Modular, Fully-abstract Compilation by Approximate Back-translation

Abstract

A compiler is fully-abstract if the compilation from source language programsto target language programs reflects and preserves behavioural equivalence.Such compilers have important security benefits, as they limit the power of anattacker interacting with the program in the target language to that of anattacker interacting with the program in the source language. Proving compilerfull-abstraction is, however, rather complicated. A common proof technique isbased on the back-translation of target-level program contexts tobehaviourally-equivalent source-level contexts. However, constructing such aback- translation is problematic when the source language is not strong enoughto embed an encoding of the target language. For instance, when compiling fromSTLC to ULC, the lack of recursive types in the former prevents such aback-translation. We propose a general and elegant solution for this problem. The key insightis that it suffices to construct an approximate back-translation. Theapproximation is only accurate up to a certain number of steps and conservativebeyond that, in the sense that the context generated by the back-translationmay diverge when the original would not, but not vice versa. Based on thisinsight, we describe a general technique for proving compiler full-abstractionand demonstrate it on a compiler from STLC to ULC. The proof uses asymmetriccross-language logical relations and makes innovative use of step-indexing toexpress the relation between a context and its approximate back-translation.The proof extends easily to common compiler patterns such as modularcompilation and it, to the best of our knowledge, it is the first compiler fullabstraction proof to have been fully mechanised in Coq. We believe this prooftechnique can scale to challenging settings and enable simpler, more scalableproofs of compiler full-abstraction