{"id":14966239,"url":"https://github.com/secure-compilation/secureptrs","last_synced_at":"2026-01-28T23:33:44.209Z","repository":{"id":71105225,"uuid":"484326565","full_name":"secure-compilation/SecurePtrs","owner":"secure-compilation","description":"Coq formalization for \"SecurePtrs\" paper","archived":false,"fork":false,"pushed_at":"2022-06-03T13:05:02.000Z","size":4158,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"memory-sharing","last_synced_at":"2025-01-31T07:51:28.792Z","etag":null,"topics":["capabilities","compartmentalization","coq","secure-compilation"],"latest_commit_sha":null,"homepage":"https://arxiv.org/abs/2110.01439","language":"Coq","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secure-compilation.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-04-22T06:49:27.000Z","updated_at":"2022-04-22T20:05:55.000Z","dependencies_parsed_at":null,"dependency_job_id":"7d82b43e-e99c-4211-87de-dc75b0ef815c","html_url":"https://github.com/secure-compilation/SecurePtrs","commit_stats":{"total_commits":2114,"total_committers":19,"mean_commits":"111.26315789473684","dds":0.6471144749290445,"last_synced_commit":"5b4c34eda0b827469a5c73e434a12c6c87773e04"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-compilation%2FSecurePtrs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-compilation%2FSecurePtrs/tags","releases_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-compilation%2FSecurePtrs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secure-compilation%2FSecurePtrs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secure-compilation","download_url":"https://codeload.github.com/secure-compilation/SecurePtrs/tar.gz/refs/heads/memory-sharing","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238174116,"owners_count":19428629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capabilities","compartmentalization","coq","secure-compilation"],"created_at":"2024-09-24T13:36:03.820Z","updated_at":"2025-10-25T16:30:43.584Z","avatar_url":"https://github.com/secure-compilation.png","language":"Coq","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecurePtrs #\n\nThis branch contains the Coq development of the paper:\n- **[SecurePtrs: Proving Secure Compilation Using\n     Data-Flow Back-Translation and Turn-Taking Simulation](https://arxiv.org/abs/2110.01439)**.\n   Akram El-Korashy, Roberto Blanco, Jérémy Thibault,\n   Adrien Durier, Deepak Garg, and Catalin Hritcu.\n   arXiv:2110.01439. 
October 2021.\n\n## Installation ##\n\n### Prerequisites ###\n\nThis development has been built with the following combinations of Coq releases\nand versioned libraries:\n\nCoq 8.12.2\n- Mathematical Components 1.11.0\n- Extensional Structures 0.2.2\n- Equations 1.2.4\n\nCoq 8.13.2\n- Mathematical Components 1.13.0\n- Extensional Structures 0.3.1\n- Equations 1.3\n\nCoq 8.14.1\n- Mathematical Components 1.13.0\n- Extensional Structures 0.3.1\n- Equations 1.3\n\nDependencies can be installed through the OCaml package manager, OPAM.\n\n- Coq (package `coq`) is available through the official\n  [OCaml OPAM repository](http://opam.ocaml.org/).\n- Stable releases of Mathematical Components (packages `coq-mathcomp-ssreflect`,\n  `coq-mathcomp-fingroup` and `coq-mathcomp-algebra`), Extensional Structures\n  (package `coq-extructures`), and Equations (package `coq-equations`)\n  are available through the [Coq OPAM repository](https://coq.inria.fr/opam/released/).\n\n### Build ###\n\nRun `make` at the root to build the development.\n\n## Definitions and theorems ##\n\nThe following list maps the definitions and statements in the paper to their\nmechanized counterparts in Coq.\n\n- Definition 2.1 (RSP~): see statement of Theorem `RSC` in `RSC.v` for an instance of this definition\n\n- Assumption 2.3 (FCC): `S2I/Compiler.v`, Axiom `forward_simulation_star`\n\n- Lemma 2.4 (recomposition): `Intermediate/RecompositionRel.v`, Theorem `recombination_trace_rel`\n\n- Assumption 2.5 (BCC): `S2I/Compiler.v`, Axiom `backward_simulation_star`\n\n- Definition 2.6 (interaction-trace events): `CompCert/Events.v`, Inductive type `event`\n\n- Definition 3.2 (data-flow events): `Common/TracesInform.v`, Inductive type `event_inform`\n\n- Lemma 3.4 (enrichment): `Intermediate/CS.v`, Lemma `star_sem_non_inform_star_sem_inform`\n\n- Lemma 3.5 (data-flow back-translation): `Source/Definability.v`, Lemma `definability`\n\n- Definition 3.9 (turn-taking memory relation): 
`Intermediate/RecompositionRelCommon.v`, Inductive proposition `mergeable_internal_states`\n\n- Definition 3.10 (relation on interaction traces): `Common/RenamingOption.v`, Inductive proposition `traces_shift_each_other_option`\n\n- Rule `Jump` (Section 4): `Intermediate/CS.v`, case `Jump` of inductive `step`\n\n- Rule `Store` (Section 4): `Intermediate/CS.v`, case `Store` of inductive `step`\n\n- Theorem 4.1 (RSP~): Theorem `RSC` in `RSC.v`\n\n- Lemma 5.1 (trace prefix mimicking): `Source/Definability.v`, Lemma `definability_gen_rel_right`\n\n- Definition 5.2 (memory relation at interaction events): `Intermediate/RecompositionRelCommon.v`, Inductive proposition `mergeable_border_states`\n\n- Lemma 5.3 (strengthening at interaction events): `Intermediate/RecompositionRelStrengthening.v`, Theorem `threeway_multisem_event_lockstep_program_step`\n\n- Lemma 5.4 (option simulation): `Intermediate/RecompositionRelOptionSim.v`, Lemma `merge_states_silent_star`\n\n- Lemma 5.5 (lockstep simulation): `Intermediate/RecompositionRelLockstepSim.v`, Theorem `threeway_multisem_star_E0`\n\n- Lemma 5.6 (symmetry of the turn-taking state simulation relation): `Intermediate/RecompositionRelCommon.v`, Lemma `mergeable_internal_states_sym`\n\n## Axioms ##\n\n### How to find axioms/admits ###\n\nAll our results are admit-free and only rely, at most, on some of the axioms\nspecified below. Any other axioms or admitted theorems found in the development\nare not used in our proofs.\n\nTo verify this, use the Coq command `Print Assumptions` to examine the axioms\nthat apply to the theorems of interest. 
An index of the above definitions and\ntheorems is given at the end of the top-level file `RSC.v`.\n\n### Axioms about correct compilation of whole programs ###\n\nWe leave some standard statements about the *correct* compilation of whole\nprograms as axioms because they are not really the focus of\nour novel *secure* compilation proof techniques.\n\nProving these kinds of correctness results is typically laborious, and we do not\nexpect the proof to be particularly insightful for our chosen pair of languages.\n\nIn fact, one of the key goals of the proof technique for the main secure\ncompilation theorem is to demonstrate that standard results about correct\ncompilation can be reused by (rather than implicitly reproved as part of) the\nsecure compilation proof, since proving these theorems is typically a big manual\neffort that one would wish to avoid duplicating.\n\n#### Compilation and well-formedness ####\nWe assume that every well-formed source program can be successfully compiled\n(`well_formed_compilable`),\nand that compiling preserves certain well-formedness conditions\n(`Compiler.compilation_preserves_well_formedness`,\n`compilation_preserves_main`, `compilation_has_matching_mains`).\n```coq\nCompiler.well_formed_compilable\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat}),\n    Source.well_formed_program p -\u003e\n    exists pc : Intermediate.program, compile_program p psz = Some pc\n\nCompiler.compilation_preserves_well_formedness\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat})\n      (p_compiled : Intermediate.program),\n    Source.well_formed_program p -\u003e\n    compile_program p psz = Some p_compiled -\u003e\n    Intermediate.well_formed_program p_compiled\n\ncompilation_preserves_main\n  : forall (p : Source.program) (pstksize : {fmap Component.id -\u003e nat})\n      (p_compiled : Intermediate.program),\n    Source.well_formed_program p -\u003e\n    compile_program p pstksize = Some p_compiled 
-\u003e\n    (exists main : expr, Source.prog_main p = Some main) \u003c-\u003e\n    Intermediate.prog_main p_compiled\n\ncompilation_has_matching_mains\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat})\n      (p_compiled : Intermediate.program),\n    Source.well_formed_program p -\u003e\n    compile_program p psz = Some p_compiled -\u003e matching_mains p p_compiled\n```\n\n#### Separate compilation ####\nWe assume that the compiler satisfies `separate_compilation`:\ncompilation and linking commute.\n```coq\nseparate_compilation\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat})\n      (c : Source.program) (csz : {fmap Component.id -\u003e nat})\n      (p_comp c_comp : Intermediate.program),\n    Source.well_formed_program p -\u003e\n    Source.well_formed_program c -\u003e\n    linkable (Source.prog_interface p) (Source.prog_interface c) -\u003e\n    compile_program p psz = Some p_comp -\u003e\n    compile_program c csz = Some c_comp -\u003e\n    compile_program (Source.program_link p c) (unionm psz csz) =\n    Some (Intermediate.program_link p_comp c_comp)\n```\n\n#### Compiler correctness ####\nWe also assume CompCert-style compiler correctness, in the form of a\nforward simulation `forward_simulation_star`\nand a backward simulation `backward_simulation_star`:\n```coq\nCompiler.forward_simulation_star\n  : forall (p : Source.program) (t : Events.trace Events.event)\n      (s : state (S.CS.sem p)) (metasize : Component.id -\u003e nat),\n    Source.closed_program p -\u003e\n    Source.well_formed_program p -\u003e\n    disciplined_program p -\u003e\n    NoLeak.good_Elocal_usage_program p -\u003e\n    Star (S.CS.sem p) (S.CS.initial_machine_state p) t s -\u003e\n    exists\n      (s' : I.CS.state) (t' : Events.trace Events.event) \n    (psz : {fmap nat_ordType -\u003e nat}) (p_compiled : Intermediate.program),\n      domm (T:=nat_ordType) (S:=nat) psz =\n      domm (T:=nat_ordType) (S:=Component.interface)\n        
(Source.prog_interface p) /\\\n      compile_program p psz = Some p_compiled /\\\n      Star (I.CS.sem_non_inform p_compiled)\n        (I.CS.initial_machine_state p_compiled) t' s' /\\\n      traces_shift_each_other_option metasize metasize t t'\n\nCompiler.backward_simulation_star\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat})\n      (p_compiled : Intermediate.program) (t : Events.trace Events.event)\n      (s : state (I.CS.sem_non_inform p_compiled))\n      (metasize : Component.id -\u003e nat),\n    Source.closed_program p -\u003e\n    Source.well_formed_program p -\u003e\n    disciplined_program p -\u003e\n    NoLeak.good_Elocal_usage_program p -\u003e\n    compile_program p psz = Some p_compiled -\u003e\n    Star (I.CS.sem_non_inform p_compiled)\n      (I.CS.initial_machine_state p_compiled) t s -\u003e\n    exists (s' : state (S.CS.sem p)) (t' : Events.trace Events.event),\n      Star (S.CS.sem p) (S.CS.initial_machine_state p) t' s' /\\\n      traces_shift_each_other_option metasize metasize t t'\n```\n\n#### Compiler preserves the privacy of the local buffer ####\nFinally, we assume `Compiler.compiler_preserves_non_leakage_of_private_pointers`,\nwhich states that our compiler preserves the privacy of the local buffer.\nSuch a result can likely be proved by using the fine-grained simulation invariants\nin an actual compiler correctness proof.\n```coq\nCompiler.compiler_preserves_non_leakage_of_private_pointers\n  : forall (p : Source.program) (psz : {fmap Component.id -\u003e nat})\n      (p_compiled : Intermediate.program)\n      (metadata_size : Component.id -\u003e nat),\n    Source.closed_program p -\u003e\n    Source.well_formed_program p -\u003e\n    compile_program p psz = Some p_compiled -\u003e\n    S.CS.private_pointers_never_leak_S p metadata_size -\u003e\n    private_pointers_never_leak_I p_compiled metadata_size\n```\n\n### Logical axioms ###\n\nThe following standard axioms are used occasionally in our 
proofs.\n\n```coq\nProofIrrelevance.proof_irrelevance : forall (P : Prop) (p1 p2 : P), p1 = p2\n\nFunctionalExtensionality.functional_extensionality_dep\n  : forall (A : Type) (B : A -\u003e Type) (f g : forall x : A, B x),\n    (forall x : A, f x = g x) -\u003e f = g\n\nClassical_Prop.classic : forall P : Prop, P \\/ ~ P\n```\n\n## Index of definitions ##\n\nThe source language `SafeP` corresponds to `Source` in the code. The target language `Mach` corresponds to `Intermediate` in the code.\n\n- Backtranslation function `↑`: function `procedures_of_trace` in `Source/Definability.v`\n- Data-flow events `E`: inductive `event_inform` in `Common/TracesInform.v`\n- Memory projection `proj_P(Mem)`: implicit in definitions `mem_of_part_executing_rel_original_and_recombined` and `mem_of_part_not_executing_rel_original_and_recombined_at_internal` in `Intermediate/RecompositionRelCommon.v`\n- Value renaming `valren`: function `rename_value_template_option` in `Common/RenamingOption.v`\n- The +1 block id renaming: Implemented by instantiating `shift_value_option` with `uniform_shift 0` and `uniform_shift 1`, in `Common/RenamingOption.v`\n- Turn-taking simulation invariant `state_rel_tt`: definition `mergeable_internal_states` in `Intermediate/RecompositionRelCommon.v`\n- Turn-taking simulation relation `mem_rel_tt`: memory part of the `mergeable_internal_states` definition in `Intermediate/RecompositionRelCommon.v`\n- Strong memory relation holding at all locations of the executing part `mem_rel_exec`: definition `mem_of_part_executing_rel_original_and_recombined` in `Intermediate/RecompositionRelCommon.v`\n- Memory relation holding only at private locations of the non-executing part `mem_rel_not_exec`: definition `mem_of_part_not_executing_rel_original_and_recombined_at_internal` in `Intermediate/RecompositionRelCommon.v`\n- Function `shared`: inductive `addr_shared_so_far` in `Common/RenamingOption.v`\n- Function `private`: negation of the inductive `addr_shared_so_far` in 
`Common/RenamingOption.v`\n- Linking `C ∪ P`: functions `program_link` in `Source/Language.v` and `Intermediate/Machine.v`\n- Trace relation `~`: definition `traces_shift_each_other_option` in `Common/RenamingOption.v`\n- Compilation function `↓`: function `compile_program` in `S2I/Compiler.v`\n- Step relation `⇝`: definitions `kstep` in `Source/CS.v`; `step_non_inform` for non-data-flow semantics and `step` for data-flow semantics in `Intermediate/CS.v`\n- Reflexive transitive closure `^*`: inductive `star` in `CompCert/Smallstep.v`\n- Interaction (non-data-flow) events `e`: definition `event` in `CompCert/Events.v`\n- Memory `Mem` or `mem`: Module `Memory` in `Common/Memory.v`\n- Component memory `cMem`: Module `ComponentMemory` in `Common/Memory.v`\n- Source (SafeP) expressions `exp`: definition `expr` in `Source/Language.v`\n- Target (Mach) instructions `instr`: definition `instr` in `Intermediate/Machine.v`\n- Values `v`: definition `value` in `Common/Values.v`\n- Removal of all internal data-flow events `remove_df`: function `project_non_inform` in `Common/TracesInform.v`\n- Back-translation `mimicking_state` invariant: definition `well_formed_state` in `Source/Definability.v`\n- Back-translation of a data-flow event: definition `expr_of_event` in `Source/Definability.v`\n- Trace concatenation `++`: function `Eapp` in `CompCert/Events.v`\n- Border-state relation `state_rel_border`: definition `mergeable_border_states` in `Intermediate/RecompositionRelCommon.v`\n- \"Is executing in\" relation: `is_program_component` and `is_context_component` in `Intermediate/CS.v`\n\n## License ##\n- This code is licensed under the Apache License, Version 2.0 (see `LICENSE`)\n- The code in the `CompCert` dir is adapted based on files in the\n  `common` and `lib` dirs of CompCert and is thus dual-licensed under\n  the INRIA Non-Commercial License Agreement and the GNU General\n  Public License version 2 or later (see 
`CompCert/LICENSE`)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecure-compilation%2Fsecureptrs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecure-compilation%2Fsecureptrs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecure-compilation%2Fsecureptrs/lists"}