Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Slides:



Advertisements
Similar presentations
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Advertisements

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
© Chinese University, CSE Dept. Software Engineering / Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Java Applet Security Diana Dong CS 265 Spring 2004.
01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
The Alta Operating System Patrick Tullmann Masters Thesis Defense University of Utah.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
CS 268: Active Networks Ion Stoica May 6, 2002 (* Based on David Wheterall presentation from SOSP ’99)
CS 501: Software Engineering Fall 2000 Lecture 16 System Architecture III Distributed Objects.
Proofs, Types, and Safe Mobile Code CoS 598E David Walker.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
Capriccio: Scalable Threads for Internet Services Rob von Behren, Jeremy Condit, Feng Zhou, Geroge Necula and Eric Brewer University of California at Berkeley.
Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.
Slide 1 ISTORE: System Support for Introspective Storage Appliances Aaron Brown, David Oppenheimer, and David Patterson Computer Science Division University.
1 Janos Patrick Tullmann Flux Research Group University of Utah.
CS884 (Prasad)Java Goals1 “Perfect Quote” You know you've achieved perfection in design, Not when you have nothing more to add, But when you have nothing.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
Secure Execution of Untrusted Code
Eric Keller, Evan Green Princeton University PRESTO /22/08 Virtualizing the Data Plane Through Source Code Merging.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 7 OS System Structure.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Intrusion Tolerant Software Architectures Bruno Dutertre, Valentin Crettaz, Victoria Stavridou System Design Laboratory, SRI International
School of Computer Science & Information Technology G6DICP Introduction to Computer Programming Milena Radenkovic.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
Compressed Abstract Syntax Trees as Mobile Code Christian H. Stork Vivek Haldar University of California, Irvine.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 1 Course Overview July 10, 2001 Lipari School on Foundations of.
Department of Computer Science and Software Engineering
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004.
CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:
Language Based Operating Systems by Sean Olson What is a virtual machine? What is managed code? Kernels. Memory and security models. What is a language.
BPF+ Exploiting Global Data-flow Optimization in a Packet Filter Architecture Andrew Begel, Steven McCanne, Susan L. Graham University of California, Berkeley.
Types for Programs and Proofs
State your reasons or how to keep proofs while optimizing code
TRUST:Team for Research in Ubiquitous Secure Technologies
Security in Java Real or Decaf? cs205: engineering software
The Design & Implementation of Hyperupcalls
Lecture 19: Proof-Carrying Code Background just got here last week
Interpreting Java Program Runtimes
Presentation transcript:

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Why Programmable APIs Pros: –Standardize “how” not “what” (mechanism vs. policy) –Easy to customize functionality & performance Move the computation closer to the data –Richer API Cons: Security risks? Performance degradation? More complex system Bigger trusted infrastructure ? Harder (impossible?) to predict global behavior Programming language technology can help

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Safety Through Run-Time Checking native code host untrusted client app. code compiler Hardware memory protection / Interpreter / Monitor run-time aborts big and complex verified? No way! limited safety policy run-time is too late! expensive constrained data representation

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Software Safety: Java Javac JVM slow Java app. code Java byte code Java Verifier host untrusted client Limited, fixed safety policy JIT still slow! native code still big and complex (and buggy?) not verified

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Our Idea: Proof-Carrying Code (PCC) Use static checking for both safety and performance Static checking is possible (and in fact easy) if the client supplies evidence attesting to the safety of the code For an important class of properties, the evidence can be produced by a client-side compiler

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Proof-Carrying Code (PCC) host untrusted client formal safety policy application code Certifying compiler optimized native code proof Proof checker CPU automated support in a familiar tool small & tamper- proof simple, small, & fast safety with maximum performance Flexible, customizable safety policies

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 What You Can Do With PCC Any property with an adequate formalism can be enforced –if you can prove it, PCC can check it! One proof-checker for all policies! –Small commitment for open-ended flexibility Example: safety policies defined by safe interpreters –E.g, security monitors, memory safety, resource usage limits, … –The interpreter need not be directly implementable! E.g, a pointer points to a null-terminated string … can be enforced statically with PCC –The proof says that all run-time checks will succeed –No run-time penalty –No data representation constraints –Effective enforcement of timing constraints

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Beyond Memory Safety Example: database with multi-level access control accessrouteprice agent Safety policy : –host invokes the agent with: security clearance level –route and price fields readable only if access <= level parent –communication permitted only back to parent –must terminate within MAX instructions –wait BNDW * SIZE instructions before sending SIZE bytes –Proofs are bigger now (300% of code) fare pricing server level parent PCC is not limited to memory safety!

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experience with PCC Producing the proofs of safety is generally hard But can be automated in certain cases –E.g., Type safety, monitor-based safety policies Automation idea for type safety: –start with a type-safe language –the proof exists at source level; just preserve it! –Compile the proof while compiling the code Experimental results for a safe-C compiler –Speed of code on par with traditional optimizing compilers –Proofs are 10%-40% the size of the code –Proof checking is fast (~ 100Kb/s) –Checker + machine code parser is small (~50Kb for x86) –A certifying compiler for Java is being built by Cedilla Systems

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Conclusions The is a need for system extensibility without sacrificing safety and performance Programming language technology can provide all of these in a small and flexible package –Type safety for optimized machine code is here –More research is needed to automate proof generation for more complex safety policies Try proof-carrying code online –

Supplemental Slides

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Touchstone vs. C Compilers Touchstone has the extra burden of removing bounds checks Certifying compilation and PCC coexist with optimizations!

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Proof Sizes Geometric means: –proofs are 20% of code –invariant annotations are 20% of code

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experiment: Network Packet Filters OS kernel user process space network monitoring application network packet filter Safety policy: packet read only no loops Wrote filters using: Touchstone + PCC Modula-3 SFI (sandboxing) BPF (interpreter)

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Packet Filters PCC filters are safe and fast –10x interpretation, 2x Modula-3, 1.3x sandboxing –PCC can certify even hand-optimized packets! Proof sizes and checking times are small –proof overhead: 20% (smaller than signatures !) –proof checking time: 1-3ms (amortized quickly)

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Minimal-Cooperation PCC Safety policy Certifying Compiler Theorem Prover VC Generator Proof Checker Client Host Proof Invar Code Source Logic Code VC

George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Firewall-based PCC Safety policy Certifying Compiler Theorem Prover VC Generator Proof Checker Client Firewall Proof Invar Code Source Logic Code VC Host within enclave Code

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.