Lissom, a Source Level Proof Carrying Code Platform

This paper introduces a proposal for a Proof Carrying Code (PCC) architecture called Lissom. Started as a challenge for final year Computing students, Lissom was thought as a mean to prove to a sceptic community, and in particular to students, that f…

Authors: Joao Gomes, Daniel Martins, Simao Melo de Sousa

João Gomes, Daniel Martins, Simão Melo de Sousa (Departamento de Informática, Universidade da Beira Interior, Covilhã, Portugal; {joao.gomes, daniel.martins, desousa}@di.ubi.pt) and Jorge Sousa Pinto (DI/CCTC, Universidade do Minho, Braga, Portugal; jsp@di.uminho.pt)

Abstract

This paper introduces a proposal for a Proof Carrying Code (PCC) architecture called Lissom. Started as a challenge for final year Computing students, Lissom was conceived as a means to prove to a sceptical community, and in particular to students, that formal verification tools can be put into practice in a realistic environment, and be used to solve complex and concrete problems. The attractiveness of the problems that PCC addresses has already brought students to show interest in this project.

1 The Lissom Platform

Traditional PCC architectures center their certificate generation mechanisms on the output of the compilation. Along the lines of recent projects, we believe that there are strong benefits in moving the certificate generation to the source code level. Because there exist good tools for source code verification and for formal verification in general, it is a feature of the Lissom platform that existing tools are used as much as possible at key points of its infrastructure. Our vision of PCC is based on the following two underlying principles:

• Source level PCC is the way. It is our belief that the realistic formal verification of mobile code should be performed at source level. Programmers may be unaware of the target architecture details, and in general algorithmic constructions are expressed at source level.

• Reuse as much as possible. There exist plenty of powerful tools for the formal verification of source code.
Such tools already have experienced user communities, and have reached an appreciable level of maturity and flexibility that make them natural choices in the context of a source level PCC architecture.

Our main goal with Lissom is to gain experience with PCC and to put it into practice. We now describe the proposed architecture for the Lissom platform (see figure below).

The Source Language and the Compiler. LISS (Language for Integers, Sets and Sequences) is a non-trivial toy language that also features a realistic type system (with e.g. sets, vectors à la Java, etc.) and high-level constructs. LISS is intended here as a suitable test-bed before aiming at an industrial-level language. This language must be extended in order to provide an annotation system for the source code. In a source level PCC architecture, the compiler has to compile not only the source code but also the proofs into their machine level counterpart. A very interesting challenge is to transform a source level structural proof (proofs heavily rely on the structure of the analyzed program) into a proof that is still structurally close to the machine level code. We follow here the contributions of [1].

[Figure: the Lissom architecture. Code producer side: source code, code annotation, source VCGen, proof system (WHY and COQ), certificate, and a compiler with certificate translation producing compiled code + certificate. Code consumer side: security policies, bytecode VCGen, COQ proof checker (yes/no), and the execution platform.]

The Virtual Machine. Lissom uses a sequential, stack-based virtual machine, which despite its simplicity has the capacity to support real languages (such as C or Java), and is, together with LISS, a suitable test-bed. The machine is an adaptation of Filliâtre's original virtual machine [4], used for teaching several courses at our universities (e.g. Compiler Construction and Formal Methods).
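To make the consumer-side flow of the figure concrete, here is an added toy example (written for this page, not Lissom's own code): a VCGen that symbolically executes delivered stack-machine bytecode against a bounds policy, a term evaluator, and a bounded exhaustive checker standing in for the COQ proof checker. The instruction set, the array-bounds policy and the two programs are constructed for illustration.

```python
from itertools import product
# Constructed stack-machine subset: ('push', n) ('load', var) ('add',) ('sub',)
# ('lt',) ('jz', target) ('aset',) ('halt',). Policy: every 'aset' (store into
# an array of the given size) uses an index i with 0 <= i < size. Terms are
# int | variable name | (op, left, right); booleans are encoded as 0/1.
def vcgen(code, size, pc=0, stack=(), path=()):
    """Consumer-side VCGen: symbolically execute the delivered bytecode (not the
    producer's claims) and return (path condition, obligation) pairs. No loops."""
    stack, vcs = list(stack), []
    while pc < len(code):
        ins = code[pc]
        if ins[0] in ('push', 'load'):
            stack.append(ins[1])                 # constant or symbolic variable
        elif ins[0] in ('add', 'sub', 'lt'):
            b, a = stack.pop(), stack.pop()
            stack.append((ins[0], a, b))
        elif ins[0] == 'jz':                     # fork: taken (c == 0) / fall through
            c = stack.pop()
            vcs += vcgen(code, size, ins[1], stack, path + (('eq', c, 0),))
            path += (('ne', c, 0),)
        elif ins[0] == 'aset':                   # pops value, then index
            _value, idx = stack.pop(), stack.pop()
            vcs.append((path, ('and', ('le', 0, idx), ('lt', idx, size))))
        elif ins[0] == 'halt':
            break
        pc += 1
    return vcs

def ev(t, env):
    if isinstance(t, int): return t
    if isinstance(t, str): return env[t]
    op, x, y = t[0], ev(t[1], env), ev(t[2], env)
    return {'add': x + y, 'sub': x - y, 'lt': int(x < y), 'le': int(x <= y),
            'eq': int(x == y), 'ne': int(x != y), 'and': int(bool(x and y))}[op]

def check(vcs, variables, lo=-4, hi=8):
    """Stand-in for the proof checker: bounded exhaustive validity check. In
    Lissom the certificate is a COQ proof object and COQ does the checking."""
    for vals in product(range(lo, hi), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if any(all(ev(c, env) for c in path) and not ev(ob, env) for path, ob in vcs):
            return False
    return True

def accept(code, size, variables):   # code consumer decision for delivered code
    return check(vcgen(code, size), variables)

# Constructed programs: both store 7 into a[i] (array size 4); only SAFE guards i.
UNSAFE = [('load', 'i'), ('push', 7), ('aset',), ('halt',)]
SAFE = [('push', -1), ('load', 'i'), ('lt',), ('jz', 11),   # skip unless -1 < i
        ('load', 'i'), ('push', 4), ('lt',), ('jz', 11),    # skip unless i < 4
        ('load', 'i'), ('push', 7), ('aset',), ('halt',)]
```

The point the page makes about the TCB shows here: the consumer trusts only its own VCGen and checker, never the producer's annotations, so `accept(UNSAFE, 4, ['i'])` is rejected however the producer describes it.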
The Proof System and the Proof Checker. As far as the Trusted Computing Base (TCB) is concerned, it is important for it to be as small and solid as possible; we believe that an adequate choice of proof system may help in attaining such a goal. Also, it is important to be able to express high level policies as well as lower level ones. These requirements have led us to consider using the COQ proof system and its higher-order specification language and underlying proof mechanisms. This system, based on the calculus of inductive constructions, has been used with success for the formal verification of critical and large-scale systems. As far as source code is concerned, integration with COQ is guaranteed by the existence of a number of tools suited for code annotation and proof (e.g. [6]). Lissom will feature a source code verification system based on WHY and the COQ system. Thus we intend to use COQ proof objects as certificates.

The Verification Generator. This will be obtained using Filliâtre's WHY tool [5], which is capable of producing proof obligations for various systems, including COQ. We are presently working on a WHY module for the language LISS (equivalent to Caduceus for C [6]) and for the input language of the virtual machine. The annotation language used for this will be an adaptation of JML [3] specialized for security policy specification.

2 Road Map

After the present prototyping phase, the platform must have proved to be adequate for mobile code security. The relevance and conceptual solidity of previous works on formal verification (e.g. [2]) on which this is based lead us to believe in the success of the enterprise. Our road-map is the following, where the points highlighted as in progress are the modules which are currently in active development.

1. To design an annotation language for LISS (in progress);
2. to extend the WHY tool to contemplate this annotation language, allowing WHY to be used as a generator of proof obligations for source code (in progress);
3. to design a proof system for the LISS language, integrated in COQ (starting phase);
4. to extend the LISS compiler with the capability to translate certificates (starting phase);
5. to design a proof system for the virtual machine and its language, integrated in COQ (in progress);
6. to design a proof obligation generator for compiled code (in progress).

We finish with a few examples of the many interesting problems that will be raised in this work, along with the classical challenges that every PCC platform must address. A first problem is the automation of the COQ proof process and its impact on the consumer effort; the tension between expressiveness and automation is a well-known problem that must be carefully studied. It also remains to be seen to what extent the techniques presented in [7] allow for conciseness of COQ certificates. The language LISS and the virtual machine used are non-trivial, but are still relatively simple when compared to platforms such as JAVA or .NET. The capacity of the platform to scale up to such platforms must thus be evaluated. Finally, it will be important to apply our choices in an appropriate case study that starts from the security policy specification and goes up to the certificate verification (proof of concept).

References

[1] G. Barthe, B. Grégoire, C. Kunz, and T. Rezk. Certificate translation for optimizing compilers. In Proceedings of the 13th International Static Analysis Symposium. LNCS, Springer-Verlag, 2006.
[2] G. Barthe, P. Courtieu, G. Dufay, and S. Melo de Sousa. Tool-Assisted Specification and Verification of Typed Low-Level Languages. Journal of Automated Reasoning, Jan 2006.
[3] Lilian Burdy, Yoonsik Cheon, David Cok, Michael Ernst, Joe Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. An overview of JML tools and applications. International Journal on Software Tools for Technology Transfer (STTT) 7 (2005), no. 3, 212–232.
[4] J.-C. Filliâtre. Resources for the compilation course - the virtual machine. From the author's webpage.
[5] J.-C. Filliâtre. Why: a multi-language multi-prover verification tool. Research Report 1366, LRI, Université Paris Sud, March 2003.
[6] J.-C. Filliâtre and Claude Marché. Multi-Prover Verification of C Programs. Sixth International Conference on Formal Engineering Methods (ICFEM) (Seattle), Lecture Notes in Computer Science, vol. 3308, Springer-Verlag, November 2004, pp. 15–29.
[7] G. C. Necula and P. Lee. Efficient representation and validation of logical proofs. Proceedings of the 13th Annual Symposium on Logic in Computer Science. IEEE Computer Society Press, 1998, pp. 93–104.
