Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa."— Presentation transcript:

1 Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa Cruz, California

2 2 5/14/2004 Type Safety as an Assurance Mechanism Type safety is an accepted assurance mechanism Today –Good:Type check source code in a strongly-typed high-level language (e.g. ML, C#, Java) –Better:Type check intermediate code (e.g., MS-CLI, JVML) OR code untrustedtrusted type checker

3 3 5/14/2004 Type Systems Today (JVML,MS-CLI,TAL) Hard-wired in the verifier High-level and tailored to particular source languages –E.g, built-in object-oriented features Hard to compile other source languages –Unnatural, loss of performance or expressiveness –E.g, ML ! JVML or Java ! TAL Under constant pressure to become more complex –To handle more source languages –To be able to check more complex code (e.g. optimizations)

4 4 5/14/2004 Generality by Customization MS-CLI is designed for a multiple languages, but –quite complex (e.g. 6-9 versions of function call) –not complex enough (the ILX project adds more calls) Still not general enough! –JVML: native code interface –MS-CLI: unverifiable subset of the language Proposal: Allow multiple type systems and other verification methods (e.g. PCC) to co-exist –Fix only the safety policy (e.g. memory safety) –Not the enforcement mechanism (e.g. a type system)

5 5 5/14/2004 Design Goals of the Open Verifier Should be easy to develop “verifier extensions” –Only incrementally more complicated than a conventional verifier for the same language –Be able to retrofit existing compilers or conventional verifiers Client should have complete control over the type system or other conventions –Calling conventions, exceptions, stack usage, data layout

6 6 5/14/2004 Bytecode Verification Example 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] T F 0  ::= int | list | nelist len : list ! int

7 7 5/14/2004 Bytecode Verification Example 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] arg : list arg : list Æ rv : int T F Why? arg : list Æ rv: int arg : nelist Æ rv : int

8 8 5/14/2004 Bytecode Verifier Correctness How do we know the verifier didn’t forget any checks? –Should not need to provide proofs involving the model of the machine semantics Use strongest post-condition generation to eliminate proof obligations about machine transitions –Show at each program point i with next states N, post(I i ) ) Ç j 2 N I j

9 9 5/14/2004 Verified Bytecode Verification 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] I 1 = arg : list I 2 = arg : list Æ rv : int Why? pc = 2 Æ arg : list Æ rv = 0 post(I 1 )post(I 1 ) ) I 2 new I 2 = post(I 1 ) with add (rv : int) by imm_int with drop (rv = 0) T F

10 10 5/14/2004 Branch 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] arg : list I 2 = arg : list Æ rv : int I 5 = arg : list Æ rv: int Why? pc = 3 Æ arg : list Æ rv : int Æ arg  0 Ç pc = 5 Æ arg : list Æ rv : int Æ arg = 0 post(I 2 ) case post(I 2 ) of I false where (pc = 3) ) new I 3 = I false with let h,h’ = find (arg : list), find (arg  0) in add (arg : nelist) by (cons h h’) with drop (arg : list) with drop (arg  0) | I true where (pc = 5) ) new I 5 = I true with drop (arg = 0) post(I 2 ) ) I 3 Ç I 5 T F I 3 = arg : nelist Æ rv : int

11 11 5/14/2004 Arithmetic 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] arg : list arg : list Æ rv : int arg : list Æ rv: int I 3 = arg : nelist Æ rv : int Why? 9 rv 3. pc = 4 Æ arg : nelist Æ rv 3 : int Æ rv = rv 3 + 1 post(I 3 ) new I 4 = post(I 3 ) with let h = find (rv 3 : int) in add (rv : int) by (plus h (imm_int)) with drop (rv 3 : int) with drop (rv = rv 3 + 1) post(I 3 ) ) I 4 T F I 4 = arg : nelist Æ rv : int

12 12 5/14/2004 Memory Read 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] arg : list I 2 = arg : list Æ rv : int arg : list Æ rv: int arg : nelist Æ rv : int I 4 = arg : nelist Æ rv : int Why? 9 arg 4. pc = 2 Æ arg 4 : nelist Æ rv : int Æ addr arg 4 Æ arg = m[arg 4 ] Ç pc = err Æ arg : nelist Æ rv : int Æ : (addr arg) post(I 4 ) case post(I 4 ) of I ok where _ ) I ok with let h = find (arg 4 : nelist) in add (arg : list) by (lem2 h) with … | I err where : (addr arg) by bad ) I err with let h = … in add ? by (bad (lem1 h)) with … post(I 4 ) ) I 2 Ç F T F lem1: If (arg : nelist) then (addr arg) lem2: If (arg : nelist) then (m[arg] : list) F = pc = err Æ ?

13 13 5/14/2004 Customizability Yields Controlled Trust Trust Meter Trust Any Binary (*.exe) Trust Specialized Verifiers (JVM) Trust Compilers (javac) Trust Typing Rules Trust Model of Machine Semantics

14 14 5/14/2004 Summary Provide a “natural” language for the verifier to describe in a checkable form the reasoning it makes –Close to conventional type-based verifiers –Amenable to other safety enforcement mechanisms, such as PCC PCC –Most of the time, just goes along with post( ¢ ) –When proof is required, give the proof attached with the code –Proof representation can be chosen by the client

15 15 5/14/2004 type checker Summary Towards practical extensible verification of untrusted code –Ask only for reasoning already done by conventional verifiers OR untrustedtrusted type checker code post( ¢ ) “preservation and progress”

16 16 5/14/2004 Conclusion We have verifier extensions for –Cool (“mini-Java”) [Aiken et al.] can verify output of existing Cool compilers –TAL (functional typed assembly language) retrofitted TALx86 [Morrisett et al.] –PCC Philosophy: –To verify complete software systems, not a general, super-expressive type system rather a framework to allow existing ones to work together

17

18 18 5/14/2004 Return 2 r arg = 0 3 r rv à r rv + 1 4 r arg à m[r arg ] 1 r rv à 0 5 jump [r ra ] arg : list arg : list Æ rv : int I 5 = arg : list Æ rv: int arg : nelist Æ rv : int Why? pc = ra 0 Æ arg : list Æ rv : int post(I 5 ) post(I 5 ) with drop (arg : list) post(I 5 ) ) R T F R = pc = ra 0 Æ rv : int

Download ppt "Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Compositional Verifiers for Mobile Code Safety Bor-Yuh Evan Chang Adam Chlipala George C. Necula May 12, 2005 OSQ Retreat Santa Cruz, California.

Compositional Verifiers for Mobile Code Safety Bor-Yuh Evan Chang Adam Chlipala George C. Necula May 12, 2005 OSQ Retreat Santa Cruz, California.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Type Analysis and Typed Compilation Stephanie Weirich Cornell University.

Type Analysis and Typed Compilation Stephanie Weirich Cornell University.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.

8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,

Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
CS 355 – Programming Languages

CS 355 – Programming Languages
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Ross Tate, Juan Chen, Chris Hawblitzel. Typed Assembly Languages Compilers are great but they make mistakes and can introduce vulnerabilities Typed assembly.

Ross Tate, Juan Chen, Chris Hawblitzel. Typed Assembly Languages Compilers are great but they make mistakes and can introduce vulnerabilities Typed assembly.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
Intermediate Representation I High-Level to Low-Level IR Translation EECS 483 – Lecture 17 University of Michigan Monday, November 6, 2006.

Intermediate Representation I High-Level to Low-Level IR Translation EECS 483 – Lecture 17 University of Michigan Monday, November 6, 2006.
CPSC 325 - Compiler Tutorial 8 Code Generator (unoptimized)

CPSC Compiler Tutorial 8 Code Generator (unoptimized)
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

Similar presentations

Ads by Google