The Design and The Design and Implementation of a Implementation of a Certifying Compiler Certifying Compiler

[Necula, Lee][Necula, Lee]

A Certifying Compiler for Java A Certifying Compiler for Java [Necula, Lee et al][Necula, Lee et al]

David W. HillDavid W. HillCSCI 297CSCI 2975.31.20055.31.2005

How to deal with Untrusted How to deal with Untrusted Code?Code?

How can the host system ensure that the untrusted code will not damage it, for example, by corrupting internal data structures?

How can the host ensure that the untrusted code will not use too many resources (such as CPU, memory, and so forth) or use them for too long a time period?

How can the host make these assurances without undue effort and negative effect on overall system performance?

Proof Carrying CodeProof Carrying Code

Proof-Carrying Code is a technique by which the host establishes a set of safety rules that guarantee safe behavior of programs. The code producer creates a formal safety proof that proves, for the untrusted code, adherence to the safety rules. Then, the host is able to use a simple and fast proof validator to check, with certainty, that the proof is valid and hence the foreign code is safe to execute.

High Level Overview – Proof High Level Overview – Proof Carrying Code Carrying Code

A A code producercode producer sends a program and its safety sends a program and its safety proof to a proof to a code consumercode consumer– A A certifying compilercertifying compiler constructs the program and constructs the program and

proofproof– A A proof checkerproof checker checks them against a security policy checks them against a security policy

Program

Proof

CodeConsumer

Proof Checker

Security Policy

CodeProducer

CertifyingCompiler

PCC ProcessPCC Process

The source program is compiled to machine The source program is compiled to machine code annotated with loop invariants and with code annotated with loop invariants and with some other annotations. some other annotations.

The annotated machine code is passed The annotated machine code is passed through the Verification Condition Generator through the Verification Condition Generator (VCGen) that verifies the well-formedness of (VCGen) that verifies the well-formedness of the code (such as that the branch targets are the code (such as that the branch targets are within the code segment) and emits a within the code segment) and emits a verification condition (VC). The verification verification condition (VC). The verification condition is a predicate that is provable only if condition is a predicate that is provable only if the code meets the safety policy. the code meets the safety policy.

PCC ProcessPCC Process

The verification condition is passed to a The verification condition is passed to a theorem prover that finds and emits a proof of theorem prover that finds and emits a proof of it according to the logic requested by the code it according to the logic requested by the code consumer. consumer.

The proof is verified to be valid (with respect to The proof is verified to be valid (with respect to the given logic) and to prove the required the given logic) and to prove the required verification condition. verification condition.

If the proof checking succeeds, the code If the proof checking succeeds, the code meets the safety policy and can be safely meets the safety policy and can be safely installed for execution. installed for execution.

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Great! But let me quickly look over the instructions first.

Code producer Code consumer

My program solves your problem.

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code producer Code consumer

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code producer Code consumer

This store instruction is dangerous!

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code producer Code consumer

Can you prove that it is always safe?

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code consumer

Can you prove that it is always safe?

Yes! Here’s the proof I got from my certifying Java compiler!

Code producer

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code consumerCode producer

Your proof checks out.

The Cartoon Guide to PCCThe Cartoon Guide to PCC

Code consumerCode producer

I believe you because I believe in logic!

Design & Implementation Design & Implementation of an Certifying Compilerof an Certifying Compiler

Translates programs written in a type-safe subset of C into highly optimized DEC Alpha assembly language programs.

Certifier that automatically checks the type safety and memory safety of any assembly language program produced by the compiler.

Certifier produced a formal proof that can be used by the code consumer to ensure safe code

Overview of Certifying Overview of Certifying CompilerCompiler

Code annotations assist certifier to verify type safety and memory safety Type specifications declare the type of argument and result register for every function in the code.

Inside the CertifierInside the Certifier

VCGen creates a safety predicate for each function. Prover produces a formal proof of the predicateProof checker validates the proofCertifier could be used for other properties, other than memory and type safety.

Sample Code Sample Code

Code Producer

Code Consumer

Theorem Prover

Safety Policy

Native CodeWith Annotations

Proof Checker

Ok

CPU

VCGen

Verification Condition

Safety Policy

Safety Proof Safety Proof

VCGen

Verification Condition

Source Code Touchstone Compiler

Native CodeWith Annotations

PCCPCC

Code Producer

Code Consumer

Theorem Prover

Safety Policy

Native CodeWith Annotations

Proof Checker

No

CPU

VCGen

Verification Condition

Safety Policy

Safety Proof

Safety Proof

VCGen

Verification Condition(may change)

Source Code Touchstone Compiler

TamperedNative Code

With Annotations

Hacker

Tampered Code is not delivered to the CPU

But safety is still guaranteed if the code is modified in such a way that the VC is unchanged

PCCPCCTamperedTampered

Sample ProofSample Proof

First rule states that it is safe to read an element of an array if its index is within the array boundaries Second rule states that the result of the read operation has the type of the array elementsProves that assembly language program is safe (memory)

Benchmarks Benchmarks

Certifying Compiler for Java Certifying Compiler for Java - 2- 2ndnd paper paper

Optimized compiler Special J that compiles java bytecodes into target code for x86 architectureImplement a certifier for a large subset of the Java language PCC binaries are of reasonable size and can be checked rapidly by a small proof checkerPCC & Certifying compilers are scalable

Annotations

ArchitectureArchitecture

Code producer Code Consumer

Java binary

Proof generator

Proof checker

VCGen

Axioms

Axioms

Certifying compiler

VCGen

VC

Native code

Proof

VC

VC Generation - DetailedVC Generation - Detailed

Checks code that could violate safety policy and produces proof obligations

movl 4(%eax), %ebx Assembly Inst.

Saferd4 (add eax 4) proof obligation

VC Generation - LoopsVC Generation - LoopsWhen VCGen finds annotation below:ANN_LOOP (INV=P, MODREG=R)

VC GenerationVC Generation

PCC Architecture DetailsPCC Architecture Details

Host only needs VC Generator and Proof Checker – Small TCB

VC GEN = 23K lines (C)

Proof Checker = 1.4K lines (C)

BenchmarksBenchmarks

Online DemoOnline Demo

George Necula’s Touchstone Demo

http://raw.cs.berkeley.edu/Ginseng/Images/pccdemo.html

PCC AdvantagesPCC Advantages

Great for mobile code, consumer only has to run a small proof checking process. Burden shifted to producer.

No cryptography of third party checks required

Code is verified before execution, therefore don’t have to kill processes after acquisition of resources

Issues for DiscussionIssues for Discussion

Writing good policies is the hard part– Better ways to define policies– Ways to reason about properties of policies– Ideas for the right policies for different

scenarios– Ways to develop, reason about, and test

distributed policies

ReferencesReferences

-George Necula’s Web Page

http://raw.cs.berkeley.edu/papers.html#annotated

-Peter Lee’s Web Page

http://www-2.cs.cmu.edu/~petel/

-Flexibility and Trustworthiness in Proof-Carrying Code, Andrew Bernard, CMU

-Lecture 19. UVA, Proof Carrying Code, David Evans

-Some open issues for certifying compilers, Greg Morrisett

-Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute

Thank You!Thank You!

Discussion…..Discussion…..