Michael Franz, University of California, Irvine MobileCode Technologies Laboratory

1
Michael Franz, University of California,
IrvineMobile-Code Technologies Laboratory
A Comprehensive Contextfor Mobile-Code
Deployment with Emphasis on Mobile and Wireless
Devices
2
Introduction

• mobile code is an enabling technology
• download functionality as needed
• handheld, untethered devices, information
  appliances
• platform-independent ? identical code can run on
  PDAs, desktop machines, even supercomputers
• but, many unresolved issues with respect to
• performance of the mobile program (on the target)
• performance of the mobile code distribution
  mechanism
• protecting the host against malicious mobile
  programs
• guarding a mobile programs secrets against a
  malicious host

3
Guiding Overall Objective

• make mobile code practical, so that
• eventually, native code will need to exist only
  transiently, created on-the-fly and consumed on
  the spot
• while mobile code will be used as the storage and
  distribution medium

4
Context

• dynamic code-generation technology is approaching
  maturity and processors are becoming fast enough
  to sustain it (in real time)
• this is rapidly diminishing the value of binary
  compatibility
• moreover, dynamic optimization techniques yield
  better code than static compilation
• exploit actual processor parameters (caches, )
• live profiling data may be available
• gt mobile code will define future platform(s)

5
Mobile Code Security

• (intrinsic) mobile code security is a new line of
  defense and complements other security efforts

falseauthenti-cation
prevent execution unless provably secure
malicious mobile program
intrusion
new third line of defense
second line of defense authentication
first line of defense access control (physical,
logical)
6
Existing Practice Java

• Java is the de-facto standard format for
  distributing mobile programs
• when we speak of distributing mobile programs
  using Java, we in fact usually mean using the
  Java Virtual Machine
• the JVM has an instruction set that has been
  designed specifically for representing Java
  programs
• interestingly enough, there still are JVM
  programs for which no legal equivalent Java
  source program exists
• there are also legal Java programs that are
  rejected by all possible JVM bytecode verifiers
  Staerk00

7
Existing Practice Java Security

• although the Java programming environment is
  type-safe, programs compiled from Java into
  JVM-code must be re-checked upon arrival because
  they may have been corrupted in transit

class MyLibrary public void NoSecret()
private void ASecret()
class MyClient import MyLibrary
...MyLibrary.NoSecret
JVM-code stream
call
MyLibrary.NoSecret
...
8
Existing Practice Java Security

• although the Java programming environment is
  type-safe, programs compiled from Java into
  JVM-code must be re-checked upon arrival because
  they may have been corrupted in transit

class MyLibrary public void NoSecret()
private void ASecret()
class MyClient import MyLibrary
...MyLibrary.NoSecret
corrupted JVM-code stream
call
MyLibrary.ASecret
...
9
Security vs. Efficiency

• the Java Virtual Machine's instruction format is
  not very capable in transporting the results of
  program analyses and optimizations
• as a consequence, when Java byte-code is
  transmitted, each recipient must repeat most of
  the analyses and optimizations that could have
  been performed just once at the origin
• the main reason why Java byte-code has these
  deficiencies is to allow verification by the
  recipient

10
Security vs. Efficiency

• for example, code producer often has information
  about the redundancy of a type or index check
• but this fact cannot be communicated safely to
  the code consumer - not in a manner that the
  recipient can be sure that this is not a false
  claim inserted by a malicious third party
• similar concerns inhibit common compiler
  optimizations such as common subexpression
  elimination at the code producers side

11
Raising JVM Performance

• raising the performance of JVM-code has been
  addressed by annotating the byte-code stream
  with compiler back-end related information
• annotated class-files run much faster if an
  annotation-aware byte-code compiler is available
  on the target platform
• security is lost the annotations are not
  optional to the annotation-aware compiler if an
  adversary falsifies them, the compiler will
  create a program that may be unsafe!

12
Related Emerging Practice .NET

• the code distribution format for Microsofts .NET
  platform has an option to transport SSA
  annotations along with the virtual-machine-based
  code stream
• however, it is unclear whether these annotations
  would ever be validated for security or how one
  would ascertain that the program represented as
  SSA is the same as the one sent as virtual
  machine code
• hence, an external, authentication-based security
  mechanism seems to be required
• note certificates were recently obtained from
  VeriSignby someone illegally claiming to be
  Microsoft

13
A Possible Solution

• in a current DARPA funded project, PI Franz has
  been investigating a class of mobile code
  representations that can provably encode only
  legal programs
• the need for verification goes away
• an incoming mobile program may not do the
  intended task, but it will not do anything bad
  - for any definition of bad that can be cast
  into a type system
• interestingly enough, such intrinsically secure
  mobile code is also denser than virtual machine
  code, and permits to generate better object code,
  and faster
• gt focus then shifts towards mobile code
  distribution

14
Mobile Code Distribution/Management

• current mobile code approaches(Java, Microsoft
  .NET) are surprisingly primitive
• lots of hidden assumptions
• dynamically linkable parts identified by a URL
  string
• all constituent parts that make up a mobile
  program are downloaded to a single location, then
  verified, linked, possibly dynamically compiled,
  and finally executed at that location
• no version management necessary
• all parts of the network are equally (in)secure

15
Mobile Code Management

• can live with these limitations as long as we
  only transport executable web-page content to
  single-user workstations
• Java does this task quite well
• but there are many more potential uses of mobile
  code that dont fit this model at all (example on
  next slide)

16
A Simple Mobile-Code Scenario not Supported by
Current Models
(1) soldiers in the theater carry low-powered
handheld devices (not capable of on-the fly code
generation)
thin pipe mobile code comes across here
(2) low bandwidth, potentially insecure
connection between DoD satellite and
communi-cations hub in the field gt need compact
mobile code, need to verify it
short thick pipe send native code generated on
local hub
(3) communications hub in theater verifies mobile
code, generates native code for handheld units
and distributes it via high bandwidth, low-range
secure local link
17
Or, In A Civilian Context

• Internet-ready mobile phones/gizmos/PDA/gadgets
• generate mobile code at the switch, rather than
  in the terminal device
• possibly even off-load part of the computation to
  an execution unit (XU)
• leads to reduced power consumption (possibly the
  1 problem)
• inexpensive, disposable devices
• bandwidth between terminal and base station soon
  to be abundant!
• more generally, enable a future flexible open
  intelligent environment infrastructure
• contrast this to the currenty predominant
  commercial vision in which every device needs an
  embedded JVM
• instead, make use of reconfigurable hardware
  (FPGA grids etc.) and continuously redistribute
  workload among communicating components
• there will always be resource-constrained devices

18
Splitting Computation/Presentation
19
Current Research Project CIP/SW

• develop a comprehensive model that can capture
  all meaningful modes of mobile-code deployment
• support scenarios in which code validation,
  dynamic translation, and execution occur at
  disjoint physical sites
• also, incorporate issues of code versioning, code
  migration
• cast this model into an actual code management
  architecture that makes it enforceable by
  mechanical means
• implement a prototype system that exhibits modes
  of mobile-code deployment not supported by
  current solutions

20
Mobile Code Security

• provided through type-safe programming language
  and type-safe APIs (everybody does it this way)
• semantically equivalent to transporting source
  code
• but many policies currently cannot be expressed
  in terms of a type system and hence need to be
  implemented inside the library
• open only files in directory X
• initiate connections only with IP addresses in
  range
• execute no more than N instructions between OS
  calls
• do not send on network after reading local
  files
• gt security automata
• need to represent these properties directly and
  support them along the whole pipeline from code
  producer to code consumer

21
Mobile Code Security

• provide type-based security policy support for
  high-level programming languages
• augment an existing programming language with new
  constructs to directly support security policies
  at the source level under programmer control
• provide a source-language compiler from the
  augmented language to mobile code, as well as a
  just-in-time compiler that additionally verifies
  the new security policy
• integrate this mechanism into the mobile-code
  management system prototype, facilitating
  mechanical checking

22
Final Slide Overall Picture

• for mobile code to become truly practical, we
  need
• novel mobile-code performance technologyprofile-d
  riven, continuous dynamic optimizationFranz
  earlier work funded by NSF, now a major
  commercial interest
• better mobile program representationsvirtual
  machines are not good enoughwork funded by
  DARPA (ATO/OASIS/J. Lala) and NSF, 1.2M
• a system-level approach to managing mobile code
  current models are too primitivework funded by
  CIP/URI (ONR/F. Deckelman, 1M
• when it all comes together, mobile code will
  define the platform

23
Thank You