Code-Carrying Proofs
Aytekin Vargun
Rensselaer Polytechnic Institute
Outline
Introduction Proof-Carrying Code (PCC) Code-Carrying Proofs(CCP) Sample CCP session Future Work
Potential Problems to be Solved
Memory Safety illegal operations or illegal access to memory
Security unauthorized access to data or system
resources Functional Correctness
whether the code does correctly what it is formally required to do
Two Solutions
Proof-Carrying Code (PCC) Code-Carrying Proofs (CCP)
Proof-Carrying Code (PCC)
Developed by Necula and Lee [1996] at CMU.
Basic Idea: Use machine-checkable proofs as certificates.
Proof construction is harder than proof checking Code producer provides the proof Code consumer checks it
Code Producer
Code Consumer
Theorem Prover
Safety Policy
Native CodeWith Annotations
Proof Checker
Ok
CPU
VCGen
Verification Condition
Safety Policy
Safety Proof Safety Proof
VCGen
Verification Condition
Source Code Touchstone Compiler
Native CodeWith Annotations
PCC
Code Producer
Code Consumer
Theorem Prover
Safety Policy
Native CodeWith Annotations
Proof Checker
No
CPU
VCGen
Verification Condition
Safety Policy
Safety Proof
Safety Proof
VCGen
Verification Condition(may change)
Source Code Touchstone Compiler
TamperedNative Code
With Annotations
Hacker
Tampered Code is not delivered to the CPU
But safety is still guaranteed if the code is modified in such a way that the VC is unchanged
PCCTampered
Code Producer
Code Consumer
Theorem Prover
Safety Policy
Native CodeWith Annotations
Proof Checker
No
CPU
VCGen
Verification Condition
Safety Policy
Tampered Safety Proof
Safety Proof
VCGen
Verification Condition
Source Code Touchstone Compiler
Native CodeWith Annotations
Proof is either invalidoris not the proof of the VC
Hacker
PCCTampered
Code Producer
Code Consumer
Theorem Prover
Safety Policy
Native CodeWith Annotations
Proof Checker
VCGen
Verification Condition
Safety Policy
VCGen
Verification Condition(may change)
Source Code Touchstone Compiler
TamperedNative Code
With Annotations
Hacker
Safety is guaranteedif the tampered proof is the proof of the new VC
Safety Proof
Hacker
Tampered Safety Proof
Ok
CPU
PCCTampered
Foundational PCC
Developed by Appel in [2000] at Princeton VCGen is a large program. Replace it! Basic Idea:
Define the semantics of the machine instructions and safety rules
Use foundational mathematical logic instead of programming-language-specific axioms or safety rules
No particular type system
Foundational PCC
Prove w.r.t. the formal machine language semantics
Operates at a very low level of abstraction It does reduce dependency on a large
program (VCGen) but this is true for CCP also
Code-Carrying Proofs (CCP)
Start with axioms that define functions The form of axioms is such that it is easy to
extract executable code from them. Prove that the defined functions obey certain
requirements The producer transmits
Axioms The correctness theorems And their proofs
Code-Carrying Proofs (CCP)
No explicit code transmission The consumer checks proofs to see if the
correctness theorem is proved If proof checking succeeds, the consumer
applies the code extractor to the axioms and obtain the executable code
Code-Carrying Proofs (CCP)
CCP attempts to solve Functional Correctness problem
We are dealing with a higher-level language
Code Producer
Code Consumer
Axioms & Proofs
Theorem Prover
Requirements
Axioms & Theorems
Proof Checker
CPUAxioms & Theorems Code Extractor Code
CCP
Requirements
Axioms & Proofs
Code Producer
Code Consumer
Axioms & Proofs
Tampered Axioms & Proofs
Theorem Prover
Requirements
Requirements
Axioms & Theorems
Proof Checker
CPUCode Extractor
Hacker
(Failed Proofs) (No Code)
CCPTampered
Issues
Encoding axioms and proofs Proof Checking Tests to be applied by the consumer to new
function definitions (definitional principle) Syntactic Property Consistency Termination
Implementing Code Extractor
Athena
Implemented by K.Arkoudas A language for both:
Ordinary Computation Logical Deduction
Athena Ordinary Computation Language
Provides higher-order functions Has primitive functions for
Unification Matching Substitution
Athena Logical Language
Special Deductive Forms dcheck, dbegin, assume, …
Primitive Deduction Methods mp, both, left-and, …
Declarations structure, declare, …
Directives load-file, clear-assumption-base, …
Athena Advantages
Better Proof Readability Machine checkable proofs Makes it possible to formulate and write
proofs as methods Generic Proofs
write the proof once and instantiate it to prove specific cases
Code Extractor
Quantified Equations and Conditional Equations
These are clauses of a recursive function definition
CE has to be able to combine these into a recursive function
Code Extractor
CE can extract pure functions it is not capable of extracting destructive
functions Example Functions:
searching functions, sum It cannot handle functions like:
in-place reverse, sort
Code Extractor
We have been working on simple functions. But: In analogy to STL, it is useful to have a library
of simple functions from which more complex functions can be composed, especially if the functions are generic
It is possible for code extractor to extract complex functions composed of such simple functions
Future Work
New Definitions and Tests to be applied Defining Memory More Proof Examples Improving the Code Extractor Memory Safety Generic Proofs and Proof packaging