Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proofs, Types, and Safe Mobile Code CoS 598E David Walker.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Proofs, Types, and Safe Mobile Code CoS 598E David Walker."— Presentation transcript:

1 Proofs, Types, and Safe Mobile Code CoS 598E David Walker

2 Feb. 2002 COS 598E 2 Quick Outline Mobile code Proof-Carrying Code Abstraction-preserving compilation Punchline: Types, logics, & proofs will play an increasingly visible role in high-performance, next-generation systems. (Acknowledgment: these slides come from a combination of Peter Lee, Greg Morrisett, George Necula, and myself)

3 Feb. 2002 COS 598E 3 Today’s Systems Static, narrow interfaces & protocols data must be copied to/from hosts new functionality is performed at the client bandwidth wasted when server cycles are cheap Host B (video server) Host A (filter) Data Request Data Response

4 Feb. 2002 COS 598E 4 Tomorrow’s Systems: Agents A sends a computational agent to B Agent encapsulates data & code Agent runs locally with direct access to data Agent returns to A with results Host B (video server) Host A filter

5 Feb. 2002 COS 598E 5 Some Critical Issues: Safety concerns: how to protect from faulty/malicious agent? Complexity concerns: how to minimize trusted computing base? Performance concerns: how to minimize overheads? Other concerns (not addressed here): how to ensure privacy and authenticity? How to protect agent from host?

6 Feb. 2002 COS 598E 6 Traditional OS-Approach Place extension in separate address space and re-direct system calls. Host filter Kernel Server

7 Feb. 2002 COS 598E 7 It’s the same problem... And many of the same issues! Static, narrow interface No data sharing (must copy to/from Kernel) Overhead of context switch, TLB-flush, etc. Kernel Application or Extension System Call Response

8 Feb. 2002 COS 598E 8 Everyone wants extensibility: OS Kernel Web browser Routers, switches, “active” networks Servers, repositories All face the same problem: How to give agents direct access without compromising host integrity?

9 Feb. 2002 COS 598E 9 Today’s Hot Topic: Type-Safety Agent is written in a “type-safe” language: type safe ~ respects host’s abstractions Java, Modula-3, ML, Scheme Host ensures agent code is legal: static checks (e.g., type-checking) dynamic checks (e.g., array-bound checks) requires interpreter or JIT compiler

10 Feb. 2002 COS 598E 10 Example: JVM Java Source javac JVM bytecodes JVM verifierSystem Interface Binary Optimizer Low-Level IL System Binary “Kernel”

11 Feb. 2002 COS 598E 11 JVM Pros & Cons Pros: portable hype: $, tools, libraries, books, training Cons: large trusted computing base includes JVM interpreter/JIT requires many run-time tests “down” casts, arrays, null pointers, etc. only suitable for Java (too high-level) even then, there are mismatches with JVM no formal spec (yet)

12 Feb. 2002 COS 598E 12Ideally: Your favorite language Low-Level IL (SSA) optimizer machine code verifierSystem Interface System Binary “Kernel”

13 Feb. 2002 COS 598E 13 Proof Carrying Code [Necula & Lee] Fundamental idea: finding a proof is hard verifying a proof is easy (not so apparent to systems people) PCC: agent = highly optimized code + proof that code respects the host’s integrity.

14 Feb. 2002 COS 598E 14 Example: Packet Filters OS kernel user process space network monitoring application network

15 Feb. 2002 COS 598E 15 packet filter OS kernel user process space network monitoring application network Example: Packet Filters

16 Feb. 2002 COS 598E 16 An Experiment: Safety Policy: given a packet, returns yes/no packet read only, small scratchpad no loops Experiment: [Necula & Lee, OSDI’96] Berkeley Packet Filter Interpreter Modula-3 (SPIN) Software Fault Isolation (sandboxing) PCC

17 Feb. 2002 COS 598E 17 Packet Filters in PCC host untrusted client PF safety policy proofchecking CPU assembly code executable code proof witness- generating theorem prover

18 Feb. 2002 COS 598E 18 Packet Filter Summary The PCC packet filter worked extremely well: BPF safety policy was easy to verify automatically. r0 is aligned address of network packet (read only) r1 is length of packet (>=64 bytes) r2 is aligned address of writeable 16-byte array Allowed hand-optimized packet filters. The “world’s fastest packet filters”. 10 times faster than BPF. Proof sizes and checking times were small. About 1ms proof checking time. 100%-300% overhead for attached proof.

19 Feb. 2002 COS 598E 19Results: PCC wins:

20 Feb. 2002 COS 598E 20 Advantages of PCC  Simple, small, and fast trusted computing base.  No external authentication or cryptography.  No need to insert additional run-time checks.  “Tamper-proof”.  Precise and expressive specification of code safety policies.

21 Feb. 2002 COS 598E 21 One Approach to PCC: Axiomatic semantics Safety policy: additional pre-conditions Floyd/Hoare-style verification condition generator (VCgen) converts to first- order predicate loop-invariants needed as annotations proof of VC implies code respects safety policy

22 Feb. 2002 COS 598E 22 Challenges with PCC What to put in the safety policy? Which safety properties? Liveness properties? How to automate proof construction? How to automate loop invariants? Engineering issues: complexity of proof checker? This is where Andrew’s group & FPCC comes in… size and time to check proofs?

23 Feb. 2002 COS 598E 23 Proof Representation PCC uses the Edinburgh Logical Framework LF type checking adequate for proof checking. Flexible framework for encoding security policies (i.e., logics). Type-checker is small (~6 pages of C code)

24 Feb. 2002 COS 598E 24 Certifying Compilers Big question is still: how to get proofs? Focus on traditional type-safety as the security policy. Source is well-typed…just need to maintain the proof throughout compilation...

25 Feb. 2002 COS 598E 25 Type-Preserving Compilers TIL compiler [PLDI’96] high-performance ML types only to intermediate level Touchstone [PLDI’98] simple, low-level language emits high-performance PCC TALC [PoPL’98,TIC’98] general type system for assembly language(s) techniques for compiling high-level languages

26 Feb. 2002 COS 598E 26 Compiling High-Level Languages When encoding constructs, we must: preserve typing (to emit invariants) preserve abstraction users reason about security at the source level. security policy may be a source-level interface (e.g., an ML signature). cannot afford for agent machine code to violate these abstractions. somehow get to the machine level

27 Feb. 2002 COS 598E 27 TAL [PoPL’98, TIC’98] Type system for assembly language. and a set of encodings for high-level language features. certifying compilers for: Safe-C, Scheme, ML Java, ML2000 in the works Type system based on System-F operational model (accurate machine) “syntactic” soundness result

28 Feb. 2002 COS 598E 28TALx86 Type-checker and tools for Intel x86 code. Slightly different framework than PCC: don’t ship explicit proof they’re very large due to encodings. instead, ship code with invariant annotations host reconstructs & verifies proof + smaller agents, potentially faster checking - larger TCB, less flexible framework

29 Feb. 2002 COS 598E 29 TAL Built-In Types Bytes: int1, int2, int4,.. Tuples: (  1  1,…,  n  n )  Code: {r 1 :  1,…, r n :  n } think pre-condition Polymorphic types:  . ,  . 

30 Feb. 2002 COS 598E 30 Simple Loop sum: {ecx:int4, ebx:{eax:int4}} ; int sum(int x) { moveax,0 ; int a = 0; jmptest ; loop: {eax:int4, ecx:int4, ebx:{eax:int4}}; while(!x) { addeax,ecx ; a += x; dececx ; x--; FALLTHRU ; } test: {eax:int4, ecx:int4, ebx:{eax:int4}}; cmpecx,0 ; jneloop ; return(a); jmpebx ; }

31 Feb. 2002 COS 598E 31 Other TAL Features Module system interfaces, implementations, ADTs Records and datatypes Arrays/vectors (Higher Order) Type constructors Stack support Aliasing support

32 Feb. 2002 COS 598E 32 Some Open Issues Logic and Typing issues: proof representation, provers, etc. logics for encoding more interesting properties (e.g., resource mgmt.) Semantic issues: full abstraction for compilers Security issues: trust management, access control, authentication, information flow, etc.

33 Feb. 2002 COS 598E 33 Why you should take this course The advent of mobile code & the hype of Java have opened the door for us… Systems people now need the combination of performance, flexibility, and security. Proofs & types are the technology that will deliver both.

Download ppt "Proofs, Types, and Safe Mobile Code CoS 598E David Walker."

Similar presentations

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Introduction to .NET Framework

Introduction to .NET Framework
COS 441 Exam Stuff David Walker. TAL 2 Logistics take-home exam will become available on the course web site Jan 15-18 write down when you download &

COS 441 Exam Stuff David Walker. TAL 2 Logistics take-home exam will become available on the course web site Jan write down when you download &
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Java Applet Security Diana Dong CS 265 Spring 2004.

Java Applet Security Diana Dong CS 265 Spring 2004.
Dynamic Typing COS 441 Princeton University Fall 2004.

Dynamic Typing COS 441 Princeton University Fall 2004.
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Ross Tate, Juan Chen, Chris Hawblitzel. Typed Assembly Languages Compilers are great but they make mistakes and can introduce vulnerabilities Typed assembly.

Ross Tate, Juan Chen, Chris Hawblitzel. Typed Assembly Languages Compilers are great but they make mistakes and can introduce vulnerabilities Typed assembly.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Similar presentations

Ads by Google