Transcript Lecture
Lecture 19: Proof-Carrying Code CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans Menu • Proof-Carrying Code • Project Group Meetings – check your email • Mike Ernst’s Top Gun Talk (3:30) • Next Time: – Gary McGraw (on smart cards) 27 July 2016 University of Virginia CS 551 2 Maze (From http://www.cedillasys.com/pages/tech/technotes/) 27 July 2016 University of Virginia CS 551 3 Proof-Carrying Maze (From http://www.cedillasys.com/pages/tech/technotes/) 27 July 2016 University of Virginia CS 551 4 Proof-Carrying Code • Guarantee properties of untrustworthy code by checking a proof provided by code producer • Creating a proof is hard – Have to make up invariants, choose cases, pick strategies, etc. • Checking a proof is easy – Simple mechanical application of rules 27 July 2016 University of Virginia CS 551 5 Proof-Carrying Code (not to scale) Certifying Compiler Program Object Code Proof Object Code Proof Code Producer Code Consumer Ok Proof Checker Policy CPU 27 July 2016 University of Virginia CS 551 6 Certifying Compiler Program Object Code Code Producer Proof Code Consumer Object Code Proof Ok Proof Checker Policy CPU 27 July 2016 University of Virginia CS 551 7 Tamper with Code Certifying Compiler Program Object Code Proof Code Producer Wily Hacker Code Consumer Tampered Code No! Proof Proof Checker CPU 27 July 2016 University of Virginia CS 551 8 Tamper with Both Certifying Compiler Program Native Code Proof Code Producer Wily P. Hacker Code Consumer But it means the desired property still holds! Tampered Code Ok No! Tampered Proof Proof Checker CPU 27 July 2016 University of Virginia CS 551 9 What must the proof prove? Safety Policy VCGen Safety Predicate Program • Depends on the policy • Code consumer must run VCGen (can’t trust proof unless it proves safety predicate) • VCGen can be developed from an operational semantics (take CS 655) 27 July 2016 University of Virginia CS 551 10 Have we seen anything like this? • Java Bytecode Verifier is a simple instance of PCC: – Bytecodes include extra information on typing, stack use, etc. – Bytecode verifier checks it to enforce lowlevel code safety properties 27 July 2016 University of Virginia CS 551 11 Let’s Stop Beating Dead Horses, and Start Beating Trojan Horses! David Evans www.cs.virginia.edu/~evans/ INFOSEC Malicious Code Workshop San Antonio, 13 January 2000 University of Virginia Department of Computer Science Charlottesville, VA Analogy: Security • Cryptography – Fun to do research in, lots of cool math problems, opportunities to dazzle people with your brilliance, etc. • But, 99.9999% of break ins do not involve attack on sensible cryptography – Guessing passwords and stealing keys – Back doors, buffer overflows – Ignorant implementers choosing bad cryptography [Netscape Navigator Mail] 27 July 2016 University of Virginia CS 551 13 Structure of Argument Low-level code safety (isolation) is the wrong focus Agree Disagree PCC is not a realistic solution for the real problems in the foreseeable future PCC is not the most promising solution for lowlevel code safety Lots of useful research and results coming from PCC, but realistic solution to malicious code won’t be one of them. 27 July 2016 University of Virginia CS 551 14 Low-level code safety • Type safety, memory safety, control flow safety [Kozen98] • All high-level code safety depends on it • Many known pretty good solutions: separate processes, SFI, interpreter • Very few real attacks exploit low-level code safety vulnerabilities – One exception: buffer overflows • Many known solutions to this • Just need to sue vendors to get them implemented 27 July 2016 University of Virginia CS 551 15 High-Level Code Safety • Enforcement is (embarrassingly) easy – Reference monitors (since 1970s) – Can enforce most useful policies [Schneider98] – Performance penalty is small • Writing good policies is the hard part – – – – Better ways to define policies Ways to reason about properties of policies Ideas for the right policies for different scenarios Ways to develop, reason about, and test distributed policies 27 July 2016 University of Virginia CS 551 16 Proofs Reference Monitors All possible executions Current execution so far No run-time costs Monitoring and calling overhead Checking integrated into code Checking separate from code Excruciatingly difficult Trivially easy Vendor sets policy Consumer sets policy 27 July 2016 University of Virginia CS 551 17 Fortune Cookie “That which must can be proved cannot be worth much.” Fortune cookie quoted on Peter’s web page • True for all users • True for all executions • Exception: Low-level code safety 27 July 2016 University of Virginia CS 551 18 Reasons you might prefer PCC • Run-time performance? – Amortizes additional download and verification time only rarely – SFI Performance penalty: ~5% • If you care, pay $20 more for a better processor or wait 5 weeks • Smaller Trusted Computing Base? – Not really smaller: twice as big as SFI (Touchstone VCGen+checker – 8300 lines / MisFiT x86 SFI implementation – 4500 lines) • You are a vendor who cares more about quality than time to market – Not really PCC (not across a trust boundary) 27 July 2016 University of Virginia CS 551 19 PCC Summary • Code producer provides a checkable proof of desired property • Code consumer verifies the proof – Can use invariants, type hints, etc. but must not assume they are true – Help direct the checker to construct a proof quickly – Take CS655 if you want to understand how it works • Enables optimizations not possible without proof • Enables guarantees not possible without proof (lack of run-time errors) 27 July 2016 University of Virginia CS 551 20 Charge • Mike Ernst’s Talk: 009 – “Dynamically Detecting Likely Program Invariants” • Read Intrusion Detection Paper • Check email – need to schedule project meetings before Thanksgiving 27 July 2016 University of Virginia CS 551 21