Extend secure compilation proofs to lower-level enforcement backends

Extend the SECOMP robust safety compilation proofs, which currently end at the compartmentalized RISC assembly language with an abstract isolation semantics, to verified lower-level compartment isolation backends (such as capability-based CHERI-style backends, Software Fault Isolation, or tagged architectures) by establishing robust preservation of safety properties down to concrete byte-addressed memory and hardware mechanisms.

Background

SECOMP extends CompCert with compartmentalization and provides machine-checked proofs of robustly safe compilation (RSC, i.e. robust preservation of safety properties) from Clight down to a compartment-aware RISC assembly semantics. That target semantics abstracts isolation: compartments own disjoint memory, cross-compartment control transfers are checked against declared interfaces, and return addresses live on a shadow stack rather than in compartment-writable memory. The guarantees therefore hold only as far as the abstract semantics is faithful; the paper notes that actual enforcement must occur at lower levels (e.g., concrete byte-addressed memory with hardware or SFI-based mechanisms) and that these backends are currently unverified, so any mismatch between what the abstract semantics assumes and what a backend actually enforces is a gap the proofs do not cover.

The authors prototype a capability-based backend (inspired by CHERI and recent secure calling conventions) and discuss other plausible backends (SFI, tagged architectures, WebAssembly components). However, once memory layout becomes concrete, the properties the abstract semantics takes for granted (disjoint compartment memory, tamper-proof return addresses, calls landing only on interface entry points) have to be re-established from the concrete mechanism, and the existing proof techniques used for RSC and recomposition are insufficient for that; new techniques are needed to prove security through these backends. Hence, extending the secure compilation proofs to cover such lower-level enforcement mechanisms is explicitly left as future work.
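To make the abstract isolation semantics concrete, here is a small executable model of the checks it performs, added here as an illustration; it is not SECOMP's code and does not reproduce its formal definitions. All names (`Program`, `step`, `check`, the `store`/`call`/`ret`/`halt` instruction forms, the sample compartments `A` and `B`, and the addresses `0x10`/`0x20`) are assumptions of this toy model. It shows the three things a lower-level backend must actually enforce for the proofs to carry down: stores are confined to the current compartment's own memory, cross-compartment calls must match the callee's exported interface and the caller's imports, and returns are driven by a shadow stack rather than by anything the callee wrote.

```python
"""Toy model of a compartment-aware assembly with abstract isolation.
Added illustration only; not SECOMP's semantics or code. Instruction forms,
compartment names and addresses below are assumptions of this model."""
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """Raised when a step would break compartment isolation."""


@dataclass
class Program:
    code: dict     # compartment -> procedure -> list of instruction tuples
    exports: dict  # compartment -> set of procedure names it exposes
    imports: dict  # compartment -> set of (callee_compartment, procedure)
    owner: dict    # address -> owning compartment (abstract ownership, no layout)


@dataclass
class State:
    comp: str
    proc: str
    pc: int = 0
    mem: dict = field(default_factory=dict)
    shadow: list = field(default_factory=list)  # (comp, proc, return pc)
    trace: list = field(default_factory=list)   # cross-compartment events


def step(prog, st):
    """Execute one instruction; return False when the machine halts."""
    instr = prog.code[st.comp][st.proc][st.pc]
    op = instr[0]
    if op == "store":
        _, addr, val = instr
        # Abstract memory isolation: only the owner may write an address.
        if prog.owner.get(addr) != st.comp:
            raise IsolationViolation(
                f"{st.comp} stored to {addr:#x} owned by {prog.owner.get(addr)}")
        st.mem[addr] = val
        st.pc += 1
        return True
    if op == "call":
        _, callee, proc = instr
        if callee != st.comp:
            # Interface check: callee must export it and caller must import it.
            if proc not in prog.exports.get(callee, set()):
                raise IsolationViolation(
                    f"{st.comp} called {callee}.{proc}, which {callee} does not export")
            if (callee, proc) not in prog.imports.get(st.comp, set()):
                raise IsolationViolation(
                    f"{st.comp} called {callee}.{proc} without importing it")
            st.trace.append(("call", st.comp, callee, proc))
        # Shadow stack records the return point outside compartment memory.
        st.shadow.append((st.comp, st.proc, st.pc + 1))
        st.comp, st.proc, st.pc = callee, proc, 0
        return True
    if op == "ret":
        if not st.shadow:
            return False
        caller_comp, caller_proc, ret_pc = st.shadow.pop()
        if caller_comp != st.comp:
            st.trace.append(("ret", st.comp, caller_comp))
        # The return target comes from the shadow stack, never from memory.
        st.comp, st.proc, st.pc = caller_comp, caller_proc, ret_pc
        return True
    if op == "halt":
        return False
    raise ValueError(f"unknown instruction {instr!r}")


def run(prog, comp, proc, max_steps=100):
    st = State(comp, proc)
    for _ in range(max_steps):
        if not step(prog, st):
            break
    return st


def build_program(b_body):
    """Constructed sample: A imports B.serve; A owns 0x10, B owns 0x20."""
    return Program(
        code={
            "A": {"main": [("store", 0x10, 1), ("call", "B", "serve"), ("halt",)],
                  "secret": [("ret",)]},   # not exported by A
            "B": {"serve": b_body},
        },
        exports={"A": {"main"}, "B": {"serve"}},
        imports={"A": {("B", "serve")}, "B": set()},
        owner={0x10: "A", 0x20: "B"},
    )


def check(prog, comp="A", proc="main"):
    """Run and report either ('ok', trace) or ('violation', message)."""
    try:
        return ("ok", run(prog, comp, proc).trace)
    except IsolationViolation as exc:
        return ("violation", str(exc))


if __name__ == "__main__":
    print(check(build_program([("store", 0x20, 7), ("ret",)])))      # well-behaved B
    print(check(build_program([("store", 0x10, 0), ("ret",)])))      # B writes A's memory
    print(check(build_program([("call", "A", "secret"), ("ret",)])))  # B calls unexported A proc
```

The three sample runs are the well-behaved case and two attempted violations by compartment `B`. In this model every check is a lookup in an abstract `owner`/`exports`/`imports` map; a concrete backend has to realize the same outcomes with address masking, capabilities or tags over a real byte-addressed layout, and that correspondence is exactly what the missing proofs would have to establish.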

References

"At the moment all these lower-level backends are, however, unverified, and extending the secure compilation proofs to cover them is a formidable research challenge that we leave as future work (Section 9, Future Work)."

SECOMP: Formally Secure Compilation of Compartmentalized C Programs (arXiv:2401.16277, Thibault et al., 2024), Introduction, Contributions list; also Section 9 (Future Work).