270 likes | 397 Views
Code-Carrying Proofs. Aytekin Vargun Rensselaer Polytechnic Institute. Outline. Introduction Proof-Carrying Code (PCC) Code-Carrying Proofs(CCP) Sample CCP session Future Work. Potential Problems to be Solved. Memory Safety illegal operations or illegal access to memory Security
E N D
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute
Outline • Introduction • Proof-Carrying Code (PCC) • Code-Carrying Proofs(CCP) • Sample CCP session • Future Work
Potential Problems to be Solved • Memory Safety • illegal operations or illegal access to memory • Security • unauthorized access to data or system resources • Functional Correctness • whether the code does correctly what it is formally required to do
Two Solutions • Proof-Carrying Code (PCC) • Code-Carrying Proofs (CCP)
Proof-Carrying Code (PCC) • Developed by Necula and Lee [1996] at CMU. • Basic Idea: Use machine-checkable proofs as certificates. • Proof construction is harder than proof checking • Code producer provides the proof • Code consumer checks it
Source Code Touchstone Compiler PCC VCGen Native Code With Annotations Native Code With Annotations Verification Condition Theorem Prover Safety Proof Safety Proof Code Producer Code Consumer Safety Policy Safety Policy VCGen Proof Checker Verification Condition Ok CPU
Source Code Touchstone Compiler PCCTampered VCGen Native Code With Annotations Verification Condition Safety Policy Theorem Prover Safety Proof Code Producer Hacker Tampered Native Code With Annotations Code Consumer Safety Proof Safety Policy VCGen Proof Checker Verification Condition (may change) No • Tampered Code is not delivered to the CPU • But safety is still guaranteed if the code is • modified in such a way that the VC is unchanged CPU
Source Code Touchstone Compiler PCCTampered VCGen Native Code With Annotations Verification Condition Safety Policy Theorem Prover Safety Proof Code Producer Hacker Native Code With Annotations Code Consumer Tampered Safety Proof Safety Policy VCGen Proof Checker Verification Condition No • Proof is either invalid • or • is not the proof of the VC CPU
Source Code Touchstone Compiler PCCTampered VCGen Native Code With Annotations Verification Condition Safety Policy Theorem Prover Safety Proof Code Producer Hacker Hacker Tampered Native Code With Annotations Code Consumer Tampered Safety Proof Safety Policy VCGen Proof Checker Verification Condition (may change) Ok • Safety is guaranteed • if the tampered proof is the • proof of the new VC CPU
Foundational PCC • Developed by Appel in [2000] at Princeton • VCGen is a large program. Replace it! • Basic Idea: • Define the semantics of the machine instructions and safety rules • Use foundational mathematical logic instead of programming-language-specific axioms or safety rules • No particular type system
Foundational PCC • Prove w.r.t. the formal machine language semantics • Operates at a very low level of abstraction • It does reduce dependency on a large program (VCGen) but this is true for CCP also
Code-Carrying Proofs (CCP) • Start with axioms that define functions • The form of axioms is such that it is easy to extract executable code from them. • Prove that the defined functions obey certain requirements • The producer transmits • Axioms • The correctness theorems • And their proofs
Code-Carrying Proofs (CCP) • No explicit code transmission • The consumer checks proofs to see if the correctness theorem is proved • If proof checking succeeds, the consumer applies the code extractor to the axioms and obtain the executable code
Code-Carrying Proofs (CCP) • CCP attempts to solve Functional Correctness problem • We are dealing with a higher-level language
CCP Axioms & Theorems Theorem Prover Axioms & Proofs Axioms & Proofs Code Producer Code Consumer Requirements Requirements Proof Checker Code Extractor Code Axioms & Theorems CPU
CCPTampered Axioms & Theorems Requirements Theorem Prover Axioms & Proofs Code Producer Hacker Tampered Axioms & Proofs Code Consumer Requirements Proof Checker Code Extractor CPU (No Code) (Failed Proofs)
Issues • Encoding axioms and proofs • Proof Checking • Tests to be applied by the consumer to new function definitions (definitional principle) • Syntactic Property • Consistency • Termination • Implementing Code Extractor
Athena • Implemented by K.Arkoudas • A language for both: • Ordinary Computation • Logical Deduction
Athena Ordinary Computation Language • Provides higher-order functions • Has primitive functions for • Unification • Matching • Substitution
Athena Logical Language • Special Deductive Forms • dcheck, dbegin, assume, … • Primitive Deduction Methods • mp, both, left-and, … • Declarations • structure, declare, … • Directives • load-file, clear-assumption-base, …
Athena Advantages • Better Proof Readability • Machine checkable proofs • Makes it possible to formulate and write proofs as methods • Generic Proofs • write the proof once and instantiate it to prove specific cases
Code Extractor • Quantified Equations and Conditional Equations • These are clauses of a recursive function definition • CE has to be able to combine these into a recursive function
Code Extractor • CE can extract pure functions • it is not capable of extracting destructive functions • Example Functions: • searching functions, sum • It cannot handle functions like: • in-place reverse, sort
Code Extractor • We have been working on simple functions. But: • In analogy to STL, it is useful to have a library of simple functions from which more complex functions can be composed, especially if the functions are generic • It is possible for code extractor to extract complex functions composed of such simple functions
Future Work • New Definitions and Tests to be applied • Defining Memory • More Proof Examples • Improving the Code Extractor • Memory Safety • Generic Proofs and Proof packaging