Dealing with Untrusted Mobile Code

1
Dealing with Untrusted Mobile Code Proof
Carrying Code Authentication

• Christopher Howard
• CSCI 342 Group B1
• February 15, 2007

2
References

• Internal
• George C. Necula. Proof-Carrying Code .
• Andrew W. Appel and Edward W. Felten.
  Proof-Carrying Authentication.
• GC Necula, P Lee. The Design and Implementation
  of a Certifying Compiler
• Christopher Colby, Peter Lee, George C. Necula,
  Fred Blau, Ken Cline, Mark Plesko. A Certifying
  Compiler for Java
• External
• http//raw.cs.berkeley.edu/pcc.html
• http//en.wikipedia.org/wiki/Proof-Carrying_Code
• http//www.cigital.com/irc/march00-irc
• http//www.drdc-rddc.gc.ca/researchtech/malicots/c
  ompile_e.asp
• www.tolerantsystems.org/ITS_Ref/
• wwwhome.cs.utwente.nl/etalle/school2000/Material/
  Lee/

3
Outline

• Introduction
• Dealing w/ Untrusted Code (Mobile Code)
• Trust vs. Protection/Enforcement
• Proof Carrying Code (PCC) Concept
• Certifying Compiler
• Verification by Host
• Proof Carrying Authentication (PCA)
• Mixing Trust and Enforcement
• Discussion

4
Whats My Motivation

• Application of the PCC concept in
• Security and Authentication (discussed later).
• Establishing trust in untrusted (mobile) code.
• Interested in code sandboxes and ability to
  shield system from malicious code.
• Ability of PCC to reduce the usual performance
  impacts of checking the safety of running code.

5
The Problem Untrusted (Mobile) Code

• What assurance does a system have that mobile
  code will not
• Damage internal data structures
• Violate memory safety
• Misuse system resources or cause deadlock
• Follow the established security policy
• Goal Verify mobile code will not violate system
  security policy without
• Seriously impacting performance on the host system

6
Two Possible Solutions

• Trust
• Proof Carrying Authentication
• Idea Run only trusted code.
• Use technology to establish trust
• Public-key infrastructure (PKI)
• Code signing (Cryptographic protection)
• Subject to corruption
• Works for any security property
• (type safety, memory protections, etc)
• Protection/Enforcement
• Proof Carrying Code Certifying Compilers
• Idea Run untrusted, safe code
• Use technical mechanisms to ensure code is safe
• Certifying compilers
• High assurance
• Works for only some security properties.

7
Enforcing Code SafetyProof Carrying Code

• Proof Carrying Code (PCC)
• Software mechanisms that allows a host system to
  verify properties about an application via a
  formal proof that accompanies the application's
  executable code.
• This formal proof shows that the mobile
  application complies with the system policy.
• The host system can use a simple and fast proof
  validator to check the conclusions of the proof
  against its own security policy to determine
  whether the application is safe to execute.

8
Proof Carrying Code Concept
9
PCC For Dummies
OK, but let me quickly look over the instructions
first.
Please install and execute this.
Code producer
Host
10
PCC For Dummies
Code producer
Host
11
PCC For Dummies
This store instruction is dangerous!
Code producer
Host
12
PCC For Dummies
Can you prove that it is always safe?
Code producer
Host
13
PCC For Dummies
Yes! Heres the proof I got from my certifying
Java compiler!
Can you prove that it is always safe?
?
Code producer
Host
14
PCC For Dummies
Your proof checks out. I believe you because I
believe in logic.
?
Code producer
Host
15
The Certifying Compiler

• At the heart of the PCC concept is the certifying
  compiler
• A new type of compiler that enforces a formal
  security policy while translating the source code
  into the an executable.
• Inputs normal source code and a formal security
  policy
• Outputs annotated version of normal executable
  code and proof guaranteeing compliance to the
  policy
• NOTE PCC does not require use of a Certifying
  Compiler, proofs can be written by hand.

16
The Certifying Compiler

• So how does it do its magic?
• Source Code is compiled to machine code that
  contains annotations.
• The safety policy is encoded into the
  verification-condition generator (VCgen) which,
  maps each machine-language program to a safety
  theorem.
• The annotated machine code is sent to the VCgen
  which, verifies the code and produces the
  verification conditions (VCs).
• The VCs are passed to the theorem prover which,
  produces the proof that the program follows the
  security policy.

17
Example Annotations

• (a) Sample program
• (b) Compiler output w/ annotations
• (c) type specification

18
Example Proof

• Proof 1 Safe to read from an array of element
  if the index is within array boundaries.

• Proof 2 Result of the read from the array must
  be of the same type as the array elements.

19
Proof Carrying Code Revisited
20
Verification by Host System

• Host System receives
• Executable code w/ annotations
• Proof that code is safe (adheres to policy).
• Host verifies code safety
• Safety policy is encoded into VCgen.
• Annotated code is run through VCgen to produce
  VCs.
• VCs and proof are verified by proof checker for
  correctness.

21
Advantages of PCC

• Burden of proving code safety shifted to the code
  producer.
• Host system does not need any knowledge about how
  the certifying proof was constructed.
• Host need not trust certifying compiler or
  proof-generator.
• Code is determined safe before it runs.
• No cryptography or third party certification of
  code safeness needed.
• Proof is considered semantic checksum of
  program making it tamperproof because any
  modification to the program will cause either
• The proof to no longer be valid.
• The proof will be valid but will not represent
  the untrusted executable code.
• The modification didnt change the proof or the
  executable code.

22
PCC What About Performance

• Time
• Time to check code proof is very minimal!
• Proof generation time can range between 1 - 2x
  compilation time.
• Space
• Proofs are large! On average 76 of the code
  size.

23
Establishing Trust in Mobile CodeProof Carrying
Authentication

• Proof Carrying Authentication (PCA)
• Software mechanisms that allows a host system to
  verify weather we should trust a particular piece
  of mobile code.
• Once trust is established the code is trusted to
  act within the systems policy.
• The proof in this case proves to the host system
  that a piece of code should be trusted.

24
Traditional Authentication Example
Alice
Bob
decision procedure
Charlie
25
Proof Carrying Authentication Example
26
Proof Carrying Authentication Concept
Code Producer
Code Consumer
Native Code
Source Program
Compiler
Execute
load r3, 4(r2) add r2,r4,r1 store 1, 0(r7) store
r1, 4(r7) add r7,0,r3 add r7,8,r7 beq r3, .-20
Policy
Policy
Inspect Sign
Verification Condition
Verification Condition
Prover
Certs
OK
Proof
Checker
27
Establishing Trust
OK to run this code?
Policy and Axioms
I trust Alice for code signing
OK to run code with property P
KC is Charlies key
I trust Charlie for key certification
28
Example Proof
?x. (KC signed x) ? (Charlie says x)
KC is Charlies key
KC signed (?x. (KA signed x) ? (Alice says x))
?K. ?P. ?x. (KC signed ?y.(K signed y) ? (P
says y)) ? (K signed x) ? (P says x)
I trust Charlie for key certification
29
Full Proof Carrying Authentication Example
30
Conclusions Mixing Trust w/ Enforcement, Writing
Policies

• Enforcement/Protection (PCC) offers higher
  assurance than trust (PCA) does.
• But PCC doesnt work for all properties while PCA
  does.
• This program will not display misleading dialog
  boxes.
• This control software wont let the vehicle tip
  over.
• Integration allows mixed use of trust (PCA) and
  protection (PCC) for different properties within
  the same program.
• Both PCA and PCC depend on well written and
  defined policies.
• Creating good policies can be difficult.

31
Thats all folks!