Functional Programming for Securing Cloud and Embedded Environments
Doctoral thesis, 2024

The ubiquity of digital systems across all aspects of modern society, while beneficial, has simultaneously exposed a lucrative attack surface to adversaries. Consequently, securing digital systems is of critical importance. In this dissertation, we address the security concerns of two classes of digital systems: (i) cloud systems, which co-locate multiple applications and rely on a large trusted code base for software virtualisation, and (ii) embedded systems, resource-constrained environments that typically employ unsafe programming languages for application development.

The thesis underlying our dissertation is that digital systems can be protected from a wide range of critical attacks by employing functional programming-based techniques, ensuring software isolation in the cloud, and facilitating high-level, declarative and memory-safe abstractions in embedded systems. Our approach is to employ programming language tools, specifically functional programming, which builds software by composing pure functions and avoids shared state, mutable data and side effects, to enhance the security of both cloud and embedded systems. For cloud systems, we use functional programming abstractions to partition security-critical software into compartmentalised structures that use modern hardware protection mechanisms such as Trusted Execution Environments (TEEs) for software isolation. For embedded systems, we present high-level functional programming constructs that raise the level of abstraction and provide safety features for resource-constrained embedded systems. The dissertation is organised into two parts.

Part I introduces two successive versions of a domain-specific language (DSL) designed for programming TEEs, such as Intel SGX. TEEs isolate applications from low-level system software with large codebases, such as operating systems and hypervisors, thereby minimising the trusted computing base and reducing the resultant attack surface of cloud applications. Broadly, the DSL contributes the following: (1) it facilitates automatic type-based program partitioning between trusted and untrusted code, (2) it supports dynamic information flow control mechanisms for ensuring data confidentiality, (3) it integrates with an automated remote attestation framework to preserve TEE integrity, and (4) it offers a tierless programming model that helps avoid the errors that arise in multi-tier confidential computing applications, which otherwise require adherence to complex data exchange protocols.

Evaluations for Part I involve expressing confidential computing applications, such as (i) a privacy-preserving federated learning application, (ii) an encrypted password wallet, and (iii) a data-clean room design pattern for multiple parties to conduct data analytics.
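The following sketch, added here as an illustration and not HasTEE's own API, shows the idea behind contributions (1) and (2) on the password-wallet example: enclave and client code are separated by type, and the only bridge between them (`gateway`, a hypothetical name) accepts only results whose type the type checker can prove to be public. The sketch uses static type-level labels for brevity, whereas the DSL described above uses dynamic information flow control; all type and function names are assumptions of the sketch.

```haskell
{-# LANGUAGE DataKinds, KindSignatures, FlexibleInstances #-}
-- Added illustration, not HasTEE's own code: a minimal enclave/client split
-- for a password wallet where the type checker decides what may leave the TEE.
module Main (main) where

import Data.IORef
import qualified Data.Map.Strict as M

-- Confidentiality labels, used as type-level tags (DataKinds).
data Label = Public | Secret

-- A value tagged with a static label. In a real DSL this constructor would be
-- hidden from client modules; here the label alone does the work.
newtype Labeled (l :: Label) a = Labeled a

-- The two tiers of the application. `Enclave` code runs inside the TEE,
-- `Client` code on the untrusted host.
newtype Enclave a = Enclave { runEnclave :: IO a }
newtype Client  a = Client  { runClient  :: IO a }

instance Functor Enclave where fmap f (Enclave m) = Enclave (fmap f m)
instance Applicative Enclave where
  pure = Enclave . pure
  Enclave f <*> Enclave x = Enclave (f <*> x)
instance Monad Enclave where Enclave m >>= k = Enclave (m >>= runEnclave . k)

instance Functor Client where fmap f (Client m) = Client (fmap f m)
instance Applicative Client where
  pure = Client . pure
  Client f <*> Client x = Client (f <*> x)
instance Monad Client where Client m >>= k = Client (m >>= runClient . k)

-- Only `Exportable` results may cross the enclave boundary. There is
-- deliberately no instance for `Labeled 'Secret a`.
class Exportable a where
  serialise :: a -> String
instance Exportable () where serialise _ = "()"
instance Exportable Bool where serialise = show
instance Exportable a => Exportable (Labeled 'Public a) where
  serialise (Labeled x) = serialise x

-- The single bridge from untrusted to trusted code (in a real system this is
-- an ECALL plus serialisation; here it is a plain IO call).
gateway :: Exportable a => Enclave a -> Client a
gateway (Enclave m) = Client m

-- Explicit declassification is only available to enclave code.
declassify :: Labeled 'Secret a -> Enclave (Labeled 'Public a)
declassify (Labeled x) = pure (Labeled x)

-- Enclave state: a wallet whose entries are Secret.
type Wallet = IORef (M.Map String (Labeled 'Secret String))

newWallet :: IO Wallet
newWallet = newIORef M.empty

storePassword :: Wallet -> String -> String -> Enclave ()
storePassword w site pw = Enclave (modifyIORef' w (M.insert site (Labeled pw)))

-- Compare inside the enclave; only the Boolean verdict is declassified.
checkPassword :: Wallet -> String -> String -> Enclave (Labeled 'Public Bool)
checkPassword w site guess = do
  m <- Enclave (readIORef w)
  case M.lookup site m of
    Nothing           -> pure (Labeled False)
    Just (Labeled pw) -> declassify (Labeled (pw == guess))

-- Would hand out the raw secret; its type says so.
readRaw :: Wallet -> String -> Enclave (Maybe (Labeled 'Secret String))
readRaw w site = Enclave (M.lookup site <$> readIORef w)

-- Client tier: may only reach the enclave through `gateway`.
clientApp :: Wallet -> Client (Bool, Bool)
clientApp w = do
  gateway (storePassword w "example.org" "correct horse battery staple")
  Labeled ok  <- gateway (checkPassword w "example.org" "correct horse battery staple")
  Labeled bad <- gateway (checkPassword w "example.org" "hunter2")
  -- leak <- gateway (readRaw w "example.org")
  --   rejected by GHC: No instance for Exportable (Maybe (Labeled 'Secret String))
  pure (ok, bad)

main :: IO ()
main = do
  w <- newWallet
  r <- runClient (clientApp w)
  print r
```

Compile with a stock GHC (`containers` ships with it). Uncommenting the `readRaw` call in `clientApp` turns the attempted leak into a compile-time error, which is the partitioning guarantee in miniature: the untrusted tier cannot even express a program that pulls secret-labelled data out of the enclave.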

Part II contributes a functional language runtime and a functional reactive programming language targeting embedded systems, with the goal of raising the level of abstraction and ensuring memory and type safety. The runtime offers a unified message-passing framework for handling both software messages and hardware interrupts, along with a novel timing operator to capture the notion of time. This allows classical (1) concurrent, (2) I/O-bound, and (3) timing-aware embedded systems applications to be expressed in a declarative manner. The reactive programming language, in turn, is a declarative, pure functional language built on top of the runtime; it tracks unique side effects in its type system using a feature called resource types.
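To make the unified message-passing idea concrete, here is an added simulation in plain Haskell (STM from the `stm` boot library). It is not Synchron's or Hailstorm's code: the `Event` type, the `syncT` operator and the ordering of alternatives are assumptions of the sketch. A simulated interrupt source and a software task post to the same event type, and one operator waits for either source or a deadline, so the three classical application kinds (concurrent, I/O-bound, timing-aware) become one declarative choice.

```haskell
-- Added illustration, not Synchron's own API: hardware interrupts and
-- software messages as one event type, selected with a deadline.
module Main (main) where

import Control.Concurrent (forkIO, threadDelay)
import Control.Concurrent.STM
import Control.Monad (replicateM, forM_)

-- Every input source is a message. An ISR would post an `Irq` exactly as a
-- software task posts a `Msg`; the handler cannot tell the mechanisms apart.
data Event = Irq Int        -- e.g. a GPIO line number (constructed sample)
           | Msg String     -- a software message
           | Timeout        -- the deadline passed with nothing to do
  deriving (Eq, Show)

type Mailbox = TQueue Event

-- Wait for the next event from either source, or give up after `deadlineUs`
-- microseconds. `registerDelay` flips a TVar when the delay expires, so the
-- timeout is just a third alternative of the same `orElse` choice.
-- Interrupts are tried first, so they take priority over software messages
-- (a design choice of this sketch).
syncT :: Int -> Mailbox -> Mailbox -> IO Event
syncT deadlineUs irqs msgs = do
  expired <- registerDelay deadlineUs
  atomically $ readTQueue irqs
         `orElse` readTQueue msgs
         `orElse` (readTVar expired >>= check >> pure Timeout)

-- Simulated interrupt source: GPIO line 3 fires twice, 2 ms apart.
isr :: Mailbox -> IO ()
isr irqs = forM_ [1 :: Int, 2] $ \_ -> do
  threadDelay 2000
  atomically (writeTQueue irqs (Irq 3))

-- Simulated software task: posts one message after 1 ms.
task :: Mailbox -> IO ()
task msgs = threadDelay 1000 >> atomically (writeTQueue msgs (Msg "sensor-ready"))

-- Pure handler: the only place application logic lives.
handle :: Event -> String
handle (Irq n) = "interrupt on line " ++ show n
handle (Msg s) = "message: " ++ s
handle Timeout = "deadline missed"

-- Run n iterations of the event loop with a 5 ms deadline each.
run :: Int -> IO [Event]
run n = do
  irqs <- newTQueueIO
  msgs <- newTQueueIO
  _ <- forkIO (isr irqs)
  _ <- forkIO (task msgs)
  replicateM n (syncT 5000 irqs msgs)

main :: IO ()
main = run 4 >>= mapM_ (putStrLn . handle)
```

With the delays chosen above, the loop typically sees the software message first, then the two interrupts, and the fourth iteration reports a missed deadline because no source posts anything within 5 ms of it; the exact interleaving depends on the host scheduler, which is precisely the nondeterminism a deterministic embedded runtime with a timing operator is designed to pin down.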

Evaluations for Part II ran the language and runtime on microcontroller boards such as the nRF52, STM32 and GRiSP, microbenchmarking resource-efficiency parameters including memory footprint, garbage-collection latency, throughput, jitter and interpretive overhead, and demonstrating acceptable overheads.

The programming artifacts resulting from this dissertation comprise the HasTEE and HasTEE+ DSLs for programming TEEs, the Synchron C99-based portable embedded systems runtime, and the Hailstorm reactive programming language for embedded systems. All these programming artifacts are made publicly available, along with the evaluation procedures, encouraging further experiments in securing both cloud and embedded systems.

Keywords: trusted execution environment, real time, functional programming, runtime, information flow control, microcontrollers, functional reactive programming

HB2, Hörsalsvägen 8, 412 58
Opponent: Prof. Anil Madhavapeddy, University of Cambridge, UK.

Author

Abhiroop Sarkar

Chalmers, Computer Science and Engineering (Chalmers), Functional Programming

HasTEE - Programming Trusted Execution Environments with Haskell

Haskell 2023 - Proceedings of the 16th ACM SIGPLAN International Symposium on Haskell, co-located with ICFP 2023 (2023), pp. 72-88

Paper in proceeding

Sarkar A, Russo A. HasTEE+: Confidential Cloud Computing and Analytics with Haskell

Synchron - An API and Runtime for Embedded Systems

Leibniz International Proceedings in Informatics (LIPIcs), Vol. 222 (2022), pp. 17:1-17:28

Paper in proceeding

Hailstorm : A Statically-Typed, Purely Functional Language for IoT Applications

ACM International Conference Proceeding Series (2020)

Paper in proceeding

The growing adoption of software in every aspect of modern society, while enhancing productivity, has also opened up a lucrative attack surface for malicious actors to cause wide-scale societal damage. This stems from the fundamental design of our software stacks, which are constructed as a trusted tower of abstractions involving complex low-level software such as hypervisors, operating systems, firmware and drivers. Attackers exploit a programmer's trust in these bloated low-level software stacks to execute sophisticated attacks, compromising the safety and security of software running in the cloud and in embedded environments.

This dissertation addresses the fundamental issue of trust in software through a domain-specific functional programming language. The language employs a combination of specialised hardware isolation technologies and cryptographic techniques to remove the tower of low-level software abstractions from the programmer's trusted code base, enabling software to be constructed for malicious cloud environments. Furthermore, in the realm of embedded systems, we introduce a high-level functional programming language and runtime, raising the level of abstraction at which these systems are programmed and significantly reducing common memory-, type- and temporal-safety vulnerabilities. We hope that the contributions of this dissertation will pave the way for further research in which the robust security guarantees of our proposed functional languages are integrated with emerging hardware- and software-based security techniques, enabling the construction of safer and more secure digital systems.

Octopi: Secure Programming for the Internet of Things

Swedish Foundation for Strategic Research (SSF), 2018-05-01 -- .

Subject Categories

Computer Engineering

Computer and Information Science

Areas of Advance

Information and Communication Technology

ISBN

978-91-8103-026-6

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5484

Publisher

Chalmers


More information

Latest update

3/15/2024