1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Slides:

Advertisements

Similar presentations

Javascript Code Quality Check Tools Javascript Code Quality Check Tools JavaScript was originally intended to do small tasks in webpages, but now JavaScript.

Advertisements

Verification and Validation

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee

Dynamic Typing COS 441 Princeton University Fall 2004.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.

Dynamic Tainting for Deployed Java Programs Du Li Advisor: Witawas Srisa-an University of Nebraska-Lincoln 1.

Reference Book: Modern Compiler Design by Grune, Bal, Jacobs and Langendoen Wiley 2000.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

A Type System for Expressive Security Policies David Walker Cornell University.

Bending Binary Programs to your Will Rajeev Barua.

November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

Database Management Systems (DBMS)

Computer Programming and Basic Software Engineering 4. Basic Software Engineering 1 Writing a Good Program 4. Basic Software Engineering.

Language Evaluation Criteria

P51UST: Unix and Software Tools Unix and Software Tools (P51UST) Compilers, Interpreters and Debuggers Ruibin Bai (Room AB326) Division of Computer Science.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.

A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.

© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.

Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.

High level & Low level language High level programming languages are more structured, are closer to spoken language and are more intuitive than low level.

COP4020 Programming Languages

Java Virtual Machine Java Virtual Machine A Java Virtual Machine (JVM) is a set of computer software programs and data structures that use.

Software Models (Cont.) 9/22/2015ICS 413 – Software Engineering1 -Component-based software engineering -Formal Development Model.

Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.

Containment and Integrity for Mobile Code Security policies as types Andrew Myers Fred Schneider Department of Computer Science Cornell University.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Introduction to Software Testing. Types of Software Testing Unit Testing Strategies – Equivalence Class Testing – Boundary Value Testing – Output Testing.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

Exception Handling Unit-6. Introduction An exception is a problem that arises during the execution of a program. An exception can occur for many different.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.

1.  10% Assignments/ class participation  10% Pop Quizzes  05% Attendance  25% Mid Term  50% Final Term 2.

Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.

1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.

Chapter 1 Introduction. Chapter 1 -- Introduction2  Def: Compiler --  a program that translates a program written in a language like Pascal, C, PL/I,

Program Development Cycle

School of Computer Science & Information Technology G6DICP - Lecture 6 Errors, bugs and debugging.

 Programming - the process of creating computer programs.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

By: Cheryl Mok & Sarah Tan. Java is partially interpreted. 1. Programmer writes a program in textual form 2. Runs the compiler, which converts the textual.

C# and.NET. .NET Architecture  Compiling and running code that targets.NET  Advantages of Microsoft Intermediate Language (MSIL)  Value and Reference.

Software Development Introduction

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:

Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.

ARO Workshop Wendy Roll - May 2004 Topic 4: Effects of software certification on the current balance between software/system modeling, analysis and testing.

14 Compilers, Interpreters and Debuggers

State your reasons or how to keep proofs while optimizing code

Virtualization Techniques

Language-based Security

IS 135 Business Programming

Presentation transcript:

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous or even malicious) o We must worry about extrinsic code properties (non-semantic properties) –e.g., author, time of creation, 3rd party-endorsements,... semantic code properties (behavioral properties) –e.g., memory safety, lack of information flow, etc. o To handle untrusted fluid software we need: safety enforcement technologies, and design and development methodologies

2 The State of the Art o Cryptographic techniques require external trust relationships good for non-semantic properties o Security monitors monitor the execution and halt if a fault is detected impose data representation constraints run-time checking alone is limited –hard to detect certain faults –halting the execution not always acceptable o Static checking reduced run-time cost quickly becomes undecidable for optimized code JVM: type safety for unoptimized intermediate code

3 Simple And Powerful Static Checking o The code is accompanied by a detailed proof Proof-Carrying Code (PCC) Proof Code Proof Checker Yes/No o The proof “explains the code” to the static checker o No more proving, just proof checking o The “hard work” is delegated to the code source where it should be o The proof certifies that the “hard work” was done properly

4 Features of PCC o Safety without sacrificing performance works for low-level languages (even machine code) works for optimized code o The trusted code base is small checking is easier than proving no need to use (and trust) a compiler o Flexible and general (in principle) need a specification that captures the property of interest and a proof of that property for the untrusted code “if you can prove it, PCC can check it!” install one checker for a multitude of policies o But what about generating the proofs?

5 Certifying Compilation o We typically expect our tools to establish certain basic properties e.g., type safety for a compiler for a type-safe language e.g., lack of race conditions for an Esterel compiler o We must either run the tool ourselves (we better trust it) trust the user to run it (hard to enforce) o Alternatively, use tools that certify their output delegate but do not trust effective way to debug the tools themselves ! Proof Code Proof Checker Yes/No Certifying Code Generator

6 Current Status o Proof-carrying code Intel x86 and DEC Alpha implementations (~ 50Kb code) Proofs are 10%-75% the size of the code (for type safety) Fast proof checking (~ 100Kb/s) parameterized by the specification of the safety policy o Certifying compiler for a subset of C –combines performance (on par with GCC -O4) –with type safety for full Java (under development) o Near future: certification back-end for GCJ (GNU Compiler for Java) gain leverage from using off-the-shelf untrusted compilers

7 What next? o Even in C we try to write type safe programs o Is it possible to discover why a C program is safe? “ratify” a broad set of safe programming practices there will be failures –hopefully they point to programming errors –or else, the tool suggests convenient stylistic adjustments –or else, the tool inserts run-time checks this could be compiler independent Proof Code Proof Checker Yes/No Untrusted code Heuristic-based certifier

8 Criteria for Success o 1 year A toolkit for producing provably-safe native methods with off-the-shelf Java compilers o 3 years A toolkit for certifying type safety of C programs o Common thinking in … years Type and memory faults are as common as uncaught memory parity errors If an application crashes, replace the motherboard