Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 19: Proof-Carrying Code Background just got here last week

Published byErlin Setiawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 19: Proof-Carrying Code Background just got here last week"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans
Lecture 19: Proof-Carrying Code Background just got here last week finished degree at MIT week before Philosophy of advising students don’t come to grad school to implement someone else’s idea can get paid more to do that in industry learn to be a researcher important part of that is deciding what problems and ideas are worth spending time on grad students should have their own project looking for students who can come up with their own ideas for research will take good students interested in things I’m interested in – systems, programming languages & compilers, security rest of talk – give you a flavor of the kinds of things I am interested in meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on CS551: Security and Privacy University of Virginia Computer Science David Evans

2 University of Virginia CS 551
Menu Proof-Carrying Code Project Group Meetings – check your Mike Ernst’s Top Gun Talk (3:30) Next Time: Gary McGraw (on smart cards) 12 April 2019 University of Virginia CS 551

3 University of Virginia CS 551
Maze (From 12 April 2019 University of Virginia CS 551

4 University of Virginia CS 551
Proof-Carrying Maze (From 12 April 2019 University of Virginia CS 551

5 University of Virginia CS 551
Proof-Carrying Code Guarantee properties of untrustworthy code by checking a proof provided by code producer Creating a proof is hard Have to make up invariants, choose cases, pick strategies, etc. Checking a proof is easy Simple mechanical application of rules 12 April 2019 University of Virginia CS 551

6 Proof-Carrying Code (not to scale)
Program Certifying Compiler Object Code Proof Code Producer Code Consumer Object Code Proof Ok Proof Checker Policy CPU 12 April 2019 University of Virginia CS 551

7 University of Virginia CS 551
Certifying Compiler Program Object Code Proof Code Producer Code Consumer Proof Object Code Ok Proof Checker Policy CPU 12 April 2019 University of Virginia CS 551

8 University of Virginia CS 551
Tamper with Code Program Certifying Compiler Object Code Proof Code Producer Wily Hacker Code Consumer Tampered Code Proof No! Proof Checker CPU 12 April 2019 University of Virginia CS 551

9 University of Virginia CS 551
Tamper with Both Program Certifying Compiler Native Code Proof Code Producer Wily P. Hacker Code Consumer Tampered Code Tampered Proof But it means the desired property still holds! No! Ok Proof Checker CPU 12 April 2019 University of Virginia CS 551

10 What must the proof prove?
Safety Policy VCGen Safety Predicate Program Depends on the policy Code consumer must run VCGen (can’t trust proof unless it proves safety predicate) VCGen can be developed from an operational semantics (take CS 655) 12 April 2019 University of Virginia CS 551

11 Have we seen anything like this?
Java Bytecode Verifier is a simple instance of PCC: Bytecodes include extra information on typing, stack use, etc. Bytecode verifier checks it to enforce low-level code safety properties 12 April 2019 University of Virginia CS 551

12 Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses!
David Evans INFOSEC Malicious Code Workshop San Antonio, 13 January 2000 University of Virginia Department of Computer Science Charlottesville, VA

13 University of Virginia CS 551
Analogy: Security Cryptography Fun to do research in, lots of cool math problems, opportunities to dazzle people with your brilliance, etc. But, % of break ins do not involve attack on sensible cryptography Guessing passwords and stealing keys Back doors, buffer overflows Ignorant implementers choosing bad cryptography [Netscape Navigator Mail] 12 April 2019 University of Virginia CS 551

14 Structure of Argument Low-level code safety (isolation) is the wrong focus Agree Disagree PCC is not a realistic solution for the real problems in the foreseeable future PCC is not the most promising solution for low-level code safety Lots of useful research and results coming from PCC, but realistic solution to malicious code won’t be one of them. 12 April 2019 University of Virginia CS 551

15 University of Virginia CS 551
Low-level code safety Type safety, memory safety, control flow safety [Kozen98] All high-level code safety depends on it Many known pretty good solutions: separate processes, SFI, interpreter Very few real attacks exploit low-level code safety vulnerabilities One exception: buffer overflows Many known solutions to this Just need to sue vendors to get them implemented 12 April 2019 University of Virginia CS 551

16 High-Level Code Safety
Enforcement is (embarrassingly) easy Reference monitors (since 1970s) Can enforce most useful policies [Schneider98] Performance penalty is small Writing good policies is the hard part Better ways to define policies Ways to reason about properties of policies Ideas for the right policies for different scenarios Ways to develop, reason about, and test distributed policies 12 April 2019 University of Virginia CS 551

17 University of Virginia CS 551
Proofs Reference Monitors All possible executions Current execution so far No run-time costs Monitoring and calling overhead Checking integrated into code Checking separate from code Excruciatingly difficult Trivially easy Vendor sets policy Consumer sets policy 12 April 2019 University of Virginia CS 551

18 University of Virginia CS 551
Fortune Cookie “That which be proved cannot be worth much.” Fortune cookie quoted on Peter’s web page must can True for all users True for all executions Exception: Low-level code safety 12 April 2019 University of Virginia CS 551

19 Reasons you might prefer PCC
Run-time performance? Amortizes additional download and verification time only rarely SFI Performance penalty: ~5% If you care, pay $20 more for a better processor or wait 5 weeks Smaller Trusted Computing Base? Not really smaller: twice as big as SFI (Touchstone VCGen+checker – 8300 lines / MisFiT x86 SFI implementation – 4500 lines) You are a vendor who cares more about quality than time to market Not really PCC (not across a trust boundary) 12 April 2019 University of Virginia CS 551

20 University of Virginia CS 551
PCC Summary Code producer provides a checkable proof of desired property Code consumer verifies the proof Can use invariants, type hints, etc. but must not assume they are true Help direct the checker to construct a proof quickly Take CS655 if you want to understand how it works Enables optimizations not possible without proof Enables guarantees not possible without proof (lack of run-time errors) 12 April 2019 University of Virginia CS 551

21 University of Virginia CS 551
Charge Mike Ernst’s Talk: 009 “Dynamically Detecting Likely Program Invariants” Read Intrusion Detection Paper Check – need to schedule project meetings before Thanksgiving 12 April 2019 University of Virginia CS 551

Download ppt "Lecture 19: Proof-Carrying Code Background just got here last week"

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Web sites should always post a privacy policy, where they tell you why they need information from you and what they will do with it. If you're not sure.

Web sites should always post a privacy policy, where they tell you why they need information from you and what they will do with it. If you're not sure.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.

Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
SM3121 Software Technology Mark Green School of Creative Media.

SM3121 Software Technology Mark Green School of Creative Media.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.

Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.

Similar presentations

Ads by Google