Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Published byRegina Tate Modified over 9 years ago

Similar presentations

Presentation on theme: "SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U."— Presentation transcript:

1 SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U

2 Overview Paper presents a technique allowing kernels to check extension safety –Code receiver defines a set of safety rules that guarantee safe behavior of programs, – Code producer creates a formal safety proof that its code adheres to the safety rules –Code receiver uses a simple and fast proof validator to check that the code is safe

3 Starting Idea Code Producer Code Consumer Untrusted code Verifies safety of code Good idea but …

4 Starting Idea Code Producer Code Consumer Untrusted code Verifies safety of code Formally proving the safety of untrusted code requires a large amount of effort

5 Shift the burden to the producer Code Producer Code Receiver Untrusted code + Safety Proof Validates proof Works better Proves safety of its code

6 Proof-carrying code Code producer must establish and prove the safety of the code –Attaches proof to code Code consumer only has to validate the proof –Much simpler task

7 Advantages Code producer does most of the validation work Code consumer does not care how the proofs are constructed PCC programs are tamperproof –Changing the code voids the proof No cryptography No trusted third parties Errors are detected before code is run

8 Difficulties How to encode the formal proof? How to check the proof? –Not an easy task How to relate the proof with the program?

9

10 Implementation Basic elements: –Formal specification language used to express the safety policy –Formal semantics of the language used by the untrusted code –Language used to express the proofs –Algorithm for validating the proofs –Method for generating the safety proofs

11 Formal Specification Language Expresses the safety policy of the receiver Uses first-order predicate logic extended with predicates for type safety and memory safety

12 Formal semantics of language Describes the language used by the untrusted code – A logic relating programs to specifications Untrusted code is DEC Alpha machine code – Was at that time the fastest microprocessor

13 Proof language Variant of Edinburgh Logical Framework (LF) –Essentially a typed lambda calculus –Can easily encode a wide variety of logics, including higher-order logics

14 Proof validation Simple LF type checker Basic tenet of LF is that proofs are represented as expressions and predicates as types –In order to check the validity of a proof we only need to typecheck its representation

15 Generating safety proofs Uses a theorem prover –First, the code is scanned by the same verification generator that the consumer uses –Then the predicate is submitted to a theorem prover that attempts to prove that predicate –In case of success, prover emits an LF representation of the proof

16 Application Machine code implementation of network packet filters Safety policy was focused on fine- grained memory safety Safety proofs were smaller than 800 bytes Required no more than 3ms on a DEC Alpha to be validated.

17 More details Observe that all four filters are very small

18 Run time Average per packet runtime of the four PCC packet filters Compared with –BSD Packet Filter Interpreter (will be slow!) –Using software fault isolation –Using a safe subset of Modula 3 plus the VIEW extension for safe pointer casting

19 BFI is worst!

20 Conclusion PCC allows server or kernel to interact safely with untrusted code PCC has no runtime overhead for receiver Safety policies are defined by receiver –Much more flexible Too bad that safety proofs are so hard to construct!

Download ppt "SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,

Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

Similar presentations

Ads by Google