1 / 33

David W. Hill CSCI 297 5.31.2005

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al]. David W. Hill CSCI 297 5.31.2005. How to deal with Untrusted Code?.

hayes-dudley
Download Presentation

David W. Hill CSCI 297 5.31.2005

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Design and Implementation of a Certifying Compiler [Necula, Lee]A Certifying Compiler for Java [Necula, Lee et al] David W. HillCSCI 2975.31.2005

  2. How to deal with Untrusted Code? • How can the host system ensure that the untrusted code will not damage it, for example, by corrupting internal data structures? • How can the host ensure that the untrusted code will not use too many resources (such as CPU, memory, and so forth) or use them for too long a time period? • How can the host make these assurances without undue effort and negative effect on overall system performance?

  3. Proof Carrying Code • Proof-Carrying Code is a technique by which the host establishes a set of safety rules that guarantee safe behavior of programs. • The code producer creates a formal safety proof that proves, for the untrusted code, adherence to the safety rules. • Then, the host is able to use a simple and fast proof validator to check, with certainty, that the proof is valid and hence the foreign code is safe to execute.

  4. Program Proof Checker Certifying Compiler Code Producer Code Consumer Security Policy Proof High Level Overview – Proof Carrying Code • A code producer sends a program and its safety proof to a code consumer • A certifying compiler constructs the program and proof • A proof checker checks them against a security policy

  5. PCC Process • The source program is compiled to machine code annotated with loop invariants and with some other annotations. • The annotated machine code is passed through the Verification Condition Generator (VCGen) that verifies the well-formedness of the code (such as that the branch targets are within the code segment) and emits a verification condition (VC). The verification condition is a predicate that is provable only if the code meets the safety policy.

  6. PCC Process • The verification condition is passed to a theorem prover that finds and emits a proof of it according to the logic requested by the code consumer. • The proof is verified to be valid (with respect to the given logic) and to prove the required verification condition. • If the proof checking succeeds, the code meets the safety policy and can be safely installed for execution.

  7. The Cartoon Guide to PCC Great! But let me quickly look over the instructions first. My program solves your problem. Code producer Code consumer

  8. The Cartoon Guide to PCC Code producer Code consumer

  9. The Cartoon Guide to PCC This store instruction is dangerous! Code producer Code consumer

  10. The Cartoon Guide to PCC Can you prove that it is always safe? Code producer Code consumer

  11. The Cartoon Guide to PCC Yes! Here’s the proof I got from my certifying Java compiler! Can you prove that it is always safe?  Code producer Code consumer

  12. The Cartoon Guide to PCC Your proof checks out.  Code producer Code consumer

  13. The Cartoon Guide to PCC I believe you because I believe in logic!  Code producer Code consumer

  14. Design & Implementation of an Certifying Compiler • Translates programs written in a type-safe subset of C into highly optimized DEC Alpha assembly language programs. • Certifier that automatically checks the type safety and memory safety of any assembly language program produced by the compiler. • Certifier produced a formal proof that can be used by the code consumer to ensure safe code

  15. Overview of Certifying Compiler • Code annotations assist certifier to verify type safety and memory safety • Type specifications declare the type of argument and result register for every function in the code.

  16. Inside the Certifier • VCGen creates a safety predicate for each function. • Prover produces a formal proof of the predicate • Proof checker validates the proof • Certifier could be used for other properties, other than memory and type safety.

  17. Sample Code

  18. Source Code Touchstone Compiler PCC VCGen Native Code With Annotations Native Code With Annotations Verification Condition Theorem Prover Safety Proof Safety Proof Code Producer Code Consumer Safety Policy Safety Policy VCGen Proof Checker Verification Condition Ok CPU

  19. Source Code Touchstone Compiler PCCTampered VCGen Native Code With Annotations Verification Condition Safety Policy Theorem Prover Safety Proof Code Producer Hacker Tampered Native Code With Annotations Code Consumer Safety Proof Safety Policy VCGen Proof Checker Verification Condition (may change) No • Tampered Code is not delivered to the CPU • But safety is still guaranteed if the code is • modified in such a way that the VC is unchanged CPU

  20. Sample Proof • First rule states that it is safe to read an element of an array if its index is within the array boundaries • Second rule states that the result of the read operation has the type of the array elements • Proves that assembly language program is safe (memory)

  21. Benchmarks

  22. Certifying Compiler for Java - 2nd paper • Optimized compiler Special J that compiles java bytecodes into target code for x86 architecture • Implement a certifier for a large subset of the Java language • PCC binaries are of reasonable size and can be checked rapidly by a small proof checker • PCC & Certifying compilers are scalable

  23. Architecture Java binary Native code Certifying compiler VCGen Annotations VC VCGen Axioms VC Axioms Proof generator Proof checker Proof Code producer Code Consumer

  24. VC Generation - Detailed • Checks code that could violate safety policy and produces proof obligations • movl 4(%eax), %ebx  Assembly Inst. • Saferd4 (add eax 4) proof obligation

  25. VC Generation - Loops • When VCGen finds annotation below: • ANN_LOOP (INV=P, MODREG=R)

  26. VC Generation

  27. PCC Architecture Details • Host only needs VC Generator and Proof Checker – Small TCB • VC GEN = 23K lines (C) • Proof Checker = 1.4K lines (C)

  28. Benchmarks

  29. Online Demo George Necula’s Touchstone Demo http://raw.cs.berkeley.edu/Ginseng/Images/pccdemo.html

  30. PCC Advantages • Great for mobile code, consumer only has to run a small proof checking process. Burden shifted to producer. • No cryptography of third party checks required • Code is verified before execution, therefore don’t have to kill processes after acquisition of resources

  31. Issues for Discussion Writing good policies is the hard part • Better ways to define policies • Ways to reason about properties of policies • Ideas for the right policies for different scenarios • Ways to develop, reason about, and test distributed policies

  32. References -George Necula’s Web Page http://raw.cs.berkeley.edu/papers.html#annotated -Peter Lee’s Web Page http://www-2.cs.cmu.edu/~petel/ -Flexibility and Trustworthiness in Proof-Carrying Code, Andrew Bernard, CMU -Lecture 19. UVA, Proof Carrying Code, David Evans -Some open issues for certifying compilers, Greg Morrisett -Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute

  33. Thank You! Discussion…..

More Related