dealing with untrusted mobile code – proof carrying code & authentication
DESCRIPTION
Dealing with Untrusted Mobile Code – Proof Carrying Code & Authentication. Christopher Howard CSCI 342 – Group B1 February 15, 2007. References. Internal: George C. Necula. Proof-Carrying Code . Andrew W. Appel and Edward W. Felten. Proof-Carrying Authentication. - PowerPoint PPT PresentationTRANSCRIPT
Dealing with Untrusted Mobile Code – Proof Carrying Code &
Authentication
Christopher HowardCSCI 342 – Group B1
February 15, 2007
References
Internal: George C. Necula. Proof-Carrying Code . Andrew W. Appel and Edward W. Felten.
Proof-Carrying Authentication. GC Necula, P Lee.
The Design and Implementation of a Certifying Compiler Christopher Colby, Peter Lee, George C. Necula, Fred Blau,
Ken Cline, Mark Plesko. A Certifying Compiler for Java External:
http://raw.cs.berkeley.edu/pcc.html http://en.wikipedia.org/wiki/Proof-Carrying_Code http://www.cigital.com/irc/march00-irc http://www.drdc-rddc.gc.ca/researchtech/malicots/
compile_e.asp www.tolerantsystems.org/ITS_Ref/ wwwhome.cs.utwente.nl/~etalle/school2000/Material/Lee/
Outline Introduction Dealing w/ Untrusted Code (Mobile
Code) Trust vs. Protection/Enforcement Proof Carrying Code (PCC) Concept
Certifying Compiler Verification by Host
Proof Carrying Authentication (PCA) Mixing Trust and Enforcement
Discussion
What’s My Motivation
Application of the PCC concept in; Security and Authentication (discussed
later). Establishing trust in untrusted (mobile) code.
Interested in code sandboxes and ability to shield system from malicious code.
Ability of PCC to reduce the usual performance impacts of checking the safety of running code.
The Problem: Untrusted (Mobile) Code
What assurance does a system have that mobile code will not; Damage internal data structures Violate memory safety Misuse system resources or cause deadlock Follow the established security policy
Goal: Verify mobile code will not violate system security policy without; Seriously impacting performance on the host
system
Two Possible Solutions Trust
Proof Carrying Authentication Idea: Run only trusted code. Use technology to establish trust
Public-key infrastructure (PKI) Code signing (Cryptographic protection)
Subject to corruption Works for any security property
(type safety, memory protections, etc)
Protection/Enforcement Proof Carrying Code & Certifying Compilers Idea: Run untrusted, safe code Use technical mechanisms to ensure code is safe
Certifying compilers High assurance Works for only some security properties.
Enforcing Code Safety:Proof Carrying Code
Proof Carrying Code (PCC) Software mechanisms that allows a host system
to verify properties about an application via a formal proof that accompanies the application's executable code.
This formal proof shows that the mobile application complies with the system policy.
The host system can use a simple and fast proof validator to check the conclusions of the proof against its own security policy to determine whether the application is safe to execute.
Proof Carrying Code Concept
Please install and execute this.
OK, but let me quickly look over the instructions first.
Code producer Host
PCC For Dummies
Code producer Host
PCC For Dummies
This store instruction is dangerous!
Code producer Host
PCC For Dummies
Can you prove that it is always safe?
Code producer Host
PCC For Dummies
Can you prove that it is always safe?
Yes! Here’s the proof I got from my certifying Java compiler!
Code producer Host
PCC For Dummies
Your proof checks out. I believe you because I believe in logic.
Code producer Host
PCC For Dummies
The Certifying Compiler At the heart of the PCC concept is the certifying compiler
A new type of compiler that enforces a formal security policy while translating the source code into the an executable.
Inputs: normal source code and a formal security policy Outputs: annotated version of normal executable code and
proof guaranteeing compliance to the policy NOTE: PCC does not require use of a Certifying Compiler,
proofs can be written by hand.
The Certifying Compiler So how does it do its magic?
Source Code is compiled to machine code that contains annotations.
The safety policy is encoded into the verification-condition generator (VCgen) which, maps each machine-language program to a safety theorem.
The annotated machine code is sent to the VCgen which, verifies the code and produces the verification conditions (VC’s).
The VC’s are passed to the theorem prover which, produces the proof that the program follows the security policy.
Example Annotations
(a) Sample program (b) Compiler output
w/ annotations (c) type specification
Example Proof
Proof 1: Safe to read from an array of element if the index is within array boundaries.
Proof 2: Result of the read from the array must be of the same type as the array elements.
Proof Carrying Code Revisited
Verification by Host System
Host System receives: Executable code w/
annotations Proof that code is safe
(“adheres to policy”). Host verifies code
safety Safety policy is encoded
into VCgen. Annotated code is run
through VCgen to produce VC’s.
VC’s and proof are verified by proof checker for correctness.
Advantages of PCC
Burden of proving code safety shifted to the code producer.
Host system does not need any knowledge about how the certifying proof was constructed.
Host need not trust certifying compiler or proof-generator. Code is determined safe before it runs. No cryptography or third party certification of code
safeness needed. Proof is considered “semantic checksum” of program
making it tamperproof because any modification to the program will cause either;
The proof to no longer be valid. The proof will be valid but will not represent the untrusted
executable code. The modification didn’t change the proof or the executable
code.
PCC: What About Performance
Time: Time to check code proof is very minimal! Proof generation time can range between 1 - 2x compilation
time. Space:
Proofs are large! On average 76% of the code size.
Establishing Trust in Mobile Code:Proof Carrying Authentication
Proof Carrying Authentication (PCA) Software mechanisms that allows a
host system to verify weather we should trust a particular piece of mobile code.
Once trust is established the code is trusted to act within the systems policy.
The proof in this case proves to the host system that a piece of code should be trusted.
Traditional Authentication Example
Alice Bob
policy
“read foo”
Charlie
cert
signature + cert decisionprocedure
Proof Carrying Authentication Example
Alice Bob
policy
“read foo”
Charlie
cert
proof proofchecker
Proof Carrying Authentication Concept
Code Producer
Code Consumer
Verification Condition
Prover
Compiler
Inspect&
Sign
Checker OK
ExecuteSourceProgram
Verification Condition
load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20
Native Code
Proof
Policy Policy
Certs
Establishing Trust
Code with hash 0x52…
has property P, signed KA
Code Signing
“Alice’s key is KA”
signed KC
Public-Key Certificates
I trust Alice
for code signing
KC is Charlie’s key
I trust Charlie
for key certification
OK to run code with property P
Policy and AxiomsOK to run
this code?
Example Proof
KC signed (x. (KA signed x)
(Alice says x))
x. (KC signed x) (Charlie says x)
“Alice’s key is KA”
signed KC
KC is Charlie’s key
I trust Charlie
for key certification
K. P. x.
(KC signed y.(K signed y) (P says y))
(K signed x) (P says x)
x. (KA signed x) (Alice says x)
Full Proof Carrying Authentication Example
Conclusions: Mixing Trust w/ Enforcement, Writing Policies
Enforcement/Protection (PCC) offers higher assurance than trust (PCA) does.
But PCC doesn’t work for all properties while PCA does. “This program will not display misleading dialog boxes.” “This control software won’t let the vehicle tip over.”
Integration allows mixed use of trust (PCA) and protection (PCC) for different properties within the same program.
Both PCA and PCC depend on well written and defined policies. Creating good policies can be difficult.
That’s all folks!