310 likes | 555 Views
Dealing with Untrusted Mobile Code – Proof Carrying Code & Authentication. Christopher Howard CSCI 342 – Group B1 February 15, 2007. References. Internal: George C. Necula. Proof-Carrying Code . Andrew W. Appel and Edward W. Felten. Proof-Carrying Authentication.
E N D
Dealing with Untrusted Mobile Code – Proof Carrying Code & Authentication Christopher Howard CSCI 342 – Group B1 February 15, 2007
References • Internal: • George C. Necula. Proof-Carrying Code . • Andrew W. Appel and Edward W. Felten. Proof-Carrying Authentication. • GC Necula, P Lee. The Design and Implementation of a Certifying Compiler • Christopher Colby, Peter Lee, George C. Necula, Fred Blau, Ken Cline, Mark Plesko. A Certifying Compiler for Java • External: • http://raw.cs.berkeley.edu/pcc.html • http://en.wikipedia.org/wiki/Proof-Carrying_Code • http://www.cigital.com/irc/march00-irc • http://www.drdc-rddc.gc.ca/researchtech/malicots/compile_e.asp • www.tolerantsystems.org/ITS_Ref/ • wwwhome.cs.utwente.nl/~etalle/school2000/Material/Lee/
Outline • Introduction • Dealing w/ Untrusted Code (Mobile Code) • Trust vs. Protection/Enforcement • Proof Carrying Code (PCC) Concept • Certifying Compiler • Verification by Host • Proof Carrying Authentication (PCA) • Mixing Trust and Enforcement • Discussion
What’s My Motivation • Application of the PCC concept in; • Security and Authentication (discussed later). • Establishing trust in untrusted (mobile) code. • Interested in code sandboxes and ability to shield system from malicious code. • Ability of PCC to reduce the usual performance impacts of checking the safety of running code.
The Problem: Untrusted (Mobile) Code • What assurance does a system have that mobile code will not; • Damage internal data structures • Violate memory safety • Misuse system resources or cause deadlock • Follow the established security policy • Goal: Verify mobile code will not violate system security policy without; • Seriously impacting performance on the host system
Two Possible Solutions • Trust • Proof Carrying Authentication • Idea: Run only trusted code. • Use technology to establish trust • Public-key infrastructure (PKI) • Code signing (Cryptographic protection) • Subject to corruption • Works for any security property • (type safety, memory protections, etc) • Protection/Enforcement • Proof Carrying Code & Certifying Compilers • Idea: Run untrusted, safe code • Use technical mechanisms to ensure code is safe • Certifying compilers • High assurance • Works for only some security properties.
Enforcing Code Safety:Proof Carrying Code • Proof Carrying Code (PCC) • Software mechanisms that allows a host system to verify properties about an application via a formal proof that accompanies the application's executable code. • This formal proof shows that the mobile application complies with the system policy. • The host system can use a simple and fast proof validator to check the conclusions of the proof against its own security policy to determine whether the application is safe to execute.
PCC For Dummies OK, but let me quickly look over the instructions first. Please install and execute this. Code producer Host
PCC For Dummies Code producer Host
PCC For Dummies This store instruction is dangerous! Code producer Host
PCC For Dummies Can you prove that it is always safe? Code producer Host
PCC For Dummies Yes! Here’s the proof I got from my certifying Java compiler! Can you prove that it is always safe? Code producer Host
PCC For Dummies Your proof checks out. I believe you because I believe in logic. Code producer Host
The Certifying Compiler • At the heart of the PCC concept is the certifying compiler • A new type of compiler that enforces a formal security policy while translating the source code into the an executable. • Inputs: normal source code and a formal security policy • Outputs: annotated version of normal executable code and proof guaranteeing compliance to the policy • NOTE: PCC does not require use of a Certifying Compiler, proofs can be written by hand.
The Certifying Compiler • So how does it do its magic? • Source Code is compiled to machine code that contains annotations. • The safety policy is encoded into the verification-condition generator (VCgen) which, maps each machine-language program to a safety theorem. • The annotated machine code is sent to the VCgen which, verifies the code and produces the verification conditions (VC’s). • The VC’s are passed to the theorem prover which, produces the proof that the program follows the security policy.
Example Annotations • (a) Sample program • (b) Compiler output w/ annotations • (c) type specification
Example Proof • Proof 1: Safe to read from an array of element if the index is within array boundaries. • Proof 2: Result of the read from the array must be of the same type as the array elements.
Verification by Host System • Host System receives: • Executable code w/ annotations • Proof that code is safe (“adheres to policy”). • Host verifies code safety • Safety policy is encoded into VCgen. • Annotated code is run through VCgen to produce VC’s. • VC’s and proof are verified by proof checker for correctness.
Advantages of PCC • Burden of proving code safety shifted to the code producer. • Host system does not need any knowledge about how the certifying proof was constructed. • Host need not trust certifying compiler or proof-generator. • Code is determined safe before it runs. • No cryptography or third party certification of code safeness needed. • Proof is considered “semantic checksum” of program making it tamperproof because any modification to the program will cause either; • The proof to no longer be valid. • The proof will be valid but will not represent the untrusted executable code. • The modification didn’t change the proof or the executable code.
PCC: What About Performance • Time: • Time to check code proof is very minimal! • Proof generation time can range between 1 - 2x compilation time. • Space: • Proofs are large! On average 76% of the code size.
Establishing Trust in Mobile Code:Proof Carrying Authentication • Proof Carrying Authentication (PCA) • Software mechanisms that allows a host system to verify weather we should trust a particular piece of mobile code. • Once trust is established the code is trusted to act within the systems policy. • The proof in this case proves to the host system that a piece of code should be trusted.
“read foo” signature + cert cert policy Traditional Authentication Example Alice Bob decision procedure Charlie
Alice Bob “read foo” proof checker proof cert Charlie policy Proof Carrying Authentication Example
Proof Carrying Authentication Concept Code Producer Code Consumer Native Code Source Program Compiler Execute load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20 Policy Policy Inspect & Sign Verification Condition Verification Condition Prover Certs OK Proof Checker
Code Signing Code with hash 0x52… has property P, signed KA “Alice’s key is KA” signed KC Public-Key Certificates Establishing Trust OK to run this code? Policy and Axioms I trust Alice for code signing OK to run code with property P KC is Charlie’s key I trust Charlie for key certification
“Alice’s key is KA” signed KC x. (KA signed x) (Alice says x) Example Proof x. (KC signed x) (Charlie says x) KC is Charlie’s key KC signed (x. (KA signed x) (Alice says x)) K. P. x. (KC signed y.(K signed y) (P says y)) (K signed x) (P says x) I trust Charlie for key certification
Conclusions: Mixing Trust w/ Enforcement, Writing Policies • Enforcement/Protection (PCC) offers higher assurance than trust (PCA) does. • But PCC doesn’t work for all properties while PCA does. • “This program will not display misleading dialog boxes.” • “This control software won’t let the vehicle tip over.” • Integration allows mixed use of trust (PCA) and protection (PCC) for different properties within the same program. • Both PCA and PCC depend on well written and defined policies. • Creating good policies can be difficult.