Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

Published byGriffin Cross Modified over 9 years ago

Similar presentations

Presentation on theme: "An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)"— Presentation transcript:

1 An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

2 David Walker - Foundations of Security 20032 Motivation Extensible systems can be more flexible and more efficient than client-server interaction client server client-server extensible systems extension host

3 David Walker - Foundations of Security 20033 extensible system Motivation Extensible systems can be more flexible and more efficient than client-server interaction client server client-server extension host

4 Source: NASA Jet Propulsion Lab Example: Deep-Space Onboard Analysis Bandwidth: < 1KB/sec Latency: > hours Data: > 10MB/sec Note: efficiency (cycles, bandwidth) safety critical operation

5 David Walker - Foundations of Security 20035 More Examples of Extensible Systems Device driver Operating system Applet Web browser Loaded procedure Database server DCOM Component DCOM client … Host Code

6 David Walker - Foundations of Security 20036 Concerns Regarding Extensibility Safety and reliability concerns è How to protect the host from the extensions ? Extensions of unknown origin ) potentially malicious Extensions of known origin ) potentially erroneous Complexity concerns è How can we do this without having to trust a complex infrastructure? Performance concerns è How can we do this without compromising performance? Other concerns (not addressed here) –How to ensure privacy and authenticity? –How to protect the component from the host?

7 David Walker - Foundations of Security 20037 Approaches to Component Safety Digital signatures Run-time monitoring and checking Bytecode verification Proof-carrying code

8 David Walker - Foundations of Security 20038 Assurance Support: Digital Signatures Host Example properties: “Microsoft produced this software” “Verisoft tested the software with test suite 17” LNo direct connection with program semantics LMicrosoft recently recommended that Microsoft be removed from one’s list of trusted code signers Code Checker

9 David Walker - Foundations of Security 20039 Run-Time Monitoring and Checking Host A monitor detects attempts to violate the safety policy and stops the execution –Hardware-enforced memory protection –Software fault isolation (sandboxing) –Java stack inspection Code Monitor JRelatively simple; effective for many properties LEither inflexible or expensive on its own

10 David Walker - Foundations of Security 200310 Java Bytecode Host Checker Code JVM bytecode JRelatively simple; overall an excellent idea LLarge trusted computing base –commercial, optimizing JIT: 200,000-500,000 LOC –when is the last time you wrote a bug-free 200,000 line program? LJava-specific; somewhat limited policies Code Compiler Code

11 David Walker - Foundations of Security 200311 Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler JFlexible interfaces like the JVM model JSmall trusted computing base (minimum of 3000 LOC) JCan be somewhat more language/policy independent LBuilding an optimizing, type-preserving compiler is much harder than building an ordinary compiler

12 David Walker - Foundations of Security 200312 Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Isn’t it hard, perhaps impossible, to check properties of assembly language?

13 David Walker - Foundations of Security 200313 Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Isn’t it hard, perhaps impossible, to check properties of assembly language? Actually, no, not really, provided we have a proof to guide the checker.

14 David Walker - Foundations of Security 200314 Proof-Carrying Code: An Analogy Legend: code proof

15 David Walker - Foundations of Security 200315 Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hard to generate the proof?

16 David Walker - Foundations of Security 200316 Proof-carrying code Host Checker Code JVM bytecode Proof Code Compiler Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hard to generate the proof? Yes. But there is a trick.

17 David Walker - Foundations of Security 200317 PCC + Type-Preserving Compilation Host Checker Code JVM bytecode ProofTypes Code Compiler Types Compiler The trick: we fool the programmer into doing our proof for us! We convince them to program in a typesafe language. We design our compiler to translate the typing derivation into a proof of safety We can always make this work for type safety properties

18 David Walker - Foundations of Security 200318 Good Things About PCC 1.Someone else does the really hard work (the compiler writer) Hard to prove safety but easy to check a proof Research over the last 5-10 years indicates we can produce proofs of type safety properties for assembly language 2.Requires minimal trusted infrastructure Trust proof checker but not the compiler Again, recent research shows PCC TCB can be as small as ~3000 LOC 3.Agnostic to how the code and proof are produced Not compiler specific; Hand-optimized code is Ok 4.Can be much more general than the JVM type system Only limited by the logic that is used (and we can use very general logics) 5.Coexists peacefully with cryptography Signatures are a syntactic checksum Proofs are a semantic checksum (see Appel & Felten’s proof-carrying authorization)

19 David Walker - Foundations of Security 200319 The Different Flavors of PCC Type Theoretic PCC [Morrisett, Walker, et al. 1998] –source-level types are translated into low-level types for machine language or assembly language programs –the proof of safety is a typing derivation that is verified by a type checker Logical PCC [Necula, Lee, 1996, 1997] –low-level types are encoded as logical predicates –a verification-condition generator runs over the program and emits a theorem, which if true, implies the safety of the program –the proof of safety is a proof of this theorem Foundational PCC [Appel et al. 2000] –the semantics of the machine is encoded directly in logic –a type system for the machine is built up directly from the machine semantics and proven correct using a general-purpose logic (eg: higher-order logic) –the total TCB is approximately 3000 LOC

20 David Walker - Foundations of Security 200320 The Common Theme Every general-purpose system for proof carrying code relies upon a type system for checking low- level program safety –why? –building a proof of safety for low-level programs is hard –success depends upon being able to structure these proofs in a uniform, modular fashion –types provide the framework for developing well- structured safety proofs In the following lectures, we will study the low- level typing mechanisms that are the basis for powerful systems of proof carrying code

Download ppt "An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)"

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.

Access Control 1. Given Credit Where It Is Due Most of the lecture notes are based on slides by Dr. Daniel M. Zimmerman at CALTECH Some slides are from.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Operating System Security

Operating System Security
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
H28.1 6-Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.

H Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Java: History and Introduction (Lecture # 1). History… Java – Based on C and C++ – Developed in 1991 for intelligent consumer electronic devices – Green.

Java: History and Introduction (Lecture # 1). History… Java – Based on C and C++ – Developed in 1991 for intelligent consumer electronic devices – Green.

Similar presentations

Ads by Google