Post on 31-Dec-2015
description
04/19/23 1
Scaling Proof-Carrying Code to Production Compilers and Security Policies
Andrew W. Appel Princeton University
Edward W. Felten Princeton University
Zhong Shao Yale University
July 2000
04/19/23 2
The problem: Mobile Code Security
Code Producer
Code Consumer
load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20
CodeCompiler Execute
SourceProgram
Private files
Network access
Launch control
etc.
?
04/19/23 3
Two Solutions
Protection
Self-Certifying Compilersvia
Typed Intermediate Languages
(i.e., FLINT compiler)
Proof-Carrying Code(machine-checkable safety
proofs about machine-language programs)
Trust
Distributed Authentication Frameworks
viaProof-Carrying Authentication
04/19/23 4
Expected major achievements
Felten, AppelPrinceton U.
DistributedAuthenticationFrameworks:
Proof-CarryingAuthentication
Appel, FeltenPrinceton U.
Mobile CodeSecurity:
Proof-CarryingCode
ShaoYale U.
CertifyingCompilers:
FLINT/MLFLINT/Java
SecureLinking
SecureKey
Distribution
File servers
PCC systemsfor ML, Java
Language- &machine-
independentmobile code
safe lang.interop.
04/19/23 5
Existing Practice: Bytecode Verification
Code Producer
Code Consumer
load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20
ByteCodeCompiler
Just-in-time
Compiler
OK
Bytecode
Verifier
JavaProgram
Native code
Execute
TrustedComputing
Base
Advantage:Clean, fast, O-O interface
between trusted & untrusted code
Disadvantage:Huge trusted computing base: JIT
04/19/23 6
Code Producer
Code Consumer
SafetyTheorem
Prover
Compiler
Checker OK
ExecuteSourceProgram
Policy
SafetyTheorem
Policy
load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20
Native Code
Safety Proof
Hints
-i( -i(... -r ( ...) ))
Proof-carrying code - tiny TCB
04/19/23 7
Why we can trust the checker
We use a simple, sound, well-understood logic(Church’s higher-order logic, 1950’s)
A proof is just a tree of inference rules, with axioms at the leaves
Proof-checking is just type-checking of expression trees(~1000 lines of code)
Many independent implementations of proof-checker:Twelf (CMU); Ginseng (Cedilla systems); Coq system (INRIA, France); HOL system (Cambridge U.)
04/19/23 8
Why we can trust the “policy”
9 axioms of higher-order logic + 30 axioms of arithmetic
subtotal: 39 lines of specification + ... one axiom specifying machine
semanticstotal: 639 lines
Must specify how Sparc (or Pentium, etc.) instructions work in order to prove properties of programs (more about this later)
Checker + policy much smaller than the TCB of other approaches (operating system, or optimizing compiler)
04/19/23 9
Conference on Automated DeductionJune 2000
04/19/23 10
Code Consumer
Security Policy: Host/client API
Policy
“Models for Security Policies
in Proof-Carrying Code”,
Andrew Appel & Ed Felten,
in preparation.
How to design sound policies andreason about them effectively.
04/19/23 11
Program:106 instructions
Theorem:2 x 106 words
Proof:105 + 10 x 106
Program-specific lemmas
Programming-language-specific lemmas
RecursiveTypes
Fixed Point Theorem
Hoare’s Logic
Machine Instructions
Structure of theorem, proof
safe( , , , , , , , ,, )
CardinalityPartialOrders
Modular Arithmetic
04/19/23 12
POPL ‘00: Principles of Programming Languages
(Jan. 2000)
04/19/23 13
Software engineering of proofs
Programming Finding the right
abstractions is critical Data types Functions
All details must be filled in
Engineering Divide large program into
modules with clean interfaces
Break large algorithms into one-page functions
Strive for readability and maintainability
Proving Finding the right
abstractions is critical Data types
(sets, metric spaces) Lemmas
All details must be filled in
Engineering Divide large proof into
modules with clean interfaces
Break large proofs into one-page lemmas
Strive for readability and maintainability
04/19/23 14
Code Consumer
Checker OK
Execute
Policy
SafetyTheorem
Code Producer
SafetyTheorem
Compiler
Hints
SourceProgram
Policy
Prover
load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20
Native Code
Safety Proof
-i( -i(... -r ( ...) ))
Compiling with proofs
04/19/23 15
Compiling with proofs
Code Producer
Native Code
Safety Theorem
Prover
Compiler
Hints
SourceProgram
Policy
How to build
a compiler
that can
produce a
proof?
Prover
04/19/23 16
Phases of a compiler
Source Program
Parse, Semantic
High-level intermed.lang (IL)Analysis,
Optimization
Medium-level IL
Code GenerationLow-level IL
Register Allocation
Machine Language
type-check
Traditionalcompiler
untyped
untyped
untyped
untyped
type-check
Certifyingcompiler
type-check
type-check
type-check
proof-check
04/19/23 17
Using a certifying compiler in PCC
Source Program
CertifyingcompilerParse, Semantic
High-level IL
Optimization
Medium-level IL
Code Gen.
Low-level IL
Register Alloc.
Machine Language
type-check
type-check
type-check
type-check
Program for execution
Hints
Theorem
Prover
Safety
Theorem
Operation of theorem-prover is completely automatic; no assistance needed from programmer !
04/19/23 18
The FLINT project
Parse & semanti
c
High-level FLINT
Analysis & Optimization
Medium-level FLINT
Code Gen.
Low-level FLINT
type-check
type-check
type-check
Program for execution
Hints
Theorem
Prover
Safety
Theorem
Parse & semanti
c
Parse & semanti
c
Safe CML Java Add new front-ends to build new certifying compilers !
Key: use typed intermediate languages !
Long-Term Objective: to build a FLINT VM that uses low-level typed mobile code, and can run on any device !
04/19/23 19
Why typed intermediate languages ? Essential for certifying compilers
PCC and TAL are good but how to generate them?
Safe and secure low-level mobile code (Why? applets, JINI, active network, extensible systems)
Java VM language is too complex and high-level
Types for stating and verifying invariants IDL for common component libraries Safe and principled language interoperation
Help optimizations and compiler debugging (useful but not critical)
04/19/23 20
FLINT as a common typed IL
state & region dependent types
explicit memory management efficient array access“Safe” C
The F calculus row-kind dot notation ???
classes; interfaces; objects access control & privacy name-based subtyping dynamic linking & loading reflection; concurrency
Java & JVML
The F calculus ref exn
module system (functor) closures & polymorphism recursive data types
ML
ApproachesChallengesLanguages
04/19/23 21
ICFP ‘00: International Conference on Functional Programming (Sept. 2000)
04/19/23 22
Proof-Carrying Authentication
Alice Bob
policy
“read foo”
Charlie
cert
signature + cert decisionprocedure
Traditional approach
04/19/23 23
Proof-Carrying Authentication
Alice Bob
policy
“read foo”
Charlie
cert
proof proofchecker
Our approach
04/19/23 24
6th ACM Conference on Computer and Communications Security (Nov. 1999)
04/19/23 25
Proof Tree
readfoo
Bob’s policy
check signature
Alice says readfoo (Alice says readfoo) readfoo
modus ponens
KA signed readfoo
modus ponens
(KA signed readfoo) (Alice says readfoo)
F. (KA signed F) (Alice says F)
-elimination
(subproof)
04/19/23 26
Definitions and Lemmas
can define new abstractions, in terms of existing ones keybind(K,A) = F. (K signed F) A(F) A controls F = A(F) F CA(C) = K.A. C controls keybind(K,A)
can prove lemmas, then use them prove properties of defined abstractions abstractions need not be primitives
04/19/23 27
Custom
ProxyServer
Bro
wse
r
Web server/browser prototype
Prover
policy
proof
(under construction)
Web Server
Checker
get http://...
authenticate
web page
policy
04/19/23 28
Accomplishments to date
Policy Specification of SPARC, MIPS
semantics Models for reasoning about
security policies Authentication logic for
Web browser Prover
Basic lemmas about logic, arithmetic, sets, lists, sequences, equiv. relations
Derivation of Hoare logic from machine semantics
Set-theoretic model of types (completed, but too weak)
PER model of types (powerful, but still much work left to do)
Checker Selection of proof-
representation language Evaluation of suitability of
various checker software
FLINT compiler FLINT/ML (alpha release) FLINT/Javasub (prototype)
Released as part of the SML/NJ compiler
Types are now propagated through all optimization phases