Lecture 19: Proof-Carrying Code Background just got here last week

Slides:

Advertisements

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Advertisements

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Web sites should always post a privacy policy, where they tell you why they need information from you and what they will do with it. If you're not sure.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

A Type System for Expressive Security Policies David Walker Cornell University.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

SM3121 Software Technology Mark Green School of Creative Media.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Welcome to the wonderful world of……. . A Quick & Easy Guide.  What IS ?  A quick, easy and convenient way to send a letter to friends, family.

© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses! David Evans INFOSEC Malicious Code Workshop San Antonio, 13.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 3: Levels of Abstraction

Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 21: Proof-Carrying Code and.

Operating Systems Security

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.

Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.

CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 18: Malcode Countermeasures.

ICT and the Law Mr Conti. Did you see anything wrong with that? Most people wouldn’t want that sort of information posted in a public place. Why? Because.

Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

INF3110 Group 2 EXAM 2013 SOLUTIONS AND HINTS. But first, an example of compile-time and run-time type checking Imagine we have the following code. What.

Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.

Compilers and Security

(Thunking about Thunks)

Lecture 4: Metacircles Eval Apply David Evans

Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.

Lecture 6: Lambda Calculus

Lecture 4: Evaluation Rules Recursion CS200: Computer Science

Lambda Calculus Revisited

The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction.

State your reasons or how to keep proofs while optimizing code

Matching Logic - A New Program Verification Approach -

Security in Java Real or Decaf? cs205: engineering software

Lecture 14: Blocking and Catching Photons Background

Lecture 8: Security of RSA THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE.

Lecture 21: Crosscutting Aspect-Oriented Programming Background

Lecture 10: The Return of Paco Background just got here last week

Lecture 10: Using Object-Oriented Languages

Lecture 17: Defeating Malcode (Shameless Self-Promotion) Background

Lecture 10: Fixed Points ad Infinitum M.C. Escher, Moebius Ants

David Evans Lecture 19: ||ism I don’t think we have found the right programming concepts for parallel computers yet.

Lecture 13: Proof-Carrying Code Background just got here last week

Lecture 12: Minding your Ps & Qs:

Lecture 14: Mocking Mockingbirds

Lecture 15: Crazy Eddie and the Fixed Points Background

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Group 4: Song Li, Ying Lu, Hexin Wang, and Michael Walker May 1, 2000

Presentation transcript:

David Evans http://www.cs.virginia.edu/~evans Lecture 19: Proof-Carrying Code Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans

University of Virginia CS 551 Menu Proof-Carrying Code Project Group Meetings – check your email Mike Ernst’s Top Gun Talk (3:30) Next Time: Gary McGraw (on smart cards) 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Maze (From http://www.cedillasys.com/pages/tech/technotes/) 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Proof-Carrying Maze (From http://www.cedillasys.com/pages/tech/technotes/) 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Proof-Carrying Code Guarantee properties of untrustworthy code by checking a proof provided by code producer Creating a proof is hard Have to make up invariants, choose cases, pick strategies, etc. Checking a proof is easy Simple mechanical application of rules 12 April 2019 University of Virginia CS 551

Proof-Carrying Code (not to scale) Program Certifying Compiler Object Code Proof Code Producer Code Consumer Object Code Proof Ok Proof Checker Policy CPU 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Certifying Compiler Program Object Code Proof Code Producer Code Consumer Proof Object Code Ok Proof Checker Policy CPU 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Tamper with Code Program Certifying Compiler Object Code Proof Code Producer Wily Hacker Code Consumer Tampered Code Proof No! Proof Checker CPU 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Tamper with Both Program Certifying Compiler Native Code Proof Code Producer Wily P. Hacker Code Consumer Tampered Code Tampered Proof But it means the desired property still holds! No! Ok Proof Checker CPU 12 April 2019 University of Virginia CS 551

What must the proof prove? Safety Policy VCGen Safety Predicate Program Depends on the policy Code consumer must run VCGen (can’t trust proof unless it proves safety predicate) VCGen can be developed from an operational semantics (take CS 655) 12 April 2019 University of Virginia CS 551

Have we seen anything like this? Java Bytecode Verifier is a simple instance of PCC: Bytecodes include extra information on typing, stack use, etc. Bytecode verifier checks it to enforce low-level code safety properties 12 April 2019 University of Virginia CS 551

Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses! David Evans www.cs.virginia.edu/~evans/ INFOSEC Malicious Code Workshop San Antonio, 13 January 2000 University of Virginia Department of Computer Science Charlottesville, VA

University of Virginia CS 551 Analogy: Security Cryptography Fun to do research in, lots of cool math problems, opportunities to dazzle people with your brilliance, etc. But, 99.9999% of break ins do not involve attack on sensible cryptography Guessing passwords and stealing keys Back doors, buffer overflows Ignorant implementers choosing bad cryptography [Netscape Navigator Mail] 12 April 2019 University of Virginia CS 551

Structure of Argument Low-level code safety (isolation) is the wrong focus Agree Disagree PCC is not a realistic solution for the real problems in the foreseeable future PCC is not the most promising solution for low-level code safety Lots of useful research and results coming from PCC, but realistic solution to malicious code won’t be one of them. 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Low-level code safety Type safety, memory safety, control flow safety [Kozen98] All high-level code safety depends on it Many known pretty good solutions: separate processes, SFI, interpreter Very few real attacks exploit low-level code safety vulnerabilities One exception: buffer overflows Many known solutions to this Just need to sue vendors to get them implemented 12 April 2019 University of Virginia CS 551

High-Level Code Safety Enforcement is (embarrassingly) easy Reference monitors (since 1970s) Can enforce most useful policies [Schneider98] Performance penalty is small Writing good policies is the hard part Better ways to define policies Ways to reason about properties of policies Ideas for the right policies for different scenarios Ways to develop, reason about, and test distributed policies 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Proofs Reference Monitors All possible executions Current execution so far No run-time costs Monitoring and calling overhead Checking integrated into code Checking separate from code Excruciatingly difficult Trivially easy Vendor sets policy Consumer sets policy 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Fortune Cookie “That which be proved cannot be worth much.” Fortune cookie quoted on Peter’s web page must can True for all users True for all executions Exception: Low-level code safety 12 April 2019 University of Virginia CS 551

Reasons you might prefer PCC Run-time performance? Amortizes additional download and verification time only rarely SFI Performance penalty: ~5% If you care, pay $20 more for a better processor or wait 5 weeks Smaller Trusted Computing Base? Not really smaller: twice as big as SFI (Touchstone VCGen+checker – 8300 lines / MisFiT x86 SFI implementation – 4500 lines) You are a vendor who cares more about quality than time to market Not really PCC (not across a trust boundary) 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 PCC Summary Code producer provides a checkable proof of desired property Code consumer verifies the proof Can use invariants, type hints, etc. but must not assume they are true Help direct the checker to construct a proof quickly Take CS655 if you want to understand how it works Enables optimizations not possible without proof Enables guarantees not possible without proof (lack of run-time errors) 12 April 2019 University of Virginia CS 551

University of Virginia CS 551 Charge Mike Ernst’s Talk: 009 “Dynamically Detecting Likely Program Invariants” Read Intrusion Detection Paper Check email – need to schedule project meetings before Thanksgiving 12 April 2019 University of Virginia CS 551