Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack zeroization on main with proofs #631

Merged
merged 10 commits into from
Dec 5, 2023
Merged

Stack zeroization on main with proofs #631

merged 10 commits into from
Dec 5, 2023

Conversation

eponier
Copy link
Contributor

@eponier eponier commented Oct 31, 2023
edited
Loading

This is (finally...) stack zeroization on latest main with proofs. The code is the last version (the one that makes Valgrind happy). The separation in commits should be meaningful.

I tried to consistently rename every "clear stack" to "stack zero".

The arm part is missing for the moment, so I put the PR as a draft for now.

eponier and others added 9 commits November 20, 2023 16:27
@eponier @sarranz
Set alignment padding apart
7fc85f0 
The padding introduced by the alignment at the start of the export
function is no longer included in the frame size of the export function,
only in the max stack size.

And we distinguish two max stack sizes:
- stk_max : the amount of stack without the padding. This is the amount
  of stack that the function may write to.
- total_stack : this is the amount of stack including the padding. This
  is the minimal stack space required for the execution of the compiled
  program. This is the amount to use in the correctness theorem.

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Print both stk_max and total_stack
dce7482 
Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Strengthen the proof of linearization
ef27718 
At the end of a call, rsp is back at the same point.

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Strengthen the proof of linearization
c2c006a 
The fact that the memory that is not part of the source memory and not
part of the stack is untouched is made explicit. This is needed to prove
stack zeroization.

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Stack zeroization: code and proof
dfb1464 
But just the generic part for the moment. The architecture-dependent
parts (for x86 and ARM) are TODOs.

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Stack zeroization for x86
c58ef28 
Code and proof

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Stack zeroization for x86: add tests
8f5931c 
Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Stack zeroization for ARM
d451b64 
Code and proof

Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier @sarranz
Stack zeroization for ARM: add tests
3236156 
Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@eponier eponier marked this pull request as ready for review November 20, 2023 15:47
@eponier
Copy link
Contributor Author

eponier commented Nov 20, 2023

ARM part done. The PR is ready!

@eponier @sarranz
Add Changelog entry
836dcfe 
Co-authored-by: Santiago Arranz Olmos <santiago.arranz1@gmail.com>
@bgregoir
Copy link
Contributor

Great, I will try to read it soon.

bgregoir
bgregoir reviewed Dec 1, 2023
View reviewed changes
Copy link
Contributor

@bgregoir bgregoir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will not block the PR for my remark but it should be added in the TODO list.
I think it would be nice if some other reviewer are agree that the final lemma is what we want.

proofs/compiler/compiler_proof.v
@@ -712,38 +857,63 @@ Lemma compile_prog_to_asmP
-> exists xm',
[/\ asmsem_exportcall xp fn xm xm'
, mem_agreement m' (asm_mem xm') (asm_rip xm') (asm_globs xp), asm_scs xm' = scs'
, (cparams.(stack_zero_info) fn <> None ->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is not very nice to use cparams.(stack_zero_info) here.
Because there is no guaranties on its value.
I think we should add a boolean flag in the function (source level) and refers to it. So we will have the guaranty that if the source function is annotated then the stack is cleared.

@sarranz
Copy link
Collaborator

sarranz commented Dec 4, 2023

I reviewed the statements (not proofs) of the lemmas in this PR and they look good to me.

@bgregoir bgregoir merged commit 05d3202 into main Dec 5, 2023
@bgregoir bgregoir deleted the clear-stack_reborn branch December 5, 2023 04:15
jedisct1 added a commit to aegis-aead/aegis-jasmin that referenced this pull request Dec 5, 2023
@jedisct1
Enable stack zeroing
0d4facb 
Finally merged into Jasmin 🎉

jasmin-lang/jasmin#631
@eponier eponier mentioned this pull request Dec 6, 2023
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bgregoir bgregoir bgregoir approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eponier @bgregoir @sarranz