Abstract

A powerful method of interaction between two software systems is through mobile code. By allowing code to be installed dynamically and then executed, a host system can provide a flexible means of access to its internal resources and services. Many problems must be solved before such uses of untrusted code can become practical. We focus on the problem of how to establish guarantees about the intrinsic behavior of untrusted programs. Of particular interest are the following: (1) How can the host system ensure that the untrusted code will not damage it, for example by corrupting internal data structures? (2) How can the host ensure that the untrusted code will not use too many resources (such as CPU and memory) or use them for too long a time period? (3) How can the host provide these assurances without undue effort and without a deleterious effect on overall system performance? Our position is that the theory of programming languages, including formal semantics, type theory, and applications of logic, is critical to solving the untrusted-code security problem. To illustrate the possibilities of programming language theory, we briefly describe one rather extreme but promising example, proof-carrying code (PCC). In this technique the host establishes a set of safety rules that guarantee safe behavior of programs, and the code producer creates a formal safety proof that the untrusted code adheres to those rules. The host then uses a simple and fast proof validator to check, with certainty, that the proof is valid and hence that the foreign code is safe to execute.
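
The following is an added toy illustration of the PCC division of labour described above; it is not the authors' system and its instruction set, register names (r0..r4), memory size (MEM_SIZE) and the shape of the certificate are all assumptions made for the example. The host's safety rule is that every load and store address lies inside an 8-word memory. Instead of a logical proof object, the "proof" here is an interval invariant for every instruction, which the untrusted producer computes by iterating a fixpoint; the host's validator only re-checks each instruction locally against the supplied invariants, which is the cheap, certain step the abstract refers to.

```python
# Added illustration of the proof-carrying code workflow (a toy, not the
# paper's system): the host fixes a safety policy, the producer ships code plus
# a certificate, and the host's small validator checks the certificate locally.
from math import inf

REGS = ("r0", "r1", "r2", "r3", "r4")
TOP = (-inf, inf)      # interval meaning "any integer"
MEM_SIZE = 8           # host policy: every load/store address is in [0, MEM_SIZE)


def entails(env, inv):
    """True if every register's range in env lies inside its range in inv."""
    return all(inv[r][0] <= env[r][0] and env[r][1] <= inv[r][1] for r in REGS)


def successors(pc, instr, env):
    """One abstract step: (next_pc, post_env) pairs; raises if the instruction
    can violate the policy under env.  Shared by producer and validator."""
    op, post = instr[0], dict(env)
    if op == "const":                        # const r v  : r := v
        post[instr[1]] = (instr[2], instr[2])
        return [(pc + 1, post)]
    if op == "add":                          # add r a b  : r := a + b
        _, r, a, b = instr
        post[r] = (env[a][0] + env[b][0], env[a][1] + env[b][1])
        return [(pc + 1, post)]
    if op in ("load", "store"):              # load r a   : r := mem[a]
        addr = instr[2] if op == "load" else instr[1]   # store a v : mem[a] := v
        lo, hi = env[addr]
        if lo < 0 or hi >= MEM_SIZE:
            raise ValueError(f"pc {pc}: address {addr} in [{lo}, {hi}] may leave memory")
        if op == "load":
            post[instr[1]] = TOP             # memory contents are not tracked
        return [(pc + 1, post)]
    if op == "jlt":                          # jlt a b t  : if a < b goto t
        _, a, b, t = instr
        taken, fall = dict(env), dict(env)
        taken[a] = (env[a][0], min(env[a][1], env[b][1] - 1))   # a <  b
        fall[a] = (max(env[a][0], env[b][0]), env[a][1])        # a >= b
        # an empty interval means that edge is unreachable
        return [(n, e) for n, e in ((t, taken), (pc + 1, fall)) if e[a][0] <= e[a][1]]
    if op == "halt":
        return []
    raise ValueError(f"pc {pc}: unknown instruction {op!r}")


def validate(program, certificate):
    """Host-side validator: accept only if the certificate is a valid proof.
    Every check is local to one instruction, so the work is linear in size."""
    if len(certificate) != len(program):
        return False, "certificate length mismatch"
    if not entails({r: TOP for r in REGS}, certificate[0]):
        return False, "entry invariant must admit arbitrary register contents"
    for pc, instr in enumerate(program):
        try:
            for nxt, post in successors(pc, instr, certificate[pc]):
                if not 0 <= nxt < len(program):
                    return False, f"pc {pc}: jump target {nxt} out of range"
                if not entails(post, certificate[nxt]):
                    return False, f"pc {pc}: invariant at pc {nxt} not preserved"
        except ValueError as err:
            return False, str(err)
    return True, "ok"


def produce_certificate(program, max_rounds=64):
    """Code producer: forward interval analysis to a fixpoint.  This is the
    expensive, untrusted half; it raises if no proof is found."""
    inv = [None] * len(program)
    inv[0] = {r: TOP for r in REGS}
    for _ in range(max_rounds):
        changed = False
        for pc, instr in enumerate(program):
            if inv[pc] is None:              # not reached yet
                continue
            for nxt, post in successors(pc, instr, inv[pc]):
                if inv[nxt] is None:
                    inv[nxt], changed = post, True
                    continue
                for r in REGS:
                    old = inv[nxt][r]
                    new = (min(old[0], post[r][0]), max(old[1], post[r][1]))
                    if new != old:
                        inv[nxt][r], changed = new, True
        if not changed:                      # unreachable code gets TOP
            return [e if e is not None else {r: TOP for r in REGS} for e in inv]
    raise ValueError("analysis did not converge; no proof produced")


# Constructed sample of untrusted code: sums mem[0..7] into r2, stores it at mem[0].
PROGRAM = [
    ("const", "r0", 0),          # 0: i := 0
    ("const", "r1", MEM_SIZE),   # 1: bound := 8
    ("const", "r2", 0),          # 2: acc := 0
    ("const", "r3", 1),          # 3: step := 1
    ("load", "r4", "r0"),        # 4: r4 := mem[i]   (policy: 0 <= i < 8)
    ("add", "r2", "r2", "r4"),   # 5: acc := acc + r4
    ("add", "r0", "r0", "r3"),   # 6: i := i + 1
    ("jlt", "r0", "r1", 4),      # 7: if i < bound goto 4
    ("const", "r0", 0),          # 8: i := 0
    ("store", "r0", "r2"),       # 9: mem[i] := acc  (policy: 0 <= i < 8)
    ("halt",),                   # 10
]
# Same code with the reset at pc 8 replaced, so the store at pc 9 uses i == 8.
TAMPERED = PROGRAM[:8] + [("add", "r2", "r2", "r3")] + PROGRAM[9:]

if __name__ == "__main__":
    cert = produce_certificate(PROGRAM)
    print("genuine code with its proof:", validate(PROGRAM, cert))
    print("tampered code, same proof:  ", validate(TAMPERED, cert))
```

Two points the toy makes concrete. First, the host's trusted computing base is only the policy (MEM_SIZE), the one-step rule in `successors` and the `entails` check; the producer's fixpoint loop can be arbitrarily complex or buggy without endangering the host, because a wrong certificate is simply rejected. Second, code and proof are bound together: editing the code after the proof was made (TAMPERED) fails validation at the edited instruction, and loosening the certificate to hide the edit makes the memory-bound check at the store fail instead, so there is no consistent forgery.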
