Enforcing Security and Safety with Proof-Carrying Code

Abstract

In an environment where more and more code cannot be trusted to behave safely, it is becoming necessary to employ mechanisms for detecting and preventing unsafe program behavior. This paper first reviews various such mechanisms and then focuses on static mechanisms, with an emphasis on Proof-Carrying Code and its expressiveness. Proof-Carrying Code is a technique that allows a code receiver to verify statically that the code has certain required properties, which are stated in the form of a safety policy. To make this possible, the code is accompanied by a representation of an easily checkable formal proof of compliance with the safety policy. This paper discusses first the general properties of the Proof-Carrying Code technique and then explores a particular implementation of the idea using verification condition generators. As a surprising result, we prove that by adopting such an implementation choice we limit ourselves to safety properties, which constitute but a subset (albeit a very important one) of all the interesting program properties. We further speculate on what it takes to extend Proof-Carrying Code to handle more than safety properties.
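To make the verification-condition-generator flavour of Proof-Carrying Code concrete, here is a small added example (written for this page, not code from the paper or from any PCC implementation). It assumes a constructed toy instruction set (`guard`, `add`, `load`, `halt`), a constructed safety policy ("every load address lies in `[0, MEM_SIZE)`"), and a certificate format in which the producer names, for each load, the guard-derived hypothesis that justifies it. The consumer runs the VCGen over the untrusted program and then checks the certificate with nothing more than hypothesis lookups and integer comparisons; it never trusts the certificate, so a forged or missing proof is simply rejected.

```python
"""Toy Proof-Carrying Code pipeline (added illustration, not the paper's system).

Producer side : writes a program and a certificate (the "proof").
Consumer side : runs a verification condition generator (VCGen) over the
                untrusted program, then checks the certificate against the
                generated conditions using only lookups and comparisons.
Safety policy : every LOAD address lies in [0, MEM_SIZE)  (constructed).
"""
from dataclasses import dataclass

MEM_SIZE = 16  # constructed memory bound used by the safety policy

# Constructed toy instruction set:
#   ("guard", reg, lo, hi)   execution continues only if lo <= reg < hi
#   ("add",   dst, src, k)   dst := src + k, k a constant
#   ("load",  reg)           read memory at address reg (policy-relevant)
#   ("halt",)


@dataclass(frozen=True)
class Hyp:
    """Hypothesis lo <= var < hi about a symbolic register value."""
    var: str
    lo: int
    hi: int  # exclusive upper bound


@dataclass(frozen=True)
class VC:
    """Verification condition: hyps must imply 0 <= addr < MEM_SIZE."""
    pc: int        # index of the LOAD instruction
    addr: tuple    # symbolic address as (var, constant offset)
    hyps: tuple    # hypotheses in scope at that point


def vcgen(program):
    """Symbolically execute `program` and emit one VC per LOAD."""
    regs = {}   # register -> (symbolic variable, constant offset)
    hyps = []   # facts learned from guards on the straight-line path
    vcs = []
    for pc, ins in enumerate(program):
        op = ins[0]
        if op == "guard":
            _, reg, lo, hi = ins
            var, off = regs.setdefault(reg, (f"{reg}_init", 0))
            # lo <= var + off < hi  <=>  lo - off <= var < hi - off
            hyps.append(Hyp(var, lo - off, hi - off))
        elif op == "add":
            _, dst, src, k = ins
            var, off = regs.setdefault(src, (f"{src}_init", 0))
            regs[dst] = (var, off + k)
        elif op == "load":
            _, reg = ins
            addr = regs.setdefault(reg, (f"{reg}_init", 0))
            vcs.append(VC(pc, addr, tuple(hyps)))
        elif op == "halt":
            break
        else:
            raise ValueError(f"unknown instruction at pc={pc}: {ins}")
    return vcs


def check_certificate(program, certificate):
    """Return True iff every VC of `program` is discharged by `certificate`.

    certificate: {load_pc: index of the in-scope hypothesis that justifies it}.
    Each proof step costs one lookup and two integer comparisons; the checker
    does no search and never trusts the producer.
    """
    for vc in vcgen(program):
        if vc.pc not in certificate:
            return False                      # missing proof obligation
        idx = certificate[vc.pc]
        if not 0 <= idx < len(vc.hyps):
            return False                      # cites a hypothesis not in scope
        hyp = vc.hyps[idx]
        var, off = vc.addr
        if hyp.var != var:
            return False                      # cited fact is about another variable
        # From lo <= var < hi we get lo + off <= var + off < hi + off.
        if not (hyp.lo + off >= 0 and hyp.hi + off <= MEM_SIZE):
            return False                      # bound does not imply the policy
    return True


# Constructed sample programs and certificates.
SAFE_PROGRAM = [
    ("guard", "r1", 0, 8),      # pc 0: hypothesis 0 is 0 <= r1_init < 8
    ("add", "r2", "r1", 4),     # pc 1: r2 = r1_init + 4, so 4 <= r2 < 12
    ("load", "r2"),             # pc 2: VC: 0 <= r1_init + 4 < 16
    ("halt",),
]
SAFE_CERT = {2: 0}              # load at pc 2 is justified by hypothesis 0

UNSAFE_PROGRAM = [
    ("guard", "r1", 0, 8),
    ("add", "r2", "r1", 12),    # 12 <= r2 < 20: may exceed MEM_SIZE
    ("load", "r2"),
    ("halt",),
]

if __name__ == "__main__":
    print("safe program accepted:", check_certificate(SAFE_PROGRAM, SAFE_CERT))
    print("unsafe program rejected:", not check_certificate(UNSAFE_PROGRAM, {2: 0}))
```

The design mirrors the division of labour the abstract describes: the expensive reasoning (choosing which guard makes an access safe) happens on the producer side, while the receiver only re-derives the verification conditions and mechanically checks each cited step. Note also why this checker can only establish a safety property: every condition it generates concerns a single program point on a finite prefix of execution, so a bad state is rejected the moment it would be reached, but nothing here could express "the program eventually halts".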
