Typed Assembly Language and Proof-Carrying Code

Nicholas MooreBianca Curutan

Pooya SamizadehMcMaster UniversityMarch 30, 2012

Part I:Typed Assembly Language

IntroductionTAL and PCCTAL-0 Real World Application

Typed Assembly Language (TAL) extends traditional untyped assembly languages with typing annotations, memory management primitives, and a sound set of typing rules

These typing rules guarantee the memory safety, control flow safety, and type safety of TAL programs

Introduction

Principle of Proof-Carrying Code (PCC): Eliminate the need to trust code by requiring a formal, machine-checkable proof that the code has some desired properties

1. What properties should we require of the code?

2. How do code producers construct a formal proof that their code has the desired properties?

TAL and PCC

Control-flow Safety: Ensure that a program jumps only to a well-defined subset of possible entry points

A focus on control-flow safety allows us to develop a simple abstract machine and demonstrate the key ideas of adapting a type system to machine code

TAL-0

Instructions and Operands

TAL-0 (cont’d)

Abstract Machine Syntax

TAL-0 (cont’d)

Limitations:◦Only supports simple tuple or record-like data

structures◦ Insufficient for compiling real-world high-level

languages which provide data abstraction mechanisms

◦Can only allocate objects whose size is known at compile time

Real World Application

Examples to make type system more useful:◦Annotate primitive memory type components

with flags to control whether that component supports read-only, write-only, or read-write access

◦Add support for subtyping◦Consider a read-write component to be a

subtype of a read-only or a write-only component

Real World Application (cont’d)

Part II:Proof-Carrying Code

IntroductionTouchstone PCC ArchitectureAdvantages Over Related TechniquesTechnical Difficulties to Overcome

Proof-Carrying Code (PCC): General framework that allows the host to verify properties about an agent via a formal proof that accompanies the executable code

The host system can quickly verify the validity of the proof and compare the conclusions to its own security policy to determine if the agent has certain safety properties

Introduction

Touchstone PCC Architecture

1. Operates at load time before the agent code is installed in the host system

2. Trusted computing base is small3. Can operate even on agents expressed in

native-code form4. General – all PCC has to do is verify safety

explanations and match them with the code and safety policy

Advantages Over Related Techniques

How to encode the formal proof?

How to check the proof?

How to relate the proof with the program?

Technical Difficulties to Overcome

Part III:Project

IntroductionRecall TAL-0Description and Demo

Task◦Build an interpreter for the TAL-0 abstract

machine in Haskell, i.e., (lazy) functional programming language

Introduction

Instructions and Operands

Abstract Machine Syntax

Recall TAL-0

Description and Demo

Jones, Mark. Functional Programming with Overloading and Higher-Order Polymorphism. Diss. University of Nottingham. Nottingham. Print.

Liang, Sheng, Paul Hudak, and Mark Jones. Monad Transformers and Modular Interpreters. Diss. Yale University. New Haven. Print.

Necula, George. "Proof-Carrying Code." Computer Science Division, EECS at UC Berkeley. 22 July 2002. Web. 21 Mar. 2012. <http://www.cs.berkeley.edu/~necula/pcc.html>.

Pierce, Benjamin C. Advanced Topics in Types and Programming Languages. Cambridge, MA: MIT, 2005. Print.

"Typed Assembly Language Compiler." Cornell University Department of Computer Science. Web. 21 Mar. 2012. <http://www.cs.cornell.edu/talc/>.

References