Dealing with Untrusted Mobile Code Proof Carrying Code
Dealing with Untrusted Mobile Code – Proof Carrying Code & Authentication Christopher Howard CSCI 342 – Group B 1 February 15, 2007
References n Internal: n n n George C. Necula. Proof-Carrying Code. Andrew W. Appel and Edward W. Felten. Proof-Carrying Authentication. GC Necula, P Lee. The Design and Implementation of a Certifying Compiler Christopher Colby, Peter Lee, George C. Necula, Fred Blau, Ken Cline, Mark Plesko. A Certifying Compiler for Java External: n n n http: //raw. cs. berkeley. edu/pcc. html http: //en. wikipedia. org/wiki/Proof-Carrying_Code http: //www. cigital. com/irc/march 00 -irc http: //www. drdc-rddc. gc. ca/researchtech/malicots/compile_e. asp www. tolerantsystems. org/ITS_Ref/ wwwhome. cs. utwente. nl/~etalle/school 2000/Material/Lee/
Outline n n Introduction Dealing w/ Untrusted Code (Mobile Code) n n Trust vs. Protection/Enforcement Proof Carrying Code (PCC) Concept n n n Certifying Compiler Verification by Host Proof Carrying Authentication (PCA) Mixing Trust and Enforcement Discussion
What’s My Motivation n Application of the PCC concept in; n n Security and Authentication (discussed later). Establishing trust in untrusted (mobile) code. Interested in code sandboxes and ability to shield system from malicious code. Ability of PCC to reduce the usual performance impacts of checking the safety of running code.
The Problem: Untrusted (Mobile) Code n What assurance does a system have that mobile code will not; n n n Damage internal data structures Violate memory safety Misuse system resources or cause deadlock Follow the established security policy Goal: Verify mobile code will not violate system security policy without; n Seriously impacting performance on the host system
Two Possible Solutions n Trust n n n Proof Carrying Authentication Idea: Run only trusted code. Use technology to establish trust n n Subject to corruption Works for any security property n n Public-key infrastructure (PKI) Code signing (Cryptographic protection) (type safety, memory protections, etc) Protection/Enforcement n n n Proof Carrying Code & Certifying Compilers Idea: Run untrusted, safe code Use technical mechanisms to ensure code is safe n n n Certifying compilers High assurance Works for only some security properties.
Enforcing Code Safety: Proof Carrying Code n Proof Carrying Code (PCC) n n n Software mechanisms that allows a host system to verify properties about an application via a formal proof that accompanies the application's executable code. This formal proof shows that the mobile application complies with the system policy. The host system can use a simple and fast proof validator to check the conclusions of the proof against its own security policy to determine whether the application is safe to execute.
Proof Carrying Code Concept
PCC For Dummies Please install and execute this. Code producer OK, but let me quickly look over the instructions first. Host
PCC For Dummies Code producer Host
PCC For Dummies This store instruction is dangerous! Code producer Host
PCC For Dummies Can you prove that it is always safe? Code producer Host
PCC For Dummies Yes! Here’s the proof I got from my certifying Java compiler! Code producer Can you prove that it is always safe? Host
PCC For Dummies Code producer Your proof checks out. I believe you because I believe in logic. Host
The Certifying Compiler n At the heart of the PCC concept is the certifying compiler n n A new type of compiler that enforces a formal security policy while translating the source code into the an executable. Inputs: normal source code and a formal security policy Outputs: annotated version of normal executable code and proof guaranteeing compliance to the policy NOTE: PCC does not require use of a Certifying Compiler, proofs can be written by hand.
The Certifying Compiler n So how does it do its magic? n n Source Code is compiled to machine code that contains annotations. The safety policy is encoded into the verification-condition generator (VCgen) which, maps each machine-language program to a safety theorem. The annotated machine code is sent to the VCgen which, verifies the code and produces the verification conditions (VC’s). The VC’s are passed to theorem prover which, produces the proof that the program follows the security policy.
Example Annotations n n n (a) Sample program (b) Compiler output w/ annotations (c) type specification
Example Proof n Proof 1: Safe to read from an array of element if the index is within array boundaries. n Proof 2: Result of the read from the array must be of the same type as the array elements.
Proof Carrying Code Revisited
Verification by Host System n Host System receives: n n n Executable code w/ annotations Proof that code is safe (“adheres to policy”). Host verifies code safety n n n Safety policy is encoded into VCgen. Annotated code is run through VCgen to produce VC’s and proof are verified by proof checker for correctness.
Advantages of PCC n n Burden of proving code safety shifted to the code producer. Host system does not need any knowledge about how the certifying proof was constructed. n n Host need not trust certifying compiler or proof-generator. Code is determined safe before it runs. No cryptography or third party certification of code safeness needed. Proof is considered “semantic checksum” of program making it tamperproof because any modification to the program will cause either; n n n The proof to no longer be valid. The proof will be valid but will not represent the untrusted executable code. The modification didn’t change the proof or the executable code.
PCC: What About Performance n Time: n n n Time to check code proof is very minimal! Proof generation time can range between 1 - 2 x compilation time. Space: n Proofs are large! On average 76% of the code size.
Establishing Trust in Mobile Code: Proof Carrying Authentication n Proof Carrying Authentication (PCA) n n n Software mechanisms that allows a host system to verify weather we should trust a particular piece of mobile code. Once trust is established the code is trusted to act within the systems policy. The proof in this case proves to the host system that a piece of code should be trusted.
Traditional Authentication Example Alice “read foo” signature + cert Charlie Bob decision procedure policy
Proof Carrying Authentication Example Alice “read foo” proof cert Charlie Bob proof checker policy
Proof Carrying Authentication Concept Code Producer Source Program Compiler Policy Inspect & Verification Sign Condition Certs Native Code load r 3, 4(r 2) add r 2, r 4, r 1 store 1, 0(r 7) store r 1, 4(r 7) add r 7, 0, r 3 add r 7, 8, r 7 beq r 3, . -20 Code Consumer Execute Policy Verification Condition Prover Proof Checker OK
Establishing Trust Policy and Axioms I trust Alice for code signing OK to run code with property P OK to run this code? Code Signing Code with hash 0 x 52… has property P, signed KA KC is Charlie’s key I trust Charlie for key certification Public-Key Certificates “Alice’s key is KA” signed KC
Example Proof KC is Charlie’s key x. (KC signed x) (Charlie says x) “Alice’s key is KA” KC signed ( x. (KA signed x) signed KC (Alice says x)) K. P. x. I trust Charlie for key certification (KC signed y. (K signed y) (P says y)) (K signed x) (P says x) x. (KA signed x) (Alice says x)
Full Proof Carrying Authentication Example
Conclusions: Mixing Trust w/ Enforcement, Writing Policies n n Enforcement/Protection (PCC) offers higher assurance than trust (PCA) does. But PCC doesn’t work for all properties while PCA does. n n “This program will not display misleading dialog boxes. ” “This control software won’t let the vehicle tip over. ” n Integration allows mixed use of trust (PCA) and protection (PCC) for different properties within the same program. n Both PCA and PCC depend on well written and defined policies. n Creating good policies can be difficult.
That’s all folks!
- Slides: 31