510 likes | 604 Views
Secure Certifying Compilation. What do you want to type check today?. David Walker Cornell University. Extensible Systems. Many systems have programmable interfaces. printers and editors (postscript printers, emacs, Word) browsers and servers (applets, plugins, CGI-scripts)
E N D
Secure Certifying Compilation What do you want to type check today? David Walker Cornell University
Extensible Systems Many systems have programmable interfaces. • printers and editors (postscript printers, emacs, Word) • browsers and servers (applets, plugins, CGI-scripts) • operating systems (virus scanners) • networks (active networks, JINI) System Interface Code Download, Link & Execute David Walker, Cornell University
Extensible Systems: Pros • Client-side customization • plug in your own devices, 3rd-party utilities • Preservation of market-share • vendors can add features, improve functionality easily • System maintenance and evolution • software subscriptions David Walker, Cornell University
Extensible Systems: Cons • Security • extensibility opens system to malicious attacks • how do we prevent misuse of resources? • Reliability • flexibility makes it hard to reason about system evolution • how do we limit damage done by erroneous extensions? David Walker, Cornell University
Extensible Systems: Reality • Strong economic and engineering pros • Mobile code, systems with programmable interfaces will proliferate • A necessity: practical technology for increasing the security and reliabilityof extensible systems David Walker, Cornell University
Outline • Framework for improved reliability and security • Idea I: certifying compilation • Idea II: security via code instrumentation • An instance [popl '00] • Security automaton specifications • A dependently-typed target language (TAL) • Related work & research directions David Walker, Cornell University
Certified Code Untrusted Code Secure Code System Interface • Attach annotations/certificate (types, proofs, ...) to untrusted object code extensions • Certificates make verification feasible • Move away from trust-based security & reliability Download & Check Link & Execute Certificate David Walker, Cornell University
Certifying Compilation High-level Program • Low-level certificate generation must be automated • Necessary components: 1) a source-level programming language 2) a compiler to compile and optimize source programs while preserving the certificate 3) a certifying target language Compile certificate Annotated IR Optimize Transmit David Walker, Cornell University
Question How should we obtain the initial certificate? David Walker, Cornell University
Answer • Use a type-safe language • Type inference relieves the tedium of proof construction • Programmers will rewrite programs so they type check David Walker, Cornell University
Certifying Compilation So Far Type Safe High-level Program 1) a strongly typed source-level programming language 2) a type-preserving compiler to compile and optimize source programs 3) a certificate language for type-safety properties types Compile Typed Program Optimize Transmit David Walker, Cornell University
Certifying Compilers • Proof-Carrying Code[Necula & Lee] • an expressive base logic that can encode many security policies • in practice, logic is extended with a type system • compilers producetype safetyproofs • Typed Assembly Language[Morrisett, Walker, et al] • flexible type constructor language that can encode high-level abstractions • guarantees type safety properties David Walker, Cornell University
Conventional Type Safety • Conventional types ensure basic safety: • basic operations performed correctly • abstraction/interfaces hide data representations and system code • Conventional types don't describe complex security policies • eg: policies that depend upon history • Melissa virus reads Outlook contacts list and then sends 50 emails David Walker, Cornell University
Outline • Framework for improved reliability and security • Idea I: certifying compilation • Idea II: security via code instrumentation • An instance [popl '00] • Security automaton specifications • A dependently-typed target language (TAL) • Related work & research directions David Walker, Cornell University
Flexible Security Policies High-level Extension • Specify policies independently of extensible system • Compiler instruments extensions • Easier to understand, debug, evolve policies Compiler Security Policy Instrument Analyze & Optimize David Walker, Cornell University
Security Policy Specifications • Requirement: a language for specifying security policies • Features: • Notation for specifying events of interest • "network send" and "file read" are security-sensitive • Notation for specifying illegal behaviour • a privacy policy: "no send after read" • A feasible compilation strategy • must be able to prevent programs from violating the policy David Walker, Cornell University
Examples • SFI [Wahbe et al] • events are read, write, jump • enforce memory safety properties • SASI[Erlingsson & Schneider],Naccio[Evans & Twyman] • flexible policy languages • not certifying compilers David Walker, Cornell University
Putting it Together • define policies in a high-level, flexible and system-independent specification language • instrument system extensions both with dynamic security checks and static information • preserve proof of security policy during compilation and optimization • verify certified compiler output to reduce TCB David Walker, Cornell University
Outline • Framework for improved reliability and security • Idea I: certifying compilation • Idea II: security via code instrumentation • An instance [popl '00] • Security automaton specifications • A dependently-typed target language (TAL) • Related work & research directions David Walker, Cornell University
Secure Certified Code • Overview of Architecture • Security Automata [Erlingsson & Schneider] • How to specify security properties • A simple compilation strategy • A dependently-typed target language (TAL) • A brief introduction to TAL • Extensions for certifying security properties • theoretical core language proven sound • can express any security automaton policy David Walker, Cornell University
Security Architecture Security Automaton Specification High-level Extension System Interface Instrument Annotate Secure Typed Extension Secure Typed Interface Type Check Optimize Secure Executable Transmit David Walker, Cornell University
Security Automata • A general mechanism for specifying security policies • Specify any safety property • access control policies: • “cannot access file foo” • resource bound policies: • “allocate no more than 1M of memory” • the Melissa policy: • “no network send after file read” David Walker, Cornell University
Example read(f) • Policy: No send operation after a read operation • States: start, has read, bad • Inputs (program operations): send, read • Transitions (state x input -> state): • start x read(f) -> has read start has read send read(f) bad send David Walker, Cornell University
Example Cont’d read(f) • S.A. monitor program execution • Entering the bad state = security violation start has read send read(f) bad send % untrusted program % s.a.: start state send(); % ok -> start read(f); % ok -> has read send(); % bad, security violation David Walker, Cornell University
Bounding Resource Use malloc (i) • Policy: "allocate fewer than n bytes" 0 i n - 1 ... ... malloc (i) bad David Walker, Cornell University
Every security-relevant operation has an associated function: checkop Trusted, provided by policy writer checkop implements the s. a. transition function Enforcing S.A. Specs checksend (state) = if state = start then start else halt % terminates execution David Walker, Cornell University
Enforcing S.A. Specs • Easy, wrap all function calls in checks: • Improve performance using program analysis send() let next_state = checksend(current_state) in send() David Walker, Cornell University
Outline • Technology for improved reliability and security • Idea I: certifying compilation • Idea II: security via code instrumentation • Secure certifying compilation [popl '00] • Security automaton specifications • A dependently-typed target language (TAL) • Related work & research directions David Walker, Cornell University
Brief TAL Overview • Assembly or machine code with typing annotations • Object files checked separately and linked together • Ensures basic safety without run-time checks • Memory safety: can't read/write arbitrary memory • Control-flow safety: can't execute arbitrary data • Type abstraction: TAL can encode and enforce high-level abstract data types Typecheck Link David Walker, Cornell University
A TAL Compiler • TAL is practical • We compile "safe C" (aka Popcorn) • No pointer arithmetic, unsafe casts • ML-style data types, polymorphism, exceptions • Some simple optimizations • null-check elimination, inlining, register allocation • The compiler bootstraps • most compiler hacking by Grossman, Morrisett, Smith David Walker, Cornell University
Other TAL Features • Memory management features • Stack types • Aliasing • Region-based MM • See Dave’s thesis • Other features • Dynamic linking • Run-time code generation • http://www.cs.cornell/talc David Walker, Cornell University
Typing Assembly Code • Programs divided into labeled code blocks • Each block has a code type: {eax:,ebx:,...} • Code types specify expected register contents • Assume code type to check the block • Prove control transfers (jumps) meet the assumptions Foo : {eax: int, ecx: {eax: int}} mov ebx, 3; % {eax: int, ebx: int, ecx: {eax: int}} add eax, ebx; % OK jmp ecx % OK David Walker, Cornell University
Increasing Expressiveness • Basic types ensure standard type safety • functions and data used as intended and cannot be confused • security checks can’t be circumvented • Introduce a logic into the type system to express security invariants • Use the logic to encode the s.a. policy • Use the logic to prove checks unnecessary David Walker, Cornell University
Target Language Predicates • States (for compile-time reasoning) • constants: start, has read, bad, ... • variables: 1, 2, ... • Predicates: • describe security states • instate() • describe relationships between states • transsend(1,2) • describe dependencies between values • (see the paper) David Walker, Cornell University
Preconditions • Code types can specify preconditions: • A typical use: foo: [, instate(), bad].{eax:1, ecx:2} - instantiate polymorphic variable - prove residual preconditions - eg: instate(start), start bad - hope proofs are easy (syntactic matching) - otherwise place explicit proof at call site - eg: jmp foo [start, Proof, Proof] bar: {...} ... % Known: instate(start) ... jmp foo [start] David Walker, Cornell University
Postconditions • Expressed as a precondition on the return address type: bar: { eax: 1, ecx: [instate(has read)].{eax: 2} } • Before returning, bar proves instate(has read) • After return, assume instate(has read) David Walker, Cornell University
Each security-relevant function has a type specifying 3 preconditions, 1 postcondition the send function: P1: instate(curr) P2: transsend(curr,next) P3: next bad Pre: P1, P2, P3 Encoding Security Automata • P4: instate(next) • Post: P4 send: [curr,next,P1,P2,P3].{ ecx: [P4].{ } } David Walker, Cornell University
Technical Note • State predicates behave linearly • as in linear logic, each state predicate is used once • instate(curr) is "consumed" at send call site • can't be used in future proofs • can't fool type system into thinking code continues to be in state curr • instate(next) is "produced" on return • will be used when next calling a security-sensitive function David Walker, Cornell University
Compile-time reasoning depends on run-time values Compile-time & Run-time foo: mov eax, state % should represent the current state mov ecx, ret1 jmp checksend % state argument, state result in eax ret1: push eax % save next state on the stack mov ecx, ret2 jmp send % must establishprecondition for send checksend: % postcond. == precond. for ret1, send David Walker, Cornell University
A type for checksend(first try) Checksend • checksend: • [curr,P1].{eax:state, ecx:[next,P1,P2,P3].{eax:state} } • where • P1 = instate(curr), P2 = transsend(curr,next), P3 = next bad David Walker, Cornell University
A type for checksend(first try) No correspondence between run-time argument and static information Checksend • checksend: • [curr,P1].{eax:state, ecx:[next,P1,P2,P3].{eax:state} } • where • P1 = instate(curr), P2 = transsend(curr,next), P3 = next bad mov eax, wrong_state; mov ecx, next; jmp checksend David Walker, Cornell University
Checksend • Solution: provide very precise types • Singleton types • A type containing one value • eax : state(start) • means eax contains a data structure that represents exactly the start state and no other state • eax : state() • eax contains data representing the unknown state • useful in many contexts • Similar to Dependent ML [Xi & Pfenning] David Walker, Cornell University
Using Singletons • checksend • implements the automaton transition function • intuitively has type state -> state • singletons help relate run-time values to compile-time predicates • [curr,P1].{eax:state(curr),ecx:[next,P1,P2,P3].{eax:state(next)}} • P1 = instate(curr), P2 = transsend(curr,next), P3 = next bad David Walker, Cornell University
Using Checksend foo: { … } ... % Assume: instate(curr), eax : state(curr) mov ecx, ret1 jmp check_send[curr] ret1: [next, instate(curr), transsend(curr,next), next bad]. {eax:state(next)}. push eax; mov ecx, ret2; jmp send [curr,next] % P1 & P2 & P3 ==> ok ret2: ... David Walker, Cornell University
Optimization • Analysis of s.a. structure makes redundant check elimination possible • eg: • identify transsend(start,start) as valid read(f) start has read send read(f) bad send David Walker, Cornell University
Optimization Low-level Interface send: ' read: ' checksend: ' checkread: ' Axiom A = transsend(start,start) Policy High-level Interface David Walker, Cornell University
Optimization loop :[instate(start)].{ } mov ecx, loop jmp send [start,start,By A]; send: [curr,next,instate(curr),transsend(curr,next), next bad].{ecx: [P4].{ }} • Type-checker is simple but general • Typical optimizations • redundant check removal • loop invariant removal David Walker, Cornell University
Implementation • TALx86 implementation is sufficient for these encodings • includes polymorphism, higher-order type constructors, logical connectives (,,), singleton types, .... • Lots more work to be done • axioms in module interfaces • policy compiler David Walker, Cornell University
Outline • Technology for improved reliability and security • Idea I: certifying compilation • Idea II: security via code instrumentation • Secure certifying compilation [popl '00] • Security automaton specifications • A certifying target language • Related work & research directions David Walker, Cornell University
Research Directions • Design of policy languages • What kinds of logics can we compile & certify? • Mawl [Sandholm & Schwartzbach] • TALres [Crary & Weirich] • Design of safety architecture • How do we "clean up" after halting a program? • Support for mutually distrustful agents • Policy-directed optimizations David Walker, Cornell University