We propose a concrete ("pointer as integer") memory semantics for C that supports verified compilation to a target environment having simple "public vs. private" data protection based on tagging or sandboxing (such as the WebAssembly virtual machine). Our semantics gives definition to a range of legacy programming idioms that cause undefined behavior in standard C, and are not covered by existing verified compilers, but that often work in practice. Compiler correctness in this context implies that target programs are secure against all control-flow attacks (although not against data-only attacks). To avoid tying our semantics too closely to particular compiler implementation choices, it is parameterized by a novel form of oracle that non-deterministically chooses the addresses of stack and heap allocations. As a proof-of-concept, we formalize a small RTL-like language and verify two-way refinement for a compiler from this language to a low-level machine and runtime system with hardware tagging. Our Coq formalization and proofs are provided as supplementary material.
@InProceedings{tolmach_et_al:LIPIcs.ITP.2024.36, author = {Tolmach, Andrew and Chhak, Chris and Anderson, Sean}, title = {{Defining and Preserving More C Behaviors: Verified Compilation Using a Concrete Memory Model}}, booktitle = {15th International Conference on Interactive Theorem Proving (ITP 2024)}, pages = {36:1--36:20}, series = {Leibniz International Proceedings in Informatics (LIPIcs)}, ISBN = {978-3-95977-337-9}, ISSN = {1868-8969}, year = {2024}, volume = {309}, editor = {Bertot, Yves and Kutsia, Temur and Norrish, Michael}, publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik}, address = {Dagstuhl, Germany}, URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ITP.2024.36}, URN = {urn:nbn:de:0030-drops-207643}, doi = {10.4230/LIPIcs.ITP.2024.36}, annote = {Keywords: Compiler verification, C language semantics, Coq proof assistant} }
Feedback for Dagstuhl Publishing