Reasoning about Trace Properties of Higher-order Programs

Transcription

1 Reasoning about Trace Properties of Higher-order Programs Limin Jia Joint work with Deepak Garg and Anupam Datta CyLab University

2 Goal: Compositional security S 1 ψ 1 + ϕ S 2 ψ 2! Do S 1 + S 2 satisfy a global security property ϕ based on local properties ψ 1 of S 1 and ψ 2 of S 2 that are checkable separately? 2"

3 Case study: an extensible hypervisor Guest OS Design Principles: Core handles basic functionalities Can be extended with other hyp apps Event handlers registered with core Event handlers access memory through narrow interfaces Guest mode Host mode Hardware virtualization support Hypervisor core Event Hub Event Handler Event Handler 3"

4 Case study: an extensible hypervisor Memory Integrity: Hypervisor s memory (code and data) is only written to by hypervisor s code (including event handlers) Guest mode Host mode Adversary model: Core is trusted Guest OS is untrusted Event handlers are not completely trusted Source code is only available for analysis at link time Confined to a set of interfaces Guest OS Hardware virtualization support Hypervisor core Event Handler Event Hub Event Handler 4"

5 Compositional security! How to reason about a composed system that include adversary-supplied code! Our approach! Interface-confined adversary! Use a type system to! Analyze the programs of trusted components! Provide abstractions of interface-confined adversary 5"

6 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 6"

7 Modeling language! Effective computation! Side effects that change the machine state! E.g., Pointer operations! Pure expressions (terms)! E.g., Expressions e ::= x true false n fun f(x) = e e 1 (e 2 ) comp(c) Action symbols A ::= read write Actions a ::= A a e Computations c ::= act(a) ret(e) fix f(x).c c e let x = c 1 in c 2 let x = e in c if e then c 1 else c 2 7"

8 Operational semantics (configuration) Shared state Configuration C ::= T 1 T 2 T n Tread T ::= ( i, K, c ) Thread ID Evaluation context Program being evaluated e.g. : memory (0, -, Windows 8) (100, -, Adobe Flash) (101, -, Chrome) e.g. : network messages (0, -, server) (100, -, router) (101, -, firewall) 8"

9 Operational semantics (top-level transition)! Configuration! C ::= σ T 1 T 2 T n! Individual thread transition! σ T σ T! System transition! C 1 (u) C 2 iff exists i, T i T i at time u! Trace! A trace T is a sequence of transitions! (u 0 ) C 1 (u 1 ) C 2 (u 2 ) (u n ) C n 9"

10 Operational semantics (expressions) (fun f(x) = e)(e ) β e[e /x] c β c comp(c) β comp(c ) e β e ret(e) β ret(e ) 10"

11 Operational semantics (computations)! Atomic actions! next(σ, a) = (σ, e)! E.g., next(σ, read l) = (σ, σ(l))! Thread next(, a ) = (, e) a * β a β ( i; x.c::k; act(a)) ( i; K; c[e/x]) ( i; x.c::k; ret(e)) ( i; K; c[e/x]) e * β comp(c ) ( i; K; let x = e in c) ( i; x.c::k; c ) 11"

12 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 12"

13 Types! Assertions! Specify properties of the trace! E.g. thread i read R to x at time u 1 and thread i read x at time u 2 and u 1 < u 2 ϕ = Read i R x u 1 Read i x y u 2 u 1 < u 2 Base types b ::= unit bool ptr time thread Expr types τ ::= b Π"x: τ 1. τ 2 comp(η c ) Comp types η ::= x : τ. ϕ ϕ Closed c types η c ::= u 1.u 2.i.(x:τ.ϕ, ϕ ) Π x:τ 1. u 1.u 2.i.(y:τ.ϕ, ϕ ) Assertions ϕ ::= P e 1 = e 2 T# ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 x. ϕ x. ϕ ϕ 13"

14 Types! Assertions! Computation types! parameterized over time points u 1 u 2 and threadid i! Partial correctness (PC) types! Specify the effect of a computation even after it finishes evaluation! Invariant types! Specify the effect of a computation even when it has not finished Base types b ::= unit bool ptr time thread Expr types τ ::= b Π"x: τ 1. τ 2 comp(η c ) Comp types η ::= x : τ. ϕ ϕ Closed c types η c ::= u 1.u 2.i.(x:τ.ϕ, ϕ ) Π x:τ 1. u 1.u 2.i.(y:τ.ϕ, ϕ ) Assertions ϕ ::= P e 1 = e 2 T# ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 x. ϕ x. ϕ ϕ 14"

15 Types! Assertions! Computation types! parameterized over time points u 1 u 2 and threadid I! Closed Computation types! Bind the thread ID and begin and end time Base types b ::= unit bool ptr time thread Expr types τ ::= b Π"x: τ 1. τ 2 comp(η c ) Comp types η ::= x : τ. ϕ ϕ Closed c types η c ::= u 1.u 2.i.(x:τ.ϕ, ϕ ) Π x:τ 1. u 1.u 2.i.(y:τ.ϕ, ϕ ) Assertions ϕ ::= P e 1 = e 2 T# ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 x. ϕ x. ϕ ϕ 15"

16 Types! Assertions! Computation types! parameterized over time points u 1 u 2 and threadid I! Closed Computation types! Bind the thread ID and begin and end time! Expression types Base types b ::= unit bool ptr time thread Expr types τ ::= b Π"x: τ 1. τ 2 comp(η c ) Comp types η ::= x : τ. ϕ ϕ Closed c types η c ::= u 1.u 2.i.(x:τ.ϕ, ϕ ) Π x:τ 1. u 1.u 2.i.(y:τ.ϕ, ϕ ) Assertions ϕ ::= P e 1 = e 2 T# ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 x. ϕ x. ϕ ϕ 16"

17 Types Examples! ϕ = u, u 1 < u < u 2 a v, Write i a u! e : comp(u 1.u 2.i.(y:nat.ϕ, T))! g : Π"y:nat.comp(u 1.u 2.i.(r:unit.ϕ, T) (τ g )! f : Π"g:"τ g. Π"x: nat. comp(u 1.u 2.i.(r:unit. ϕ, T)) 17"

18 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 18"

19 Semantics of types (simplified)! [[ x:τ.ϕ ]] u1.u 2.i ; Δ = { c (1) a trace T contains completed computation of c from time t b to t e by thread I (2) upon completing, c returns e (3) T #Δ Composi3onality"is"built"into"the"seman3cs" then T ϕ[t b, t e, I, e/ u 1, u 2, i, x] and e [[τ]] } (t b ) σ T 1 T 2 (I, x.c ::K, c) T n σ (t e ) T 1 T 2 (I, K, c [e/x]) T n 19"

20 Semantics of types (cont.)! [[ ϕ ]] u1.u2.i ; Δ = { c (1) a trace T contains unfinshed computation of c from time t b to t e by thread I (2) T #Δ then T ϕ[t b, t e, I/ u 1, u 2, i] } (t b ) σ T 1 T 2 (I, K, c) T n σ (t e ) T 1 T 2 (I, K, c ) T n Evaluating c 20"

21 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 21"

22 Typing judgments variable typing Γ ; Δ G e : global logical assumptions (e.g., x > 3) u 1.u 2.i; Γ; Δ G ; Δ L c : x:τ.ϕ parameters: beginning, ending time points, thread id u 1.u 2.i; Γ; Δ G ; Δ L c : ϕ logical assumptions (e.g., thread i has written 3 to memory address l u 1.u 2.i; Γ; Δ G ; Δ L idle ϕ ϕ is true when thread i is idle (e.g. thread i does not write to memory) Γ;Δ G ; Δ L ϕ ϕ is true (e.g. memory integrity) 22"

23 Typing rules partial correctness! u 1.u 2.i; Γ;Δ G ; Δ L #c : x:τ.ϕ u 0, u 1, i ; Γ ; Δ G ; Δ, u 0 u 1 idle ϕ 0 u 1, u 2, i ; Γ, u 0 ; Δ G ; Δ, u 0 < u 1 u 2, ϕ 0 c 1 : (x:τ. ϕ 1 ) u 2, u 3, i ; Γ, u 0, u 1 ; Δ G ; Δ, u 0 < u 1 < u 2 u 3, ϕ 0, ϕ 1 c 2 : (y:τ. ϕ 2 ) u 0, u 3, i ; Γ ; Δ G ; Δ let x = c 1 in c 2 : y: τ. u 1,u 2,x, u 0 < u 1 < u 2 u 3 ϕ 0 ϕ 1 ϕ 2 idle c 1 ϕ c 2 1 ϕ 2 ϕ 0 u 0 u 1 u 2 u 3 23"

24 Typing rules partial correctness! Example: let x = read addr in read x : y:exp. u 1,u 2,x, u 0 < u 1 < u 2 u 3 v, Mem(addr, v)@u 2 x = v v, Mem(x, v )@u 3 y = v idle c 1 ϕ c 2 1 ϕ 2 ϕ 0 u 0 u 1 u 2 u 3 24"

25 Typing rules invariant (sequencing)! u 1.u 2.i; Γ;Δ G ; Δ L #c : ϕ! u 1.u 2.i; Γ;Δ G ; Δ L #let x = c 1 in c 2 : ϕ! Example: let x = read addr in read x : a, u, u1 < u < u2 Write i u idle c 1 c 2 ϕ pc1 ϕ 0 ϕ inv1 ϕ inv2 ϕ 0 ϕ ϕ 0 ϕ inv1 ϕ ϕ 0 ϕ inv1 ϕ inv2 ϕ 25"

26 Typing rules (expressions) u 1.u 2.i; Γ; Δ G ; c : x:τ.ϕ 1 u 1.u 2.i; Γ; Δ G ; c : ϕ 2 Γ ; Δ G comp(c) : u 1.u 2.i.(x:τ.ϕ 1, ϕ 2 ) 26"

27 Typing rules (Honest)! Honest rule transition from reasoning about trusted program to trace properties of the system! Example:! u 1.u 2.i; ; ; let x = read R in read x : u, u 1 < u < u 2 a, v, Write i a u! ; start(user, c, u 0 ) ; start(user, c, u 0 )! ; start(user, c, u 0 ) ; u, u > u 0, u, u 0 < u < u a, v, Write user a u u 1.u 2.i; ; Δ G ; Δ L c : ϕ ; Δ G ; Δ L start(i, c, u 0 ) ; Δ G ; Δ L u, u > u, ϕ[u 0, u, I/ u 1, u 2, i] Honest 27"

28 Reasoning about adversary! Adversary typing! What s stored in L ihub is not entirely under the control of the hypervisor! let x = read L ihub (x = download url) in let y = x in ret y! Idea:! Interface-confined adversary! Event handlers can only access core s memory through narrowly defined interfaces! No need to analyze the code! Analyze the interfaces! Ensure that the code is confined to these set of interfaces 28"

29 Adversary typing confine! Ensure that the code is confined to these set of interfaces! Interface-confined code is type-checked against a simple type system! Booleans cannot be used as functions! E.g., Java bytecode verifier! Typing for trusted programs:! u 1.u 2.i; Γ;Δ G ; Δ L c : x:τ. ϕ! Typing requirement for interface-confined programs! Ξ c : π c cannot perform any actions beyond the interfaces Simple types, no effects π ::= b Π x:π 1.π 2 O(π) 29"

30 Confine (cont.)! Predicate stype(e, π) internalizes e : π! Empty typing context ensures that e cannot perform any effectful actions beyond the interfaces! Judgment (confine τ ##π###u 1.u 2.i.ϕ)! Decorating π with effects (u 1.u 2.i.ϕ) results in τ! Examples:! confine (comp(u 1.u 2.i.(y:nat.ϕ, ϕ))) O(nat) u 1.u 2.i.ϕ! confine Π g: (Π y:nat.comp(u 1.u 2.i.(r:unit.ϕ, ϕ)). Π x: nat. comp(u 1.u 2.i.(r:unit. ϕ, ϕ)) (Π g: (Π y:nat.o unit). Π x: nat. O unit) (u 1.u 2.i.ϕ)! ϕ = u, u 1 < u < u 2 a, v, Write i a u 30"

31 Confine (cont.)! Predicate stype(e, π) internalizes e : π! Empty typing context ensures that e cannot perform any effectful actions beyond the interfaces! Judgment (confine τ ##π###u 1.u 2.i.ϕ)! Decorating π with effects (u 1.u 2.i.ϕ) results in τ T #ϕ[u b, u m, I / u 1, u 2, i] ϕ[u m, u e, I / u 1, u 2, i] implies T #ϕ[u b, u e, I / u 1, u 2, i] u 1, u 2, i ; Γ ; Δ G ; idle ϕ u Γ ; Δ G ; stype(e, π) Γ ; Δ G e : τ 1.u 2.i.ϕ is composable Confine τ π u 1.u 2.i.ϕ 31"

32 Practical aspects of confine! stype(e, π) assertion can be obtained by applying a simply type checking procedure to e when it is downloaded (linked to) by trusted component! E.g., Java bytecode verifier! Asymmetric typing requirements for trusted and untrusted components! No properties are derived about the untrusted code during the simple type checking in contrast to Proof Carrying Code 32"

33 Beta rule! let x = read Lihub in let y = x in ret y stype(ihub, π) x = ihub v, mem (Lihub, u 2 (v = ihub) v, mem (Lihub, u 2 (x = v) ihub : τ x :? Γ ; Δ G e : τ Γ; Δ G ; e = e Beta Γ ; Δ G e : τ 33"

34 Semantics for types (revisited)! Logical relation [[Πx:τ 1. τ 2 ]] = {fun f(x) =e v [[τ 1 ]] e[v/x] [[τ 2 ]]}! [[τ]] = {e e * β v and v [[τ]]} Beta equivalence Γ ; Δ G e : τ Γ; Δ G ; e = e Beta Γ ; Δ G e : τ 34"

35 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 35"

36 Soundness of the type system 1) If Γ ; Δ G e : then for all substitution δ for Γ, Δ G δ eδ [[τ]] 2) If u 1.u 2.i;#Γ;Δ G ;#Δ L## #c#:#x:τ.ϕ then for all substitution δ for Γ, Δ G δ cδ [[x:τ.ϕ]]# u1.u2.i;#δl δ 3) If u 1.u 2.i;#Γ;Δ G ;#Δ L## #c#:#ϕ#then for all substitution δ for Γ, Δ G δ cδ [[ϕ]]# u1.u2.i;#δl δ 4) If Γ; Δ G ; Δ L ϕ then for all substitution δ for Γ, for all trace T, T ϕδ L and Δ G δ T ϕδ 36"

37 Outline! Background! Modeling language! Syntax! Trace semantics! Type system! Types! Semantics of types! Typing rules! Soundness! Case study 37"

38 Case study: an extensible hypervisor Verified Memory Integrity on the Design Core is trusted Encode the program logic in our Guest#mode# language Use type system to derive its invariant Host#mode# Guest OS is untrusted Hardware axioms are used to confine its ability Event Handlers are not completely trusted R # L core# : " Guest#OS# Hardware# virtualizabon## support# XMHF#core# Confined to a set of interfaces Use Confine rule Beta rule is used to reason about jumping to code locations Core, and ihub Inductive reasoning over the length of the trace Event## Handler# L ihub #:" # Event#Hub# Event# Handler# 38"

39 Summary! Design a type system for reasoning about trace properties of systems that contain adversarial components! Monad! Confine and beta rule! Define trace semantics for types! Prove soundness! Verified the program logic of an extensible hypervisor 39"

40 Related Work! PCL [Datta et al.] LS 2 [Garg et al.]! Hoare Type Theory (Ynot) [Nanevski et al.] 40"

41 Thanks! Apply to CMU ECE