Safe kernel extensions without run-time checking

Abstract: This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each PCC binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks. The main practical difficulty of PCC is in generating the safety proofs. In order to gain some preliminary experience with proof generation, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated PCC binaries for them using a special prototype assembler. The PCC binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.
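A toy model of the load-time validation the abstract describes, added here as an illustration and not the paper's Alpha prototype: the two-instruction filter language, the policy "every load offset is below the packet length", the kernel precondition MIN_PKT_LEN, and the three-rule proof logic are all constructed assumptions. The point it shows is that the kernel rechecks every inference rather than trusting the producer, so a tampered binary or a bogus proof step is rejected before anything runs.

```python
MIN_PKT_LEN = 14  # constructed: the kernel promises at least an Ethernet header

# Propositions are ("lt", a, b) meaning a < b and ("le", a, b) meaning a <= b,
# where a and b are integer literals or the symbol "pkt_len" (the real length).
PRECONDITION = ("le", MIN_PKT_LEN, "pkt_len")  # the only fact the kernel grants

def vcgen(code):
    """Kernel side: one obligation 'off < pkt_len' per ("load", off) instruction."""
    return [("lt", arg, "pkt_len") for op, arg in code if op == "load"]

def check_step(step, proven):
    """Re-derive one proof step; the checker trusts nothing it cannot recheck."""
    rule, concl, *prem = step
    if rule == "const" and len(concl) == 3:  # both sides literal: decide directly
        rel, a, b = concl
        if not (isinstance(a, int) and isinstance(b, int)):
            return False
        return a < b if rel == "lt" else a <= b
    if rule == "hyp":    # appeal to the kernel's published precondition
        return concl == PRECONDITION
    if rule == "trans" and len(prem) == 2:  # from a < b and b <= c, conclude a < c
        p, q = prem
        return (p in proven and q in proven and p[0] == "lt" and q[0] == "le"
                and p[2] == q[1] and concl == ("lt", p[1], q[2]))
    return False

def check_proof(proof, goal):
    """Accept only if every step rechecks and the goal is among the conclusions."""
    proven = set()
    for step in proof:
        if not check_step(step, proven):
            return False
        proven.add(step[1])
    return goal in proven

def load_pcc(code, proofs):
    """Kernel side: accept the binary only if every VC carries a valid proof."""
    vcs = vcgen(code)
    return len(proofs) == len(vcs) and all(check_proof(p, vc) for p, vc in zip(proofs, vcs))

def prove_load(off):
    """Producer side: derive off < pkt_len from off < MIN_PKT_LEN and the precondition."""
    return [("const", ("lt", off, MIN_PKT_LEN)),
            ("hyp", PRECONDITION),
            ("trans", ("lt", off, "pkt_len"), ("lt", off, MIN_PKT_LEN), PRECONDITION)]

# Constructed filter: read the high byte of the EtherType field, then accept.
FILTER = [("load", 12), ("ret", 1)]
FILTER_PROOF = [prove_load(12)]
```

Once `load_pcc` accepts the binary, the loads can execute without any bounds check, which is the run-time saving the paper measures.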
