04/19/23 1

Scaling Proof-Carrying Code to Production Compilers and Security Policies

Andrew W. Appel Princeton University

Edward W. Felten Princeton University

Zhong Shao Yale University

July 2000

04/19/23 2

The problem: Mobile Code Security

Code Producer

Code Consumer

load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20

CodeCompiler Execute

SourceProgram

Private files

Network access

Launch control

etc.

?

04/19/23 3

Two Solutions

Protection

Self-Certifying Compilersvia

Typed Intermediate Languages

(i.e., FLINT compiler)

Proof-Carrying Code(machine-checkable safety

proofs about machine-language programs)

Trust

Distributed Authentication Frameworks

viaProof-Carrying Authentication

04/19/23 4

Expected major achievements

Felten, AppelPrinceton U.

DistributedAuthenticationFrameworks:

Proof-CarryingAuthentication

Appel, FeltenPrinceton U.

Mobile CodeSecurity:

Proof-CarryingCode

ShaoYale U.

CertifyingCompilers:

FLINT/MLFLINT/Java

SecureLinking

SecureKey

Distribution

File servers

PCC systemsfor ML, Java

Language- &machine-

independentmobile code

safe lang.interop.

04/19/23 5

Existing Practice: Bytecode Verification

Code Producer

Code Consumer

load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20

ByteCodeCompiler

Just-in-time

Compiler

OK

Bytecode

Verifier

JavaProgram

Native code

Execute

TrustedComputing

Base

Advantage:Clean, fast, O-O interface

between trusted & untrusted code

Disadvantage:Huge trusted computing base: JIT

04/19/23 6

Code Producer

Code Consumer

SafetyTheorem

Prover

Compiler

Checker OK

ExecuteSourceProgram

Policy

SafetyTheorem

Policy

load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20

Native Code

Safety Proof

Hints

-i( -i(... -r ( ...) ))

Proof-carrying code - tiny TCB

04/19/23 7

Why we can trust the checker

We use a simple, sound, well-understood logic(Church’s higher-order logic, 1950’s)

A proof is just a tree of inference rules, with axioms at the leaves

Proof-checking is just type-checking of expression trees(~1000 lines of code)

Many independent implementations of proof-checker:Twelf (CMU); Ginseng (Cedilla systems); Coq system (INRIA, France); HOL system (Cambridge U.)

04/19/23 8

Why we can trust the “policy”

9 axioms of higher-order logic + 30 axioms of arithmetic

subtotal: 39 lines of specification + ... one axiom specifying machine

semanticstotal: 639 lines

Must specify how Sparc (or Pentium, etc.) instructions work in order to prove properties of programs (more about this later)

Checker + policy much smaller than the TCB of other approaches (operating system, or optimizing compiler)

04/19/23 9

Conference on Automated DeductionJune 2000

04/19/23 10

Code Consumer

Security Policy: Host/client API

Policy

“Models for Security Policies

in Proof-Carrying Code”,

Andrew Appel & Ed Felten,

in preparation.

How to design sound policies andreason about them effectively.

04/19/23 11

Program:106 instructions

Theorem:2 x 106 words

Proof:105 + 10 x 106

Program-specific lemmas

Programming-language-specific lemmas

RecursiveTypes

Fixed Point Theorem

Hoare’s Logic

Machine Instructions

Structure of theorem, proof

safe( , , , , , , , ,, )

CardinalityPartialOrders

Modular Arithmetic

04/19/23 12

POPL ‘00: Principles of Programming Languages

(Jan. 2000)

04/19/23 13

Software engineering of proofs

Programming Finding the right

abstractions is critical Data types Functions

All details must be filled in

Engineering Divide large program into

modules with clean interfaces

Break large algorithms into one-page functions

Strive for readability and maintainability

Proving Finding the right

abstractions is critical Data types

(sets, metric spaces) Lemmas

All details must be filled in

Engineering Divide large proof into

modules with clean interfaces

Break large proofs into one-page lemmas

Strive for readability and maintainability

04/19/23 14

Code Consumer

Checker OK

Execute

Policy

SafetyTheorem

Code Producer

SafetyTheorem

Compiler

Hints

SourceProgram

Policy

Prover

load r3, 4(r2)add r2,r4,r1store 1, 0(r7)store r1, 4(r7)add r7,0,r3add r7,8,r7beq r3, .-20

Native Code

Safety Proof

-i( -i(... -r ( ...) ))

Compiling with proofs

04/19/23 15

Compiling with proofs

Code Producer

Native Code

Safety Theorem

Prover

Compiler

Hints

SourceProgram

Policy

How to build

a compiler

that can

produce a

proof?

Prover

04/19/23 16

Phases of a compiler

Source Program

Parse, Semantic

High-level intermed.lang (IL)Analysis,

Optimization

Medium-level IL

Code GenerationLow-level IL

Register Allocation

Machine Language

type-check

Traditionalcompiler

untyped

untyped

untyped

untyped

type-check

Certifyingcompiler

type-check

type-check

type-check

proof-check

04/19/23 17

Using a certifying compiler in PCC

Source Program

CertifyingcompilerParse, Semantic

High-level IL

Optimization

Medium-level IL

Code Gen.

Low-level IL

Register Alloc.

Machine Language

type-check

type-check

type-check

type-check

Program for execution

Hints

Theorem

Prover

Safety

Theorem

Operation of theorem-prover is completely automatic; no assistance needed from programmer !

04/19/23 18

The FLINT project

Parse & semanti

c

High-level FLINT

Analysis & Optimization

Medium-level FLINT

Code Gen.

Low-level FLINT

type-check

type-check

type-check

Program for execution

Hints

Theorem

Prover

Safety

Theorem

Parse & semanti

c

Parse & semanti

c

Safe CML Java Add new front-ends to build new certifying compilers !

Key: use typed intermediate languages !

Long-Term Objective: to build a FLINT VM that uses low-level typed mobile code, and can run on any device !

04/19/23 19

Why typed intermediate languages ? Essential for certifying compilers

PCC and TAL are good but how to generate them?

Safe and secure low-level mobile code (Why? applets, JINI, active network, extensible systems)

Java VM language is too complex and high-level

Types for stating and verifying invariants IDL for common component libraries Safe and principled language interoperation

Help optimizations and compiler debugging (useful but not critical)

04/19/23 20

FLINT as a common typed IL

state & region dependent types

explicit memory management efficient array access“Safe” C

The F calculus row-kind dot notation ???

classes; interfaces; objects access control & privacy name-based subtyping dynamic linking & loading reflection; concurrency

Java & JVML

The F calculus ref exn

module system (functor) closures & polymorphism recursive data types

ML

ApproachesChallengesLanguages

04/19/23 21

ICFP ‘00: International Conference on Functional Programming (Sept. 2000)

04/19/23 22

Proof-Carrying Authentication

Alice Bob

policy

“read foo”

Charlie

cert

signature + cert decisionprocedure

Traditional approach

04/19/23 23

Proof-Carrying Authentication

Alice Bob

policy

“read foo”

Charlie

cert

proof proofchecker

Our approach

04/19/23 24

6th ACM Conference on Computer and Communications Security (Nov. 1999)

04/19/23 25

Proof Tree

readfoo

Bob’s policy

check signature

Alice says readfoo (Alice says readfoo) readfoo

modus ponens

KA signed readfoo

modus ponens

(KA signed readfoo) (Alice says readfoo)

F. (KA signed F) (Alice says F)

-elimination

(subproof)

04/19/23 26

Definitions and Lemmas

can define new abstractions, in terms of existing ones keybind(K,A) = F. (K signed F) A(F) A controls F = A(F) F CA(C) = K.A. C controls keybind(K,A)

can prove lemmas, then use them prove properties of defined abstractions abstractions need not be primitives

04/19/23 27

Custom

ProxyServer

Bro

wse

r

Web server/browser prototype

Prover

policy

proof

(under construction)

Web Server

Checker

get http://...

authenticate

web page

policy

04/19/23 28

Accomplishments to date

Policy Specification of SPARC, MIPS

semantics Models for reasoning about

security policies Authentication logic for

Web browser Prover

Basic lemmas about logic, arithmetic, sets, lists, sequences, equiv. relations

Derivation of Hoare logic from machine semantics

Set-theoretic model of types (completed, but too weak)

PER model of types (powerful, but still much work left to do)

Checker Selection of proof-

representation language Evaluation of suitability of

various checker software

FLINT compiler FLINT/ML (alpha release) FLINT/Javasub (prototype)

Released as part of the SML/NJ compiler

Types are now propagated through all optimization phases