An Introduction to Proof-Carrying Code Peter Lee Carnegie Mellon University

Page 1: Mobility, Security, and Proof-Carrying Code

Peter Lee, Carnegie Mellon University
Lecture 1: Course Overview
July 10, 2001
Lipari School on Foundations of Wide Area Network Programming

Page 2: Opportunities and Challenges

Page 3: Ariane 5

On June 4, 1996, the Ariane 5 took off on its maiden flight.
40 seconds into its flight it veered off course and exploded.
It was later found to be an error in reuse of a software component.
For the next two years, virtually every research presentation used this picture.

Page 4: “Better, Faster, Cheaper”

In 1999, NASA lost both the Mars Polar Lander and the Climate Orbiter.
Later investigations determined software errors were to blame.
Orbiter: component reuse error.
Lander: precondition violation.

Page 5: USS Yorktown

“After a crew member mistakenly entered a zero into the data field of an application, the computer system proceeded to divide another quantity by that zero. The operation caused a buffer overflow, in which data leaked from a temporary storage space in memory, and the error eventually brought down the ship's propulsion system. The result: the Yorktown was dead in the water for more than two hours.”

Page 6: Programmable mobile devices

By 2003, one in five people will own a mobile communications device.
Nokia expects to sell 500M Java-enabled phones in 2003.
Most of these devices will be power and memory limited.

Page 7: Observations

Failures are often due to simple problems “in the details.”
Reuse is critical but perilous.
Performance still matters a lot.

Page 8: Safety Engineering

Small theorems about large programs would be useful.
Need clearly specified interfaces and checking of interface compliance.
Must not sacrifice performance.

Page 9: But in the Real World?

Page 10: Security Attacks

According to CERT, the majority of security attacks exploit:
input validation failure
buffer overflow
VBS
Source: http://www.cert.org/summaries/CS-2000-04.html

Page 11: BSOD embarrassments

Page 12: Warranties?

LIMITED WARRANTY. Microsoft warrants that (a) the SOFTWARE PRODUCT will perform substantially in accordance with the accompanying written materials for a period of ninety (90) days from the date of receipt, …

LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, …) ARISING OUT OF THE USE OF … THE SOFTWARE PRODUCT… MICROSOFT’S ENTIRE LIABILITY … SHALL BE LIMITED TO THE GREATER OF THE AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE PRODUCT OR U.S. $5.00; PROVIDED...

Pages 13 and 14: Automotive Analogy

“If the automobile had followed the same development as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year killing everyone inside.”
- Robert Cringely

Page 15: Mobile/Wireless Devices

In ’97, 101M mobile phones vs 82M PCs. (40% vs 14%.)
95% of phones will be WAP enabled by ’04.
64Mbits of RAM in 2002.
Battery life is a primary factor.
Efficiency and bandwidth will still be precious.

Page 16: Bluetooth

670M Bluetooth-enabled devices by ’03.
70% of mobile phones Bluetooth-enabled by ’04.
Priceline.com’s grocery-store scenario.
The commercial world creates demand for “push” technologies.

Page 17: Networked Appliances

By far the largest-growing segment.
Enormous diversity of platforms.
Reliability and longevity are expected.
Major challenges for OS and language standards.

Page 18: Commercial Demands

Performance.
Mobility/extensibility.
Reliability/quality.
Well-defined languages.
Scalable security.

Page 19: Opportunities

High assurance depends fundamentally on our ability to reason about programs.
The opportunities for computational logic, type theory, and formal semantics are great.

Page 20: Challenges

The impact and cost of software failures will increase, as will the demand for extensibility.
The distinction between “safety-critical” and “consumer electronics” software will fade away.
Somebody will provide technology for “safe” systems. Will it be us?

Page 21: Is the World Ready?

Pages 22 and 23: Is the World Ready? (picture slides)

What we start with:
What we want:
What we get along the way:

Page 24: Cheese and the Sum Total of Human Knowledge

Page 25: The Code Safety Problem

Page 26: The Code Safety Problem

Please install and execute this.

Page 27: Code Safety

Diagram labels: CPU, Code, Trusted Host.
Is this safe to execute?

Page 28: Approach 1: Trust the Code Producer

Diagram labels: CPU, Code, Trusted Host, sig, Trusted 3rd Party, PK1, PK2.
Trust is based on personal authority, not program properties.
Scaling problems?

Page 29: Approach 2: Baby-sit the Program

Diagram labels: CPU, Code, Trusted Host, Execution monitor.
Expensive.
Limited in expressive power. (Why?)
E.g., Software Fault Isolation [Wahbe & Lucco], Inline Reference Monitors [Schneider].
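To make the cost and the guard placement concrete, here is an added Python model of an execution monitor. It is not from the lecture and is not the SFI or IRM systems the slide cites; the four-instruction code format and the names inline_monitor, run, COPY and monitored_copy are invented for this example. The host rewrites untrusted code so that a guard runs before every memory access, and patches branch targets so that no jump can land on an access while skipping its guard:

```python
"""Toy inline reference monitor (added illustration, not the cited systems).

Instructions (all names are invented for this example):
  ("load", buf, idx)          x := buf[idx]
  ("store", buf, idx)         buf[idx] := x
  ("addi", var, k)            var := var + k
  ("blt", var, bound, target) if var < bound: goto target
Policy: every access to buf lies in [0, len(buf)).  The host inserts a guard
before each access and then runs the code; each executed access costs a check.
"""


def inline_monitor(code):
    """Insert ("check", buf, idx) before every load/store and remap branch
    targets so that a jump lands on the guard, never on the access behind it."""
    out, newpc = [], {}
    for pc, (op, *rest) in enumerate(code):
        newpc[pc] = len(out)                  # the guard (if any) sits here
        if op in ("load", "store"):
            out.append(("check", rest[0], rest[1]))
        out.append((op, *rest))
    newpc[len(code)] = len(out)               # fall-through target
    patched = []
    for ins in out:
        if ins[0] == "blt":
            ins = ("blt", ins[1], ins[2], newpc[ins[3]])
        patched.append(ins)
    return patched


def run(code, env, mem):
    """Execute `code`.  env: variable -> int (includes register x);
    mem: buffer name -> list.  Returns (status, guards_executed)."""
    guards, pc = 0, 0
    while pc < len(code):
        op, *a = code[pc]
        if op == "check":
            guards += 1
            if not 0 <= env[a[1]] < len(mem[a[0]]):
                return f"violation at pc {pc}", guards
        elif op == "load":
            env["x"] = mem[a[0]][env[a[1]]]
        elif op == "store":
            mem[a[0]][env[a[1]]] = env["x"]
        elif op == "addi":
            env[a[0]] += a[1]
        elif op == "blt" and env[a[0]] < env[a[1]]:
            pc = a[2]
            continue
        pc += 1
    return "ok", guards


# Constructed sample: copy src[0..n) into dst[0..n) with no checks of its own.
COPY = [("load", "src", "i"),
        ("store", "dst", "i"),
        ("addi", "i", 1),
        ("blt", "i", "n", 0)]


def monitored_copy(n):
    """Run the rewritten COPY for n iterations over 4-element buffers."""
    env = {"i": 0, "n": n, "x": 0}
    mem = {"src": [1, 2, 3, 4], "dst": [0, 0, 0, 0]}
    status, guards = run(inline_monitor(COPY), env, mem)
    return status, guards, mem["dst"]


if __name__ == "__main__":
    print(monitored_copy(4))   # ("ok", 8, [1, 2, 3, 4])
    print(monitored_copy(6))   # ("violation at pc 0", 9, [1, 2, 3, 4])
```

Four iterations over four-element buffers execute eight guards; asked for six, the monitor stops at the first out-of-range load, after the buffers are already correctly filled. The unmodified code runs zero guards and, in a language without bounds checks, would read past the buffer silently. Every executed access pays for a check, which is the slide's "expensive", and a guard that sees one instruction at a time can only rule on what is decidable at that instant, which is where its expressive power ends.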

Page 30: Approach 3: Java

Diagram labels: CPU, Code, Trusted Host, Interp/JIT, Verifier.
Expensive and/or big.
Limited in expressive power.

Page 31: Approach 4: Formal Verification

Diagram labels: CPU, Code, Trusted Host, Theorem Prover.
Flexible and powerful.
But really really really hard and must be correct.

Pages 32 and 33: A Key Idea: Explicit Proofs

Diagram labels: Certifying Prover, CPU, Proof Checker, Code, Proof, Trusted Host.
The certifying prover produces an explicit proof alongside the code; the proof checker sits inside the trusted host.
No longer need to trust this component (the certifying prover).

Page 34: Proof-Carrying Code [Necula & Lee, OSDI’96]

Diagram labels: A, B.
Formal proof or “explanation” of safety.
Typically native or VM code.
rlrrllrrllrlrlrllrlrrllrrll…

Page 35: Proof-Carrying Code

Diagram labels: Certifying Prover, CPU, Code, Proof, Proof Checker.
Proof checker: simple, small (<52KB), and fast.
Certifying prover: no longer need to trust this component.
Proof: reasonable in size (0-10%).

Page 36: But...

...How to generate the proofs?
Proving theorems about real programs is hard.
Most useful safety properties of low-level programs are undecidable.
Theorem-proving systems are unfamiliar to programmers and hard to use even for experts.

Page 37: The Role of Programming Languages

Civilized programming languages can provide “safety for free”.
Well-formed/well-typed => safe.
Idea: Arrange for the compiler to “explain” why the target code it generates preserves the safety properties of the source program.

Page 38: The Role of Java in this Short Course

Java will be the main focus of the PCC examples in this course.
Java is just barely a civilized programming language.
We can and should do better.

Page 39: Java

Java is a worthwhile subject of research.
However, it contains many outrageous and mostly inexcusable design errors.
As researchers, we should not forget that we have already done much better, and must continue to do better in the future.

Page 40: Certifying Compilers [Necula & Lee, PLDI’98]

Intuition:
The compiler “knows” why each translation step is semantics-preserving.
So, have it generate a proof that safety is preserved.
“Small theorems about big programs.”
Don’t try to verify the whole compiler, but only each output it generates.

Page 41: Automation via Certifying Compilation

Diagram labels: Certifying Compiler, CPU, Source code, Proof, Object code, Certifying Prover, Proof Checker.
Looks and smells like a compiler:
% spjc foo.java bar.class baz.c -ljdk1.2.2

Page 42: Overview of the Necula/Lee Approach to PCC

Page 43: Note

Our current approach seems to work for many problems.
But it is the only one we have tried; there are many others.
PCC is a general concept and we have just barely scratched the surface.

Pages 44 to 49: Overview of Our Approach

A dialogue between the code producer and the host:

Code producer: Please install and execute this.
Host: OK, but let me quickly look over the instructions first.
Host: This store instruction is dangerous!
Host: Can you prove that it is always safe?
Code producer: Yes! Here’s the proof I got from my certifying Java compiler!
Host: Your proof checks out. I believe you because I believe in logic.
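The exchange above, as an added Python model that is not part of the lecture and not the Necula/Lee Touchstone implementation: the tiny instruction format, the four-rule inequality logic and the names lin, add, scale, vcgen, check_proof, host_accepts, certify, HYPS, GOOD and BAD are all invented for this example. The host side is only vcgen (it finds the dangerous store and states what must hold) and check_proof (it believes the proof because it believes in the rules); the producer's certifying compiler is untrusted and its output is rejected whenever it does not prove exactly the host's own verification conditions:

```python
"""Toy proof-carrying code (added illustration, not the Touchstone system).
Code is a list of ("store", buf, idx) / ("load", buf, idx).  Policy: every
access to buf lies in [0, buf_len).  A fact is a linear inequality E >= 0
with E a dict {variable: coefficient}; the key "" holds the constant term.
A proof is a list of steps over four rules, so the host's checker stays tiny;
the producer's compiler and prover are untrusted.  All names are invented."""


def lin(**coeffs):
    """Build a linear expression; pass the constant term as c=..."""
    expr = {v: k for v, k in coeffs.items() if v != "c" and k != 0}
    if coeffs.get("c", 0) != 0:
        expr[""] = coeffs["c"]
    return expr

def add(e1, e2):
    out = dict(e1)
    for v, k in e2.items():
        out[v] = out.get(v, 0) + k
    return {v: k for v, k in out.items() if k != 0}

def scale(e, k):
    return {} if k == 0 else {v: k * c for v, c in e.items()}

# ---- trusted host side: only these two functions must be correct ----------

def vcgen(code):
    """Two verification conditions per access: idx >= 0, buf_len - idx - 1 >= 0."""
    vcs = []
    for pc, (op, buf, idx) in enumerate(code):
        if op in ("load", "store"):
            vcs.append((pc, lin(**{idx: 1})))
            vcs.append((pc, lin(**{buf + "_len": 1, idx: -1, "c": -1})))
    return vcs

def check_proof(hyps, proof, goal):
    """True iff `proof` derives exactly `goal` from `hyps` using only the rules
    hyp / const / scale / add.  Malformed proofs are rejected, never raised."""
    facts = []
    try:
        for rule, *args in proof:
            if rule == "hyp":                  # cite a precondition
                fact = hyps[args[0]]
            elif rule == "const":              # c >= 0 only for a literal c >= 0
                if args[0] < 0:
                    return False
                fact = lin(c=args[0])
            elif rule == "scale":              # k*E >= 0 needs k >= 0
                if args[1] < 0:
                    return False
                fact = scale(facts[args[0]], args[1])
            elif rule == "add":                # E1 >= 0 and E2 >= 0 give E1+E2 >= 0
                fact = add(facts[args[0]], facts[args[1]])
            else:
                return False
            facts.append(fact)
    except (IndexError, TypeError, KeyError, ValueError):
        return False
    return bool(facts) and facts[-1] == goal

def host_accepts(hyps, code, certificate):
    """One proof per VC, in vcgen order; anything missing or wrong rejects all."""
    vcs = vcgen(code)
    if certificate is None or len(certificate) != len(vcs):
        return False
    return all(check_proof(hyps, p, vc) for p, (_, vc) in zip(certificate, vcs))

# ---- untrusted producer side ----------------------------------------------

def certify(hyps, code):
    """Toy certifying compiler: prove each VC as ka*hyps[a] + kb*hyps[b] for
    small nonnegative ka, kb; return None when the code cannot be certified."""
    cert = []
    for _, vc in vcgen(code):
        found = None
        for a in range(len(hyps)):
            for b in range(a, len(hyps)):
                for ka in range(3):
                    for kb in range(3):
                        if add(scale(hyps[a], ka), scale(hyps[b], kb)) == vc:
                            found = [("hyp", a), ("scale", 0, ka),
                                     ("hyp", b), ("scale", 2, kb), ("add", 1, 3)]
        if found is None:
            return None
        cert.append(found)
    return cert

# Constructed sample: loop body `buf[i] = x`, where the compiler knows the
# loop invariant 0 <= i < n and the allocation fact n <= buf_len.
HYPS = [lin(i=1), lin(n=1, i=-1, c=-1), lin(buf_len=1, n=-1)]
GOOD = [("store", "buf", "i")]
BAD = [("store", "buf", "j")]          # nothing is known about j
```

Calling host_accepts(HYPS, GOOD, certify(HYPS, GOOD)) is the "your proof checks out" step: the upper bound is proved by adding the invariant n - i - 1 >= 0 to the allocation fact buf_len - n >= 0, and the checker recomputes that sum itself rather than taking the producer's word for it. certify(HYPS, BAD) returns None because no hypothesis mentions j, and reusing the GOOD certificate on BAD fails because the proofs derive facts about i while the host's verification conditions for BAD are about j; a forged step such as ("const", -1) or a negative scale factor is refused by the rule check, which is the whole trusted computing base.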

Page 50: Course Overview

Page 51: This Short Course

This short course will focus on the concept of proof-carrying code.
PCC addresses code safety issues.
Reducing the trusted computing base.
Introducing a concept of “proof engineering”.
Exploiting modern ideas in compiling, theorem-proving, and logic programming.

Page 52: Proof Engineering

This course will spend much of its time on engineering matters.
In particular, the problems of “scaling up” ideas to handle realistic problems.
A completely formal or systematic understanding of many of the concepts has not yet been attained.

Page 53: Outline

In four parts:
0) Introduction and informal overview.
1) Safety infrastructure: proof representation and checking.
2) Verification and programming tools.
3) System engineering and related work.

Page 54: Summary

Page 55: Summary

The code safety problem presents great opportunities and challenges for applied logic and programming language design.
Proof-carrying code may be an example of how current knowledge can be applied to practical problems.

Page 56: Homework Exercise 1

Diagram labels: Certifying Compiler, CPU, Source code, Proof, Object code, Certifying Prover, Proof Checker.
The architecture shown in this lecture has the compiler and prover as separate communicating components. An alternative would be to have a single component that compiles and proves simultaneously.
What are some advantages and disadvantages of the separate-component approach?