that invariant, irrespective of its actual code. The CONFINE rule generalizes prior work of Garg et al. on reasoning about interface-confined adversarial code in a first-order language [14]. The main difference from Garg et al. [14] is that in this paper trusted interfaces can receive and execute code, in addition to data, from the adversary and other trusted components. Our use of the CONFINE rule stresses our view that assumptions made about adversarial code should be minimized. In contrast, a lot of work, e.g., proof-carrying code [25], requires that adversarial code be checked in a rich type system prior to execution, which eliminates the need for a rule like CONFINE. Section 3 explains intuitions behind these two principles in more detail.

We show soundness of System M relative to a step-indexed model [2] built over syntactic traces. As in some prior work [8–10, 14], our semantics of assertions and postconditions account for interleaving actions from concurrently executing programs including adversarial programs and, hence, our soundness theorem implies that all verified properties hold in the presence of adversaries, which is a variant of robust safety, proposed by Gordon et al. [15]. System M supports compositional proofs—security proofs of sequentially composed programs are built from proofs of their sub-programs. System M also admits concurrent composition—properties proved of a program hold when that program executes concurrently with other, even adversarial, programs.

System M is the first program logic that allows proofs of safety for programs that execute adversary-supplied code with adequate precautions, but does not force the adversarial code to be completely available for typing. Other frameworks like Bhargavan et al.'s contextual theorems [4] for F7 achieve expressiveness similar to the CONFINE rule for a slightly limited selection of trace properties. (We compare to related work in Section 7.) Our step-indexed model of Hoare types is also novel, although our exclusion of preconditions, our use of call-by-name β-reduction, and the inclusion of adversary-supplied code make the model nonstandard.

System M can be used to model and verify protocols as well as system designs. We demonstrate the reasoning principles of System M by verifying the state continuity property of the design of Memoir [28], a previously proposed trusted computing system. For reasons of space, we elide proofs, some technical details and several typing rules from this paper. These are presented in the accompanying technical appendix.

2. Term Language and Operational Semantics

We summarize System M's term syntax in Figure 1. Pure expressions, denoted e, are distinguished from effectful computations, denoted c. An expression can be a variable, a constant, a function, a polymorphic function, a function application, a polymorphic function instantiation, or a suspended computation. Constants can be Booleans (tt, ff), natural numbers (n ∈ N), thread identifiers (ι ∈ I), and memory locations (ℓ ∈ L). We use · as the place holder for the type in a polymorphic function instantiation. Suspended computations comp(c) constitute a monad with return ret(e) and bind lete(e1, x.c2).

System M is parametrized over a set of action symbols A, which are instantiated with concrete actions based on specific application domains. For instance, A may be instantiated with memory operations such as read and write. An action, denoted a, is the application of an action symbol A to expression arguments.

Base values    bv ::= tt | ff | ι | ℓ | n
Expressions    e  ::= x | bv | λx.e | ΛX.e | e1 e2 | e · | comp(c)
Actions        a  ::= A | a e | a ·
Computations   c  ::= act(a) | ret(e) | fix f(x).c | c e
                    | letc(c1, x.c2) | lete(e1, x.c2)
                    | c1; c2 | e1; c2 | if e then c1 else c2

Figure 1. Term Syntax

A basic computation is either an atomic action (act(a)) or ret(e) that returns the pure expression e immediately. fix f(x).c is a fixpoint operator. f, which represents a suspended fixpoint computation, may appear free in the body c. Computation (c e) is the application of a fixpoint computation to its argument. letc(c1, x.c2) denotes the sequential composition of c1 and c2, while lete(e1, x.c2) is the sequential composition of the suspended computation to which e1 reduces and c2. In both cases, the expression returned by the first computation is bound to x, which may occur free in c2. We sometimes use the alternate syntax x ← c1; c2 and let x = e1; c2. When the expression returned by the first computation is not used in c2, we write c1; c2 and e1; c2.

The operational semantics of System M are small-step and based on interleaving of concurrent threads.

Stack          K ::= [] | x.c :: K
Thread         T ::= ⟨ι; K; c⟩ | ⟨ι; K; e⟩ | ⟨ι; stuck⟩
Configuration  C ::= σ ⊲ T1, ..., Tn

A thread T is a unit of sequential execution. A non-stuck thread is a triple ⟨ι; K; c⟩ or ⟨ι; K; e⟩, where ι is a unique identifier of that thread (drawn from a set I of such identifiers), K is the execution (continuation) stack, and c and e are the computation and expression currently being evaluated. A thread permanently enters a stuck state, denoted ⟨ι; stuck⟩, after performing an illegal action, such as accessing an unallocated memory location. An execution stack is a list of frames of the form x.c recording the return points of sequencing statements in the enclosing context. In a frame x.c, x binds the return expression of the computation preceding c. A configuration of the system is a shared state σ and a set of all threads. σ is application-specific; for the rest of this paper, we assume that it is a standard heap mapping pointers to expressions, but this choice is not essential. For example, in modeling network protocols, the heap could be replaced by the set of undelivered (pending) messages on the network.

For pure expressions, we use call-by-name β-reduction →β. This choice simplifies the operational semantics and the soundness proofs, as explained in Section 6. We elide the standard rules for →β. The small-step transitions for threads and system configurations are shown in Figure 2. The relation σ ⊲ T ↪ σ′ ⊲ T′ defines a small-step transition of a single thread. C −→ C′ denotes a small-step transition for configuration C; it results from the reduction of any single thread in C.

The rules for σ ⊲ T ↪ σ′ ⊲ T′ are mostly straightforward. The rules for evaluating an atomic action (R-ACTS and R-ACTF) rely on a function next that takes the current store σ and an action a, and returns a new store and an expression, which are the result of the action. If the action is illegal, then next(σ, a) = (σ′, stuck). If the action returns a non-stuck expression e (rule R-ACTS), then the top frame (x.c) is popped off the stack, and c[e/x] becomes the current computation of the thread. If next returns stuck (rule R-ACTF), then the thread enters the stuck state and permanently remains there. When a sequencing statement lete(e1, x.c2) is evaluated, the frame x.c2 is pushed onto the stack, and e1 is first reduced to a suspended computation comp(c1); then c1 is evaluated. When
σ ⊲ T ↪ σ′ ⊲ T′

next(σ, a) = (σ′, e)    e ≠ stuck
-------------------------------------------------------------- (R-ACTS)
σ ⊲ ⟨ι; x.c :: K; act(a)⟩ ↪ σ′ ⊲ ⟨ι; K; c[e/x]⟩

next(σ, a) = (σ′, stuck)
-------------------------------------------------------------- (R-ACTF)
σ ⊲ ⟨ι; x.c :: K; act(a)⟩ ↪ σ′ ⊲ ⟨ι; stuck⟩

σ ⊲ ⟨ι; stuck⟩ ↪ σ ⊲ ⟨ι; stuck⟩    (R-STUCK)

σ ⊲ ⟨ι; x.c :: K; ret(e)⟩ ↪ σ ⊲ ⟨ι; K; c[e/x]⟩    (R-RET)

e →β e′
-------------------------------------------------------------- (R-SEQE2)
σ ⊲ ⟨ι; K; e⟩ ↪ σ ⊲ ⟨ι; K; e′⟩

σ ⊲ ⟨ι; x.c2 :: K; comp(c1)⟩ ↪ σ ⊲ ⟨ι; x.c2 :: K; c1⟩    (R-SEQE3)

σ ⊲ ⟨ι; K; (fix f(x).c) e⟩ ↪ σ ⊲ ⟨ι; K; c[λz.comp(fix(f(x).c) z)/f][e/x]⟩    (R-FIX)

Figure 2. Selected small-step reduction semantics of configurations

a fixpoint (fix f(x).c) e is evaluated, f is substituted with a function whose body is a suspension of fix f(x).c.

Any finite execution of a configuration results in a trace T, defined as a finite sequence of reductions. With each reduction we associate a time point u, also called a (logical) time point. These time points on the trace are monotonically increasing. A trace annotated with time is written −u0→ C0 −u1→ C1 ... −un→ Cn, where ui ≤ ui+1. We follow the convention that the reduction from Ci to Ci+1 happens at time ui+1 and that its effects occur immediately. Thus the state at time ui is the state in Ci.

3. Motivating Application

We briefly review Memoir [28], our main application, and highlight the challenges in analyzing Memoir to motivate the novel typing rules for deriving properties of adversary-supplied code using code identification and sandboxing.

3.1 Overview of Memoir

Memoir provides state-integrity guarantees for stateful security-sensitive services invoked by potentially malicious parties. Such services often rely on untrusted storage to store their persistent state. An example of such a service is a password manager that responds with a stored password when it receives a request containing a URL and a username. The service would want to ensure secrecy and integrity of its state; in this case, the set of stored passwords. Simply encrypting and signing the service's state cannot prevent the attacker from invoking the service with a valid but old state, and consequently mounting service rollback attacks. For the password manager service, this attack could cause the service to respond with old (possibly compromised) passwords. Memoir solves this problem by using the TPM to provide state integrity guarantees. Memoir relies on the following TPM features:

• Platform configuration registers (PCRs) contain 20-byte hashes known as measurements that summarize the current configuration of the system. The value they contain can only be updated in two ways: (1) a reset operation which sets the value of the PCR to a fixed default value; (2) an extend operation which takes as argument a value v and updates the value of the PCR to the hash of the concatenation of its current value with v.

• Late launch is a command that can be used to securely load a program. It extends the hash of the textual reification of the program into a special PCR (PCR 17). Combined with the guarantees provided by a PCR, late launch provides a mechanism for precise code identification.

• Non-volatile RAM (NVRAM) provides persistent storage that allows access control based on PCR measurements. Specifically, permissions on NVRAM locations can be tied to a PCR p and value v such that the location can only be read when the value contained in p is v.

Memoir has two phases: service initialization and service invocation. During initialization, the Memoir module is assigned an NVRAM block. It is also given a service to protect. The module generates a new symmetric key that is used throughout the lifetime of the service. It sets the permissions on accesses to the NVRAM block to be tied to the hash stored in PCR 17, which contains the hash of the code for Memoir and the service. To prevent rollback attacks, it uses a freshness tag which is a chain of hashes of all the requests received so far. The secret key and an initial freshness tag are stored in the designated NVRAM location. The service then runs for the first time to generate an initial state, which along with the freshness tag is encrypted with the secret key and stored to disk. This encryption of the service's state along with the freshness tag is called a snapshot.

1  runmodule(srvc, snap, req, Nloc) =
2    ···
3    (skey, freshness_tag) ← act(NVRAMread Nloc);
4    service_state ← check_decrypt_snapshot(snap);
5    ···
6    (state′, resp) ← (srvc ExtendPCR ResetPCR ···)(state, req);
7    ···

Figure 3. Snippet of invocation code

After initialization, a service can be invoked by providing Memoir with an NVRAM block, a piece of service code, and a snapshot. In Figure 3, we show a snippet of the Memoir service invocation code. Memoir retrieves the key and freshness tag from the NVRAM. Memoir then decrypts the snapshot and verifies that the freshness tag in the provided state matches the one stored in NVRAM. If the verification succeeds, Memoir computes a new freshness tag and updates the NVRAM. Next, it executes the service to generate a new state and a response. The new snapshot corresponding to the new state and freshness tag is stored to disk.

The security property we prove about Memoir is that the service can only be invoked on the state generated by the last completed instance of the service. The proof of security for Memoir requires reasoning about the effects of the service, which is provided by potentially malicious parties.

To derive properties of the runmodule code shown above one needs to assign a type to srvc, which is provided by an adversary. The service srvc, run on line 6, is a function that contains no free actions. However, srvc takes as arguments interface functions corresponding to every atomic action in our model. Shown above are ExtendPCR and ResetPCR which are simply wrappers for the corresponding atomic actions.

For example, the proof requires deriving the following two invariant properties about srvc:

1. It does not change the value of the PCR to a state that allows the adversary to later read the NVRAM.
2. It does not leak the secret key.

The first invariant is derived using the fact that the service is confined to the interface exposed by the TPM. The second invariant is derived in three steps: (i) prove that srvc is syntactically equal to the initial service; (ii) assume that the initial service does not leak the secret key; and (iii) hence infer that srvc does not leak the secret key. We next describe System M's typing rules that enable such reasoning.

3.2 Typing Adversary Supplied Code

Reasoning about effects of confinement. In analyzing programs that execute adversary-supplied code, one often encounters a partially trusted program, whose code is unknown, but which is known or assumed to be confined to the use of a specific set of interfaces to perform actions on shared state. In our Memoir example, every program on the machine is confined to the interface provided by the TPM. Using just this confinement information, we can sometimes deduce a useful effect-type for the partially trusted program. Suppose c is a closed computation, which syntactically does not contain any actions and can invoke as subprocedures the computations c1, ..., cn only (i.e., c is confined to c1, ..., cn). If all actions performed by c1, ..., cn satisfy a predicate ϕ, then the actions performed by c must also satisfy ϕ, irrespective of the code of c. Hence, we can statically specify the effects of c, without knowing its code, but knowing the effects of c1, ..., cn.

We formalize this intuition in a typing rule called CONFINE. To explain this rule, we introduce some notation. Let τ denote types in System M that include postconditions for computations and, specifically, let cmp(τ, ϕ) denote the monadic type of computations that return a value of type τ and whose actions satisfy the predicate ϕ. (The notation cmp(τ, ϕ) is simpler than our actual computation types, but it suffices for the explanation here.)

As an illustration of our CONFINE rule, consider any closed expression e. Assume that e does not contain any primitive actions. Then, we claim that for any ϕ, e has the type cmp(bool, ϕ) → cmp(bool, ϕ). To understand this claim, assume that ϕ is the property "the action is not a write to memory". To show that e : cmp(bool, ϕ) → cmp(bool, ϕ), we must show that for any v : cmp(bool, ϕ), e v : cmp(bool, ϕ). Hence, we must show that the actions performed by the computation, say c, that e v evaluates to do not include write. This can be argued easily: Because e is closed and does not contain any actions, the only way this computation c could write is by invoking the computation v. However, because v : cmp(bool, ϕ), v does not write. Hence, e v : cmp(bool, ϕ).

In fact, we can assign e any type, including higher-order function types, as long as the effects in that type are ϕ. Let the predicate confine(τ)(ϕ) mean that ϕ = ϕ′ for all nested types of the form comp(τ′, ϕ′) in τ. Let confine(Γ)(ϕ) mean that every type τ that Γ maps to satisfies confine(τ)(ϕ). Let fa(e) = ∅ mean that e syntactically does not contain any actions. Then, the idea of typing through confinement is captured by the following rule. The rule says that for any e without any actions, if τ's nested effects are ϕ, and the types of the free variables in e also only have ϕ as effects, then e : τ with any predicate ϕ. (Our actual typing rule, shown in Section 4.1 after more notation has been introduced, is more complex. The actual rule also admits predicates over traces, which are more general than predicates over individual actions that we have considered here.)

fa(e) = ∅    fv(e) ∈ Γ    confine(τ)(ϕ)    confine(Γ)(ϕ)
-------------------------------------------------------------- (CONFINE)
Γ ⊢ e : τ

In our Memoir example, we use the CONFINE rule to derive the invariants of the service invoked by the attacker. For instance, if we can show that each of the TPM primitives do not reset the value of the PCR, then using the CONFINE rule, we can claim that srvc, when applied to these primitives, does not reset the value of the PCR. We revisit this proof with specific details in Section 4.2.

In typing a statically unknown expression using the CONFINE rule we assume that the expression is syntactically free of actions and that all of its free variables are in Γ. These are reasonable assumptions for untrusted code to be sandboxed. In an implementation these assumptions can be discharged either by dynamic checks during execution, by static checks during program linking, or by hardware-enforced interface confinement. For example, in our Memoir analysis, the hardware ensures that TPM state can be modified by the service only using the TPM interface.

Deriving properties based on code integrity. Next we need to show that srvc does not leak its secret key. We assume this property about the initial service Memoir was invoked with. (This property could be verified either by manual audits or automated static analysis of the service code.) However, in our model the adversary could invoke Memoir on malicious service code (e.g., replacing a legitimate password manager service with code of the adversary's choice). In this case, we can show with additional reasoning that srvc invoked later must be the same program as the initial service. To allow typing srvc, based on the proof of equality with the initial service and an assumed type for the initial service, we add a new rule called EQ.

Γ ⊢ e : τ    Γ ⊢ e = e′ true
-------------------------------------------------------------- (EQ)
Γ ⊢ e′ : τ

The EQ rule assigns the type τ of any expression e to any other expression e′, which is known to be syntactically equal to e. This rule is trivially sound.

This pattern of first establishing code identity (identify an unknown code with some known code) and then using it to refine types is quite common in proofs of security-relevant properties. A similar pattern arises in analysis of systems that rely on memory protections to ensure that code read from the shared memory is the same as a piece of trusted code, and therefore, safe to execute. In Datta et al.'s work on analysis of remote attestation protocols [10], similar patterns arise for typing potentially modified software executed in a machine's boot sequence. Their model is untyped, but if it were to be typed, EQ could be used to complete the proofs.

Expr types      τ  ::= X | b | Πx:τ1.τ2 | ∀X.τ | comp(ηc) | any
Comp types      η  ::= x:τ.ϕ | ϕ | (x:τ.ϕ, ϕ′)
Closed ctypes   ηc ::= u1.u2.i.(x:τ.ϕ1, ϕ2) | Πx:τ.u1.u2.i.(y:τ.ϕ1, ϕ2)
Assertions      ϕ  ::= P | e1 = e2 | ϕ e | ⊤ | ⊥ | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | ∀x:τ.ϕ | ∃x:τ.ϕ
Action kinds    α  ::= Act(ηc) | Πx:τ.α | ∀X.α
Type var ctx    Θ  ::= · | Θ, X
Signatures      Σ  ::= · | Σ, A :: α
Logic var ctx   ΓL ::= · | ΓL, x:b | ΓL, x:any
Typing ctx      Γ  ::= · | Γ, x:τ
Formula ctx     ∆  ::= · | ∆, ϕ
Exec ctx        Ξ  ::= ub:b, ue:b, i:b

Figure 4. Types and typing contexts

4. Type System and Assertion Logic

The syntax for System M types is shown in Figure 4. Types for expressions, denoted τ, include type variables (X), a base type b, dependent function types (Πx:τ1.τ2), and polymorphic function types (∀X.τ). Since System M focuses on deriving trace properties of programs, the difference between base types such as unit and bool is of little significance. Therefore, System M has one base
type b to classify all first-order terms. The type any contains all syntactically well-formed expressions (any stands for "untyped"). Memory always stores expressions of type any because the adversary could potentially write to any memory location.

Similar to HTT, a suspended computation comp(c) is assigned a monadic type comp(ηc), where ηc is a closed computation type. A closed computation type u1.u2.i.(x:τ.ϕ1, ϕ2) contains two postconditions, ϕ1 and ϕ2. Both are interpreted relative to a trace T. ϕ1, the partial correctness assertion, holds whenever a computation of this type finishes execution on the trace. It is parametrized by the id i of the thread that runs the computation, the interval (ub, ue] during which the computation runs and the return value x of the computation. ϕ2, called the invariant assertion, holds while a computation of the computation type is still executing (or is stuck), but has not returned. It is parametrized by the id i of the thread running the computation and the time interval (ub, ue] over which the computation has executed. Formally, a suspended computation comp(c) has type comp(u1.u2.i.(x:τ.ϕ1, ϕ2)) if the following two properties hold for every trace T: (1) if a thread ι on trace T begins to run c at time U1 and at time U2, c returns an expression e, then e has type τ, and T satisfies ϕ1[U1, U2, ι, e/u1, u2, i, x]; (2) if a thread ι on trace T begins to run c at time U1 and at time U2, c has not finished, then T satisfies ϕ2[U1, U2, ι/u1, u2, i]. The meaning of all types is made precise in Section 5.2.

The type η may be either a partial correctness assertion, an invariant assertion, or a pair of both. Fixpoint computations have the type Πx:τ.u1.u2.i.(y:τ.ϕ1, ϕ2), discussed in more detail with typing rules. If f has this type, then for any e : τ, (f e) is a recursive computation of closed computation type u1.u2.i.(y:τ.ϕ1, ϕ2)[e/x].

Assertions, denoted ϕ, are standard first-order logical formulas interpreted over traces. Atomic assertions are denoted P.

We write α to categorize actions. A fully applied action has the type Act(ηc), where ηc denotes the action's effects.

4.1 Typing Rules

Our typing judgments use several contexts. Θ is a list of type variables. The signature Σ contains specifications for action symbols. ΓL contains logical variable type bindings. These variables can only be of the type b or any. Γ contains dependent variable type bindings. ∆ contains logical assertions. The ordered context Ξ = ub, ue, i provides reference time points and a thread id to typing judgments for computations. When typing a computation, (ub, ue] are parameters representing the interval during which the computation executes and i is a parameter representing the id of the thread that executes the computation. A summary of the typing judgments is shown below.

u:b; Θ; Σ; ΓL; Γ; ∆ ⊢Q e : τ       expression e has type τ
u:b; Θ; Σ; ΓL; Γ; ∆ ⊢Q c : ηc      fixed-point computation c has type ηc
Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢Q c : η         computation c has type η
Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ silent       ϕ holds while reductions are non-effectful
Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ true            ϕ is true

When typing expressions and fixpoint computations, u is the earliest time point when the term can be evaluated on the trace. The first three judgments are indexed by a qualifier Q, which can either be empty or ub.ue.i.ϕ, which we call an invariant. Variables ub, ue, and i have the same meaning as the context Ξ, and may appear free in ϕ. Rules indexed with ub.ue.i.ϕ are used for deriving properties of programs that execute adversarial code. Roughly speaking, the context Γ in these rules contains variables that are place holders for expressions that satisfy the invariant ϕ. We explain here some selected rules of our type system; the remaining rules are listed in the accompanying technical appendix.

Silent threads. Reductions on a trace can be categorized into those induced by the rules R-ACTS and R-ACTF in Figure 2 and those induced by other rules. We call the former effectful and the latter non-effectful or silent. The typing judgment Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ silent specifies properties of threads while they perform only silent reductions or do not reduce at all. The judgment is auxiliary in proofs of both partial correctness and invariant assertions, as will become clear soon. The following rule states that if ϕ is true, then a trace containing a thread's silent computation satisfies ϕ.

Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ true    Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ ok
-------------------------------------------------------------- (SILENT)
Ξ; Θ; Σ; ΓL; Γ; ∆ ⊢ ϕ silent

The type system may be extended with other sound rules for this judgment. For instance, the following is a trivially sound rule: ub.ue.i; Θ; Σ; ΓL; Γ; ∆ ⊢ (∀l, t, ub < t ≤ ue ⇒ ¬Read i l t) silent. If a thread i is not performing any action during time interval (ub, ue], then it does not read memory during that time interval.

Partial correctness typing for computations. Figure 5 shows selected rules for establishing partial correctness postconditions of computations. The judgment u1, u2, i; Θ; Σ; ΓL; Γ; ∆ ⊢ c : x:τ.ϕ means that if in trace T any thread with id ι begins to execute computation c at time U1, and at time U2, c returns an expression e, and T satisfies all the formulas in ∆, then e has type τ, and T also satisfies ϕ[U1, U2, ι, e/u1, u2, i, x].

In rule ACT, the type of an atomic action is directly derived from the specification of the action symbol in a. We elide rules for the judgment a :: Act(u1.u2.i.(x:τ.ϕ1, ϕ2)), which derives types for actions based on the specifications in Σ. We explain the invariant assertions for actions with the discussion of invariant typing for computations. When typing a, the logical variable typing context includes u2:b and i:b, because they may appear free in Γ and ∆. For brevity, we elide the types for variables of type b, as they are obvious from the context.

Rule RET assigns e's type to ret(e). The trace T containing the evaluation of ret(e) satisfies two properties, which appear in the postcondition of ret(e). First, the return expression, which is bound to x, is e (assertion (x = e)). Second, T satisfies any property ϕ such that ϕ silent holds. This is because reduction of ret(e) is silent. Here e is typed under the time point u2, indicating that e can only be evaluated after u2.

Rule SEQC types the sequential composition letc(c1, x.c2). Starting at time point u0 and returning at u3, the execution of letc(c1, x.c2) in any thread i can be divided into three segments for some u1, u2: between time u0 and u1, where thread i takes only a silent step, pushing x.c2 onto the stack; between time u1 and u2, where the computation c1 runs; and between time u2 and u3, where c2 runs. The first three premises of SEQC assert the effects of each of these three segments. When typechecking c2, the facts learned from the executions so far (ϕ0 and ϕ1) are included in the context. The fourth premise checks that ϕ is the logical consequence of the conjunction of the three evaluation segments' properties.

The above rules have the same qualifier Q in the premises and the conclusion. Rule SEQCCOMP combines derivations with different qualifiers in a sequencing statement. The Γ context in the typing of c1 and c2 must be empty. Because the free variables in c1 are placeholders for expressions that satisfy an invariant ϕ1, while the free variables in c2 are for ones that satisfy a different invariant ϕ2, c1 and c2 cannot share free variables except those in ΓL. Note that both Q and Q2 can be empty. This rule is necessary for typing the sequential composition of two programs that contain differently sandboxed code: c1 executes sandboxed code that satisfies ϕ1 and c2 either contains no sandboxed programs, or ones that satisfy ϕ2.
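Returning to the Memoir design of Section 3.1: the following constructed simulation, an added example and not code from the paper or from Memoir, models the TPM features the design relies on (PCR reset and extend, late launch into PCR 17, PCR-gated NVRAM) together with the freshness-tag chain, and checks that replaying a valid but old snapshot and invoking the module with different service code are both refused, which is the run-time counterpart of the two invariants about srvc listed at the end of Section 3.1. Hash widths follow the paper's 20-byte PCRs; the module and service "code" byte strings, the password-manager service, the request encoding and the HMAC-based sealing (a stand-in for encryption with the service key) are assumptions of the example.

```python
import hashlib, hmac, json, os

# Constructed model of the TPM features Memoir relies on (Section 3.1): PCR reset/extend,
# late launch into PCR 17, PCR-gated NVRAM, and the freshness-tag chain. Added example,
# not the paper's or Memoir's code; the "code" byte strings, the password-manager
# service and the HMAC-based sealing (a stand-in for encryption) are assumptions.

PCR_DEFAULT = b"\x00" * 20        # 20-byte measurements, as in the paper
LATE_LAUNCH_PCR = 17
MEMOIR_CODE = b"memoir-module"    # placeholder for the textual reification of Memoir

def h(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

class TPM:
    def __init__(self):
        self.pcr = {LATE_LAUNCH_PCR: PCR_DEFAULT}
        self.nvram = {}           # loc -> [value, PCR17 value required for access]

    def extend_pcr(self, p, v):   # ExtendPCR: PCR := H(PCR || v)
        self.pcr[p] = h(self.pcr[p], v)

    def late_launch(self, program):
        self.pcr[LATE_LAUNCH_PCR] = PCR_DEFAULT          # reset PCR17 ...
        self.extend_pcr(LATE_LAUNCH_PCR, h(program))     # ... then extend with the program hash

    def nvram_define(self, loc, value):   # permission tied to the current PCR17 value
        self.nvram[loc] = [value, self.pcr[LATE_LAUNCH_PCR]]

    def nvram_read(self, loc):
        value, required = self.nvram[loc]
        if self.pcr[LATE_LAUNCH_PCR] != required:
            raise PermissionError("PCR17 does not match the NVRAM access policy")
        return value

    def nvram_write(self, loc, value):
        self.nvram_read(loc)      # same policy check as for reads
        self.nvram[loc][0] = value

def seal(key, state, tag):
    body = json.dumps({"state": state, "tag": tag.hex()}).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, snapshot):
    body, mac = snapshot[:-32], snapshot[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("snapshot integrity check failed")
    payload = json.loads(body)
    return payload["state"], bytes.fromhex(payload["tag"])

def initialize(tpm, loc, srvc_code, srvc):
    """Initialization: bind the NVRAM block to Memoir+service, store key and initial tag."""
    tpm.late_launch(MEMOIR_CODE + srvc_code)
    key, tag = os.urandom(32), h(b"initial freshness tag")
    tpm.nvram_define(loc, (key, tag))
    state, _ = srvc({}, None)
    return seal(key, state, tag)

def run_module(tpm, loc, srvc_code, srvc, snapshot, req):
    """Invocation, following the steps of Figure 3."""
    tpm.late_launch(MEMOIR_CODE + srvc_code)
    key, nv_tag = tpm.nvram_read(loc)                 # fails unless PCR17 matches
    state, snap_tag = unseal(key, snapshot)
    if snap_tag != nv_tag:
        raise ValueError("stale snapshot: freshness tag mismatch (rollback)")
    new_tag = h(nv_tag, repr(req).encode())           # chain of hashes of all requests
    tpm.nvram_write(loc, (key, new_tag))
    new_state, resp = srvc(state, req)
    return seal(key, new_state, new_tag), resp

def password_manager(state, req):
    if req is None:
        return {}, None                               # first run: empty store
    op, url, *rest = req
    if op == "set":
        return {**state, url: rest[0]}, "ok"
    return state, state.get(url)

def demo():
    tpm, loc, code, pm = TPM(), "nv0", b"password-manager-service", password_manager
    snap0 = initialize(tpm, loc, code, pm)
    snap1, _ = run_module(tpm, loc, code, pm, snap0, ("set", "example.test", "old-pw"))
    snap2, _ = run_module(tpm, loc, code, pm, snap1, ("set", "example.test", "new-pw"))
    try:                                              # replay of the valid but old snap1
        run_module(tpm, loc, code, pm, snap1, ("get", "example.test"))
        rollback_rejected = False
    except ValueError:
        rollback_rejected = True
    try:                                              # other service code => other PCR17
        run_module(tpm, loc, b"other-service", pm, snap2, ("get", "example.test"))
        code_change_rejected = False
    except PermissionError:
        code_change_rejected = True
    _, resp = run_module(tpm, loc, code, pm, snap2, ("get", "example.test"))
    return rollback_rejected, code_change_rejected, resp
```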
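The following constructed interpreter, an added example rather than the paper's code, implements the thread-level reductions of Figure 2 for act, ret and letc over a heap with read and write actions, records each effectful reduction with its time point, and evaluates the invariant assertion "thread ι performs no write" over the resulting trace; it shows the CONFINE intuition of Section 3.2 operationally, since a closed, action-free computation handed only a read interface cannot put a write on the trace, while one handed the write interface can. The tuple encoding of computations, the closure encoding of frames x.c, the next function and the sample heap are assumptions of the example.

```python
# Constructed interpreter for the thread-level reductions of Figure 2 (R-ACTS, R-ACTF,
# R-STUCK, R-RET and the letc frame push), with the heap as shared state σ and
# read/write as the action symbols. Added example, not the paper's code; the tuple
# encoding of computations and the closure encoding of frames x.c are its own.

STUCK = object()          # the distinguished "stuck" result of next(σ, a)

def next_action(sigma, symbol, args):
    """The parameter next(σ, a): (σ', e) for a legal action, (σ', stuck) otherwise."""
    loc = args[0]
    if loc not in sigma:                       # unallocated location: illegal action
        return sigma, STUCK
    if symbol == "read":
        return sigma, sigma[loc]
    if symbol == "write":
        return {**sigma, loc: args[1]}, ()     # write returns the unit value
    return sigma, STUCK

def step(sigma, thread):
    """One reduction σ ▷ T ↪ σ' ▷ T'. Returns (σ', T', action); action is None if silent."""
    ident, stack, comp = thread
    if comp is STUCK:                                          # R-STUCK
        return sigma, thread, None
    kind = comp[0]
    if kind == "letc":                                         # push frame x.c2, evaluate c1
        return sigma, (ident, [comp[2]] + stack, comp[1]), None
    if kind == "ret":                                          # R-RET: pop x.c, run c[e/x]
        return sigma, (ident, stack[1:], stack[0](comp[1])), None
    sigma2, e = next_action(sigma, comp[1], comp[2])           # kind == "act"
    if e is STUCK:                                             # R-ACTF: stuck for good
        return sigma2, (ident, stack, STUCK), (ident, comp)
    return sigma2, (ident, stack[1:], stack[0](e)), (ident, comp)   # R-ACTS

def run(sigma, ident, comp, max_steps=1000):
    """Run a single thread; return (σ, result, trace) where trace lists the effectful
    reductions as (time point, thread id, action)."""
    thread = (ident, [lambda v: ("done", v)], comp)   # bottom frame marks completion
    trace = []
    for u in range(max_steps):
        if thread[2] is STUCK or thread[2][0] == "done":
            break
        sigma, thread, action = step(sigma, thread)
        if action is not None:
            trace.append((u, *action))
    result = STUCK if thread[2] is STUCK else thread[2][1]
    return sigma, result, trace

def no_write(trace, ident):
    """Invariant assertion: thread ident never performs a write on the trace."""
    return all(not (i == ident and a[1] == "write") for _, i, a in trace)

# Interface wrappers, in the role of the TPM wrappers ExtendPCR/ResetPCR of Section 3.1
def read_iface(loc):
    return ("act", "read", (loc,))

def write_iface(loc, e):
    return ("act", "write", (loc, e))

def sandboxed(read):
    """Adversary-supplied code: closed and free of actions, acting only through `read`."""
    return ("letc", read("l1"), lambda v: ("letc", read("l2"), lambda w: ("ret", (v, w))))

def unconfined(read, write):
    return ("letc", read("l1"), lambda v: ("letc", write("l2", v), lambda _: ("ret", v)))

def demo():
    sigma = {"l1": 1, "l2": 2}                                  # constructed sample heap
    _, r1, t1 = run(sigma, "t1", sandboxed(read_iface))
    s2, r2, t2 = run(sigma, "t1", unconfined(read_iface, write_iface))
    _, r3, t3 = run(sigma, "t1", sandboxed(lambda loc: read_iface("l9")))   # l9 unallocated
    return no_write(t1, "t1"), no_write(t2, "t1"), r1, s2["l2"], r3 is STUCK, len(t3)
```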
Figure 5 (selected typing rules; the figure continues past the end of this excerpt)

Partial correctness typing

u1; Θ; Σ; ΓL, u2, i; Γ; ∆ ⊢ a :: Act(ub.ue.j.(x:τ.ϕ1, ϕ2))
u1, u2, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q ϕ silent
fv(a) ∈ dom(Γ)    let γ = [u1, u2, i / ub, ue, j]
Θ; Σ; ΓL; Γ ⊢ u1.u2.i.(x:τ.ϕ1γ, ϕ2γ ∧ ϕ) ok
-------------------------------------------------------------- (ACT)
u1, u2, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q act(a) : (x:τ.ϕ1γ, ϕ2γ ∧ ϕ)

u2; Θ; Σ; ΓL, u1, i; Γ; ∆ ⊢ e : τ
u1, u2, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q ϕ silent    fv(e) ⊆ dom(Γ)
-------------------------------------------------------------- (RET)
u1, u2, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q ret(e) : x:τ.((x = e) ∧ ϕ)

u0, u1, i; Θ; Σ; ΓL, u3; Γ; ∆, u0 ≤ u1 ⊢ ϕ0 silent
u1, u2, i; Θ; Σ; ΓL, u0:b, u3; Γ; ∆, u1 < u2, ϕ0 ⊢Q c1 : x:τ.ϕ1
u2, u3, i; Θ; Σ; ΓL, u0, u1; Γ, x:τ; ∆, u2 < u3, ϕ0, ϕ1 ⊢Q c2 : y:τ′.ϕ2
Θ; Σ; ΓL, u1, u2, u0, u3, i; Γ, x:τ, y:τ′; ∆ ⊢ (ϕ0 ∧ ϕ1 ∧ ϕ2) ⇒ ϕ true
Θ; Σ; ΓL, u0, u3, i; Γ, y:τ′ ⊢ ϕ ok    fv(letc(c1, x.c2)) ⊆ dom(Γ)
-------------------------------------------------------------- (SEQC)
u0, u3, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q letc(c1, x.c2) : y:τ′.ϕ

u0, u1, i; Θ; Σ; ΓL, u3; ·; ∆, u0 ≤ u1 ⊢ ϕ0 silent
u1, u2, i; Θ; Σ; ΓL, u0:b, u3; ·; ϕ0, u1 ≤ u2 ⊢Q c1 : x:τ.ϕ1
u2, u3, i; Θ; Σ; ΓL, u0, u1; x:τ; ∆, u2 ≤ u3, ϕ0, ϕ1 ⊢Q2 c2 : y:τ′.ϕ2
Θ; Σ; ΓL, u0, u3, i, u1, u2; y:τ′; ∆ ⊢ (ϕ0 ∧ ϕ1 ∧ ϕ2) ⇒ ϕ true
Θ; Σ; ΓL, u0, u3, i; y:τ′ ⊢ ϕ ok
-------------------------------------------------------------- (SEQCCOMP)
u0, u3, i; Θ; Σ; ΓL; Γ; ∆ ⊢Q2 (c1; c2) : y:τ′.ϕ

Invariant typing

Θ; Σ; ΓL, u0, u3, i; Γ; ∆ ⊢ ϕ ok
u0, u1, i; Θ; Σ; ΓL, u3; Γ; ∆, u0 ≤ u1 ⊢ ϕ0 silent
u0, u3, i; Θ; Σ; ΓL; Γ; ∆, u0 ≤ u3 ⊢ ϕ′0 silent
u1, u2, i; Θ; Σ; ΓL, u0:b, u3; Γ; ∆, u1 < u2, ϕ0 ⊢Q c1 : x:τ.ϕ1
u , u , i; Θ; Σ; ΓL; Γ; ∆, u :b, u ≤ u , ϕ ⊢ c : ϕ′
(the remaining premises and the conclusion of SEQCI lie beyond this excerpt)

returns. Therefore, the invariant assertion of the action is the conjunction of the invariant specified in Σ and the effect of being silent.

Next, we explain the rule SEQCI for the sequencing statement letc(c1, x.c2). We need to consider three cases when deriving the invariant assertion ϕ of letc(c1, x.c2) in the interval (u0, u3]: (1) the computation has not started until u3, (2) the computation c1 started but has not returned until u3, (3) the computation c1 has returned, but c2 has not returned until u3. The first five premises of rule SEQCI establish properties of a silent thread, the partial correctness and invariant assertions of the computation in c1, and the invariant assertion of c2. The next three judgments check that in each of the three cases (1)–(3), the final assertion ϕ holds.

For example, comp(letc(act(read e), x.ret x)) can be assigned the following type. Predicate (mem l v u) is true when at time u, memory location l is allocated and stores the expression v. Predicate eval e e′ is true if e β-reduces to e′, which cannot reduce further. Write ι l e u states that thread ι writes to address l expression e at time u. The partial correctness assertion states that this suspended computation returns what's stored in the location that e reduces to. The invariant assertion states that during its execution, the thread executing it does not write to the memory.

comp(ub.ue.i.(r:any. ∀l, v, eval e l ∧ mem l v ue ⇒ y = e,
               ∀l, v, u, ub < u ≤ ue ⇒ ¬Write i l v u))

Fixpoint computation. The fixpoint is typed under time point u, which is the earliest time when the fixpoint is unrolled.

Γ1 = y:τ, f : Πy:τ.comp(u1.u3.i.(x:τ1.ϕ, ϕ′))
u1, u2, i; Θ; Σ; ΓL; Γ; ∆, u ≤ u1 ≤ u2 ⊢ ϕ0 silent
u2, u3, i; Θ; Σ; ΓL, u1, u; Γ, Γ1; ∆, u2 < u3, ϕ0 ⊢Q c : x:τ1.ϕ1
u2, u3, i; Θ; Σ; ΓL, u1, u; Γ, Γ1; ∆, u2 ≤ u3, ϕ0 ⊢Q c : ϕ2
Θ; Σ; ΓL, u1, u, u2, u3, i; Γ, Γ1, x:τ1; ∆ ⊢ (ϕ0 ∧ ϕ1) ⇒ ϕ true
Θ; Σ; ΓL, u1, u2, u3, i, u; Γ, Γ1; ∆ ⊢ (ϕ0 ∧ ϕ2) ⇒ ϕ′ true
Θ; Σ; ΓL, u1, u3, i, u; Γ, y:τ; ∆ ⊢ ϕ0[u3/u2] ⇒ ϕ′ true
fv(fix(f(y).c)) ⊆ dom(Γ)    Θ; Σ; ΓL, u1; Γ ⊢ Πy:τ.u1.u3.i.(x:τ1.ϕ, ϕ′) ok
-------------------------------------------------------------- (FIX)
u; Θ; Σ; ΓL; Γ; ∆ ⊢Q fix(f(y).c) : Πy:τ.u1.u3.i.(x:τ1.ϕ, ϕ′)

Rule FIX simultaneously establishes the partial correctness and invariant assertions of a fixpoint. The third and fourth premises establish the partial correctness and invariant assertions of the body c of the fixpoint. The fifth premise checks that the specified partial correctness assertion ϕ is entailed by the conjunction of the assertions of a silent thread and the assertion of the body. The next two premises check the invariant assertion ϕ′. For example,
1 3 0 1 3 0 Q 1 1
u ,u ,i;Θ;Σ;ΓL;Γ;∆,u ,u ,x:τ,u ≤u ,ϕ ,ϕ fixf(x).writex0;readx;lete(f(x+1);z.retz)hasthetype:
2 3 0 1 2 3 0 1
Πx:b.u .u .i.(y:any.⊥,
⊢ c :ϕ b e
Q 2 2
ΘΘ;;ΣΣ;;ΓΓLL,,uu0,,uu3,,ii;;ΓΓ;,∆u ;⊢∆ϕ⊢′0 ⇒(ϕϕ∧trϕue′)⇒ϕtrue ∀u,l,v,⇒ub <∃uu′,u≤′u<eu∧∧rewadritieliulvu′)
0 3 1 0 1
Θ;Σ;ΓL,u ,u ,i;Γ,u ,u ,x:τ;∆ Expressiontyping Similartothefixpoint,theexpressiontyping
0 3 1 2
⊢(ϕ ∧ϕ ∧ϕ )⇒ϕtrue judgmentisparameterizedoveratimepointu,whichistheearliest
0 1 2
fv(letc(c ,x.c ))⊆dom(Γ) timepointthateisevaluated.Recallthatthetypingruleforret(e)
1 2
u ,u ,i;Θ;Σ;ΓL;Γ;∆⊢ letc(c ,x.c ):ϕ SEQCI typeseunderthetimepointwhenret(e)returns.Thisisbecausee
0 3 Q 1 2 canonlybeevaluatedafterret(e)finishes.Mostexpressiontyping
rulesarestandard.ArepresentativesubsetislistedinFigure6.
Figure5. SelectedRulesforComputationTyping RuleCOMPassignsamonadictypetoasuspendedcomputation
bycheckingthecomputation.Sincethesuspendedcomputationcan
only execute after u , thelogical context of thefirst premise can
e
Invarianttypingforcomputations Themeaningoftheinvariant safelyassumethatthebeginningtimepointofcisnoearlierthan
typingjudgmentu ,u ,i;Θ;Σ;ΓL;Γ;∆⊢c:ϕisthefollowing: u .Asusual,therulealsobuilds-inweakeningofpostconditions.
1 2 e
AssumingthatonatraceT,threadιbeginstoexecutecattimeU1, TheruleEQ,motivatedinSection3.1,assignsanexpressione′,
andattimeU chasnotyetreturned(thisincludesthepossibility thetypeofe,ifeissyntacticallyequaltoe′.
2
thatcisloopingindefinitelyorisstuck),ifT satisfiesassumptions TheruleCONFINE,motivatedinSection3.1,allowsustotype
in∆,thenT alsosatisfiesϕ[U ,U ,ι/u ,u ,i]. anexpression fromtheknowledge that itcontainsnoactionsand
1 2 1 2
Wefirstexplaintheinvariantassertionsforactions(ruleACT). that its free variables will be substituted with expressions with
Thethreadexecuting the atomicactionissilentbefore theaction effectϕ.Themaingeneralizationfromthesimplerrulepresented
invariant, so they can be narrowed down to any invariant. The
u ,u ,i;Θ;Σ;ΓL;u ,Γ;∆,u ≥u ⊢ c:(x:τ.ϕ ,ϕ )
1 2 e 1 e Q 1 2 conclusion must be tagged with the invariant ϕ, because: (1) τ
Θ;Σ;ΓL,ue:b,u1:b,u2:b,i:b;Γ,x:τ;∆⊢ϕ1 ⇒ϕ′1 true could be a base type, in which case, the invariant is not evident
Θ;Σ;ΓL,ue:b,u1:b,u2:b,i:b;Γ;∆⊢ϕ2 ⇒ϕ′2 true in e’s type; and (2) the types in Γ are allowed to contain nested
Θ;Σ;ΓL,u :b;Γ⊢u .u .i.(x:τ.ϕ′,ϕ′)ok effectsthatarenotϕ.Reason(1)isalsowhytheconclusionofthe
e 1 2 1 2
fv(c)⊆dom(Γ) CONFINEruleisindexed.
u ;Θ;Σ;ΓL;Γ;∆⊢ comp(c):comp(u .u .i.(x:τ.ϕ′,ϕ′)) COMP Finally,thetimepointenablesexpressiontypestoincludefacts
e Q 1 2 1 2 thatareestablishedbyprogramsexecutedearlier.Forexample,the
return type of letc(a ;z.ret(comp(a ))) can be the following,
u;Θ;Σ;ΓL;Γ;∆⊢Q e:τ assumingthattheeffec1tofactiona isA2 iu,anda isA iu.
Θ;Σ;ΓL,u;Γ;∆⊢e=e′true fv(e′)⊆dom(Γ) comp(u .u .i.(r:b.∃u,u <u≤u 1∧A1iu∧∃j,u2′,u′<2u∧A ju′,
u;Θ;Σ;ΓL;Γ;∆⊢ e′:τ EQ b e ⊤)). b e 2 1
Q
We wouldn’t have been able to know that A happens before
1
ϕistracecomposable A withoutthetimepointintheexpressiontypingrules.
2
u ,u ,i;Θ;Σ;ΓL,u;Γ;∆⊢ϕsilent
b e
u :b,u :b,i:b⊢ϕok fa(e)=∅ fv(e)⊆Γ LogicalReasoning SystemMincludesaproof systemforfirst-
b e
confine(τ)(u .u .i.ϕ) confine(Γ)(u .u .i.ϕ) order logic, most of which is standard. We show here the rule
b e b e
u;Θ;Σ;ΓL;Γ;∆⊢ e:τ CONFINE HONEST,whichallowsustodeducepropertiesof athreadbased
ub.ue.i.ϕ ontheinvariantassertionofthecomputationitexecutes.
u;Θ;Σ;ΓL;Γ;∆⊢e:τ u :b,u :b,i:b⊢ϕok u1,u2,i;Θ;Σ;ΓL;·;∆⊢c:ϕ
b e CONF-SUB Θ;Σ;ΓL;·;∆⊢start(I,c,u)true
u;Θ;Σ;ΓL;Γ;∆⊢ub.ue.i.ϕ e:τ Θ;Σ⊢ΓL,Γok
Figure6. Selectedexpressiontypingrules Θ;Σ;ΓL;Γ;∆⊢∀u′:b.(u′>u)⇒ϕ[u,u′,I/u1,u2,i]true HONEST
Ifweknowthatathreadιstartsexecutingattimeuwithpayload
inSection 3.1isthat now ϕisapredicate over an interval and a
computation c (premise start(ι,c,u)) and computation c has an
threadinatrace,notjustapredicateoverindividual actions.The
invariant postcondition ϕ, then we can conclude that at any later
intuitiveideabehindtheruleissimilar:Ifcisacomputationthat
point u′, ϕ holds for the interval (u,u′]. The condition that c
isfreeofactionsandconfinedtousethecomputationsc ,...,c
1 n be typed under an empty Γ context is required by the soundness
forinteractionwiththesharedstate,andeachofthecomputations
proofs,whichwediscussinSection5.4.
c ,...,c maintainatraceinvariantϕwhiletheyexecute,thenas
1 n
cexecutes,itmaintainsϕ.
Technically, because ϕ also accepts as arguments any inter- 4.2 Examples
val on a trace (it has free variables ub,ue), we require that ϕ be We prove the following state continuity property of Memoir. It
tracecomposable,meaningthatifϕholdsontwoconsecutivein- statesthataftertheservicehasbeeninitializedattimeu withthe
i
tervals of a trace, then it hold across the union of the intervals. key skey, whenever we invoke the service with state at a time
Formally,ϕistracecomposableif∀u1,u2,u3,i. (ϕ(u1,u2,i) ∧ pointu,laterthanui,itmustbethecasethat,theservicewaseither
ϕ(u2,u3,i)) ⇒ ϕ(u1,u3,i). Further ϕ has to hold on inter- initializedorproducedthestatestateatatimepointu′.Moreover,
vals when thread i is silent. This prevents us from derving arbi- thereisnoinvokationsoftheservicebetweenu′andu.
trary properties of untrusted code. For instance, ϕ cannot be ⊥. ∀u ,state,state′,skey,i ,s
i init init
(No trace can satisfy the invariant ⊥.) This rule relies on check- service init(i ,skey,service,s )@u ⇒
init init i
ing that τ relates to the invariant ϕ, represented as the relation ∀u>u .service try(i,skey,state,state′)@u⇒
i
confine(τ)(ub.ue.i.ϕ).Thisrelationmeansthatϕisboththepar- ∃j,u′ <u.((∃s.service invoke(j,skey,s,state)@u′
tialcorrectnessassertionandtheinvariantassertionineverycom- ∨service try(j,skey,state)@u′
putationtypecomp(ηc)occurringinτ.Similarly,Γisrequiredto ∨service init(j,skey,state)@u′)
mapeveryfreevariableinetoatypethatsatisfiedthesamerela- ∧(∀j′.¬service invoke(j′,skey,···)◦(u′,u)]))
tion.Theconclusionisindexedbytheinvariantu .u .i.ϕtorecord
b e
thefactthatallsubstitutionsforvariablesinΓneedtosatisfyϕ. Theexpressivenessofthefirst-orderlogicenablesustospecify
theaboveproperty,wheretheorderingofeventsiscrucial.Forthe
confine(b)(u .u .i.ϕ) fullproofs,wereferthereadertoourtechnicalappendix.Wenow
b e
revisitourdiscussioninSection3andhighlightcriticalusesofthe
confine(τ )(u .u .i.ϕ) confine(τ )(u .u .i.ϕ)
1 b e 2 b e SystemMprogramlogicintheproof.RecallthatMemoirhastwo
confine(Π :τ1.τ2)(ub.ue.i.ϕ) phases:serviceinitializationandserviceinvocation.Duringinitial-
ization,weassumethattheMemoirmodulerunmodule(Figure3)
confine(τ)(u .u .i.ϕ)
b e isassignedNVRAMlocationNloc andserviceservice.Theper-
confine(comp(ub.ue.i.(x:τ.ϕ,ϕ)))(ub.ue.i.ϕ) missionforaccessingNloc(whichstoresthesecretkeyusedtoen-
The CONFINE rule itself does not stipulate any conditions on cryptstateandthefreshnesstag)issettothevalueofPCR17.This
thepredicate ϕ, other than requiringthat ϕbe tracecomposable. PCRstoresanestedhashs hash = H(h||code hash(service)).
However, if e isof function type, and expects some interfaces as Here,thetermH(x)denoteshashofx,||denotesconcatenation,
arguments,theninapplyingCONFINEtoe,wemustchooseaϕto hisanyvalueandcode hash(x)isahashofthetextualreification
matchtheactualeffectsofthoseinterfaces,elsetheapplicationof ofprogramx.Afterinitialization,weprovethefollowingtwokey
etotheinterfacescannotbetyped. invariantsaboutexecutionsofrunmodule:
TheruleCONF-SUBconstrainsaregulartypingderivationtoa
specificinvariantu .u .i.ϕ.Thisissoundbecausethefirstpremise 1. PCR Protection: The value of PCR 17 contains the value
b e
does not require the substitutions for Γ to satisfy any specific s hashonlyduringlatelaunchsessionsrunningrunmodule.
2. KeySecrecy:Ifthekeycorrespondingtoaserviceisavailable thatthetermisevaluatedonanduistheearliesttimepointwhen
toathread,thenitmusthaveeithergenerateditorreaditfrom thetermisevaluated.Thesesetscategorizeinvariant-confinedad-
Nloc. versarialprograms.
Wefirstdefinethesetofstep-indexedcomputationsthatsatisfy
WeprovetheseinvariantsusingtheHONESTrule,whichrequires an invariant ϕ below. An indexed computation (k,c) belongs to
ustotyperunmodule.Sincerunmoduleinvokessrvc,weneedto
thisrelationifthefollowingholds:(1)duringanyintervalu and
B
typesrvc.Recallthatsrvcisadversarially-suppliedcode.Thus,in
u when thread ι executes c on T, ϕ[u ,u ,ι/u ,u ,i] holds
E B E b e
typingitwemakeuseoftheCONFINEandEQrules.
on T and (2) if ccompletes at timeu , then the expression that
E
Forthefirstinvariant,wederivethenecessarytypeforsrvc by
creturns,indexedbytheremainingstepsofthetrace,satisfiesthe
typingagainsttheTPMinterface.Theparticularinvarianttypewe
sameinvariant.
wishtoderiveaboutsrvcisthatinalatelaunchsessionifthevalue
inthePCRhasbeensettoavaluethatisnotaprefixofs hash, RCINV[[ub.ue.i.ϕ]]T;u =
{(k,c)| ∀u ,u ,ι,u≤u ≤u ,
B E B E
thensrvccannotchangethevalueinthePCRtosomethingthatis
letγ =[u ,u ,ι/u ,u ,i],
aprefixofs hash(i.e.,itcannotfooltheNVRAMaccesscontrol B E 1 2
j isthelengthofthetracefromtimeu totheendofT
mechanismintobelievingthatservicewasloadedwhenitwasnot). b B
j isthelengthofthetracefromtimeu totheendofT
(srvcExtendPCRResetPCR ···)(state,req): e E
k≥j >j ,
cmp(ub,ue,i.¬PCRPrefix(pcr17,s hash)@ub⇒ thecobnfigureationattimeu is−u−B→σ ⊲··· ,hι;x.c′ ::K;ci···
∀u∈(u ,u ].(InLLSession(u,runmodule,i) 1 b
b ⇒e¬PCRPrefix(pcr17,s hash)@u) theconfigurationattimeuE is−u−E→σe ⊲··· ,hι;K;c′[e′/x]i···
betweenu andu ,thestackofthreadialwayscontainsx.c′::K
B E
shoTwotdheartiveeacthhisfutynpcteiounsiningtthhee TCPOMNFIiNntEerrfualcee, ictainsbsueffiacsiseignntetdo =⇒(je,e′)∈REINV[[ub.ue.i.ϕ]]T;uE andT (cid:15)θ ϕ[e′/x]}
∩{(k,c)| ∀u ,u ,ι,u≤u ≤u ,letγ =[u ,u ,ι/u ,u ,i],
B E B E B E 1 2
this type. For example, the ExtendPCR interface satisfies this
j isthelengthofthetracefromtimeu totheendofT,
b B
invariant as it can only extend a PCR value. This derivation is a
j isthelengthofthetracefromtimeu totheendofT
e E
key step in proving that theservice does not change the value of
k≥j ≥j ,
b e
thePCRtoastatethatallowsanyentityotherthanrunmodule to theconfigurationattimeu is −u−B→σ ⊲··· ,hι;x.c′ ::K;ci···
readtheNVRAMlocationNloc(i.e.,thefirstinvariantofsrvc in B b
betweenu andu (inclusive),thestackofthreadialways
Section3.1). B E
containsprefixx.c′::K
Similarly,wecanprovethatthepermissionsonNlocarealways
=⇒T (cid:15) ϕ}
tied to PCR 17 being s hash, by typing srvc with the invariant θ
Weexplain some parts of the definition. At timeu , thread ι
thatthepermissionsonNloccannotbechanged.Thus,whenever B
begins to run c, which is formalized by requiring that the thread
Nloc isreadfrom,thevalueofPCR17iss hash.Wealsoshow
hι;K;ciisintheconfigurationrightaftertimeu .Attimeu ,c
separatelythatinanyparticularinstanceofrunmodule withsrvc, B E
returnsanexpressione′ toitscontext,whichisformalizedbyre-
the state of PCR 17 must be H(h||code hash(srvc)) for some
quiringthatthreadι’stopframeispoppedoffthestackwithe′sub-
h.Therefore,byNloc’saccesscontrolmechanism,weprovethat
stitutedforx,andthatthetopframeremainsunchanged between
H(h||code hash(srvc))=s hashandthereforesrvc =service
u andu .Bothu andu arewithinthelastk configurations
(where=denotessyntacticequality). B E B E
ofthetracebecausethelengthofthetraceisnandk ≥ j > j .
This is a key step to proving the key secrecy invariant. It al- b e
The earliest time point to interpret e′ is u , which is when e′ is
lowsustotransfer assumptions about theknown Memoir service E
returned. Theindex for the returnedexpression e′ isj , whichis
servicetotheadversarially-suppliedservicesrvc.Specifically,we e
lessthank. Hence, our step-indicescount thenumber of remain-
assumethatservicehasthefollowingtypeτ (whichmeansthat
sec ingstepsinthetrace.Moreover,theseremainingstepsincludenot
if the input of service does not contain a secret s then the out-
just steps of the thread containing c, but also other threads. This
put doesn’t contain it) and an invariant KeepsSecret(i,s,Nloc)
ensuresthecomputation c’spostconditions holdevenwhenitex-
(which means that s is not sent out on the network and the only
ecutesconcurrentlywithotherthreads(robustsafety;Theorem4).
NVRAMlocationspossiblywrittentoisNloc).
Forthesecondset,cmustnothavefinishedatu ,sobetweenu
τ =Πi:msg.cmp(u ,u ,i. E b
sec b e andu ,noframeonthestackx.c′ ::Kshouldhavebeenpopped.
(x:msg.∀s.¬Contains(i,s)⇒¬Contains(x,s), e
∀s.¬Contains(i,s)⇒KeepsSecret(i,s,Nloc)◦(u ,u ])) TherelationRVINV[[ub.ue.i.ϕ]]T;u includesallnormalexpres-
b e
sionsthatarenotintroductionforms(i.e.functionsandsuspended
Using the above assumption about service and the proof that computations). These normal forms cannot be further reduced in
srvc = service,we use EQ toderive the required typefor srvc anyevaluationcontext,andthereforedonothaveanyeffects(they
(i.e.,thesecondinvariantofsrvcdiscussedinSection3.1). aresilent).Afunctionisinthisrelationif,givenargumentsmain-
taining the same invariant, the function body also maintains that
5. SemanticsandSoundness invariant.Asisstandard,thestep-indexoftheargumentissmaller
thanthatofthefunctionbecausefunctionapplicationconsumesa
We build a step-indexed semantic model [2] for types and prove
step.Thecaseofpolymorphicfunctionsisdefinedsimilarly.Asus-
soundness of System M relative to that. Central to the seman-
pendedcomputation comp(c)belongstothisrelationifcbelongs
tics is the notion of invariant. We build two sets of seman-
tics: one is a semanticsx for invariants of the form u .u .i.ϕ totheRCINV[[ub.ue.i.ϕ]]T;urelationdefinedearlier.
(RE [[u .u .i.ϕ]]),andtheotherisaninvariant-indexedbseeman- RVINV[[ub.ue.i.ϕ]]T;u ={(k,nf)| nf6=λx.e,ΛX.e,comp(c)}
ticsfIoNVrtybpese(RE(ub.ue.i.ϕ)[[τ]]). Thesetwosetscoincidewhen ∪∪{{((kk,,cλoxm.ep′()c|))∀|j,(uk′,,cj)<∈kR,uC′IN≥V[[uub.ue.i.ϕ]]T;u}
confine(τ)(ub.ue.i.ϕ)holds(Lemma1). (j,e′)∈REINV[[ub.ue.i.ϕ]]T;u′
5.1 AStep-indexedSemanticsforInvariants =⇒(j,e[e′/x])∈REINV[[ub.ue.i.ϕ]]T;u′}
∪{(k,Λx.e)|∀j,j <k=⇒(j,e)∈REINV[[ub.ue.i.ϕ]]T;u}
We define RVINV[[Φ]]T;u, REINV[[Φ]]T;u, RCINV[[Φ]]T;u (Φ = ThedefinitionoftheREINV[[ub.ue.i.ϕ]]T;urelationisstandard:
ub.ue.i.ϕ),thesetsofstep-indexednormalforms,expressions,and ifeevaluatestoanormalformnfinmsteps,thennfhastobein
computationsthatsatisfytheinvariantϕrespectively.T isthetrace thevaluerelationindexedbythenumberoftheremainingsteps.
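A worked instance of the CONFINE rule and the confine relation of Section 4.1, in the style of the srvc typing of Section 4.2, added here as an example (it is not from the paper or from the System M technical appendix). The interface type τ_TPM, the untrusted expression e_adv and the invariant ϕ_nw are constructed for the example; it also assumes that the atomic formula Write i l v u is in ε(T) exactly when thread i reduces a write action at time u.

```latex
\textbf{Invariant.}\quad
\phi_{nw} \;\stackrel{\mathrm{def}}{=}\; \forall u,l,v.\ u_b<u\le u_e \Rightarrow \neg\mathit{Write}\ i\ l\ v\ u
\qquad\text{(free variables } u_b,u_e,i\text{)},\qquad \Phi \stackrel{\mathrm{def}}{=} u_b.u_e.i.\phi_{nw}.

\textbf{(1) Trace composability.}\quad
\text{Assume } \phi_{nw}(u_1,u_2,i) \text{ and } \phi_{nw}(u_2,u_3,i).
\text{ For any } u \text{ with } u_1<u\le u_3, \text{ either } u_1<u\le u_2 \text{ or } u_2<u\le u_3,
\text{ so } \neg\mathit{Write}\ i\ l\ v\ u \text{ follows from one of the two assumptions; hence } \phi_{nw}(u_1,u_3,i).

\textbf{(2) Silence.}\quad
\text{A thread silent on } (u_b,u_e] \text{ reduces no action there, so (by the assumption on } \varepsilon(T)\text{) no }
\mathit{Write}\ i\ l\ v\ u \text{ with } u\in(u_b,u_e] \text{ holds on } T;
\text{ thus } \phi_{nw} \text{ holds on every silent interval. } \bot \text{ holds on no interval, so the silent premise of }
\textsc{Confine} \text{ rules } \bot \text{ out as a confining invariant.}

\textbf{(3) The confine relation for an interface type.}\quad
\tau_{TPM} \stackrel{\mathrm{def}}{=} \Pi\_{:}b.\,\mathsf{comp}(u_b.u_e.i.(x{:}b.\ \phi_{nw},\ \phi_{nw}))

\dfrac{\mathit{confine}(b)(\Phi)\qquad
       \dfrac{\mathit{confine}(b)(\Phi)}{\mathit{confine}(\mathsf{comp}(u_b.u_e.i.(x{:}b.\ \phi_{nw},\ \phi_{nw})))(\Phi)}}
      {\mathit{confine}(\tau_{TPM})(\Phi)}

\textbf{(4) Applying \textsc{Confine}.}\quad
\Gamma \stackrel{\mathrm{def}}{=} f{:}\tau_{TPM},\qquad
e_{adv} \stackrel{\mathrm{def}}{=} \lambda y.\,\mathsf{comp}(\mathsf{lete}(f\ y;\ z.\,\mathsf{ret}\ z))
\quad\text{(untrusted wrapper of the interface: } \mathit{fa}(e_{adv})=\emptyset,\ \mathit{fv}(e_{adv})=\{f\}\subseteq\Gamma\text{)}.

\dfrac{\begin{array}{c}
\phi_{nw}\text{ trace composable (1)}\qquad
u_b,u_e,i;\Theta;\Sigma;\Gamma_L,u;\Gamma;\Delta\vdash\phi_{nw}\ \mathsf{silent}\ \text{(2)}\qquad
u_b{:}b,u_e{:}b,i{:}b\vdash\phi_{nw}\ \mathsf{ok}\\
\mathit{fa}(e_{adv})=\emptyset\qquad \mathit{fv}(e_{adv})\subseteq\Gamma\qquad
\mathit{confine}(\tau_{TPM})(\Phi)\ \text{(3)}\qquad \mathit{confine}(\Gamma)(\Phi)\ \text{(3)}
\end{array}}
{u;\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash_{\Phi} e_{adv}:\tau_{TPM}}\ \textsc{Confine}

\textbf{(5) What fails.}\quad
\text{If } \Gamma \text{ also contained } g{:}\Pi\_{:}b.\,\mathsf{comp}(u_b.u_e.i.(x{:}b.\ \top,\ \top))
\text{ (say, a raw write primitive), then } \mathit{confine}(\Gamma)(\Phi) \text{ would not hold because } \top\ne\phi_{nw},
\text{ and } \phi_{nw} \text{ cannot be the invariant of a write primitive at all; }
\textsc{Confine} \text{ must then be applied with a weaker } \phi \text{ that matches the interface's real effects.}
```

The derivation in (4) never looks inside the body of e_adv beyond the action-freedom and free-variable checks; everything else is discharged on the interface type and on ϕ_nw itself, which is what allows adversary-supplied code to be typed without being inspected.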
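A worked membership check for the relations of this subsection, added as an example (not from the paper) and placed before the formal definition of RE_INV that follows; it uses the constructed invariant ϕ_nw ≝ ∀u,l,v. u_b<u≤u_e ⇒ ¬Write i l v u, a constructed trace T, and assumes that Write ι l v u ∈ ε(T) exactly when thread ι reduces a write action at time u.

```latex
\text{Let } \Phi \stackrel{\mathrm{def}}{=} u_b.u_e.i.\phi_{nw}.

\textbf{(a) An action-free function is always in the value relation.}\quad
\text{For every } k, T, u:\ (k,\lambda x.x)\in\mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}.
\text{ The } \lambda\text{-clause requires, for all } j<k,\ u'\ge u \text{ and } (j,e')\in\mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u'},
\text{ that } (j,x[e'/x])=(j,e')\in\mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u'},
\text{ which is the hypothesis itself.}

\textbf{(b) A suspended write is excluded, but only at indices large enough to see it.}\quad
\text{Let } c_w \stackrel{\mathrm{def}}{=} \mathsf{act}(\mathsf{write}\ l\ 0) \text{ and construct } T \text{ so that thread } \iota \text{ runs } c_w:
\text{ the configuration at } u_B \text{ is } \cdots,\langle\iota;x.c'::K;c_w\rangle\cdots,
\text{ the write reduces at } u_w>u_B, \text{ and } x.c'::K \text{ is still on } \iota\text{'s stack at } u_w.
\text{ Put } u_E \stackrel{\mathrm{def}}{=} u_w \text{ and let } j_b,j_e \text{ be the remaining lengths from } u_B,u_E.
\text{ For any } u\le u_B \text{ and } k\ge j_b\ (\ge j_e), \text{ the second set of }
\mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u} \text{ demands}

T\models\phi_{nw}[u_B,u_E,\iota/u_b,u_e,i],\quad\text{i.e.}\quad \neg\mathit{Write}\ \iota\ l\ 0\ u_w,

\text{contradicting } \mathit{Write}\ \iota\ l\ 0\ u_w\in\varepsilon(T).
\text{ Hence } (k,c_w)\notin\mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u} \text{ and therefore }
(k,\mathsf{comp}(c_w))\notin\mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}.
\text{ For } k<j_b \text{ the premise } k\ge j_b \text{ fails, the implication is vacuous, and }
(k,\mathsf{comp}(c_w)) \text{ is not ruled out: the step index bounds how far into the trace the relation looks.}

\textbf{(c) Link to \textsc{Confine}.}\quad
\text{By (b), for large enough } k \text{ no } (k,\gamma) \text{ with } \gamma(f)=\mathsf{comp}(c_w) \text{ can satisfy }
(k,\gamma)\in\mathcal{RE}_{\mathrm{INV}}[\![\Phi]\!]_{T;u} \text{ as required by Lemma 2;}
\text{ this is the semantic counterpart of requiring every interface passed to confined code to be typed with } \phi_{nw}.
```

Part (b) is the semantic reason a write-capable interface cannot be handed to code confined to ϕ_nw, and the remark on small indices shows why the index side conditions (k ≥ j_b ≥ j_e) are part of the definition rather than mere bookkeeping.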
$$\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u} = \{(k,e)\mid \forall m.\ 0\le m\le k,\ e\to^m e'\not\to \Longrightarrow (k-m,e')\in\mathcal{RV}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}\}$$

This relation includes all programs (including ill-typed ones) that satisfy the invariant if executed in a context that satisfies that invariant. This relation justifies the soundness of the CONFINE rule. Confined adversary-supplied code is in the $\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}$ relation (Lemma 2).

5.2 A Step-indexed Model for Types

As programs include adversarial code, which requires its evaluation context to maintain an invariant, the semantics of types need to be indexed by invariants of the form ub.ue.i.ϕ.

Types. The interpretation of an expression type τ is a semantic type, written C. Each C is a set of pairs; each pair contains a step-index and an expression. The expression has to be in normal form, denoted nf, that cannot be reduced further under call-by-name β-reduction. C contains the set of all possible indices and all syntactically well-formed normal forms. This is used to interpret the type any of untyped programs. As usual, we require that C be closed under reduction of step-indices. Let P(S) denote the powerset of S. The set of all semantic types is denoted Type.

$$\mathit{Type} \stackrel{\mathrm{def}}{=} \{C \mid C\in\mathcal{P}(\{(j,\mathit{nf})\mid j\in\mathbb{N}\}) \wedge (\forall j,k,\mathit{nf}.\ (k,\mathit{nf})\in C \wedge j<k \Rightarrow (j,\mathit{nf})\in C) \wedge (\forall k,\mathit{nf}.\ \mathit{nf}\ne\lambda x.e,\Lambda X.e,\mathsf{comp}(e) \Rightarrow (k,\mathit{nf})\in C)\}$$

Interpretation of expression types. We define the value and expression interpretations of expression types τ (written $\mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$ and $\mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u}$), as well as the interpretation of computation types η (written $\mathcal{RC}(\Phi)[\![\eta]\!]_{\theta;T;u}$), simultaneously by induction on types (Φ = ub.ue.i.ϕ). Let θ denote a partial map from type variables to Type, T denote the trace that expressions are evaluated on, and u denote the time point after which expressions are evaluated. Figure 7 defines the value and expression interpretations. We omit the cases for any and X.

$$\begin{array}{l}
\mathcal{RV}(u_b.u_e.i.\phi)[\![b]\!]_{\theta;T;u} = \{(k,e)\mid (k,e)\in\mathcal{RV}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}\}\\[4pt]
\mathcal{RV}(u_b.u_e.i.\phi)[\![\Pi x{:}\tau_1.\tau_2]\!]_{\theta;T;u} = \{(k,\lambda x.e)\mid \forall j<k,\ \forall u'\ge u,\ \forall e'.\ (j,e')\in\mathcal{RE}(u_b.u_e.i.\phi)[\![\tau_1]\!]_{\theta;T;u'}\\
\qquad \Longrightarrow (j,e[e'/x])\in\mathcal{RE}(u_b.u_e.i.\phi)[\![\tau_2[e'/x]]\!]_{\theta;T;u'}\}\\
\qquad \cup\ \{(k,\mathit{nf})\mid \mathit{nf}\ne\lambda x.e\Rightarrow(k,\mathit{nf})\in\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}\}\\[4pt]
\mathcal{RV}(u_b.u_e.i.\phi)[\![\forall X.\tau]\!]_{\theta;T;u} = \{(k,\Lambda X.e)\mid \forall j<k,\ \forall C\in\mathit{Type}.\ (j,e)\in\mathcal{RE}(u_b.u_e.i.\phi)[\![\tau]\!]_{\theta[X\mapsto C];T;u}\}\\
\qquad \cup\ \{(k,\mathit{nf})\mid \mathit{nf}\ne\Lambda X.e\Rightarrow(k,\mathit{nf})\in\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}\}\\[4pt]
\mathcal{RV}(u_b.u_e.i.\phi)[\![\mathsf{comp}(u_1.u_2.i.(x{:}\tau.\,\phi_1,\phi_2))]\!]_{\theta;T;u} = \{(k,\mathsf{comp}(c))\mid \forall u_B,u_E,\iota.\ u\le u_B\le u_E,\ \text{let }\gamma=[u_B,u_E,\iota/u_1,u_2,i],\\
\qquad (k,c)\in\mathcal{RC}(u_b.u_e.i.\phi)[\![x{:}\tau\gamma.\,\phi_1\gamma]\!]_{\theta;T;u_B,u_E,\iota}\cap\mathcal{RC}(\ )[\![\phi_2\gamma]\!]_{\theta;T;u_B,u_E,\iota}\}\\
\qquad \cup\ \{(k,\mathit{nf})\mid \mathit{nf}\ne\mathsf{comp}(c)\Rightarrow(k,\mathit{nf})\in\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}\}\\[4pt]
\mathcal{RE}(u_b.u_e.i.\phi)[\![\tau]\!]_{\theta;T;u} = \{(k,e)\mid \forall m.\ 0\le m\le k,\ e\to^m_\beta e'\not\to \Longrightarrow (k-m,e')\in\mathcal{RV}(u_b.u_e.i.\phi)[\![\tau]\!]_{\theta;T;u}\}
\end{array}$$

Figure 7. Semantics for inv-indexed types

The interpretation of the base type b is the same as $\mathcal{RV}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$. The type b itself does not specify any effects, and, therefore, expressions in the interpretation of b only need to satisfy the invariant Φ. The interpretation of the function type Πx:τ1.τ2 is nonstandard: the substitution for the variable x is an expression, not a value. This simplifies the proof of soundness of function application: since System M uses call-by-name β-reduction, the reduction of e1 e2 need not evaluate e2 to a value before it is applied to the function that e1 reduces to. Further, the definition builds in both step-index downward closure and time delay: given any argument e′ that has a smaller index j and evaluates after u′, which is later than u, the function application belongs to the interpretation of the argument type with the index j and time point u′. The interpretation of the function type also includes normal forms that are not λ-abstractions and that are in the $\mathcal{RV}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}$ relation. These are adversary-supplied untyped code, which is required by our type system to satisfy the invariant ub.ue.i.ϕ.

The interpretation of the monadic type includes suspended computations (k, comp(c)) such that (k,c) belongs to the interpretation of computation types, defined below. Because c executes after time u, the beginning and ending time points selected for evaluating c are no earlier than u. Similar to the interpretation of the function type, the interpretation of the monadic type also includes normal forms that are not monads but satisfy the invariant ub.ue.i.ϕ. The interpretation of the any type contains all normal forms.

We lift the value interpretation $\mathcal{RV}(\Phi)[\![\tau]\!]_{\theta;T;u}$ to the expression interpretation $\mathcal{RE}(\Phi)[\![\tau]\!]_{\theta;T;u}$ in a standard way.

Interpretation of formulas. Formulas are interpreted on traces. We write T ⊨ ϕ to mean that ϕ is true on trace T.

$$\begin{array}{lcl}
T\models P\ \vec e & \text{iff} & P\ \vec e\in\varepsilon(T)\\
T\models\mathit{start}(I,c,U) & \text{iff} & \text{thread } I \text{ has } c \text{ as the active computation with an empty stack at time } U \text{ on } T\\
T\models\forall x{:}\tau.\phi & \text{iff} & \forall e.\ e\in[\![\tau]\!] \text{ implies } T\models\phi[e/x]
\end{array}$$

We assume a valuation function ε(T) that returns the set of atomic formulas that are true on the trace T. For first-order quantification, we select terms in the denotation of the types ([[τ]]), which is defined as follows:

$$\begin{array}{lcl}
[\![\mathsf{any}]\!] &=& \{e\mid e \text{ is an expression}\}\\
[\![b]\!] &=& \{e\mid e\to^* bv\}\\
[\![\Pi x{:}\tau_1.\tau_2]\!] &=& \{\lambda x.e\mid \forall e'.\ e'\in[\![\tau_1]\!]\Rightarrow e[e'/x]\in[\![\tau_2]\!]\}
\end{array}$$

The types of the logical variables can only be b, any and function types. The interpretation of these types is much simpler than that of expressions.

Interpretation of computation types. The interpretation of a computation type, $\mathcal{RC}(u_b.u_e.i.\phi_1)[\![x{:}\tau.\phi]\!]_{\theta;T;\Xi}$, is a set of step-indexed computations. The trace T contains the execution of the computation. Ξ = ub,ue,i has its usual meaning, except that ub, ue and i are concrete values, not variables.

We define the semantics of the partial correctness type, denoted $\mathcal{RC}(u_b.u_e.i.\phi_1)[\![x{:}\tau.\phi]\!]_{\theta;T;\Xi}$, below. Informally, it contains the set of indexed computations c such that, if T contains a complete execution of the computation c in the time interval (ub,ue] in thread ι and c returns e′ at time ue, then T satisfies ϕ[e′/x] and e′ has type τ semantically. Similar to the $\mathcal{RC}_{\mathrm{INV}}[\![\Phi]\!]_{T;u}$ relation, the remaining steps include not just steps of the thread executing c, but also other threads. The invariant ub.ue.i.ϕ1 is used in the specification of the return value.

$$\begin{array}{l}
\mathcal{RC}(u_b.u_e.i.\phi_1)[\![x{:}\tau.\phi]\!]_{\theta;T;u_1,u_2,i} = \{(k,c)\mid\\
\quad j_b \text{ is the length of the trace from time } u_1 \text{ to the end of } T,\\
\quad j_e \text{ is the length of the trace from time } u_2 \text{ to the end of } T,\\
\quad k\ge j_b>j_e,\\
\quad \text{the configuration at time } u_1 \text{ is } \xrightarrow{u_1}\sigma_b\triangleright\cdots,\langle\iota;x.c'::K;c\rangle\cdots\\
\quad \text{the configuration at time } u_2 \text{ is } \xrightarrow{u_2}\sigma_e\triangleright\cdots,\langle\iota;K;c'[e'/x]\rangle\cdots\\
\quad \text{between } u_1 \text{ and } u_2, \text{ the stack of thread } \iota \text{ always contains } x.c'::K\\
\quad \Longrightarrow (j_e,e')\in\mathcal{RE}(u_b.u_e.i.\phi_1)[\![\tau]\!]_{\theta;T;u_2} \text{ and } T\models\phi[e'/x]\}
\end{array}$$

The interpretation for the invariant assertions is defined similarly, and we omit its definition. Because c is being evaluated and produces no return value, the interpretation need not be indexed by an invariant; we leave the invariant position blank, as in $\mathcal{RC}(\ )[\![\phi]\!]$ in Figure 7.

5.3 Examples

We illustrate some key points of our semantic model. We instantiate the next function (Section 2) for the read action as follows:

$$\mathit{next}(\sigma,\mathsf{read}\ e_1\ e_2) = \begin{cases}(\sigma,\sigma(\ell)) & \ell\in\mathit{dom}(\sigma)\\ (\sigma,\mathit{stuck}) & \ell\notin\mathit{dom}(\sigma)\end{cases}$$

The predicate stuck ι u is true when thread ι is in the stuck state at time u. The first example below shows the semantic specification of the read action. The partial correctness assertion states that as long as the location l being read is allocated when the read happens, the thread does not get stuck and the expression y returned by read is the in-memory content v of the location read. The invariant assertion states that between the time the read action becomes the redex and the time it reduces, the thread is not stuck.

$$\begin{array}{l}
1.\ (n,\mathsf{act}(\mathsf{read}\ e))\in\mathcal{RC}(\Phi)[\![y{:}\mathsf{any}.\ \forall l,v.\ \mathit{mem}\ l\ v\ u_2\wedge\mathit{eval}\ e\ l\Rightarrow (y=e)\wedge\neg\mathit{stuck}\ i@(u_1,u_2]]\!]_{\theta;T;u_1,u_2,i}\\[4pt]
2.\ \mathcal{RC}(\Phi)[\![\forall j,l,e,t.\ (\neg\mathit{Write}\ j\ l\ e\ t)]\!]_{\theta;T;u_1,u_2,i}=\emptyset
\end{array}$$

The second example states that the interpretation of the invariant computation type (∀j,l,e,t. (¬Write j l e t)), which states that no thread performs a write action at any time, is the empty set. This is because the semantics of invariant assertions require that any trace containing the execution of such a computation satisfy this invariant. A trivial counterexample is a trace containing a second thread that writes to memory.

5.4 Soundness of the Logic

We prove that our type system is sound relative to the semantic model of Section 5.2. We start by defining valid substitutions for contexts. We write $\mathcal{RT}[\![\Theta]\!]$ to denote the set of valid semantic substitutions for Θ. We write $\mathcal{RG}(\Phi)[\![\Gamma]\!]_{\theta;T;u}$ to denote the set of valid substitutions for variables in Γ. Each indexed substitution is a pair of an index and a substitution γ for variables.

We first prove two key lemmas. Lemma 1 states that when all the effects in τ are ub.ue.i.ϕ, then the interpretation of τ is the same as the interpretation of the invariant ub.ue.i.ϕ. The proof is by induction on the structure of τ.

Lemma 1 (Indexed types are confined). confine(τ)(ub.ue.i.ϕ) implies $\mathcal{RE}(u_b.u_e.i.\phi)[\![\tau]\!]_{\theta;T;u} = \mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}$.

The following lemma states that if e does not contain any actions, then e, with its free variables substituted by expressions that satisfy an invariant ub.ue.i.ϕ, satisfies the same invariant. The proof is by induction on the structure of e.

Lemma 2 (Invariant confinement). If ϕ is composable, and thread ι being silent between times uB and uE implies T ⊨ ϕ[uB,uE,ι/ub,ue,i], then fa(e) = ∅, fv(e) ⊆ dom(γ), and $(n,\gamma)\in\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}$ imply $(n,e\gamma)\in\mathcal{RE}_{\mathrm{INV}}[\![u_b.u_e.i.\phi]\!]_{T;u}$.

The soundness theorem (Theorem 3) has two different statements for judgments with the empty qualifier and the invariant qualifier. The ones for judgments with an empty qualifier state that for any invariant Φ, if the substitution for Γ belongs to the interpretation of types, then the expression (computation) belongs to the interpretation of its type, indexed by the same invariant Φ. For judgments qualified by a specific invariant Φ, the soundness theorem statements are also specific to that Φ.

Theorem 3 (Soundness). Assume that $\forall A::\alpha\in\Sigma,\ \forall\Phi,T,n,u.\ (n,A)\in\mathcal{RA}(\Phi)[\![\alpha]\!]_{\cdot;T;u}$.

$$\begin{array}{l}
\text{1.(a)}\ \mathcal{E}::u{:}b;\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash_\Phi e:\tau,\ \forall\theta\in\mathcal{RT}[\![\Theta]\!],\ \forall\gamma_L\in[\![\Gamma_L]\!],\ \forall U,U'.\ U'\ge U,\ \text{let }\gamma_u=[U/u],\ \forall T,\ \forall n,\gamma.\\
\quad (n;\gamma)\in\mathcal{RG}(\Phi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;U'},\ T\models\Delta\gamma\gamma_u\gamma_L \text{ implies } (n;e\gamma)\in\mathcal{RE}(\Phi)[\![\tau\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}\\[4pt]
\text{1.(b)}\ \mathcal{E}::u_1,u_2,i;\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash_\Phi c:\eta,\ \forall u,u_B,u_E,\iota \text{ s.t. } u\le u_B\le u_E,\ \text{let }\gamma_1=[u_B,u_E,\iota/u_1,u_2,i],\\
\quad \forall\theta\in\mathcal{RT}[\![\Theta]\!],\ \forall\gamma_L\in[\![\Gamma_L]\!],\ \forall T,\ \forall n,\gamma.\ (n;\gamma)\in\mathcal{RG}(\Phi)[\![\Gamma\gamma_1\gamma_L]\!]_{\theta;T;u},\ T\models\Delta\gamma\gamma_1\gamma_L\\
\quad \text{implies } (n;c\gamma)\in\mathcal{RC}(\Phi)[\![\eta\gamma\gamma_1\gamma_L]\!]_{\theta;T;u_B,u_E,\iota}\\[4pt]
\text{2.(a)}\ \mathcal{E}::u{:}b;\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash e:\tau,\ \forall\theta\in\mathcal{RT}[\![\Theta]\!],\ \forall\gamma_L\in[\![\Gamma_L]\!],\ \forall U,U'.\ U'\ge U,\ \text{let }\gamma_u=[U/u],\ \forall T,\ \forall\Phi,\ \forall n,\gamma.\\
\quad (n;\gamma)\in\mathcal{RG}(\Phi)[\![\Gamma\gamma_u\gamma_L]\!]_{\theta;T;U'},\ T\models\Delta\gamma\gamma_u\gamma_L \text{ implies } (n;e\gamma)\in\mathcal{RE}(\Phi)[\![\tau\gamma\gamma_u\gamma_L]\!]_{\theta;T;U'}\\[4pt]
\text{2.(b)}\ \mathcal{E}::u_1,u_2,i;\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash c:\eta,\ \forall u,u_B,u_E,\iota \text{ s.t. } u\le u_B\le u_E,\ \text{let }\gamma_1=[u_B,u_E,\iota/u_1,u_2,i],\\
\quad \forall\theta\in\mathcal{RT}[\![\Theta]\!],\ \forall\gamma_L\in[\![\Gamma_L]\!],\ \forall T,\ \forall\Phi,\ \forall n,\gamma.\ (n;\gamma)\in\mathcal{RG}(\Phi)[\![\Gamma\gamma_1\gamma_L]\!]_{\theta;T;u},\ T\models\Delta\gamma\gamma_1\gamma_L\\
\quad \text{implies } (n;c\gamma)\in\mathcal{RC}(\Phi)[\![\eta\gamma\gamma_1\gamma_L]\!]_{\theta;T;u_B,u_E,\iota}\\[4pt]
\text{2.(c)}\ \mathcal{E}::\Theta;\Sigma;\Gamma_L;\Gamma;\Delta\vdash\phi\ \mathsf{true},\ \forall\theta\in\mathcal{RT}[\![\Theta]\!],\ \forall\gamma_L\in[\![\Gamma_L]\!],\ \forall T,\ \forall\Phi,\ \forall n,\gamma.\\
\quad (n;\gamma)\in\mathcal{RG}(\Phi)[\![\Gamma\gamma_L]\!]_{\theta;T;u},\ T\models\Delta\gamma\gamma_L \text{ implies } T\models\phi\gamma\gamma_L
\end{array}$$

We prove the soundness theorem by induction on typing derivations and a sub-induction on step-indices for the case of fixpoints.

The proof of soundness of the rule CONFINE (2.(a)) first uses Lemma 1 to show that a substitution γ for Γ, where γ maps each variable x in Γ to the type interpretation of Γ(x), is also a substitution where γ(x) belongs to the interpretation of the invariant. Then we use Lemma 2 to show that the untyped term eγ belongs to the interpretation of the invariant. Applying Lemma 1 again, we can show that eγ is in the interpretation of τ. The confine relations in the premises are key to this proof. The proof of the rule CONF-SUB uses the induction hypothesis directly: a derivation with an empty qualifier can pick substitutions with any invariant ϕ.

To prove the soundness of HONEST, we need to show that given any substitution (n,γ) for Γ, the trace satisfies the invariant of c. From the last premise of HONEST, we know that c starts with an empty stack. c can never return because there is no frame to be popped off the empty stack. Therefore, at any time point after c starts, the invariant of c should hold. However, the length of the trace after c starts, denoted m, is not related to n. To use the induction hypothesis, we need to use the substitution (m,γ) for Γ. Because Γ is empty, we complete the proof by using the induction hypothesis on the first premise given an empty substitution (m,·).

An immediate corollary of the soundness theorem is the following robust safety theorem, which states that the invariant assertion of a computation c's postcondition holds even when c executes concurrently with other threads, including those that are adversarial. The theorem holds because we account for adversarial actions in the definition of $\mathcal{RC}(u_b.u_e.i.\phi)[\![\eta]\!]_{\theta;\Delta;\Xi}$. A similar theorem holds for partial correctness assertions.

Theorem 4 (Robust safety). If
• u1,u2,i;∆ ⊢ c:ϕ, T ⊨ ∆,
• T is a trace obtained by executing the parallel composition of threads of ID (ι1,..,ιk),
• at time Ub, the computation that thread ιj is about to run is c,
• at time Ue, c has not returned,