Proof-Carrying Code&
Proof-Carrying Authentication
Stuart Pickard CSCI 297
June 2, 2005
Proof-Carrying Code George C. Necula. POPL97, January 1997.
Proof-Carrying Authentication Andrew W. Appel and Edward W. Felten. 6th ACM Conference on Computer and Communications Security, November 1999.
Papers
The “Proof-Carrying Code” paper is an extension on Tuesday’s presentation on Certifying Compilers.
However, the “Proof-Carrying Authentication” is a new topic that uses similar logic to Proof-Carrying Code to prove the right of authentication.
Proof-Carrying Code (quick review)
code
StuartProf. Simha
proof
Can Professor Simha trust me that my code is safe to run on his computer?
Diagram from “Proof-Carrying Code” paper
The Basic ideas of the paper:
General Proof Carrying Technique With Specific Implementations:
•Safety Policy
•Safety Proofs
•Validation of Safety Proofs
The implementation in the paper uses First-Order Predicate Logic as a basis to formalize the safety policy.
The safety rules are expressed as a Floyd-style verification condition generator
When given a program and a set of preconditions and postconditions the system can produce a verification condition predicate (VC) in First–Order Logic.
If the VC can be proven using the proof rules associated with the logic, then the program satisfies the safety invariants.
If the VC cannot be proven, then the program does not satisfy the safety invariants and is unsafe to run.
So what is First-Order Predicate Logic?
First-order predicate calculus or first-order logic (FOL) permits the formulation of quantified statements such as "there exists an x such that..."
In our case: The statements that need to be quantified are the annotated lines of code where type verification is needed.
The Typing Rules
Theorem 3.1
Any program with a valid verification condition starting in a state that satisfies the preconditions will only reference valid memory locations
Theorem: For any program Π, set of invariants Invand postcondition Post such that Π0 = INV Pre, if►VC (Π, Inv, Post) and the initial state satisfies theprecondition Pre, then the program reads only fromvalid memory locations as they are defined by thetyping rules, and if it terminates, it does so in a
statesatisfying the postcondition.
Theorem 3.2 + Corollary
These theorems can be used to help prove adequacy of the first-order logic to guarantee type safety as defined by the safety policy
Recap of Paper Proof-Carrying code is a mechanism to
allow code users to be guaranteed safe code in regards to their safety policy.
The main contribution of the paper was the fact that they implemented a system of program verification using certification (creating the proof on the code producer side) and proof validation (on the code user side)
Paper number 2: “Proof-Carrying
Authentication”
Main Idea: Say for example a client desired access to a server, but needed to be authenticated. The authors are purposing a strategy, analogous to Proof-Carrying Code, that makes the user construct a proof that shows they should have access. The server then verifies correctness of the proof and lets the user proceed
Access?proof Check Proof
Grant Access
Proof-Carrying Authentication
Example of Proof-Carrying Authentication Protocol
Suppose Stuart wanted to access an email server named GWU. The server receives a request from Stuart to “read Stuart’s email.” GWU’s control list says that Stuart can read his email.
But is the request really from Stuart? How do we solve this?
Add a Certificate Authority The server GWU trusts the CA to guarantee
key-to-name bindings, and the server also knows the CA’s public key.
Stuart then obtains a certificate signed by CA’s private key that says “Ks is Stuart’s public key.” Stuart then signs the message ”read Stuart’s email” with his private key.
With this information GWU can safely grant the request to “read Stuart’s email.”
Constructing the Proof The server GWU starts with the following
assumptions:A1 = trustedCA(CA)A2 = keybind(Kc, CA)A3 = Stuart controls read Stuart’s email
With these assumptions published to Stuart, Stuart can prove to the server GWU that he should be able to read his email using high-order logic.
Proof:
How the Proof is checked:
First check the two digital signatures to establish the fact that Ks signed “read Stuart’s email” and Kc signed the keybind(Ks, S)
From assumption A1 we can prove C controls keybind(Ks, S) by the lemma trustedCA_e.
From A2 and a digital; signature we prove C(keybind(Ks, S)) by the keybind_e lemma.
Proof Check continued Now from the last two results (C controls
keybind(Ks, S) and C(keybind(Ks, S))) we prove keybind(Ks, S) by the controls_e lemma.
From this result and a signature we prove S(read Stuart’s email) by the keybind_e lemma.
Finally, from assumption A3 and S(read Stuart’s email) we prove “read Stuart’s email” by controls_e.
Thus, the server GWU authenticates the user Stuart and allows him access to his email
Note: All parts of the proof need to be true/ checked in order for authentication to occur
Advantages
Just like Proof-Carrying Code, the burden is placed on one side.
It is easy to check a proof, but hard to create a proof.
The user takes the burden and leaves the server to perform the easy proof checking
Implementation of previous example in Twelf
Twelf is an implementation of the Edinburgh Logical Framework.
A standard way of representing this protocol is needed and the code on the next slide is an example of the standard used in this paper.
Twelf representation
Overview
Overall, this example has shown that higher-order logic can be used for authentication purposes
The proofs can be small and not too difficult to create.
Also, proof checking is easy in comparison to proof creation.
Sources George C. Necula. Proof-Carrying Code POPL97, January 1997. Andrew W. Appel and Edward W. Felten.
Proof-Carrying Authentication 6th ACM Conference on Computer and Communications Security, November 1999.
Peter Lee http://www-2.cs.cmu.edu/Groups/fox/papers/necula-osdi96/node2.html Tue Sep 17 15:37:44 EDT 1996
Discussion