Verified automatic placement of Intel SGX-like enclaves that provides provable security against low-level attackers.

make compiles all proofs.

SImpE is a simplified security-typed calculus that models enclaves. We prove that a well-typed SImpE program has security properties.

• SImpE.v : Model of SImpE syntax, semantics
• SImpE2.v : Model of SImpE2 syntax, semantics, security definitions
• SImpECommon.v : General definitions of security policies and levels, machine model used by SImpE
• SImpE2Adequacy.v : Lemmas about SImpE2 Soudness and Completeness
• SImpE2TypeSystem.v : Lemmas about SImpE2 Well-Typeness Preservation
• SImpESecurity.v : Lemmas about noninterference security of SImpE programs
• SImpE2Helpers.v : Helpers necessary to prove adequacy of SImpE2
• SImpE2SecurityHelpers.v : Helpers necessary to prove security lemmas (preservation and observational equivalence)

The translation scheme takes an ImpS program and produces an ImpE program. ImpS is a security-typed calculus without enclaves. ImpE is a security-typed calculus that models enclaves. We prove that the translation scheme preserves well-typedness.

• ImpE.v : Model of ImpE syntax, semantics, typing
• ImpS.v : Model of ImpS syntax, typing
• Common.v : General definitions of security policies and levels, machine model used by ImpE and ImpS
• Translation.v : A model of the translation scheme and a proof that the translation scheme preserves well-typedness