1. David Evans http://www.cs.virginia.edu/~evans
Lecture 13: Proof-Carrying Code
Background
just got here last week
finished degree at MIT week before
Philosophy of advising students
don’t come to grad school to implement someone else’s idea
can get paid more to do that in industry
learn to be a researcher
important part of that is deciding what problems and ideas are worth spending time on
grad students should have their own project
looking for students who can come up with their own ideas for research
will take good students interested in things I’m interested in – systems, programming languages & compilers, security
rest of talk – give you a flavor of the kinds of things I am interested in
meant to give you ideas (hopefully even inspiration!) but not meant to suggest what you should work on
CS655: Programming Languages
University of Virginia
Computer Science
David Evans

2. University of Virginia CS 655
Menu
Challenge Question Solution (C++ overriding/overloading)
Proof-Carrying Code
My INFOSEC Malicious Code Talk
30 April 2019
University of Virginia CS 655

3. University of Virginia CS 655
Subject: Re: C++: overriding problems!
Date: Sat, 4 Mar :19: (EST)
From: Bjarne Stroustrup
Reply-To: Bjarne Stroustrup
To:
> Delivered-To:
> Date: Fri, 03 Mar :09:
> From: Avneesh Saxena
> X-Accept-Language: en
> MIME-Version: 1.0
> To:
> Subject: C++: overriding problems!
> Content-Transfer-Encoding: 7bit
>
> Sir,
> I am Avneesh, a graduate student in the CS Dept, Univ of Virginia. I am currently taking a course on Programming languages in which we are doing a detailed study of subclassing mechanisms in computer languages. I have learned C++ from your book "The C++ Pgm'ing Language" which is written in a very clear and concise manner. Especially, the concepts are made clear and ambiguties about language features have been discussed and resolved in an appreciable manner.
> However, I have run in a problem while trying to figure out what this code would do: [Unexpected results are noted as comments]
30 April 2019
University of Virginia CS 655

4. University of Virginia CS 655
>
> #include<stdio.h>
> class A {
> public:
> void other() { printf("is an empty func in A\n"); };
> virtual void other(class A *a) { printf("In A\n"); }
> }; //End class
> class B: public A {
> void other(class B *b) { printf("In B\n"); }
> };//End class
> class C: public A {
> void other(class C *c) { printf("In C\n"); }
Your problem is that you think that the two other() function overloads. They don't: functions in different scope do not overload, so when you look at scope C::other(). If you want overloading you'll have to explicitly do so in C.
One simple way of doing so is to say:
using B::other;
in C, but that's a relatively new feature.
30 April 2019
University of Virginia CS 655

5. University of Virginia CS 655
> void main(void) {
> A a; B b; C c;
> A *aPtr = &a;
> B *bPtr = &b;
> C *cPtr = &c;
>
> aPtr = bPtr;
> aPtr->other(bPtr); //prints "in A", whereas we expect it to print
> "In B"
> //bPtr->other(); //Gives an error saying can't find the function
> }//End main
> I have tried to run this code both through GCC v2.8.1 and MS-VC++, which give the same results. It appears that while we would accept other() to be accessible through the derived classes, the compiler doesn't find it.
I think you mean "expect", but you expect wrongly.
> The second (more serious)problem is when other(bPtr) is called, we expect it to execute the function which has been defined in class B as it overrides the function defines in class A as the type of the actual argument matches this more closely; however, it executes the base classes function (circumvents polymorphism!). I tried to check if this behavior was consistent with the language definition but I failed to find anything which would clarify things. So, I am left wondering whether this is a case of the compiler not understanding the language and doing something wrong or is it what the language desires?
The compilers are wrong I suggest a re-read of the sections about
deriving classes in your textbook.
> I hope you will be able to clarify things for me,
> Thanks,
> Avs
30 April 2019
University of Virginia CS 655

6. University of Virginia CS 655
PCC: Basic Idea
Creating a proof is hard
Have to make up invariants, etc.
Checking a proof is easy
Simple mechanical application of rules
Guarantee properties of untrustworthy code by checking a proof provided by code producer
30 April 2019
University of Virginia CS 655

7. University of Virginia CS 655
Proof-Carrying Code
Program
Certifying Compiler
Native Code
Proof
Code Producer
Code Consumer
Native Code
Proof Ok
Proof Checker
Policy
CPU
30 April 2019
University of Virginia CS 655

8. University of Virginia CS 655
Tamper with Code
Program
Certifying Compiler
Native Code
Proof
Code Producer
Wily Hacker
Code Consumer
Tampered Code
Proof
No!
Proof Checker
CPU
30 April 2019
University of Virginia CS 655

9. University of Virginia CS 655
Tamper with Both
Program
Certifying Compiler
Native Code
Proof
Code Producer
Wily P. Hacker
Code Consumer
Tampered Code
Tampered Proof
But it means the
desired property
still holds!
No! Ok
Proof Checker
CPU
30 April 2019
University of Virginia CS 655

10. What must the proof prove?
Safety Policy
VCGen
Safety Predicate
Program
Depends on the policy
Code consumer must run VCGen (can’t trust proof unless it proves safety predicate)
VCGen can be developed from an operational semantics (like you did in PS2)
30 April 2019
University of Virginia CS 655

11. How many PCC systems in active use?2
100
1000
1 Million
10 Million
> 20 Million
Java byte code verifier is
a limited implementation of PCC:
Bytecodes include extra
information on typing,
stack use, etc.
Bytecode verifier checks it to
enforce low-level code
safety properties
Peter Lee claims most linkers are
instances of PCC also.
30 April 2019
University of Virginia CS 655

12. University of Virginia CS 655
UmniVML2
Program::= TypeHint* Statement*
TypeHint::= TYPE MemoryLocation Type
Type::= INTEGER | REF Type
Statement::=
STORE Expression_m Expression_v
Expression_m must have type ref (typeof Expression_v).
| READ Expression
Expression must have type ref (integer).
| WHILE Expression_l <= Expression_r
Expression_l and Expression_r must have type integer.
| ENDWHILE | HALT
| CHECKTYPE Expression Type
Generates a run-time error if type of Expression is not Type.
Expression::=
ADD Expression_1 Expression_2
Expression_1 and Expression_2 must have type integer.
| ADDP Expression_1 Expression_2
Expression_1 must have type ref(T). Expression_2 must have type integer.
| DEREF Expression Expression must have type ref (T).
30 April 2019
University of Virginia CS 655

13. University of Virginia CS 655
An UmniVML2 Program
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT % abbrev for 201 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] CHECKTYPE DEREF M1 REF INT
[4] READ DEREF M1
[5] STORE M1 ADDP DEREF M1 1
[6] STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT
30 April 2019
University of Virginia CS 655

14. University of Virginia CS 655
VCGen for UmniVML2
VCGen (PC) =
if Inst[PC] = STORE Expression_m Expression_v
typeof (Expression_m) = ref (typeof (Expression_v))
& VCGenE (Expression_m) & VCGenE (Expression_v) & VCGen (PC + 1)
if Inst[PC] = WHILE Expression_l <= Expression_r
typeof (Expression_l) = integer & typeof (Expression_r) = integer
& VCGenE (Expression_l) & VCGenE (Expression_r)
& VCGen (PC + 1) & VCGen (<pc of next ENDWHILE>)
if INST[PC] = READ Expression
typeof (Expression) = ref (integer)
& VCGenE (Expression) & VCGen (PC + 1)
if INST[PC] = CHECKTYPE Expression Type
VCGen (PC + 1) can assume typeof (Expression) = Type
if INST[PC] = ENDWHILE
VCGen (PC + 1)
if INST[PC] = HALT
true
30 April 2019
University of Virginia CS 655

15. University of Virginia CS 655
VCGenE
VCGenE (E) =
if E = ADD Expression_1 Expression_2
typeof (Expression_1) = integer
& typeof (Expression_2) = integer
& VCGenE (Expression_1) & VCGenE (Expression_2)
if E = ADDP Expression_1 Expression_2
typeof (Expression_1) = ref (T)
if E = DEREF Expression
typeof (Expression) = ref (T) & VCGenE (Expression)
if E = IntLiteral
true
if E = MemoryLocation
30 April 2019
University of Virginia CS 655

16. University of Virginia CS 655
VCGen for Program
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT % abbrev for 201 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] CHECKTYPE DEREF M1 REF INT
[4] READ DEREF M1
[5] STORE M1 ADDP DEREF M1 1
[6] STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT
Project Group 1
Group 2
Group 3
Group 4
Group 5
Group 6
30 April 2019
University of Virginia CS 655

17. University of Virginia CS 655
Constructing a Proof
A = type environment
= [ M0: ref (integer), M1: ref (ref (integer)),
M100-M200: ref (integer) ]
Axioms are typing judgments (your PS2 solution)
We need to show: A proves VCGen (0)
Type bindings given by
CHECKTYPE Expression Type
are true until STORE Expression_x Expression
or READ Expression_x
where typeof (Expression_x) = Type.
30 April 2019
University of Virginia CS 655

18. University of Virginia CS 655
So Far
About as easy to generate these proofs as to check them, so no need to pass proof around with code.
Except: the type hints are really a proof!
CHECKTYPE is expensive – optimizing compiler should be able to remove it for this program
30 April 2019
University of Virginia CS 655

19. University of Virginia CS 655
An UmniVML2 Program
[T0] TYPE M0 INT [T1] TYPE M1 REF INT
[T2] TYPE M100-M199 INT % abbrev for 200 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] READ DEREF M1
[4] STORE M1 ADDP M1 1
[5] STORE M0 ADD M0 1
[6] ENDWHILE
[7] HALT
Need a loop invariant
30 April 2019
University of Virginia CS 655

20. Requirements for Invariant
Strong enough to prove:
Inv & Pred  VCGen ([3] READ DEREF M1)
Inv & (DEREF M0 <= 99)  typeof (DEREF M1) = ref (integer)
Weak enough to prove:
TypeHints + [0] STORE M0 0 + [1] STORE M1 M100  Inv
Weak and strong enough to prove WHILE loop axioms
Inv & (DEREF M0 <= 99) {
[3] READ DEREF M1
[4] STORE M1 ADDP M1 1
[5] STORE M0 ADD M0 1 } Inv
30 April 2019
University of Virginia CS 655

21. University of Virginia CS 655
Loop Invariant
Inv =
DEREF (DEREF M1) = DEREF M0
& DEREF M0 >= 0
This is the “proof” attached to the code. Once you have it, checking is easy!
30 April 2019
University of Virginia CS 655

22. University of Virginia CS 655
PCC Summary
Code producer provides a checkable proof of desired property
Code consumer verifies the proof
Can use invariants, type hints, etc. but must not assume they are true
Help direct the checker to construct a proof quickly
Enables optimizations not possible without proof
Enables guarantees not possible without proof (lack of run-time errors)
30 April 2019
University of Virginia CS 655