safe kernel extensions without run-time checking george c. necula peter lee carnegie mellon u
DESCRIPTION
Starting Idea Code Producer Code Consumer Untrusted code Verifies safety of code Good idea but …TRANSCRIPT
![Page 1: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/1.jpg)
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME
CHECKINGGeorge C. NeculaPeter LeeCarnegie Mellon U
![Page 2: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/2.jpg)
Overview• Paper presents a technique allowing kernels
to check extension safety – Code receiver defines a set of safety
rules that guarantee safe behavior of programs,
– Code producer creates a formal safety proof that its code adheres to the safety rules
– Code receiver uses a simple and fast proof validator to check that the code is safe
![Page 3: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/3.jpg)
Starting Idea
Code Producer
Code Consumer
Untrusted code
Verifies safetyof code
• Good idea but …
![Page 4: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/4.jpg)
Starting Idea
Code Producer
Code Consumer
Untrusted code
Verifies safetyof code
• Formally proving the safety of untrusted code requires a large amount of effort
![Page 5: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/5.jpg)
Shift the burden to the producer
Code Producer
Code Receiver
Untrusted code +Safety Proof
Validatesproof
• Works better
Proves safetyof its code
![Page 6: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/6.jpg)
Proof-carrying code• Code producer must establish and
prove the safety of the code– Attaches proof to code
• Code consumer only has to validate the proof– Much simpler task
![Page 7: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/7.jpg)
Advantages• Code producer does most of the validation
work• Code consumer does not care how the
proofs are constructed • PCC programs are tamperproof
– Changing the code voids the proof• No cryptography • No trusted third parties• Errors are detected before code is run
![Page 8: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/8.jpg)
Difficulties• How to encode the formal proof? • How to check the proof?
– Not an easy task • How to relate the proof with the
program?
![Page 9: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/9.jpg)
![Page 10: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/10.jpg)
Implementation• Basic elements:
– Formal specification language used to express the safety policy
– Formal semantics of the language used by the untrusted code
– Language used to express the proofs– Algorithm for validating the proofs – Method for generating the safety
proofs
![Page 11: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/11.jpg)
Formal Specification Language
• Expresses the safety policy of the receiver
• Uses first-order predicate logic extended with predicates for type safety and memory safety
![Page 12: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/12.jpg)
Formal semantics of language
• Describes the language used by the untrusted code– A logic relating programs to
specifications• Untrusted code is DEC Alpha machine
code– Was at that time the fastest
microprocessor
![Page 13: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/13.jpg)
Proof language• Variant of Edinburgh Logical Framework
(LF)– Essentially a typed lambda calculus– Can easily encode a wide variety of
logics, including higher-order logics
![Page 14: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/14.jpg)
Proof validation• Simple LF type checker• Basic tenet of LF is that proofs are
represented as expressions and predicates as types– In order to check the validity of a
proof we only need to typecheck its representation
![Page 15: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/15.jpg)
Generating safety proofs• Uses a theorem prover
– First, the code is scanned by the same verification generator that the consumer uses
– Then the predicate is submitted to a theorem prover that attempts to prove that predicate
– In case of success, prover emits an LF representation of the proof
![Page 16: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/16.jpg)
Application• Machine code implementation of
network packet filters • Safety policy was focused on fine-
grained memory safety• Safety proofs were smaller than 800
bytes • Required no more than 3ms on a DEC
Alpha to be validated.
![Page 17: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/17.jpg)
More details
Observe that all four filters are very small
![Page 18: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/18.jpg)
Run time• Average per packet runtime of the four
PCC packet filters• Compared with
– BSD Packet Filter Interpreter (will be slow!)
– Using software fault isolation– Using a safe subset of Modula 3 plus
the VIEW extension for safe pointer casting
![Page 19: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/19.jpg)
BFI is worst!
![Page 20: SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U](https://reader035.vdocument.in/reader035/viewer/2022081808/5a4d1b127f8b9ab059990158/html5/thumbnails/20.jpg)
Conclusion• PCC allows server or kernel to interact
safely with untrusted code• PCC has no runtime overhead for
receiver• Safety policies are defined by receiver
– Much more flexible
Too bad that safety proofsare so hard to construct!