An Introduction to Proof-Carrying Code

David WalkerPrinceton University

(slides kindly donated by George Necula;

modified by David Walker)

David Walker - Foundations of Security 2003 2

Motivation

• Extensible systems can be more flexible and more efficient than client-server interaction

clientserver

client-server

extensiblesystems

extension

host

David Walker - Foundations of Security 2003 3

extensiblesystem

Motivation

• Extensible systems can be more flexible and more efficient than client-server interaction

clientserver

client-server

extension

host

Source: NASA Jet Propulsion Lab

Example: Deep-Space Onboard Analysis

Bandwidth: < 1KB/secLatency: > hours

Data: > 10MB/sec

Note:• efficiency (cycles, bandwidth)• safety critical operation

David Walker - Foundations of Security 2003 5

More Examples of Extensible Systems

Device driver Operating systemApplet Web browserLoaded procedure Database serverDCOM Component DCOM client…

Host

Code

David Walker - Foundations of Security 2003 6

Concerns Regarding Extensibility

• Safety and reliability concerns How to protect the host from the extensions ?

Extensions of unknown origin ) potentially malicious

Extensions of known origin ) potentially erroneous

• Complexity concerns How can we do this without having to trust a complex

infrastructure?

• Performance concerns How can we do this without compromising

performance?

• Other concerns (not addressed here)– How to ensure privacy and authenticity?– How to protect the component from the host?

David Walker - Foundations of Security 2003 7

Approaches to Component Safety

• Digital signatures

• Run-time monitoring and checking

• Bytecode verification

• Proof-carrying code

David Walker - Foundations of Security 2003 8

Assurance Support: Digital Signatures

Host

• Example properties: • “Microsoft produced this software”• “Verisoft tested the software with test suite 17”

No direct connection with program semantics Microsoft recently recommended that Microsoft be

removed from one’s list of trusted code signers

Code

Checker

David Walker - Foundations of Security 2003 9

Run-Time Monitoring and Checking

Host

• A monitor detects attempts to violate the safety policy and stops the execution– Hardware-enforced memory protection– Software fault isolation (sandboxing)– Java stack inspection

Code

Monitor

Relatively simple; effective for many properties Either inflexible or expensive on its own

David Walker - Foundations of Security 2003 10

Java Bytecode

HostChecker

CodeJVMbytecode

Relatively simple; overall an excellent idea Large trusted computing base

– commercial, optimizing JIT: 200,000-500,000 LOC– when is the last time you wrote a bug-free 200,000 line

program?

Java-specific; somewhat limited policies

CodeCompiler

Code

David Walker - Foundations of Security 2003 11

Proof-carrying code

Host

Checker

CodeJVMbytecode

Proof

CodeCompiler

Flexible interfaces like the JVM model Small trusted computing base (minimum of 3000 LOC) Can be somewhat more language/policy independent Building an optimizing, type-preserving compiler is

much harder than building an ordinary compiler

David Walker - Foundations of Security 2003 12

Proof-carrying code

Host

Checker

CodeJVMbytecode

Proof

CodeCompiler

Question: Isn’t it hard, perhaps impossible,to check properties of assembly language?

David Walker - Foundations of Security 2003 13

Proof-carrying code

Host

Checker

CodeJVMbytecode

Proof

CodeCompiler

Question: Isn’t it hard, perhaps impossible,to check properties of assembly language?

Actually, no, not really, provided we have a proofto guide the checker.

David Walker - Foundations of Security 2003 14

Proof-Carrying Code: An AnalogyLegend: code proof

David Walker - Foundations of Security 2003 15

Proof-carrying code

Host

Checker

CodeJVMbytecode

Proof

CodeCompiler

Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hardto generate the proof?

David Walker - Foundations of Security 2003 16

Proof-carrying code

Host

Checker

CodeJVMbytecode

Proof

CodeCompiler

Question: Well, aren’t you just avoiding the real problem then? Isn’t it extremely hardto generate the proof?

Yes. But there is a trick.

David Walker - Foundations of Security 2003 17

PCC + Type-Preserving Compilation

Host

Checker

CodeJVMbytecode

ProofTypes

CodeCompiler

TypesCompiler

The trick: we fool the programmer into doing our proof for us!

•We convince them to program in a typesafe language.•We design our compiler to translate the typing derivationinto a proof of safety•We can always make this work for type safety properties

David Walker - Foundations of Security 2003 18

Good Things About PCC

1. Someone else does the really hard work (the compiler writer)

• Hard to prove safety but easy to check a proof• Research over the last 5-10 years indicates we can

produce proofs of type safety properties for assembly language

2. Requires minimal trusted infrastructure• Trust proof checker but not the compiler• Again, recent research shows PCC TCB can be as small as

~3000 LOC3. Agnostic to how the code and proof are produced

• Not compiler specific; Hand-optimized code is Ok4. Can be much more general than the JVM type system

• Only limited by the logic that is used (and we can use very general logics)

5. Coexists peacefully with cryptography• Signatures are a syntactic checksum• Proofs are a semantic checksum • (see Appel & Felten’s proof-carrying authorization)

David Walker - Foundations of Security 2003 19

The Different Flavors of PCC

• Type Theoretic PCC [Morrisett, Walker, et al. 1998]

– source-level types are translated into low-level types for machine language or assembly language programs

– the proof of safety is a typing derivation that is verified by a type checker

• Logical PCC [Necula, Lee, 1996, 1997]

– low-level types are encoded as logical predicates– a verification-condition generator runs over the program

and emits a theorem, which if true, implies the safety of the program

– the proof of safety is a proof of this theorem• Foundational PCC [Appel et al. 2000]

– the semantics of the machine is encoded directly in logic– a type system for the machine is built up directly from the

machine semantics and proven correct using a general-purpose logic (eg: higher-order logic)

– the total TCB is approximately 3000 LOC

David Walker - Foundations of Security 2003 20

The Common Theme

• Every general-purpose system for proof carrying code relies upon a type system for checking low-level program safety– why?– building a proof of safety for low-level programs is

hard– success depends upon being able to structure these

proofs in a uniform, modular fashion– types provide the framework for developing well-

structured safety proofs

• In the following lectures, we will study the low-level typing mechanisms that are the basis for powerful systems of proof carrying code