The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Individual Position Slides: Jonathan Katz (University of Maryland) (Apologies I can’t be here in person)
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Automated Soundness Proofs for Dataflow Analyses and Transformations via Local Rules Sorin Lerner* Todd Millstein** Erika Rice* Craig Chambers* * University.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.
Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Automatically Proving the Correctness of Compiler Optimizations Sorin Lerner Todd Millstein Craig Chambers University of Washington.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.
Proofs, Types, and Safe Mobile Code CoS 598E David Walker.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
/191 Typed Compilation of Objects Andrew McCreight and Zhong Shao FLINT Project Yale University.
Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
1 Programming Languages Translation  Lecture Objectives:  Be able to list and explain five features of the Java programming language.  Be able to explain.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
CS 104 Introduction to Computer Science and Graphics Problems Software and Programming Language (2) Programming Languages 09/26/2008 Yang Song (Prepared.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Secure Execution of Untrusted Code
Java Virtual Machine Java Virtual Machine A Java Virtual Machine (JVM) is a set of computer software programs and data structures that use.
Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
1 New Development Techniques: New Challenges for Verification and Validation Mats Heimdahl Critical Systems Research Group Department of Computer Science.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
An overview of Coq Xinyu Feng USTC Erasmus Mundus NordSecMob Scholar at DTU.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell.
Compressed Abstract Syntax Trees as Mobile Code Christian H. Stork Vivek Haldar University of California, Irvine.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 1 Course Overview July 10, 2001 Lipari School on Foundations of.
Semantics In Text: Chapter 3.
Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)
Code-Carrying Theory Aytekin Vargun Rensselaer Polytechnic Institute.
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004.
CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:
Types for Programs and Proofs
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
Lecture 1: Introduction to JAVA
State your reasons or how to keep proofs while optimizing code
Proof-Transforming Compilation of Programs with Abrupt Termination
A Trustworthy Proof Checker
Language-based Security
Lecture 19: Proof-Carrying Code Background just got here last week
Lecture 13: Proof-Carrying Code Background just got here last week
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
An overview of Coq.
Presentation transcript:

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

How to deal with Untrusted Code? How can the host system ensure that the untrusted code will not damage it, for example, by corrupting internal data structures? How can the host ensure that the untrusted code will not use too many resources (such as CPU, memory, and so forth) or use them for too long a time period? How can the host make these assurances without undue effort and negative effect on overall system performance?

Proof Carrying Code Proof-Carrying Code is a technique by which the host establishes a set of safety rules that guarantee safe behavior of programs. The code producer creates a formal safety proof that proves, for the untrusted code, adherence to the safety rules. Then, the host is able to use a simple and fast proof validator to check, with certainty, that the proof is valid and hence the foreign code is safe to execute.

High Level Overview – Proof Carrying Code A code producer sends a program and its safety proof to a code consumer –A certifying compiler constructs the program and proof –A proof checker checks them against a security policy Program Proof Code Consumer Proof Checker Security Policy Code Producer Certifying Compiler

PCC Process The source program is compiled to machine code annotated with loop invariants and with some other annotations. The annotated machine code is passed through the Verification Condition Generator (VCGen) that verifies the well-formedness of the code (such as that the branch targets are within the code segment) and emits a verification condition (VC). The verification condition is a predicate that is provable only if the code meets the safety policy.

PCC Process The verification condition is passed to a theorem prover that finds and emits a proof of it according to the logic requested by the code consumer. The proof is verified to be valid (with respect to the given logic) and to prove the required verification condition. If the proof checking succeeds, the code meets the safety policy and can be safely installed for execution.

The Cartoon Guide to PCC Great! But let me quickly look over the instructions first. Code producerCode consumer My program solves your problem.

The Cartoon Guide to PCC Code producerCode consumer

The Cartoon Guide to PCC Code producerCode consumer This store instruction is dangerous!

The Cartoon Guide to PCC Code producerCode consumer Can you prove that it is always safe?

The Cartoon Guide to PCC Code consumer Can you prove that it is always safe? Yes! Here’s the proof I got from my certifying Java compiler! Code producer

The Cartoon Guide to PCC Code consumerCode producer Your proof checks out.

The Cartoon Guide to PCC Code consumerCode producer I believe you because I believe in logic!

Design & Implementation of an Certifying Compiler Translates programs written in a type-safe subset of C into highly optimized DEC Alpha assembly language programs. Certifier that automatically checks the type safety and memory safety of any assembly language program produced by the compiler. Certifier produced a formal proof that can be used by the code consumer to ensure safe code

Overview of Certifying Compiler Code annotations assist certifier to verify type safety and memory safety Type specifications declare the type of argument and result register for every function in the code.

Inside the Certifier VCGen creates a safety predicate for each function. Prover produces a formal proof of the predicate Proof checker validates the proof Certifier could be used for other properties, other than memory and type safety.

Sample Code

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker Ok CPU VCGen Verification Condition Safety Policy Safety Proof VCGen Verification Condition Source Code Touchstone Compiler Native Code With AnnotationsPCC

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker No CPU VCGen Verification Condition Safety Policy Safety Proof VCGen Verification Condition (may change) Source Code Touchstone Compiler Tampered Native Code With Annotations Hacker  Tampered Code is not delivered to the CPU But safety is still guaranteed if the code is modified in such a way that the VC is unchanged PCC Tampered

Sample Proof First rule states that it is safe to read an element of an array if its index is within the array boundaries Second rule states that the result of the read operation has the type of the array elements Proves that assembly language program is safe (memory)

Benchmarks

Certifying Compiler for Java - 2 nd paper Optimized compiler Special J that compiles java bytecodes into target code for x86 architecture Implement a certifier for a large subset of the Java language PCC binaries are of reasonable size and can be checked rapidly by a small proof checker PCC & Certifying compilers are scalable

Annotations Architecture Code producerCode Consumer Java binary Proof generator Proof checker VCGen Axioms Certifying compiler VCGen VC Native code Proof VC

VC Generation - Detailed Checks code that could violate safety policy and produces proof obligations movl 4(%eax), %ebx  Assembly Inst. Saferd4 (add eax 4)  proof obligation

VC Generation - Loops When VCGen finds annotation below: ANN_LOOP (INV=P, MODREG=R)

VC Generation

PCC Architecture Details Host only needs VC Generator and Proof Checker – Small TCB VC GEN = 23K lines (C) Proof Checker = 1.4K lines (C)

Benchmarks

Online Demo George Necula’s Touchstone Demo ccdemo.html

PCC Advantages Great for mobile code, consumer only has to run a small proof checking process. Burden shifted to producer. No cryptography of third party checks required Code is verified before execution, therefore don’t have to kill processes after acquisition of resources

Issues for Discussion Writing good policies is the hard part – –Better ways to define policies – –Ways to reason about properties of policies – –Ideas for the right policies for different scenarios – –Ways to develop, reason about, and test distributed policies

References -George Necula’s Web Page -Peter Lee’s Web Page -Flexibility and Trustworthiness in Proof-Carrying Code, Andrew Bernard, CMU -Lecture 19. UVA, Proof Carrying Code, David Evans -Some open issues for certifying compilers, Greg Morrisett -Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute

Thank You! Discussion…..

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.