An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

Slides:

Advertisements

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu

Advertisements

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Operating System Security

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

Java Applet Security Diana Dong CS 265 Spring 2004.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee

H Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

Java: History and Introduction (Lecture # 1). History… Java – Based on C and C++ – Developed in 1991 for intelligent consumer electronic devices – Green.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proofs, Types, and Safe Mobile Code CoS 598E David Walker.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.

Extensibility, Safety and Performance in the SPIN Operating System Dave Camarillo.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

A Type System for Expressive Security Policies David Walker Cornell University.

Describing Syntax and Semantics

Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.

Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.

3-1 3 Compilers and interpreters  Compilers and other translators  Interpreters  Tombstone diagrams  Real vs virtual machines  Interpretive compilers.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Your Interactive Guide to the Digital World Discovering Computers 2012.

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Introduction to Java CSIS 3701: Advanced Object Oriented Programming.

CSCI 224 Introduction to Java Programming. Course Objectives  Learn the Java programming language: Syntax, Idioms Patterns, Styles  Become comfortable.

Introduction to Java Kumar Harshit. Objectives ( 목적지 ) At the end of the lesson, the student should be able to: ● Describe the features of Java technology.

Java Introduction Lecture 1. Java Powerful, object-oriented language Free SDK and many resources at

Chapter 1 What is Programming? Lecture Slides to Accompany An Introduction to Computer Science Using Java (2nd Edition) by S.N. Kamin, D. Mickunas, E.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.

Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.

CPRG 215 Introduction to Object-Oriented Programming with Java Module 1-Introduction to Java Topic 1.1 Basics of Java Produced by Harvey Peters, 2008 Copyright.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

CT1513 Introduction To java © A.AlOsaimi.

Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 1 Course Overview July 10, 2001 Lipari School on Foundations of.

Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)

A compiler is a computer program that translate written code (source code) into another computer language Associated with high level languages A well.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004.

This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.

CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:

1 Introduction Read D&D Sec 1.8; Sec 1.13 THE Java tutorial -

Introduction to Programming 1 1 2Introduction to Java.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Introduction to Computers, the Internet and the World Wide Web

Types for Programs and Proofs

Proof Carrying Code and Proof Preserving Program Transformations

Lecture 1: Introduction to JAVA

State your reasons or how to keep proofs while optimizing code

Introduction CSC 111.

A Trustworthy Proof Checker

Lecture 19: Proof-Carrying Code Background just got here last week

Presentation transcript:

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

David Walker - Foundations of Security Motivation Extensible systems can be more flexible and more efficient than client-server interaction client server client-server extensible systems extension host

David Walker - Foundations of Security extensible system Motivation Extensible systems can be more flexible and more efficient than client-server interaction client server client-server extension host

Source: NASA Jet Propulsion Lab Example: Deep-Space Onboard Analysis Bandwidth: < 1KB/sec Latency: > hours Data: > 10MB/sec Note: efficiency (cycles, bandwidth) safety critical operation

David Walker - Foundations of Security More Examples of Extensible Systems Device driver Operating system Applet Web browser Loaded procedure Database server DCOM Component DCOM client … Host Code

David Walker - Foundations of Security Concerns Regarding Extensibility Safety and reliability concerns è How to protect the host from the extensions ? Extensions of unknown origin ) potentially malicious Extensions of known origin ) potentially erroneous Complexity concerns è How can we do this without having to trust a complex infrastructure? Performance concerns è How can we do this without compromising performance? Other concerns (not addressed here) –How to ensure privacy and authenticity? –How to protect the component from the host?

David Walker - Foundations of Security Approaches to Component Safety Digital signatures Run-time monitoring and checking Bytecode verification Proof-carrying code

David Walker - Foundations of Security Assurance Support: Digital Signatures Host Example properties: “Microsoft produced this software” “Verisoft tested the software with test suite 17” LNo direct connection with program semantics LMicrosoft recently recommended that Microsoft be removed from one’s list of trusted code signers Code Checker

David Walker - Foundations of Security Run-Time Monitoring and Checking Host A monitor detects attempts to violate the safety policy and stops the execution –Hardware-enforced memory protection –Software fault isolation (sandboxing) –Java stack inspection Code Monitor JRelatively simple; effective for many properties LEither inflexible or expensive on its own

David Walker - Foundations of Security Java Bytecode Host Checker Code JVM bytecode JRelatively simple; overall an excellent idea LLarge trusted computing base –commercial, optimizing JIT: 200, ,000 LOC –when is the last time you wrote a bug-free 200,000 line program? LJava-specific; somewhat limited policies Code Compiler Code

David Walker - Foundations of Security Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler JFlexible interfaces like the JVM model JSmall trusted computing base (minimum of 3000 LOC) JCan be somewhat more language/policy independent LBuilding an optimizing, type-preserving compiler is much harder than building an ordinary compiler

David Walker - Foundations of Security Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Isn’t it hard, perhaps impossible, to check properties of assembly language?

David Walker - Foundations of Security Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Isn’t it hard, perhaps impossible, to check properties of assembly language? Actually, no, not really, provided we have a proof to guide the checker.

David Walker - Foundations of Security Proof-Carrying Code: An Analogy Legend: code proof

David Walker - Foundations of Security Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hard to generate the proof?

David Walker - Foundations of Security Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hard to generate the proof? Yes. But there is a trick.

David Walker - Foundations of Security PCC + Type-Preserving Compilation Host Checker Code JVM bytecode ProofTypes Code Compiler Types Compiler The trick: we fool the programmer into doing our proof for us! We convince them to program in a typesafe language. We design our compiler to translate the typing derivation into a proof of safety We can always make this work for type safety properties

David Walker - Foundations of Security Good Things About PCC 1.Someone else does the really hard work (the compiler writer) Hard to prove safety but easy to check a proof Research over the last 5-10 years indicates we can produce proofs of type safety properties for assembly language 2.Requires minimal trusted infrastructure Trust proof checker but not the compiler Again, recent research shows PCC TCB can be as small as ~3000 LOC 3.Agnostic to how the code and proof are produced Not compiler specific; Hand-optimized code is Ok 4.Can be much more general than the JVM type system Only limited by the logic that is used (and we can use very general logics) 5.Coexists peacefully with cryptography Signatures are a syntactic checksum Proofs are a semantic checksum (see Appel & Felten’s proof-carrying authorization)

David Walker - Foundations of Security The Different Flavors of PCC Type Theoretic PCC [Morrisett, Walker, et al. 1998] –source-level types are translated into low-level types for machine language or assembly language programs –the proof of safety is a typing derivation that is verified by a type checker Logical PCC [Necula, Lee, 1996, 1997] –low-level types are encoded as logical predicates –a verification-condition generator runs over the program and emits a theorem, which if true, implies the safety of the program –the proof of safety is a proof of this theorem Foundational PCC [Appel et al. 2000] –the semantics of the machine is encoded directly in logic –a type system for the machine is built up directly from the machine semantics and proven correct using a general-purpose logic (eg: higher-order logic) –the total TCB is approximately 3000 LOC

David Walker - Foundations of Security The Common Theme Every general-purpose system for proof carrying code relies upon a type system for checking low- level program safety –why? –building a proof of safety for low-level programs is hard –success depends upon being able to structure these proofs in a uniform, modular fashion –types provide the framework for developing well- structured safety proofs In the following lectures, we will study the low- level typing mechanisms that are the basis for powerful systems of proof carrying code