Presentation is loading. Please wait.

Presentation is loading. Please wait.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University."— Presentation transcript:

1 Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University

2 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Why Programmable APIs Pros: –Standardize “how” not “what” (mechanism vs. policy) –Easy to customize functionality & performance Move the computation closer to the data –Richer API Cons: Security risks? Performance degradation? More complex system Bigger trusted infrastructure ? Harder (impossible?) to predict global behavior Programming language technology can help

3 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Safety Through Run-Time Checking native code host untrusted client app. code compiler Hardware memory protection / Interpreter / Monitor run-time aborts big and complex verified? No way! limited safety policy run-time is too late! expensive constrained data representation

4 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Software Safety: Java Javac JVM slow Java app. code Java byte code Java Verifier host untrusted client Limited, fixed safety policy JIT still slow! native code still big and complex (and buggy?) not verified

5 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Our Idea: Proof-Carrying Code (PCC) Use static checking for both safety and performance Static checking is possible (and in fact easy) if the client supplies evidence attesting to the safety of the code For an important class of properties, the evidence can be produced by a client-side compiler

6 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Proof-Carrying Code (PCC) host untrusted client formal safety policy application code Certifying compiler optimized native code proof Proof checker CPU automated support in a familiar tool small & tamper- proof simple, small, & fast safety with maximum performance Flexible, customizable safety policies

7 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 What You Can Do With PCC Any property with an adequate formalism can be enforced –if you can prove it, PCC can check it! One proof-checker for all policies! –Small commitment for open-ended flexibility Example: safety policies defined by safe interpreters –E.g, security monitors, memory safety, resource usage limits, … –The interpreter need not be directly implementable! E.g, a pointer points to a null-terminated string … can be enforced statically with PCC –The proof says that all run-time checks will succeed –No run-time penalty –No data representation constraints –Effective enforcement of timing constraints

8 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Beyond Memory Safety Example: database with multi-level access control accessrouteprice agent Safety policy : –host invokes the agent with: security clearance level –route and price fields readable only if access <= level parent –communication permitted only back to parent –must terminate within MAX instructions –wait BNDW * SIZE instructions before sending SIZE bytes –Proofs are bigger now (300% of code) fare pricing server level parent PCC is not limited to memory safety!

9 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experience with PCC Producing the proofs of safety is generally hard But can be automated in certain cases –E.g., Type safety, monitor-based safety policies Automation idea for type safety: –start with a type-safe language –the proof exists at source level; just preserve it! –Compile the proof while compiling the code Experimental results for a safe-C compiler –Speed of code on par with traditional optimizing compilers –Proofs are 10%-40% the size of the code –Proof checking is fast (~ 100Kb/s) –Checker + machine code parser is small (~50Kb for x86) –A certifying compiler for Java is being built by Cedilla Systems

10 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Conclusions The is a need for system extensibility without sacrificing safety and performance Programming language technology can provide all of these in a small and flexible package –Type safety for optimized machine code is here –More research is needed to automate proof generation for more complex safety policies Try proof-carrying code online –http://www.cs.berkeley.edu/~necula/pcc.html

11 Supplemental Slides

12 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Touchstone vs. C Compilers Touchstone has the extra burden of removing bounds checks Certifying compilation and PCC coexist with optimizations!

13 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Proof Sizes Geometric means: –proofs are 20% of code –invariant annotations are 20% of code

14 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experiment: Network Packet Filters OS kernel user process space network monitoring application network packet filter Safety policy: packet read only no loops Wrote filters using: Touchstone + PCC Modula-3 SFI (sandboxing) BPF (interpreter)

15 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Packet Filters PCC filters are safe and fast –10x interpretation, 2x Modula-3, 1.3x sandboxing –PCC can certify even hand-optimized packets! Proof sizes and checking times are small –proof overhead: 20% (smaller than signatures !) –proof checking time: 1-3ms (amortized quickly)

16 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Minimal-Cooperation PCC Safety policy Certifying Compiler Theorem Prover VC Generator Proof Checker Client Host Proof Invar Code Source Logic Code VC

17 George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Firewall-based PCC Safety policy Certifying Compiler Theorem Prover VC Generator Proof Checker Client Firewall Proof Invar Code Source Logic Code VC Host within enclave Code

Download ppt "Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University."

Similar presentations

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
© Chinese University, CSE Dept. Software Engineering / 1 - 1 Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.

© Chinese University, CSE Dept. Software Engineering / Software Engineering Topic 1: Software Engineering: A Preview Your Name: ____________________.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel

01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.

VeriCon: Towards Verifying Controller Programs in SDNs (PLDI 2014) Thomas Ball, Nikolaj Bjorner, Aaron Gember, Shachar Itzhaky, Aleksandr Karbyshev, Mooly.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

Similar presentations

Ads by Google