Proof Carrying Code

Zhiwei Lin

Posted on 31-Dec-2015


Page 1

Proof Carrying Code

Zhiwei Lin

Page 2

Outline

– Proof-Carrying Code

– The Design and Implementation of a Certifying Compiler

– A Proof-Carrying Code Architecture for Java

– A Certifying Compiler for Java

Page 3

Proof-Carrying Code

George C. Necula

Carnegie Mellon University

January 1997

Page 4

Proof-Carrying Code

Why do we need Proof-Carrying Code?

– In distributed and web computing, particularly when mobile code is allowed.

– Agent A on one node of the network writes a component of the software in ML, compiles it to native machine code, then transmits it to an agent B on another node for execution.

– How does agent A convince agent B that the native code has the type-safety properties shared by all ML programs?

Page 5

Proof-Carrying Code

A code consumer must become convinced that the code supplied by an untrusted code producer has some set of properties.

We need to establish “trust” between the consumer and the producer.

Page 6

Proof-Carrying Code

One solution => Cryptography

– Ensure that the code was produced by a trusted person or compiler.

– This is weak because of its dependency on personal authority.

– Even trusted persons, or compilers written by them, can make errors occasionally.

Page 7

Proof-Carrying Code

Our solution => PCC

– The code consumer specifies a safety policy, that is, under what conditions it considers the execution of a foreign program to be safe, and makes it public to code producers.

– The code producer creates a formal safety proof that proves, for the untrusted code, adherence to the safety rules.

– The code consumer uses a simple and fast proof validator to check that the proof is valid and hence that the foreign code is safe to execute.

Page 8

Proof-Carrying Code

3 Stages of PCC

– Stage 1: Certification

The code producer compiles the source code and verifies the program with respect to the specification described by the safety policy.

A proof of successful verification together with the native code component forms the PCC binary.

The code producer can store the resulting PCC binary for future use, or can deliver it to code consumers for execution.

Page 9

Proof-Carrying Code

3 Stages of PCC

– Stage 2: Validation

The code consumer validates the proof part of the PCC binary and loads the native code component for execution.

The existence of the proof allows the verification process to be performed off-line and only once for a given program, independently of the number of times it is executed.

Page 10

Proof-Carrying Code

3 Stages of PCC

– Stage 3: Execution

The code consumer executes the machine-code program many times without performing additional run-time checks, because the previous validation stage ensures that the code obeys the safety policy.

Page 11

Proof-Carrying Code

Figure: PCC workflow. Code producer (user process): Source Program → Compilation & Certification → PCC Binary (Native Code + Safety Proof). Code consumer (runtime system): Safety Policy → Proof Validation → Enable → CPU.

Page 12

Certifying Compiler

George C. Necula, Peter Lee

Carnegie Mellon University

June 1998

Page 13

Certifying Compiler

Certifying Compiler vs. PCC

– PCC depends on semi-automatic theorem-proving techniques to generate safety proofs.

– A certifying compiler produces safety proofs for a PCC system for type safety completely automatically.

Page 14

Certifying Compiler

What is a Certifying Compiler?

– A combination of a compiler and a certifier.

– A compiler that translates programs into assembly language programs, and a certifier that automatically checks the type safety and memory safety of any assembly language program produced by the compiler.

Page 15

Certifying Compiler

Figure: Overview of the Certifying Compiler. Compiler → (Type Specification, Annotated Code) → Certifier → Proof / Counterexample.

Page 16

Certifying Compiler

Overview of the Certifying Compiler

– The compiler is a traditional compiler adapted to produce type specifications and code annotations in addition to the assembly language target program.

– The purpose of the code annotations is to make it possible for a simple certifier to understand enough of the code to verify its type safety and memory safety.

Page 17

Certifying Compiler

The certifier subsystem is itself a pipeline composed of three subsystems:

– The verification condition generator (VCGen)

– The prover

– The proof checker

Page 18

Certifying Compiler

Figure: The Structure of the Certifier. VCGen → Safety predicate → Prover → Proof → Proof Checker.

Page 19

Certifying Compiler

Certifying Steps

– Step 1: Verification Condition

VCGen scans the annotated assembly language program and, using the type specifications and the code annotations, produces a safety predicate for each function in the code, such that the safety predicate has a proof if and only if the assembly language program is memory-safe and type-safe according to the typing specification.

Page 20

Certifying Compiler

Certifying Steps

– Step 2: Prover

The safety predicate is submitted to a prover for first-order predicate logic that produces a formal proof of the predicate.

Page 21

Certifying Compiler

Certifying Steps

– Step 3: Proof Checker

The safety predicate and its proof are given to a very simple proof checker that verifies that we actually have a valid proof of the required safety predicate, and therefore that the compiler output is memory-safe and type-safe.

Page 22

A Proof-Carrying Code Architecture for Java

Christopher Colby, Peter Lee, and George C. Necula

In 12th CAV 2000, Chicago, 15 July 2000.

Page 23

A PCC Architecture for Java

Figure: A PCC Architecture for Java. Code Producer: Java Bytecode → Certifying Compiler → Native Code + Annotations → VC Generator → VC → Proof Generator (using Axioms & Rules) → Proof. Host: Native Code + Annotations → VC Generator → VC; Proof Checker validates the Proof against the VC using the same Axioms & Rules.

Page 24

A PCC Architecture for Java

A PCC architecture comprises two parts:

– Code Producer

A compiler generates native code from a Java .class file. This compiler is largely conventional except that it attaches some logical annotations to the resulting binary.

Page 25

A PCC Architecture for Java

A PCC architecture comprises two parts:

– Code Producer

• The annotated binary is then analyzed by a verification-condition generator. By scanning each native-code instruction and emitting safety conditions as they arise, the VC Generator outputs a logical predicate that describes a precondition which, if true, implies that any possible execution of the binary is safe. The result is called the verification condition (VC).

Page 26

A PCC Architecture for Java

A PCC architecture comprises two parts:

– Code Producer

• The VC is sent to an automated theorem prover, which attempts to prove the VC and, if successful, outputs the resulting logical proof in binary form. The annotations and proof are added to the binary as an .lf segment, thus producing a PCC binary. This object file can be loaded and linked with existing tools just like any other object file.

Page 27

A PCC Architecture for Java

A PCC architecture comprises two parts:

– Host

• The host first separates the annotated binary from the proof.

• The host then runs a VC generator on the annotated binary to produce a VC from a safety policy specified by the same set of rules and axioms.

• Lastly, it checks the proof to make sure that it is indeed a valid proof under the safety policy.
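As an added illustration (not from the slides, and not code from Necula's or Colby's systems), the following toy Python model covers the producer/host split of pages 24 through 27 and the VCGen → prover → checker pipeline of pages 17 through 21. The straight-line program format, the single input register r0, the interval "shift" proof rule and the memory size are all constructed for this example; in a real PCC system the precondition on r0 would come from the type specification and is enforced by the host at the call site, so the proof only has to certify the code under it.

```python
SIZE = 16  # safety-policy parameter fixed by the code consumer (host)

def vcgen(program, pre):
    """Symbolically scan straight-line code; registers hold (k, c) = k*r0 + c for the
    single input r0. Each memory access yields an obligation: address in [0, SIZE)."""
    regs, obligations = {"r0": (1, 0)}, []
    for op, a, b in program:
        if op == "set":      # a := constant b
            regs[a] = (0, b)
        elif op == "add":    # a := a + b
            regs[a] = (regs[a][0] + regs[b][0], regs[a][1] + regs[b][1])
        elif op == "load":   # a := mem[b]
            obligations.append(regs[b])
        elif op == "store":  # mem[a] := b
            obligations.append(regs[a])
    return {"pre": pre, "obligations": obligations}   # pre = (lo, hi): lo <= r0 < hi

def prove(vc):
    """Producer side: derive each address interval from the precondition as a checkable step."""
    lo, hi = vc["pre"]
    proof = []
    for k, c in vc["obligations"]:
        lo2, hi2 = k * lo + c, k * (hi - 1) + c + 1   # range of k*r0 + c under pre
        if k not in (0, 1) or lo2 < 0 or hi2 > SIZE:  # toy prover handles k in {0,1}
            return None                                # no proof: refuse to certify
        proof.append(("shift", k, c, lo2, hi2))
    return proof

def check(vc, proof):
    """Consumer side: no search, just re-verify each step against the consumer's own VC."""
    lo, hi = vc["pre"]
    if len(proof) != len(vc["obligations"]):
        return False
    for (k, c), (rule, pk, pc, lo2, hi2) in zip(vc["obligations"], proof):
        if (rule, pk, pc) != ("shift", k, c) or pk not in (0, 1):
            return False   # step does not fit this obligation
        if (lo2, hi2) != (pk * lo + pc, pk * (hi - 1) + pc + 1) or lo2 < 0 or hi2 > SIZE:
            return False   # wrong arithmetic, or interval escapes the policy bound
    return True

def producer(program, pre):   # PCC binary = code + annotation (pre) + proof
    proof = prove(vcgen(program, pre))
    return None if proof is None else {"code": program, "pre": pre, "proof": proof}

def host_load(pcc):           # host re-runs VCGen itself; never trusts a shipped VC
    return check(vcgen(pcc["code"], pcc["pre"]), pcc["proof"])

PROGRAM = [("set", "r1", 2), ("add", "r1", "r0"),        # r1 = r0 + 2
           ("load", "r2", "r1"), ("store", "r1", "r2")]  # mem[r0 + 2] read and written
SAFE = producer(PROGRAM, (0, 14))  # constructed annotation: 0 <= r0 < 14
```

Widening the annotation to 0 <= r0 < 15 makes the prover refuse (address 16 is out of bounds), and editing either the code or the annotation of an already certified binary makes the host's recomputed VC disagree with the shipped proof, so the load is rejected.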

Page 28

Advantages Over Related Techniques

The trustworthiness of the proof checker is an important advantage over approaches that involve the use of complex compilers or interpreters in the code consumer. Here, almost the entire burden is on the code producer. The code consumer has only to perform a fast, simple, and easy-to-trust proof-checking process.

No cryptography or trusted third parties are required, because PCC binaries are ‘self-certifying’.

Page 29

Advantages Over Related Techniques

As the untrusted code is verified statically before it is executed, we not only save execution time but also detect potentially hazardous operations early, thus avoiding situations in which the code consumer must kill the untrusted process after it has acquired resources or modified state.

Page 30

Conclusion

– PCC Theory

– Certifying Compiler

– PCC Architecture for Java

– Advantages of PCC