1 / 28

Scaling Proof-Carrying Code to Production Compilers and Security Policies

Scaling Proof-Carrying Code to Production Compilers and Security Policies. Andrew W. Appel Princeton University Edward W. Felten Princeton University Zhong Shao Yale University July 2000. ?. Private files Network access Launch control etc. The problem: Mobile Code Security.

ferris-scott
Download Presentation

Scaling Proof-Carrying Code to Production Compilers and Security Policies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scaling Proof-Carrying Code to Production Compilers and Security Policies Andrew W. Appel Princeton University Edward W. Felten Princeton University Zhong Shao Yale University July 2000

  2. ? Private files Network access Launch control etc. The problem: Mobile Code Security Code Producer Code Consumer Code Source Program Compiler Execute load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20

  3. Protection Self-Certifying Compilers via Typed Intermediate Languages (i.e., FLINT compiler) Proof-Carrying Code (machine-checkable safety proofs about machine-language programs) Trust Distributed Authentication Frameworks via Proof-Carrying Authentication Two Solutions

  4. Expected major achievements Felten, Appel Princeton U. Distributed Authentication Frameworks: Proof-Carrying Authentication Appel, Felten Princeton U. Mobile Code Security: Proof-Carrying Code Shao Yale U. Certifying Compilers: FLINT/ML FLINT/Java Language- & machine- independent mobile code safe lang. interop. Secure Key Distribution File servers Secure Linking PCC systems for ML, Java

  5. Trusted Computing Base Advantage: Clean, fast, O-O interface between trusted & untrusted code Disadvantage: Huge trusted computing base: JIT Existing Practice: Bytecode Verification Code Producer Code Consumer ByteCode Java Program Bytecode Verifier Compiler load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20 OK Just-in-time Compiler Native code Execute

  6. Hints Proof-carrying code - tiny TCB Code Producer Code Consumer Native Code Source Program Compiler Execute load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20 Policy Policy Safety Theorem Safety Theorem Safety Proof Prover $-i( -i(... -r ( ...) ) ) OK Checker

  7. Why we can trust the checker We use a simple, sound, well-understood logic (Church’s higher-order logic, 1950’s) A proof is just a tree of inference rules, with axioms at the leaves Proof-checking is just type-checking of expression trees (~1000 lines of code) Many independent implementations of proof-checker: Twelf (CMU); Ginseng (Cedilla systems); Coq system (INRIA, France); HOL system (Cambridge U.)

  8. Why we can trust the “policy” 9 axioms of higher-order logic + 30 axioms of arithmetic subtotal: 39 lines of specification + ... one axiom specifying machine semantics total: 639 lines • Must specify how Sparc (or Pentium, etc.) instructions work in order to prove properties of programs (more about this later) • Checker + policy much smaller than the TCB of other approaches (operating system, or optimizing compiler)

  9. Conference on Automated Deduction June 2000

  10. Security Policy: Host/client API Code Consumer “Models for Security Policies in Proof-Carrying Code”, Andrew Appel & Ed Felten, in preparation. How to design sound policies and reason about them effectively. Policy

  11. Program: 106 instructions Theorem: 2 x 106 words Proof: 105 + 10 x 106 safe( , , , , , , , , , ) Program-specific lemmas Programming-language-specific lemmas Hoare’s Logic Recursive Types Fixed Point Theorem Machine Instructions Partial Orders Modular Arithmetic Cardinality Structure of theorem, proof

  12. POPL ‘00: Principles of Programming Languages (Jan. 2000)

  13. Programming Finding the right abstractions is critical Data types Functions All details must be filled in Engineering Divide large program into modules with clean interfaces Break large algorithms into one-page functions Strive for readability and maintainability Proving Finding the right abstractions is critical Data types (sets, metric spaces) Lemmas All details must be filled in Engineering Divide large proof into modules with clean interfaces Break large proofs into one-page lemmas Strive for readability and maintainability Software engineering of proofs

  14. Code Producer Code Consumer Source Program Compiler Execute Policy Policy Hints Safety Theorem Safety Theorem Prover OK Checker Compiling with proofs Native Code load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20 Safety Proof $-i( -i(... -r ( ...) ) )

  15. Prover Compiling with proofs Code Producer Native Code Source Program Compiler How to build a compiler that can produce a proof? Policy Hints Safety Theorem Prover

  16. proof-check type-check type-check type-check type-check Phases of a compiler Certifying compiler Traditional compiler Source Program type-check Parse, Semantic untyped High-level intermed. lang (IL) Analysis, Optimization untyped Medium-level IL Code Generation untyped Low-level IL Register Allocation untyped Machine Language

  17. type-check type-check type-check type-check Using a certifying compiler in PCC Source Program Operation of theorem-prover is completely automatic; no assistance needed from programmer ! Certifying compiler Parse, Semantic High-level IL Optimization Medium-level IL Code Gen. Low-level IL Register Alloc. Machine Language Hints Program for execution Theorem Prover Safety Theorem

  18. type-check type-check type-check The FLINT project ML Java Add new front-ends to build new certifying compilers ! Safe C Parse & semantic Parse & semantic Parse & semantic Key: use typed intermediate languages ! Long-Term Objective: to build a FLINT VM that uses low-level typed mobile code, and can run on any device ! High-level FLINT Analysis & Optimization Medium-level FLINT Code Gen. Low-level FLINT Hints Safety Theorem Theorem Prover Program for execution

  19. Why typed intermediate languages ? • Essential for certifying compilers • PCC and TAL are good but how to generate them? • Safe and secure low-level mobile code (Why? applets, JINI, active network, extensible systems) • Java VM language is too complex and high-level • Types for stating and verifying invariants • IDL for common component libraries • Safe and principled language interoperation • Help optimizations and compiler debugging (useful but not critical)

  20. Languages Challenges Approaches ML • module system (functor) • closures & polymorphism • recursive data types The F calculus  ref exn Java & JVML • classes; interfaces; objects • access control & privacy • name-based subtyping • dynamic linking & loading • reflection; concurrency The F calculus  row-kind dot notation ??? “Safe” C • explicit memory management • efficient array access state & region dependent types FLINT as a common typed IL

  21. ICFP ‘00: International Conference on Functional Programming (Sept. 2000)

  22. “read foo” signature + cert cert policy Proof-Carrying Authentication Traditional approach Alice Bob decision procedure Charlie

  23. “read foo” proof cert policy Proof-Carrying Authentication Our approach Alice Bob proof checker Charlie

  24. 6th ACM Conference on Computer and Communications Security (Nov. 1999)

  25. modus ponens Alice says readfoo (Alice says readfoo)  readfoo modus ponens KA signed readfoo (KA signed readfoo)  (Alice says readfoo) -elimination F. (KA signed F)  (Alice says F) Proof Tree readfoo Bob’s policy check signature (subproof)

  26. Definitions and Lemmas • can define new abstractions, in terms of existing ones • keybind(K,A) = F. (K signed F)  A(F) • A controls F = A(F)  F • CA(C) = K.A. C controls keybind(K,A) • can prove lemmas, then use them • prove properties of defined abstractions • abstractions need not be primitives

  27. policy policy (under construction) Web server/browser prototype get http://... Web Server Custom Proxy Server Browser authenticate proof web page Prover Checker

  28. Policy Specification of SPARC, MIPS semantics Models for reasoning about security policies Authentication logic for Web browser Prover Basic lemmas about logic, arithmetic, sets, lists, sequences, equiv. relations Derivation of Hoare logic from machine semantics Set-theoretic model of types (completed, but too weak) PER model of types (powerful, but still much work left to do) Checker Selection of proof-representation language Evaluation of suitability of various checker software FLINT compiler FLINT/ML (alpha release) FLINT/Javasub (prototype) Released as part of the SML/NJ compiler Types are now propagated through all optimization phases Accomplishments to date

More Related