SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Proofs, Types, and Safe Mobile Code CoS 598E David Walker.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.
8/14/03ALADDIN REU Symposium Implementing TALT William Lovas with Karl Crary.
Lectures on Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 1 (of 3) June 21-22, 2003 University of Oregon 2004 Summer School on Software.
A Type System for Expressive Security Policies David Walker Cornell University.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
On the Correctness of Model Transformations Gabor Karsai ISIS/Vanderbilt University.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
VeriML DARPA CRASH Project Progress Report Antonis Stampoulis October 5 th, 2012 A language-based, dependently-typed, user-extensible approach to proof.
ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Secure Execution of Untrusted Code
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Framework for the Development and Testing of Dependable and Safety-Critical Systems IKTA 065/ Supported by the Information and Communication.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
Dichotomies: Software Research vs Practice Peter Lee Carnegie Mellon University HCMDSS Workshop, June 2005 Peter Lee Carnegie Mellon University HCMDSS.
An overview of Coq Xinyu Feng USTC Erasmus Mundus NordSecMob Scholar at DTU.
Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
A Certifying Compiler and Pointer Logic Zhaopeng Li Software Security Lab. Department of Computer Science and Technology, University of Science and Technology.
Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
Compressed Abstract Syntax Trees as Mobile Code Christian H. Stork Vivek Haldar University of California, Irvine.
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
Semantics In Text: Chapter 3.
Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Verification & Validation By: Amir Masoud Gharehbaghi
Page 1 Towards a Schedu Capturing OS Expertise in an Event Type System: the Bossa Experience Julia L. Lawall DIKU, University of Copenhagen Joint work.
Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004.
CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:
September 1999Compaq Computer CorporationSlide 1 of 16 Verification of cache-coherence protocols with TLA+ Homayoon Akhiani, Damien Doligez, Paul Harter,
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
Formal Methods: Model Checkers and Theorem Provers
State your reasons or how to keep proofs while optimizing code
An overview of Coq Xinyu Feng USTC.
Types and Type Checking (What is it good for?)
An overview of Coq.
Presentation transcript:

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U

Overview Paper presents a technique allowing kernels to check extension safety –Code receiver defines a set of safety rules that guarantee safe behavior of programs, – Code producer creates a formal safety proof that its code adheres to the safety rules –Code receiver uses a simple and fast proof validator to check that the code is safe

Starting Idea Code Producer Code Consumer Untrusted code Verifies safety of code Good idea but …

Starting Idea Code Producer Code Consumer Untrusted code Verifies safety of code Formally proving the safety of untrusted code requires a large amount of effort

Shift the burden to the producer Code Producer Code Receiver Untrusted code + Safety Proof Validates proof Works better Proves safety of its code

Proof-carrying code Code producer must establish and prove the safety of the code –Attaches proof to code Code consumer only has to validate the proof –Much simpler task

Advantages Code producer does most of the validation work Code consumer does not care how the proofs are constructed PCC programs are tamperproof –Changing the code voids the proof No cryptography No trusted third parties Errors are detected before code is run

Difficulties How to encode the formal proof? How to check the proof? –Not an easy task How to relate the proof with the program?

Implementation Basic elements: –Formal specification language used to express the safety policy –Formal semantics of the language used by the untrusted code –Language used to express the proofs –Algorithm for validating the proofs –Method for generating the safety proofs

Formal Specification Language Expresses the safety policy of the receiver Uses first-order predicate logic extended with predicates for type safety and memory safety

Formal semantics of language Describes the language used by the untrusted code – A logic relating programs to specifications Untrusted code is DEC Alpha machine code – Was at that time the fastest microprocessor

Proof language Variant of Edinburgh Logical Framework (LF) –Essentially a typed lambda calculus –Can easily encode a wide variety of logics, including higher-order logics

Proof validation Simple LF type checker Basic tenet of LF is that proofs are represented as expressions and predicates as types –In order to check the validity of a proof we only need to typecheck its representation

Generating safety proofs Uses a theorem prover –First, the code is scanned by the same verification generator that the consumer uses –Then the predicate is submitted to a theorem prover that attempts to prove that predicate –In case of success, prover emits an LF representation of the proof

Application Machine code implementation of network packet filters Safety policy was focused on fine- grained memory safety Safety proofs were smaller than 800 bytes Required no more than 3ms on a DEC Alpha to be validated.

More details Observe that all four filters are very small

Run time Average per packet runtime of the four PCC packet filters Compared with –BSD Packet Filter Interpreter (will be slow!) –Using software fault isolation –Using a safe subset of Modula 3 plus the VIEW extension for safe pointer casting

BFI is worst!

Conclusion PCC allows server or kernel to interact safely with untrusted code PCC has no runtime overhead for receiver Safety policies are defined by receiver –Much more flexible Too bad that safety proofs are so hard to construct!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.