Proceedings of the 1st International Workshop on Software Analysis and Development for Pervasive Systems (SONDA 2004)

Author

  • Luis A. Cortés
Abstract

Interpretation-based Code Certification for Pervasive Systems: Preliminary Experiments∗

Elvira Albert, School of Computer Science, Complutense University of Madrid, [email protected]
Germán Puebla, School of Computer Science, Technical University of Madrid, {german,herme}@fi.upm.es
Manuel Hermenegildo, Departments of Computer Science and Electrical and Computer Engineering, University of New Mexico

ABSTRACT

Proof carrying code is a general methodology for certifying that the execution of untrusted mobile code is safe according to a predefined safety policy. The basic idea is that the code supplier attaches a certificate (or proof) to the mobile code, which the consumer then checks in order to ensure that the code is indeed safe. The potential benefit is that the consumer's task is reduced from the level of proving to the level of checking, a much simpler task. Recently, the abstract interpretation techniques developed in logic programming have been proposed as a basis for proof carrying code [1]. To this end, the certificate is generated from an abstract interpretation-based proof of safety. Intuitively, the verification condition is extracted from a set of assertions guaranteeing safety and the answer table generated during the analysis. Given this information, it is relatively simple and fast to verify that the code does meet this proof and so that its execution is safe. This extended abstract reports on experiments which illustrate several issues involved in abstract interpretation-based code certification. First, we describe the implementation of our system in the context of CiaoPP, the preprocessor of the Ciao multiparadigm (constraint) logic programming system. Then, by means of some experiments, we show how code certification is aided by the implementation of the framework. Finally, we discuss the application of our method within the area of pervasive systems, which may lack the computing resources needed to verify safety on their own. We illustrate the relevance of the information inferred by existing cost analysis for controlling resource usage in this context. Moreover, since the (rather complex) analysis phase is replaced by a simpler, efficient checking process on the code consumer side, we believe that our abstract interpretation-based approach to proof-carrying code becomes practically applicable to this kind of system.

∗This work was funded in part by projects ASAP (EU IST FET Programme Project Number IST-2001-38059) and CUBICO (MCYT TIC 2002-0055). Part of this work was performed during a research stay of Elvira Albert and Germán Puebla at UNM supported by respective grants from the Secretaría de Estado de Educación y Universidades. Manuel Hermenegildo is also supported by the Prince of Asturias Chair in Information Science and Technology at UNM.

SONDA'04 — 24 August 2004, Verona (Italy).

1. THE FRAMEWORK

Current approaches to mobile code safety, inspired by the technique of Proof-Carrying Code (PCC) [19], associate safety information in the form of a certificate with programs. The certificate (or proof) is created by the code supplier at compile time and packaged along with the untrusted code. The consumer who receives the code+certificate package can then run a checker which, by a straightforward inspection of the code and the certificate, verifies the validity of the certificate and thus compliance with the safety policy. The key benefit of this approach is that the burden of ensuring compliance with the desired safety policy is shifted from the consumer to the supplier. Indeed, the (proof) checker performs a task that should be much simpler, more efficient, and more automatic than generating the original certificate. For instance, in the first PCC system [19], the certificate is originally a proof in first-order logic of certain verification conditions, and the checking process involves ensuring that the certificate is indeed a valid first-order proof.

The main practical difficulty of PCC techniques is in generating safety certificates which at the same time:
• allow expressing interesting safety properties,
• can be generated automatically, and
• are easy and efficient to check.

In [1], the abstract interpretation techniques [6] developed in logic programming are proposed as a basis for PCC. They offer a number of advantages for dealing with the aforementioned issues. In particular, the expressiveness of existing abstract domains is implicitly available in abstract interpretation-based code certification for defining a wide range of safety properties. Furthermore, the approach inherits the automation and inference power of the abstract interpretation engines used in (Constraint) Logic Programming, (C)LP.

1.1 Certification in the Supplier

In Fig. 1, we illustrate the certification process of [1] carried out to generate a safety certificate by the code supplier. It is based on the idea that a particular subset of the analysis results computed by abstract interpretation-based fixpoint

We refer to [2, 7, 15], and their references, for more details on analysis techniques developed in logic programming.
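The supplier/consumer split described above, as an added example that is not the paper's CiaoPP implementation nor any code from the authors: the paper certifies (C)LP programs using answer tables over abstract domains for predicates, whereas this toy uses a one-variable interval domain over the control-flow graph of a small imperative loop. The shape is the same: the supplier runs an iterative fixpoint analysis and ships the resulting answer table as the certificate; the consumer accepts it only if one transfer per edge shows the table is closed (a post-fixpoint) and entails the safety assertions, so no iteration and no widening are needed on the consumer side. The program, the buffer size `BUF_SIZE`, the point names and the helper names are all assumptions made for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

INF = float("inf")
# Abstract value of the single loop variable i: an interval (lo, hi),
# or None for bottom (the program point is unreachable).
Interval = Optional[Tuple[float, float]]
TOP: Interval = (-INF, INF)

def join(a: Interval, b: Interval) -> Interval:
    """Least upper bound in the interval lattice (convex hull)."""
    if a is None:
        return b
    if b is None:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a: Interval, b: Interval) -> bool:
    """Partial order: a is contained in b."""
    if a is None:
        return True
    if b is None:
        return False
    return b[0] <= a[0] and a[1] <= b[1]

# Transfer functions for the toy statements; each maps the interval of i
# before the statement to the interval after it.
def assign(c: int) -> Callable[[Interval], Interval]:
    return lambda x: None if x is None else (c, c)

def increment(x: Interval) -> Interval:
    return None if x is None else (x[0] + 1, x[1] + 1)

def guard_lt(n: int) -> Callable[[Interval], Interval]:
    """Edge taken when i < n."""
    return lambda x: None if x is None or x[0] >= n else (x[0], min(x[1], n - 1))

def guard_ge(n: int) -> Callable[[Interval], Interval]:
    """Edge taken when i >= n."""
    return lambda x: None if x is None or x[1] < n else (max(x[0], n), x[1])

Edge = Tuple[str, str, Callable[[Interval], Interval]]
Table = Dict[str, Interval]                       # program point -> abstract value
BUF_SIZE = 10                                     # hypothetical buffer, indices 0..9
SAFE_INDEX: Table = {"body": (0, BUF_SIZE - 1)}   # safety assertion at the access buf[i]

def loop_program(bound: int) -> List[Edge]:
    """CFG (constructed) of:  i := 0; while i < bound: buf[i] := ...; i := i + 1"""
    return [
        ("entry", "head", assign(0)),
        ("head", "body", guard_lt(bound)),   # buf[i] is accessed at 'body'
        ("body", "head", increment),
        ("head", "exit", guard_ge(bound)),
    ]

# ---- supplier side: the expensive part, an iterative fixpoint analysis ----
def analyze(edges: List[Edge]) -> Table:
    """Kleene iteration to the least fixpoint; i is unknown (TOP) at 'entry'."""
    table: Table = {p: None for src, dst, _ in edges for p in (src, dst)}
    table["entry"] = TOP
    changed = True
    while changed:
        changed = False
        for src, dst, f in edges:
            new = join(table[dst], f(table[src]))
            if new != table[dst]:
                table[dst] = new
                changed = True
    return table

def certify(edges: List[Edge], assertions: Table) -> Optional[Table]:
    """The answer table is the certificate; None if the analysis cannot
    prove the assertions (then no certificate can honestly be issued)."""
    table = analyze(edges)
    if all(leq(table[p], allowed) for p, allowed in assertions.items()):
        return table
    return None

# ---- consumer side: the cheap part, a single pass over the edges ----------
def check(edges: List[Edge], cert: Table, assertions: Table) -> bool:
    """Accept iff cert is closed under every transfer function (one application
    per edge, no iteration, no widening) and entails every assertion.  A forged
    table that narrows a value to hide an unsafe access breaks closure somewhere."""
    if not leq(TOP, cert.get("entry")):
        return False
    for src, dst, f in edges:
        if not leq(f(cert.get(src)), cert.get(dst)):
            return False
    return all(leq(cert.get(p), allowed) for p, allowed in assertions.items())

if __name__ == "__main__":
    cert = certify(loop_program(BUF_SIZE), SAFE_INDEX)
    print("safe loop certificate:", cert)
    print("consumer accepts it:", check(loop_program(BUF_SIZE), cert, SAFE_INDEX))
    print("off-by-one loop certified?", certify(loop_program(BUF_SIZE + 1), SAFE_INDEX))
    forged = dict(analyze(loop_program(BUF_SIZE + 1)))
    forged["body"] = (0, BUF_SIZE - 1)   # attacker claims the access is in bounds
    print("forged certificate accepted?", check(loop_program(BUF_SIZE + 1), forged, SAFE_INDEX))
```

The consumer never recomputes the fixpoint: it trusts nothing in the table, but any claimed value that is smaller than what the transfer functions produce fails the inclusion test on some edge, and shrinking the neighbouring entries to hide that only moves the failure to another edge. This is the sense in which checking is simpler than proving. The supplier may also drop table entries that the checker can recompute in its single pass (here everything except the loop head), which is the direction the paper takes when it speaks of certifying with a subset of the analysis results.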


Similar resources

Embedded Systems Hardware For Software Engineers

Embedded Systems and Software Validation (Morgan Kaufmann Series in Systems on Silicon); Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development; Embedded Systems Architecture, Second Edition: A Comprehensive Guide for Engineers and Programmers; Embedded Software Development for Safety-Critical Systems; Making Embedded Systems: Design Patterns for...


First International Workshop on Incorporating COTS into Software Systems

This workshop explores innovative ways of integrating COTS software into software systems for purposes often unimagined by their original designers. It emphasizes tools and techniques for plugging COTS into software systems safely and predictably. Past work has predominantly explored how to deal with COTS integration during requirements engineering, risk assessment, and selection. This workshop ...


Proceedings of the First International DisCoTec Workshop on Context-aware Adaptation Mechanisms for Pervasive and Ubiquitous Services (CAMPUS 2008): Feature Interaction in Pervasive Computing Systems

Feature interaction describes a situation where the combination of two or more services that individually perform correctly results in unexpected and possibly adverse behaviour. Such feature interaction issues have first been identified in telecommunication systems and are now beginning to be considered in other distributed software systems. We expect significant feature interaction research in...


Report of national training course on “Medical preparedness and response to radiation emergencies”, 2-6 Oct. 2004, Tehran, Iran

During the past years, special emphasis has been put on medical preparedness in the event of radiological or nuclear emergencies. The Novin Medical Radiation Institute (NMRI) encouraged and supported the national authorities to enhance their cooperation in improving the medical response to radiation accidents. NMRI, in cooperation with the International Atomic Energy Agency (IAEA) and the Atomic Energy Organization o...




Publication date: 2004