Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Java Applet Security Diana Dong CS 265 Spring 2004.
01/05/2015Leiden Institute of Advanced Computer Science 1 The Open Kernel Environment - spinning Linux - Herbert Bos Bart Samwel
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Proofs, Types, and Safe Mobile Code CoS 598E David Walker.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.
Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
CS533 Concepts of OS Class 16 ExoKernel by Constantia Tryman.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
ISA 562 Internet Security Theory & Practice
Secure Execution of Untrusted Code
Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-7 Memory Management (1) Department of Computer Science and Software.
Java Virtual Machine Java Virtual Machine A Java Virtual Machine (JVM) is a set of computer software programs and data structures that use.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
1 MVD 2010 University of Iowa New York University Comparing Proof Systems for Linear Real Arithmetic Using LFSC Andrew Reynolds September 17, 2010.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
A Certifying Compiler and Pointer Logic Zhaopeng Li Software Security Lab. Department of Computer Science and Technology, University of Science and Technology.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)
M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.
Operating Systems Security
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Introduction to Operating Systems
Presentation by Omar Abu-Azzah
State your reasons or how to keep proofs while optimizing code
Introduction to Operating Systems
A Trustworthy Proof Checker
The Design & Implementation of Hyperupcalls
Presentation transcript:

Proof-Carrying Code: A Language-Based Security Approach Thao Doan Wei Hu Liqian Luo Jinlin Yang CS851 Malware 11/16/2004

11/16/2004CS851 Malware2 Outline 1.Introduction To Language-based Security 2.Proof-carrying Code (PCC) 3.Example 1: Network Packet Filters 4.Example 2: A Certifying Compiler For Java 5.Issues With PCC 6.Discussion

11/16/2004CS851 Malware3 Part 1 Introduction to Language-Based Security

11/16/2004CS851 Malware4 Malicious code - A growing problem What is malicious code? –“any code added, changed, removed from a software system in order to intentionally cause harm or subvert the intended function of the system.” What makes it a growing problem? –Growing connectivity (the Internet) –Growing complexity of systems –Support for extensibility

11/16/2004CS851 Malware5 Two well-known security design principles Principle of Least Privilege –a component should be given the minimum privilege necessary to accomplish its task –Ex: file access Principle of Minimum Trusted Computing Base –keep the TCB as small and simple as possible (~ the KISS principle) –Ex: JVM, Proof Checker of PCC

11/16/2004CS851 Malware6 Approaches against malicious code Analyze the code : before execution [reject] –Ex: scanning, compiler’s dataflow analysis Rewrite the code : before execution [modify] –Ex: BEQZ R4, BadCode  BEQZ R4, GoodCode Monitor the code : during execution [stop before harm] –Ex: OS’ page translation hardware Audit the code : during execution [police on harm] –Ex: audit trail to assess and address the problem

11/16/2004CS851 Malware7 Disadvantages of traditional approaches Miss unseen cases Trust entities required Performance Burden on consumers

11/16/2004CS851 Malware8 Motivation of language based security Is it possible to enforce security on the semantics or behavior of the code? Types, logics, & proofs come into play Examples Type-Safe Languages Proof-Carrying Code

11/16/2004CS851 Malware9 Part 2 Proof-Carrying Code : Concept and Implementation

11/16/2004CS851 Malware10 Type-safe languages Type –gives semantic meaning to ultimately mere bits –associated either with values in memory or with objects Type-safe languages: –have complete type systems –e.g., Java, C#, ML Code producer writes code in a type-safe language Code consumer ensures code is safe: –static checks (e.g., type checks) –dynamic checks (e.g., array-bound checks)

11/16/2004CS851 Malware11 Cons of type-safe languages Have large trusted computing base –many exploits of JVM itself has been reported Require many run-time tests –casts, arrays, pointers, etc. Incur inflexibility

11/16/2004CS851 Malware12 Proof-carrying code (PCC) Code Consumer Publicizes safety policy Provides Proof Code producer Validates Proof CPU Native Proof code [Necula, POPL’97]

11/16/2004CS851 Malware13 Benefits of PCC Shifts the burden of ensuring the safety from code consumer to code producer Can verify code in low-level languages Fewer run-time checks  Tamperproof  Simpler, smaller, and faster TCB  No cryptography or external authentication required

11/16/2004CS851 Malware14 Proof generation theorem proving –extend first-order predicate logic to formalize the safety policy Proof validation type checking –Edinburgh Logical Framework (LF) –map proof rules into types in LF Implementation of PCC

11/16/2004CS851 Malware15 Code Producer Code Consumer safety Policy native code Proof Generator annotated assembly code PCC system architecture validator verification condition (VC) generator code in high level programming language safety predicate theorem prover proof compiler 1. safety rules 2. module interface

11/16/2004CS851 Malware16 An example function on a DEC Alpha

11/16/2004CS851 Malware17 Part 3 Example 1 - Network Packet Filters [Necula et. al. OSDI'96]

11/16/2004CS851 Malware18 The problem Examples –OS Extensions, Safe Mobile Code, Programming Language Interoperation Previous Approaches –Hardware memory protection, Runtime checking, Interpretation We want both safety and performance!

11/16/2004CS851 Malware19 The solution - PCC

11/16/2004CS851 Malware20 A PCC example Goal –Test feasibility of PCC concept –Measure costs (proof size and validation time) –Choose simple but practical applications Network Packet Filters

11/16/2004CS851 Malware21 Network packet filters OS kernel user process space network monitoring application network packet filter

11/16/2004CS851 Malware22 Safety policy

11/16/2004CS851 Malware23 Safety policy Follow the BSD Packet Filter (BPF) model of safety –The packet is read-only. –The scratch memory is read-write. –No backward branches. –Only aligned memory accesses.

11/16/2004CS851 Malware24 Safety policy Use first-order predicate logic extended with can_rd(addr) and can_wr(addr) The precondition is: –aligned memory addresses on an 8-byte boundary –r0 (address of packet) –r1 (length of packet) –r2 (address of scratch memory (16 bytes))

11/16/2004CS851 Malware25 Code certification

11/16/2004CS851 Malware26 Code certification Step 1 - Compute a safety predicate for the code –for example: For each LD r,n[rb] add can_rd(rb+n) For each ST r,n[rb] add can_wr(rb+n) Step 2 – Generate a proof (checkable) of the safety predicate

11/16/2004CS851 Malware27 Performance – experiment setup 4 packet filters: –1 Accepts IP packets (8 instr.) –2 Accepts IP packets for (15 instr.) –3 IP or ARP between and (47 instr.) –4 TCP/IP packets for FTP (28 instr.) Compared with: –Interpretation: BSD Packet Filter –Runtime Checking: Software Fault Isolation –Type-safe Language: Modula-3

11/16/2004CS851 Malware28 Per-packet delay PCC packet filters: fastest possible on the architecture The point: Safety without sacrificing performance!

11/16/2004CS851 Malware29 Cost Proofs are approx. 3 times larger than the code Validation time: ms

11/16/2004CS851 Malware30 Startup cost amortization Conclusion: One-time validation cost amortized quickly

11/16/2004CS851 Malware31 Conclusion A very promising framework for ensuring safety of untrusted code Achieves safety without sacrificing performance Serious difficulties exist Needs more experiments

11/16/2004CS851 Malware32 Part 4 Example 2 - A certifying compiler for Java

11/16/2004CS851 Malware33 Certifying compiler (recap) Source Certifying Compiler VC Generator VC Native Code Annotations Proof VC Axioms & Rules Proof Generator Axioms & Rules Proof Checker VC Generator Code Producer Code Consumer [Colby et. al. PLDI ‘00]

11/16/2004CS851 Malware34 Class Poly{ Poly(float[] coefficients){…} float eval(float x){ float term = 1.0f; float result = 0.0f; for(int i=0; i<coefficients.length; i++){ result += coefficients[i] * term; term *= x; } return result; } private float[] coefficients; } An example

11/16/2004CS851 Malware35 LOOP_ENTRY: fxch %st(1)// result on top of FPU LOOP_INV = {(lt edx (sel4 rm (add eax 4))), (ge edx, 0), (type f7 jfloat), (type f6 jfloat)} flds 8(%eax, %edx, 4)// load coefficients[i] fmul %st(2), %st(0)// *term faddp// +result fxch %st(1)// term on top of FPU fmuls 12(%ebp)// *x incl %edx// i++ cmpl %ecx, %edx// i<coefficients.length? jl LOOP_ENTRY// loop back if yes RegisterValue edxi eaxcoefficients ecxcoefficients.length f6term f7result for(int i=0; i<coefficients.length; i++){ result += coefficients[i] * term; term *= x; } Loop Annotations

11/16/2004CS851 Malware36 VC generation flds 8(%eax, %edx, 4)// load coefficients[i] prove: (saferd4 (add (sel4 rm_1 (add loc2_1 4)) (add (imul edx_3 4) 8))) It is safe to read coefficients[i] (rdArray4 (tyField (instFld A10 A32 A31) A30) A30 (sub0chk A34) szfloat (aidxi 4 (below1 (lt_b (geswap A38) A37))))

11/16/2004CS851 Malware37 CC for modern OO languages Key Challenges: Handle advanced language features –Dynamic creation of objects –Exception handling –Floating point arithmetic Optimization Cost (time & space)

11/16/2004CS851 Malware38 CC for Java Handle dynamic object creation, exception handling, and float point arithmetic Apply many standard optimizations Proof size: 85% of the code size on average Negligible checking time [Colby et. al. PLDI ‘00]

11/16/2004CS851 Malware39 Demo ccdemo.html

11/16/2004CS851 Malware40 Part 5 Issues with PCC

11/16/2004CS851 Malware41 Issues with PCC –Assuming: Trusted VCgen Trusted proof checker No bug in logical axioms No bug in typing rules –Type-specialized built-in understanding of a particular type system

11/16/2004CS851 Malware42 Foundational PCC Code provider provides: - executable code - proof in foundational logic Eliminate implicit built-in logic  Explicitly prove relevant concepts and their properties down to the foundation of mathematics

11/16/2004CS851 Malware43 Comparisons Type-specializedPCCFoundational PCC - Relies on VCgen - First-order logic - Built-in understanding of systems - Large (~23000 LOC in Cedilla Systems) - No VCgen - Higher-order logic - Allows novel type system or safety arguments - Minimal proof checker (2700 LOC)

11/16/2004CS851 Malware44 Foundational PCC More secure More flexible [Appel, LICS ’01]

11/16/2004CS851 Malware45 Discussion What do you think is the hardest part in PCC implementation? Which security problems doesn’t PCC address? To what extent can it be applied? Is it easy for legacy systems to adopt PCC?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.