Page 1
Scaling Proof-Carrying Code to Production Compilers and Security Policies
Andrew W. Appel Princeton University
Edward W. Felten Princeton University
Zhong Shao Yale University
July 2000
Page 2
The problem: Mobile Code Security
[Figure: the code producer compiles a source program into code and ships it to the code consumer, who must decide whether to execute it with access to private files, network access, launch control, etc. What arrives is bare machine code, for example:]
load r3, 4(r2)
add r2,r4,r1
store 1, 0(r7)
store r1, 4(r7)
add r7,0,r3
add r7,8,r7
beq r3, .-20
Page 3
Two Solutions
Protection:
- Self-Certifying Compilers via Typed Intermediate Languages (i.e., FLINT compiler)
- Proof-Carrying Code (machine-checkable safety proofs about machine-language programs)
Trust:
- Distributed Authentication Frameworks via Proof-Carrying Authentication
Page 4
Expected major achievements
- Felten, Appel (Princeton U.): Distributed Authentication Frameworks: Proof-Carrying Authentication
- Appel, Felten (Princeton U.): Mobile Code Security: Proof-Carrying Code
- Shao (Yale U.): Certifying Compilers: FLINT/ML, FLINT/Java
Outcomes shown on the slide: Secure Linking; Secure Key Distribution; File servers; PCC systems for ML, Java; Language- & machine-independent mobile code; safe lang. interop.
Page 5
Existing Practice: Bytecode Verification
[Figure: on the code producer side, a Java program is compiled to bytecode. On the code consumer side the bytecode passes through a Bytecode Verifier (OK) and then a Just-in-time Compiler, which emits native code that is executed. The verifier and the JIT compiler sit inside the Trusted Computing Base.]
Advantage: Clean, fast, O-O interface between trusted & untrusted code
Disadvantage: Huge trusted computing base: JIT
Page 6
Proof-carrying code - tiny TCB
[Figure: the code producer compiles the source program to native code and, given the policy and the safety theorem, runs a prover over the native code plus compiler hints to produce a safety proof (a nested tree of inference rules). The code consumer, holding the same policy and safety theorem, runs a checker over the native code and the proof, and executes the code only if the checker says OK.]
Page 7
Why we can trust the checker
- We use a simple, sound, well-understood logic (Church's higher-order logic, 1950's)
- A proof is just a tree of inference rules, with axioms at the leaves
- Proof-checking is just type-checking of expression trees (~1000 lines of code)
- Many independent implementations of proof-checker: Twelf (CMU); Ginseng (Cedilla Systems); Coq system (INRIA, France); HOL system (Cambridge U.)
Page 8
Why we can trust the "policy"
- 9 axioms of higher-order logic + 30 axioms of arithmetic; subtotal: 39 lines of specification
- + ... one axiom specifying machine semantics; total: 639 lines
- Must specify how Sparc (or Pentium, etc.) instructions work in order to prove properties of programs (more about this later)
- Checker + policy much smaller than the TCB of other approaches (operating system, or optimizing compiler)
Page 9
Conference on Automated Deduction, June 2000
Page 10
Security Policy: Host/client API
[Figure: the code consumer's Policy box.]
"Models for Security Policies in Proof-Carrying Code", Andrew Appel & Ed Felten, in preparation.
How to design sound policies and reason about them effectively.
Page 11
Structure of theorem, proof
- Program: 10^6 instructions
- Theorem: 2 x 10^6 words (safe( ... ) applied to the program)
- Proof: 10^5 + 10 x 10^6
Layers of the proof:
- Program-specific lemmas
- Programming-language-specific lemmas: Recursive Types, Fixed Point Theorem, Hoare's Logic
- Machine Instructions
- Cardinality, Partial Orders, Modular Arithmetic
Page 12
POPL '00: Principles of Programming Languages (Jan. 2000)
Page 13
Software engineering of proofs

| | Programming | Proving |
|---|---|---|
| Finding the right abstractions is critical | Data types; Functions | Data types (sets, metric spaces); Lemmas |
| All details must be filled in | All details must be filled in | All details must be filled in |
| Engineering | Divide large program into modules with clean interfaces | Divide large proof into modules with clean interfaces |
| | Break large algorithms into one-page functions | Break large proofs into one-page lemmas |
| | Strive for readability and maintainability | Strive for readability and maintainability |
Page 14
Compiling with proofs
[Figure: the proof-carrying code architecture of page 6 again: on the producer side, source program, compiler, native code, hints, policy and safety theorem feed the prover, which yields the safety proof; on the consumer side, policy, safety theorem, native code and proof feed the checker, which must say OK before execution.]
Page 15
Compiling with proofs
[Figure: the code producer side only: source program, compiler, native code, hints, policy and safety theorem feed the prover.]
How to build a compiler that can produce a proof?
Page 16
Phases of a compiler

| Representation | Produced by | Traditional compiler | Certifying compiler |
|---|---|---|---|
| Source Program | | type-check | type-check |
| High-level intermed. lang (IL) | Parse, Semantic analysis | untyped | type-check |
| Medium-level IL | Analysis, Optimization | untyped | type-check |
| Low-level IL | Code Generation | untyped | type-check |
| Machine Language | Register Allocation | untyped | proof-check |
Page 17
Using a certifying compiler in PCC
[Figure: the certifying compiler pipeline (Parse, Semantic analysis → High-level IL → Optimization → Medium-level IL → Code Gen. → Low-level IL → Register Alloc. → Machine Language), with a type-check of the source program and of each IL. Its outputs, the program for execution plus hints, go to the theorem prover together with the safety theorem.]
Operation of theorem-prover is completely automatic; no assistance needed from programmer!
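The per-phase type-check in the pipeline above is what lets a bug in a late phase be caught before it reaches machine language. As an added example (not FLINT code), here is a type-checker for a tiny, constructed typed low-level IL, with register types "int" and ("ptr", n), run over correct code and over the output of a hypothetical register-allocation bug that reuses a pointer register too early:

```python
# Added example (not FLINT code): a type-checker for a tiny typed low-level IL,
# showing how a per-phase type-check catches a miscompilation before it
# reaches machine language. The IL, its types and programs are constructed.
class ILTypeError(Exception):
    pass

def need(env, reg, ty):
    """Require register `reg` to currently hold type `ty`."""
    if env.get(reg) != ty:
        raise ILTypeError(f"{reg} has type {env.get(reg)}, expected {ty}")

def typecheck(program, env):
    """Check a straight-line IL program against initial register types.
    Types: "int", or ("ptr", n) = pointer to an n-word record of ints.
    Returns the register types after the program, or raises ILTypeError."""
    env = dict(env)
    for ins in program:
        op = ins[0]
        if op == "add":                # add rd, rs1, rs2: both sources ints
            _, rd, r1, r2 = ins
            need(env, r1, "int"); need(env, r2, "int")
            env[rd] = "int"
        elif op == "mov":              # mov rd, rs: copies value and type
            _, rd, rs = ins
            if rs not in env: raise ILTypeError(f"{rs} undefined")
            env[rd] = env[rs]
        elif op in ("load", "store"):  # load rd, off(rs) / store rv, off(rs)
            _, r, off, rs = ins
            t = env.get(rs)
            if not (isinstance(t, tuple) and t[0] == "ptr"):
                raise ILTypeError(f"{rs} is not a pointer: {t}")
            if off % 4 or not 0 <= off < 4 * t[1]:   # 4-byte words, in bounds
                raise ILTypeError(f"offset {off} outside {t[1]}-word record")
            if op == "load": env[r] = "int"
            else: need(env, r, "int")
        else:
            raise ILTypeError(f"unknown instruction {op}")
    return env

INIT = {"r1": ("ptr", 2)}   # r1 points at a 2-word record of ints
# Correct code for field0 + field1 -> r5.
GOOD = [("load", "r3", 0, "r1"), ("load", "r4", 4, "r1"), ("add", "r5", "r3", "r4")]
# Output of a buggy register-allocation pass that reused r1 too early.
BAD = [("load", "r3", 0, "r1"), ("mov", "r1", "r3"),
       ("load", "r4", 4, "r1"), ("add", "r5", "r3", "r4")]

def is_well_typed(program, env=INIT):
    try:
        typecheck(program, env); return True
    except ILTypeError:
        return False
```

The same check also rejects an out-of-bounds field offset or a store of a pointer where an int is expected, which is the kind of invariant a typed IL carries from the front-end down to code generation.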
Page 18
The FLINT project
[Figure: front-ends (Parse & semantic) for Safe C, ML and Java all produce High-level FLINT; Analysis & Optimization yields Medium-level FLINT; Code Gen. yields Low-level FLINT; each FLINT level is type-checked. The program for execution plus hints go to the theorem prover together with the safety theorem.]
- Add new front-ends to build new certifying compilers!
- Key: use typed intermediate languages!
- Long-Term Objective: to build a FLINT VM that uses low-level typed mobile code, and can run on any device!
Page 19
Why typed intermediate languages?
- Essential for certifying compilers: PCC and TAL are good, but how to generate them?
- Safe and secure low-level mobile code (Why? applets, JINI, active network, extensible systems); the Java VM language is too complex and high-level
- Types for stating and verifying invariants: IDL for common component libraries; safe and principled language interoperation
- Help optimizations and compiler debugging (useful but not critical)
Page 20
FLINT as a common typed IL

| Languages | Challenges | Approaches |
|---|---|---|
| "Safe" C | explicit memory management; efficient array access | state & region dependent types |
| Java & JVML | classes; interfaces; objects; access control & privacy; name-based subtyping; dynamic linking & loading; reflection; concurrency | The F calculus; row-kind; dot notation; ??? |
| ML | module system (functor); closures & polymorphism; recursive data types | The F calculus; ref; exn |
Page 21
ICFP '00: International Conference on Functional Programming (Sept. 2000)
Page 22
Proof-Carrying Authentication: traditional approach
[Figure: Alice asks Bob to "read foo". Charlie has issued a cert. Bob, who holds the policy, runs a decision procedure over Alice's signature and the cert.]
Page 23
Proof-Carrying Authentication: our approach
[Figure: the same request, "read foo", with Charlie's cert, but Alice sends Bob a proof, and Bob only runs a proof checker against his policy.]
Page 24
6th ACM Conference on Computer and Communications Security (Nov. 1999)
Page 25
Proof Tree
[Figure: the proof that Bob should grant "read foo", read from the root down:]
- Goal: readfoo
- readfoo by modus ponens from "Alice says readfoo" and Bob's policy "(Alice says readfoo) implies readfoo"
- "Alice says readfoo" by modus ponens from "KA signed readfoo" (established by checking the signature) and "(KA signed readfoo) implies (Alice says readfoo)"
- "(KA signed readfoo) implies (Alice says readfoo)" by forall-elimination from "for all F, (KA signed F) implies (Alice says F)", which is itself established by a subproof
Page 26
Definitions and Lemmas
- can define new abstractions, in terms of existing ones:
  - keybind(K,A) = for all F, (K signed F) implies A(F)
  - A controls F = A(F) implies F
  - CA(C) = for all K, for all A, C controls keybind(K,A)
- can prove lemmas, then use them
- prove properties of defined abstractions
- abstractions need not be primitives
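The checker of page 7 (a proof is a tree of inference rules with axioms at the leaves, and checking it is a tree walk) applied to the proof tree of page 25, whose key-binding axiom is the keybind(KA, Alice) definition of page 26. This is an added example, not the authors' code: formulas and proof nodes are plain tuples, and the names Alice, KA, readfoo and the table of verified signatures are constructed for the example.

```python
# Added example: a tiny proof checker (page 7) run over the "read foo" proof
# tree of page 25. Names and the signature table are constructed here.
def subst(formula, var, term):
    """Replace the bound variable `var` by `term` throughout `formula`."""
    if formula == ("var", var):
        return term
    if isinstance(formula, tuple):
        return tuple(subst(f, var, term) for f in formula)
    return formula

def check(proof, policy, signed):
    """Return the formula `proof` establishes, else raise ValueError.
    policy: Bob's axioms; signed: (key, statement) pairs whose signature verified."""
    rule = proof[0]
    if rule == "axiom":            # leaf: must be one of Bob's policy formulas
        if proof[1] not in policy:
            raise ValueError(f"not in policy: {proof[1]}")
        return proof[1]
    if rule == "check_sig":        # leaf: 'K signed S' only if the signature verified
        if (proof[1], proof[2]) not in signed:
            raise ValueError(f"no signature by {proof[1]} on {proof[2]}")
        return ("signed", proof[1], proof[2])
    if rule == "mp":               # modus ponens: from (A implies B) and A, get B
        imp, ante = check(proof[1], policy, signed), check(proof[2], policy, signed)
        if imp[0] != "imp" or imp[1] != ante:
            raise ValueError(f"modus ponens mismatch: {imp} / {ante}")
        return imp[2]
    if rule == "forall_elim":      # from (forall F. body) get body[F := term]
        quant = check(proof[1], policy, signed)
        if quant[0] != "forall":
            raise ValueError(f"not universal: {quant}")
        return subst(quant[2], quant[1], proof[2])
    raise ValueError(f"unknown rule: {rule}")

# Bob's policy (page 25): Alice may read foo, and key KA speaks for Alice.
READFOO = ("atom", "readfoo")
ALICE_MAY_READ = ("imp", ("says", "Alice", READFOO), READFOO)
KEYBIND = ("forall", "F", ("imp", ("signed", "KA", ("var", "F")),
                                  ("says", "Alice", ("var", "F"))))
BOB_POLICY = {ALICE_MAY_READ, KEYBIND}
SIGNED = {("KA", READFOO)}     # constructed: KA's signature on readfoo verified
# The proof tree of page 25, as the requester sends it to Bob.
PROOF = ("mp", ("axiom", ALICE_MAY_READ),
         ("mp", ("forall_elim", ("axiom", KEYBIND), READFOO),
                ("check_sig", "KA", READFOO)))

def bob_grants(proof, goal=READFOO):
    """Bob executes the request only if the proof checks and proves `goal`."""
    try:
        return check(proof, BOB_POLICY, SIGNED) == goal
    except ValueError:
        return False
```

Bob's trusted base here is `check`, the policy set and the signature verifier; a malformed tree, an unsigned statement, or a proof of the wrong goal all fail the check rather than being executed.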
Page 27
Web server/browser prototype (under construction)
[Figure: the browser issues "get http://..." through a custom proxy server that holds the policy and runs the prover; the proxy sends the resulting proof to the web server to authenticate, and the web server's checker, using its own policy, returns the web page.]
Page 28
Accomplishments to date
- Policy: Specification of SPARC, MIPS semantics; Models for reasoning about security policies; Authentication logic for Web browser
- Prover: Basic lemmas about logic, arithmetic, sets, lists, sequences, equiv. relations; Derivation of Hoare logic from machine semantics; Set-theoretic model of types (completed, but too weak); PER model of types (powerful, but still much work left to do)
- Checker: Selection of proof-representation language; Evaluation of suitability of various checker software
- FLINT compiler: FLINT/ML (alpha release); FLINT/Javasub (prototype); Released as part of the SML/NJ compiler; Types are now propagated through all optimization phases