Programmability with Proof-Carrying Code George C. Necula Peter Lee University of California Berkeley Carnegie Mellon University Why Programmable APIs • Pros: – Standardize “how” not “what” (mechanism vs. policy) – Easy to customize functionality & performance • Move the computation closer to the data – Richer API • Cons: Security risks? Performance degradation? More complex system Bigger trusted infrastructure ? • Harder (impossible?) to predict global behavior • Programming language technology can help George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Safety Through Run-Time Checking untrusted client app. code host expensive limited safety policy constrained data representation compiler big and complex native code verified? No way! Hardware memory protection / Interpreter / Monitor run-time is too late! run-time aborts George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Software Safety: Java untrusted client Java app. code Javac host Java byte code Limited, fixed safety policy Java Verifier slow still slow! JVM still big and complex (and buggy?) JIT native code not verified George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Our Idea: Proof-Carrying Code (PCC) • Use static checking for both safety and performance • Static checking is possible (and in fact easy) if the client supplies evidence attesting to the safety of the code • For an important class of properties, the evidence can be produced by a client-side compiler George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Proof-Carrying Code (PCC) untrusted client Certifying compiler application code host optimized native code safety with maximum performance proof Proof checker CPU simple, small, & fast automated support in a familiar tool small & tamperproof formal safety policy Flexible, customizable safety policies George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 What You Can Do With PCC • Any property with an adequate formalism can be enforced – if you can prove it, PCC can check it! • One proof-checker for all policies! – Small commitment for open-ended flexibility • Example: safety policies defined by safe interpreters – E.g, security monitors, memory safety, resource usage limits, … – The interpreter need not be directly implementable! • E.g, a pointer points to a null-terminated string • … can be enforced statically with PCC – – – – The proof says that all run-time checks will succeed No run-time penalty No data representation constraints Effective enforcement of timing constraints George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Beyond Memory Safety Example: database with multi-level access control • access route price agent • level • parent fare pricing server Safety policy: – host invokes the agent with: • security clearance level – route and price fields readable only if access <= level • parent – communication permitted only back to parent – must terminate within MAX instructions – wait BNDW * SIZE instructions before sending SIZE bytes – Proofs are bigger now (300% of code) PCC is not limited to memory safety! George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experience with PCC • Producing the proofs of safety is generally hard • But can be automated in certain cases – E.g., Type safety, monitor-based safety policies • Automation idea for type safety: – start with a type-safe language – the proof exists at source level; just preserve it! – Compile the proof while compiling the code • Experimental results for a safe-C compiler – – – – – Speed of code on par with traditional optimizing compilers Proofs are 10%-40% the size of the code Proof checking is fast (~ 100Kb/s) Checker + machine code parser is small (~50Kb for x86) A certifying compiler for Java is being built by Cedilla Systems George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Conclusions • The is a need for system extensibility without sacrificing safety and performance • Programming language technology can provide all of these in a small and flexible package – Type safety for optimized machine code is here – More research is needed to automate proof generation for more complex safety policies • Try proof-carrying code online – http://www.cs.berkeley.edu/~necula/pcc.html George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Supplemental Slides Speedup vs. "GNU gcc -O0" Touchstone vs. C Compilers 12x 10x 8x 6x 4x 2x 0x GNU gcc -O4 DEC cc -O4 Touchstone blur sharpen qsort simplex kmp unpack bcopy edge GMEAN 2.33 2.92 2.64 3.82 3.68 3.89 3.51 3.52 3.52 2.97 2.79 3.86 2.44 2.44 1.93 2.62 2.76 2.20 5.50 6.88 4.00 2.92 11.52 9.16 3.17 3.92 3.48 • Touchstone has the extra burden of removing bounds checks Certifying compilation and PCC coexist with optimizations! George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC binary size (bytes) Proof Sizes 5000 4000 3000 2000 1000 0 blur sharpen qsort simplex kmp unpack bcopy edge Proof 112 624 80 786 211 1002 7 75 Invar 162 342 272 825 132 804 36 102 Code 320 1248 560 3584 624 2496 64 640 • Geometric means: – proofs are 20% of code – invariant annotations are 20% of code George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Experiment: Network Packet Filters user process space network monitoring application OS kernel packet filter Safety policy: • packet read only • no loops Wrote filters using: • Touchstone + PCC • Modula-3 network • SFI (sandboxing) • BPF (interpreter) George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 PCC Packet Filters • PCC filters are safe and fast – 10x interpretation, 2x Modula-3, 1.3x sandboxing – PCC can certify even hand-optimized packets! • Proof sizes and checking times are small – proof overhead: 20% (smaller than signatures !) – proof checking time: 1-3ms (amortized quickly) ms 15 12 9 6 3 0 PCC SFI M3 BPF 0 10 20 30 40 50 Thousands of packets George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Minimal-Cooperation PCC Host Client Safety policy Invar Code VC Generator VC Code Proof Checker Certifying Compiler Logic Theorem Prover Proof George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Source Firewall-based PCC Host within enclave Client Firewall Safety policy Invar Code VC Generator Certifying Compiler Logic Theorem Prover VC Code Proof Checker Proof Code George Necula “Programmability with Proof-Carrying Code”, OpenSig’99 Source
© Copyright 2026 Paperzz