Robustly Safe Compilation, an Efficient Form of Secure Compilation

2021, Vol 43 (1), pp. 1-41
Author(s): Marco Patrignani, Deepak Garg

Security-preserving compilers generate compiled code that withstands target-level attacks such as alteration of control flow, data leaks, or memory corruption. Many existing security-preserving compilers are proven to be fully abstract, meaning that they reflect and preserve observational equivalence. Fully abstract compilation is strong and useful but, in certain cases, comes at the cost of requiring expensive runtime constructs in compiled code. These constructs may have no relevance for security, but are needed to accommodate differences between the source and target languages that fully abstract compilation necessarily needs. As an alternative to fully abstract compilation, this article explores a different criterion for secure compilation called robustly safe compilation, or RSC. Briefly, this criterion means that the compiled code preserves relevant safety properties of the source program against all adversarial contexts interacting with the compiled program. We show that RSC can be proved more easily than fully abstract compilation and also often results in more efficient code. We also present two different proof techniques for establishing that a compiler attains RSC and, to illustrate them, develop three illustrative robustly safe compilers that rely on different target-level protection mechanisms. We then proceed to turn one of our compilers into a fully abstract one and through this example argue that proving RSC can be simpler than proving full abstraction. To better explain and clarify notions, this article uses syntax highlighting in a way that colourblind and black-&-white readers can benefit from (Reference [58]). For a better experience, please print or view this article in colour.

1981, Vol 10 (137)
Author(s): Neil D. Jones, Henning Christiansen

A simple algebra-based algorithm for compiler generation is described. Its input is a semantic definition of a programming language, and its output is a "compiling semantics" which maps each source program into a sequence of compile-time actions whose net effect on execution is the production of a semantically equivalent target program. The method does not require individual compiler correctness proofs or the construction of specialized target algebras.

Source program execution is assumed to proceed by performing a series of elementary actions on a runtime state. A semantic algebra is introduced to represent and manipulate possible execution sequences. A source semantic definition has two parts: a set of semantic equations mapping source programs into terms of the algebra, and an interpretation which gives concrete definitions of the state and the elementary actions on it.


2020, Vol 16 (5), pp. 693-698
Author(s): S. Yu. Martsevich, Yu. V. Lukina, N. P. Kutishenko

Aim. To perform a pharmacoeconomic assessment of the use of generic statin drugs in patients with high and very high cardiovascular risk (CVR) in real clinical practice based on the data of the PRIORITY study.

Material and methods. The PRIORITY study included 298 patients with high (29; 9.7%) and very high (269; 90.3%) CVR. All patients were recommended to take generic atorvastatin or rosuvastatin in an individually prescribed dose. After 1 month (B1), if the target level of low-density lipoprotein cholesterol (LDL-C) was not reached, the statin dose was titrated. After 3 months of follow-up (B3), the hypolipidemic effect of statin therapy was evaluated. 295 people completed the study, and lipid profile results were available for 285 patients. To perform the pharmacoeconomic analysis and evaluate the "cost/effectiveness" ratio, we used the prices of generic statins in one of the online pharmacies. The effectiveness of statins was determined by the LDL-C reduction, as well as by the percentage of patients achieving the target LDL-C level.

Results. At the first stage of the pharmacoeconomic analysis, the criterion for the effectiveness of 3-month lipid-lowering therapy was a decrease in LDL-C level by 1 mmol/l. The median and interquartile range of the "cost/effectiveness" indicator for atorvastatin was 658.2 (431.5; 1257.1) RUB/mmol/l, and for rosuvastatin 621.0 (390.7; 940.6) RUB/mmol/l (p=0.45). A comparative assessment of the "cost/effectiveness" ratio (with the above-mentioned effectiveness indicator) in subgroups of patients with high and very high CVR, with achievement and non-achievement of the target LDL-C level, and adherent and non-adherent to statins, revealed the economic advantage of statins in adherent patients (p=0.35), high-risk patients (p<0.0001) and individuals who reached the target LDL-C level (p=0.002) when compared with the corresponding comparison groups. Despite the high effectiveness of rosuvastatin at doses of 20-40 mg/day (assessed by the cost/effectiveness of achieving the target LDL-C values for specific statin doses), calculation of the "cost/effectiveness" ratio for each generic statin as a whole showed a higher economic effectiveness of atorvastatin.

Conclusion. Pharmacoeconomic analysis of therapy with generic statin drugs, performed on the data of this non-randomized uncontrolled study, makes it possible to justify the economic efficiency and advantages of these drugs in various subgroups of patients who need statin therapy.


Author(s): Carmine Abate, Roberto Blanco, Ștefan Ciobâcă, Adrien Durier, Deepak Garg, ...

Compiler correctness is, in its simplest form, defined as the inclusion of the set of traces of the compiled program in the set of traces of the original program, which is equivalent to the preservation of all trace properties. Here traces collect, for instance, the externally observable events of each execution. This definition requires, however, the sets of traces of the source and target languages to be exactly the same, which is not the case when the languages are far apart or when observations are fine-grained. To overcome this issue, we study a generalized compiler correctness definition, which uses source and target traces drawn from potentially different sets and connected by an arbitrary relation. We set out to understand what guarantees this generalized compiler correctness definition gives us when instantiated with a non-trivial relation on traces. When this trace relation is not equality, it is no longer possible to preserve the trace properties of the source program unchanged. Instead, we provide a generic characterization of the target trace property ensured by correctly compiling a program that satisfies a given source property, and dually, of the source trace property one is required to show in order to obtain a certain target property for the compiled code. We show that this view on compiler correctness can naturally account for undefined behavior, resource exhaustion, different source and target values, side-channels, and various abstraction mismatches. Finally, we show that the same generalization also applies to many secure compilation definitions, which characterize the protection of a compiled program against linked adversarial code.


Author(s): Tianlin Huo, Xiaoni Meng, Wenhao Wang, Chunliang Hao, Pei Zhao, ...

Software Guard Extensions (SGX) is a hardware-based trusted execution environment (TEE) implemented in recent Intel commodity processors. By isolating the memory of security-critical applications from untrusted software, this mechanism provides users with a strongly shielded environment, called an enclave, for executing programs safely. However, recent studies have demonstrated that SGX enclaves are vulnerable to side-channel attacks. To deal with these attacks, several protection techniques have been studied and deployed. In this paper, we explore a new pattern history table (PHT) based side-channel attack against SGX, named Bluethunder, which can bypass existing protection techniques and reveal secret information inside an enclave. Compared to existing PHT-based attacks (such as Branchscope [ERAG+18]), Bluethunder abuses the 2-level directional predictor in the branch prediction unit, on top of which we develop an exploitation methodology to disclose the input-dependent control flow in an enclave. Since the cost of training the 2-level predictor is low, Bluethunder can achieve a high bandwidth during the attack. We evaluate our attacks on two case studies: extracting the format string information in the vfprintf function in the Intel SGX SDK and attacking the implementation of the RSA decryption algorithm in mbed TLS. Both attacks show that Bluethunder can recover fine-grained information inside an enclave with low training overhead, outperforming the latest PHT-based side-channel attack (Branchscope) by 52×. Specifically, in the second attack, Bluethunder can recover the RSA private key with 96.76% accuracy in a single run.


2020, Vol 152 (6), pp. 772-782
Author(s): Miriam H. Richards, Andrea Cardama Garate, Mary Shehata, Derrick Groom, Glenn J. Tattersall, ...

Small carpenter bees (Ceratina calcarata Robertson) (Hymenoptera: Apidae) build their nests in both sunny and shady sites, so maternal decisions about nest sites influence the thermal environment experienced by juveniles throughout development. A previous study demonstrated that when larvae and pupae were raised in the laboratory at room temperature, those from sunny nests developed more slowly than those from shady nests. This suggested that bees developing in sunny nests slowed their metabolism or that bees developing in shady nests increased their metabolism. To test this hypothesis, we performed a field experiment in which bees nested in full sun, full shade, or semi-shade. We brought larvae and pupae into the laboratory to be raised to adulthood at room temperature and measured their metabolic rates (VCO2) at 10 °C, 25 °C, and 40 °C. As expected, bees had higher VCO2 at higher test temperatures, but a significant interaction also occurred between test temperature and field treatment, such that bees from sunny nests exhibited higher metabolic rates at 40 °C. Because small carpenter bees frequently nest in full sun, adaptation to high nest temperatures may involve activation of thermal protection mechanisms at the cost of slower development.


2021
Author(s): Anatoliy Andreevich Isaev, Rustem Shafagatovich Takhautdinov, Vladimir Ivanovich Malykhin, Almaz Amirzyanovich Sharifullin

This paper presents a set of activities to reduce water cut and a technical solution for measuring it: measurement of water cut, flow rates and gas-oil ratio of a well's output using a mobile unit; tracer tests and conformance control operations, after which the water cut of reacting wells within the Bashkirian stage decreased by 16.6%; water flow control, flow diversion and remediation of production casing damage, which made it possible to reduce the extraction of produced water and, accordingly, the cost of oil production; and development of a Liquid Phase Separation Device, which enabled alternate delivery of oil and water to the intake of the downhole pump.


2018, Vol 239, pp. 04023
Author(s): Viktor Terskikh, Vladimir Katargin, Natalia Morozova

The paper considers a new approach to planning and forming the stock of spare parts necessary for the smooth functioning of transport enterprises. The basis of the authors' approach is a simulation model of the warehouse, adapted for any type of enterprise that services and/or operates road transport. The need for spare parts in this model is defined as a mixture of probability distributions of demand of various kinds, which makes it universal. The model is based on new patterns, identified by the authors, of how the following factors influence the size of the stock: the statistical indicators of the need for spare parts, the type and location of the enterprise, the target level of reliability of the supply system, etc. The proposed approach links the main indicators of resource management effectiveness: the shortage rate, the cost of stock, and the level of system reliability. It allows the stock of spare parts to be planned and formed on a sound basis. It is expected that the proposed approach will increase the efficiency of transport enterprises and the degree of satisfaction of consumers of their services.
