
Code-Carrying Proofs



  1. Code-Carrying Proofs
     Aytekin Vargun, Rensselaer Polytechnic Institute

  2. Outline
     • Introduction
     • Proof-Carrying Code (PCC)
     • Code-Carrying Proofs (CCP)
     • Sample CCP session
     • Future Work

  3. Potential Problems to be Solved
     • Memory Safety
       • illegal operations or illegal access to memory
     • Security
       • unauthorized access to data or system resources
     • Functional Correctness
       • whether the code does correctly what it is formally required to do

  4. Two Solutions
     • Proof-Carrying Code (PCC)
     • Code-Carrying Proofs (CCP)

  5. Proof-Carrying Code (PCC)
     • Developed by Necula and Lee [1996] at CMU.
     • Basic Idea: Use machine-checkable proofs as certificates.
     • Proof construction is harder than proof checking
       • Code producer provides the proof
       • Code consumer checks it

  6. PCC
     [Diagram: on the code producer side, Source Code goes through the Touchstone Compiler to Native Code With Annotations; VCGen derives the Verification Condition from it, and the Theorem Prover, under the Safety Policy, produces the Safety Proof. The Native Code With Annotations and the Safety Proof are sent to the code consumer, whose own VCGen regenerates the Verification Condition under its Safety Policy; the Proof Checker answers Ok and the code is passed to the CPU.]

  7. PCC, tampered code
     [Diagram: as on slide 6, but a hacker tampers with the Native Code With Annotations in transit. The consumer's VCGen regenerates the Verification Condition (which may change), and the Proof Checker answers No.]
     • Tampered code is not delivered to the CPU
     • But safety is still guaranteed if the code is modified in such a way that the VC is unchanged

  8. PCC, tampered proof
     [Diagram: as on slide 6, but a hacker tampers with the Safety Proof in transit; the consumer's Verification Condition is unchanged and the Proof Checker answers No.]
     • Proof is either invalid or is not the proof of the VC

  9. PCC, tampered code and proof
     [Diagram: as on slide 6, but a hacker tampers with both the Native Code With Annotations and the Safety Proof. The consumer's Verification Condition may change, and the Proof Checker answers Ok.]
     • Safety is guaranteed if the tampered proof is the proof of the new VC
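The three tampering cases on slides 7 to 9 all come down to one consumer-side rule: regenerate the VC from the code that actually arrived, then check that the shipped proof is valid and proves exactly that VC. The Python model below is an added example, not code from the talk or from the Touchstone/PCC implementation. It assumes a constructed safety policy (every access to one array of declared length is in bounds), a straight-line instruction list whose indices are constants or range-annotated variables, and a `("bounds", lo, hi, n)` certificate as a stand-in for a real proof term; `scenarios()` plays the untampered run and each tampering case from the slides.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed safety policy: every access to the one array of declared length n
# must be in bounds. Code is a straight-line instruction list; an index is an
# int or the name of a variable whose range the annotations declare.
Instr = Tuple[str, object]            # ("load", idx) | ("store", idx) | ("add", None)
Annot = Dict[str, Tuple[int, int]]    # variable -> (lo, hi), a loop-invariant stand-in
Obligation = Tuple[int, int, int]     # (lo, hi, n): must show 0 <= lo and hi < n
Cert = Tuple[str, int, int, int]      # ("bounds", lo, hi, n): stand-in for a proof term


def vcgen(code: List[Instr], annot: Annot, n: int) -> FrozenSet[Obligation]:
    """Verification condition: one bounds obligation per memory access.
    Both sides run this; the consumer runs it on the code it received."""
    vc: Set[Obligation] = set()
    for op, idx in code:
        if op in ("load", "store"):
            lo, hi = (idx, idx) if isinstance(idx, int) else annot[idx]
            vc.add((lo, hi, n))
    return frozenset(vc)


def prove(vc: FrozenSet[Obligation]) -> Set[Cert]:
    """Producer side: the theorem prover. Finding a proof is the hard part in
    general; for this toy policy it is one inequality per obligation."""
    proof: Set[Cert] = set()
    for lo, hi, n in vc:
        if not (0 <= lo and hi < n):
            raise ValueError(f"cannot prove access in bounds: {(lo, hi, n)}")
        proof.add(("bounds", lo, hi, n))
    return proof


def check(proof: Set[Cert], vc: FrozenSet[Obligation]) -> bool:
    """Consumer side: the proof checker. Two independent failures are possible:
    a certificate that does not hold (invalid proof), or a set of certificates
    that proves something other than the regenerated VC."""
    valid = all(0 <= lo and hi < n for _, lo, hi, n in proof)
    proves_vc = {(lo, hi, n) for _, lo, hi, n in proof} == set(vc)
    return valid and proves_vc


def consumer_accepts(code: List[Instr], annot: Annot, n: int, proof: Set[Cert]) -> bool:
    """Only code whose regenerated VC is proved by the shipped proof reaches the CPU."""
    return check(proof, vcgen(code, annot, n))


def scenarios() -> Dict[str, bool]:
    """The untampered run and the tampering cases from slides 7, 8 and 9."""
    n, annot = 8, {"i": (0, 7)}
    code: List[Instr] = [("load", 0), ("add", None), ("load", "i"), ("store", "i")]
    proof = prove(vcgen(code, annot, n))
    out = {"untampered": consumer_accepts(code, annot, n, proof)}
    # slide 7: code tampered so that the VC changes -> the old proof no longer matches
    out["code tampered, VC changes"] = consumer_accepts(code + [("store", 8)], annot, n, proof)
    # slide 7: code tampered but VC unchanged -> accepted, and still safe under the policy
    out["code tampered, VC unchanged"] = consumer_accepts([("store", 0)] + code[1:], annot, n, proof)
    # slide 8: proof invalid (forged certificate for an out-of-bounds access)
    out["proof invalid"] = consumer_accepts(code + [("store", 8)], annot, n, proof | {("bounds", 8, 8, n)})
    # slide 8: proof valid but not a proof of this VC (one certificate dropped)
    out["proof of a different VC"] = consumer_accepts(code, annot, n, proof - {("bounds", 0, 0, n)})
    # slide 9: code and proof tampered together -> accepted, safe with respect to the new VC
    new_code: List[Instr] = [("load", 3)]
    out["both tampered consistently"] = consumer_accepts(new_code, annot, n, prove(vcgen(new_code, annot, n)))
    return out


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:32} -> {'Ok' if accepted else 'No'}")
```

The point the model makes concrete is that the consumer never trusts the producer's VC: it recomputes it, so a code change that alters the obligations is caught regardless of how good the proof is, while a change that leaves the obligations unchanged is, under this policy, still safe to run.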

  10. Foundational PCC
     • Developed by Appel [2000] at Princeton
     • VCGen is a large program. Replace it!
     • Basic Idea:
       • Define the semantics of the machine instructions and safety rules
       • Use foundational mathematical logic instead of programming-language-specific axioms or safety rules
       • No particular type system

  11. Foundational PCC
     • Prove w.r.t. the formal machine language semantics
     • Operates at a very low level of abstraction
     • It does reduce dependency on a large program (VCGen), but this is true for CCP also

  12. Code-Carrying Proofs (CCP)
     • Start with axioms that define functions
       • The form of the axioms is such that it is easy to extract executable code from them.
     • Prove that the defined functions obey certain requirements
     • The producer transmits
       • Axioms
       • The correctness theorems
       • And their proofs

  13. Code-Carrying Proofs (CCP)
     • No explicit code transmission
     • The consumer checks the proofs to see if the correctness theorem is proved
     • If proof checking succeeds, the consumer applies the code extractor to the axioms and obtains the executable code

  14. Code-Carrying Proofs (CCP)
     • CCP attempts to solve the Functional Correctness problem
     • We are dealing with a higher-level language

  15. CCP
     [Diagram: the code producer starts from the Requirements and the Axioms & Theorems, and the Theorem Prover produces the Axioms & Proofs, which are sent to the code consumer. The consumer's Proof Checker checks them against its Requirements; the Code Extractor then produces the Code that is passed to the CPU.]

  16. CCP, tampered
     [Diagram: as on slide 15, but a hacker tampers with the Axioms & Proofs in transit. The consumer's Proof Checker reports failed proofs, the Code Extractor is not run, and no code reaches the CPU.]

  17. Issues
     • Encoding axioms and proofs
     • Proof Checking
     • Tests to be applied by the consumer to new function definitions (definitional principle)
       • Syntactic Property
       • Consistency
       • Termination
     • Implementing Code Extractor

  18. Athena
     • Implemented by K. Arkoudas
     • A language for both:
       • Ordinary Computation
       • Logical Deduction

  19. Athena Ordinary Computation Language
     • Provides higher-order functions
     • Has primitive functions for
       • Unification
       • Matching
       • Substitution

  20. Athena Logical Language
     • Special Deductive Forms
       • dcheck, dbegin, assume, …
     • Primitive Deduction Methods
       • mp, both, left-and, …
     • Declarations
       • structure, declare, …
     • Directives
       • load-file, clear-assumption-base, …

  21. Athena Advantages
     • Better Proof Readability
     • Machine checkable proofs
     • Makes it possible to formulate and write proofs as methods
       • Generic Proofs: write the proof once and instantiate it to prove specific cases

  22. Code Extractor
     • Quantified Equations and Conditional Equations
       • These are clauses of a recursive function definition
       • CE has to be able to combine these into a recursive function

  23. Code Extractor
     • CE can extract pure functions
       • it is not capable of extracting destructive functions
     • Example Functions:
       • searching functions, sum
     • It cannot handle functions like:
       • in-place reverse, sort
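As an added example (not the Athena code extractor and not code from the talk), here is a miniature of the consumer-side pipeline from slides 12, 13, 17, 22 and 23: function definitions arrive as quantified and conditional equations over the list constructors nil and cons, the consumer applies the three definitional-principle tests (syntactic property, consistency, termination) before accepting a definition, and only then does the extractor combine the clauses into a runnable recursive function. The clause encoding, the Python-list representation, and the particular form of each test (termination is checked as structural recursion on a cons tail; consistency as exactly one unguarded clause per constructor shape with no variable/constructor mixing) are assumptions of this example. The sample axioms are the pure functions slide 23 mentions, sum and a searching function, plus constructed definitions that each test must refuse.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple
# Lists are Python lists: nil is [] and cons(x, xs) is [x] + xs.  Pattern (clause
# left-hand side): "nil" | ("cons", head, tail) | variable name.  Expression (guard or
# right-hand side): literal | variable | ("+", a, b) | ("=", a, b) | ("call", fname, *args).
# A clause (f, [patterns], guard or None, rhs) encodes the axiom  f(p1..pn) = rhs [if guard].
Clause = Tuple[str, List[Any], Optional[Any], Any]

def is_var(p) -> bool:
    return isinstance(p, str) and p != "nil"

def subterms(e) -> list:
    # arguments of an expression; the function name of a call is not a term
    return list(e[2:] if e[0] == "call" else e[1:]) if isinstance(e, tuple) else []

def free_vars(e) -> set:
    return {e} if isinstance(e, str) else set().union(*map(free_vars, subterms(e)))

def calls(e, f: str) -> List[list]:
    # argument lists of every call to f inside e
    own = [list(e[2:])] if isinstance(e, tuple) and e[0] == "call" and e[1] == f else []
    return own + [c for a in subterms(e) for c in calls(a, f)]

def check_definition(f, clauses) -> Optional[str]:
    """Definitional-principle tests of slide 17, simplified to structural recursion over
    lists: None if the definition is accepted, else the failed test and the reason."""
    if not clauses:
        return "syntactic: no clauses"
    arity, defaults = len(clauses[0][1]), {}
    for name, pats, guard, rhs in clauses:
        # syntactic property: name and arity, list patterns, distinct and bound variables
        shaped = all(p == "nil" or is_var(p) or (isinstance(p, tuple) and p[0] == "cons" and len(p) == 3) for p in pats)
        if name != f or len(pats) != arity or not shaped:
            return f"syntactic: clause does not define {f}/{arity} over list patterns"
        bound = [v for p in pats for v in ([p] if is_var(p) else p[1:] if isinstance(p, tuple) else [])]
        used = free_vars(rhs) | (free_vars(guard) if guard is not None else set())
        if len(bound) != len(set(bound)) or not used <= set(bound):
            return f"syntactic: repeated or unbound variables in the clause for {pats}"
        # termination: every recursive call passes, in some position, the tail bound by the
        # cons pattern in that position, so the recursion is on a strictly smaller list
        tails = {i: p[2] for i, p in enumerate(pats) if isinstance(p, tuple)}
        if not all(len(a) == arity and any(a[i] == t for i, t in tails.items()) for a in calls(rhs, f)):
            return "termination: a recursive call is not on a strict subterm of the input"
        shape = tuple("var" if is_var(p) else "cons" if isinstance(p, tuple) else "nil" for p in pats)
        defaults[shape] = defaults.get(shape, 0) + (guard is None)
    # consistency: no position mixes variables with constructors, and each constructor
    # shape has exactly one unguarded clause (no contradicting values, no gaps)
    if any(len({is_var(c[1][i]) for c in clauses}) > 1 for i in range(arity)):
        return "consistency: a position mixes variable and constructor patterns"
    bad = [s for s, n in defaults.items() if n != 1]
    return f"consistency: shapes {bad} lack exactly one unguarded clause" if bad else None

def extract(defs: Dict[str, List[Clause]]) -> Dict[str, Callable]:
    """Code extractor (slide 22): once the tests pass, the clauses of each function are
    combined into one recursive Python function, guarded clauses tried first."""
    for f, cs in defs.items():
        reason = check_definition(f, cs)
        if reason:
            raise ValueError(f"{f}: {reason}")
    env: Dict[str, Callable] = {}
    def match(p, v, bind) -> bool:
        if p == "nil":
            return v == []
        if isinstance(p, tuple):
            if not (isinstance(v, list) and v):
                return False
            bind[p[1]], bind[p[2]] = v[0], v[1:]
            return True
        bind[p] = v
        return True
    def ev(e, bind):
        if isinstance(e, str):
            return bind[e]
        if not isinstance(e, tuple):
            return e  # literal
        if e[0] == "call":
            return env[e[1]](*[ev(a, bind) for a in e[2:]])
        a, b = ev(e[1], bind), ev(e[2], bind)
        return a + b if e[0] == "+" else a == b
    def make(f):
        ordered = sorted(defs[f], key=lambda c: c[2] is None)
        def fn(*vals):
            for _, pats, guard, rhs in ordered:
                bind = {}
                if all(match(p, v, bind) for p, v in zip(pats, vals)) and (guard is None or ev(guard, bind)):
                    return ev(rhs, bind)
            raise RuntimeError(f"{f}: no clause matched")  # unreachable after the consistency test
        return fn
    env.update({f: make(f) for f in defs})
    return env

# Constructed axioms: quantified equations for sum, conditional equations for member (a search).
AXIOMS = {
    "sum": [("sum", ["nil"], None, 0),
            ("sum", [("cons", "x", "xs")], None, ("+", "x", ("call", "sum", "xs")))],
    "member": [("member", ["y", "nil"], None, False),
               ("member", ["y", ("cons", "x", "xs")], ("=", "x", "y"), True),
               ("member", ["y", ("cons", "x", "xs")], None, ("call", "member", "y", "xs"))],
}
REJECTED = {  # constructed definitions the consumer must refuse, one per test
    "loop": [("loop", ["l"], None, ("call", "loop", "l"))],               # not on a smaller list
    "twice": [("twice", ["nil"], None, 0), ("twice", ["nil"], None, 1)],  # nil given two values
    "leak": [("leak", ["nil"], None, "z")],                               # z is unbound
}
```

Running `extract(AXIOMS)["sum"]([1, 2, 3])` returns 6 and `extract(AXIOMS)["member"](2, [1, 2, 3])` returns True, while `check_definition` names the failed test for each entry of `REJECTED`. The extractor only ever produces pure functions: the clauses describe values, not updates, which is why in-place reverse or sort has no encoding in this clause form.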

  24. Code Extractor
     • We have been working on simple functions. But:
       • In analogy to STL, it is useful to have a library of simple functions from which more complex functions can be composed, especially if the functions are generic
       • It is possible for the code extractor to extract complex functions composed of such simple functions

  25. Future Work
     • New Definitions and Tests to be applied
     • Defining Memory
     • More Proof Examples
     • Improving the Code Extractor
     • Memory Safety
     • Generic Proofs and Proof packaging
