Proof-Carrying Data: secure computation on untrusted execution - - PowerPoint PPT Presentation

proof carrying data
SMART_READER_LITE
LIVE PREVIEW

Proof-Carrying Data: secure computation on untrusted execution - - PowerPoint PPT Presentation

Oct 03, 2023 219 likes •725 views

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

slide-1
SLIDE 1

1

Proof-Carrying Data:

secure computation on untrusted execution platforms

Eran Tromer

Joint work with

Alessandro Chiesa Eli Ben-Sasson Daniel Genkin

Technion Cryptoday June 16, 2011

slide-2
SLIDE 2

3

Motivation

slide-3
SLIDE 3

4

Motivation

  • Software engineering (review, tests)
  • Formal verification, static analysis
  • Language type safety
  • Dynamic analysis
  • Reference monitors

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans
slide-4
SLIDE 4

5

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust
  • Software engineering (review, tests)
  • Formal verification, static analysis
  • Language type safety
  • Dynamic analysis
  • Reference monitors

?

slide-5
SLIDE 5

6

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

(EM, power, acoustic)

slide-6
SLIDE 6

8

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

slide-7
SLIDE 7

9

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

PLATFORM

  • Cosmic rays
  • Hardware bugs
  • Hardware trojans
  • IT supply chain
slide-8
SLIDE 8

10

Information technology supply chain: headlines

(May 9, 2008)

“F.B.I. Says the Military Had Bogus Computer Gear”

(October 6, 2008)

“Chinese counterfeit chips causing military hardware crashes”

(May 6, 2010)

“A Saudi man was sentenced […] to four years in prison for selling counterfeit computer parts to the Marine Corps for use in Iraq and Afghanistan.” Assurance? Validation? Certification?

DARPA Trust in ICs

Argonne APS

slide-9
SLIDE 9

11

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

PLATFORM

  • Cosmic rays
  • Hardware bugs
  • Hardware trojans
  • IT supply chain
slide-10
SLIDE 10

12

Motivation

INTEGRITY CONFIDENTIALITY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

PLATFORM

  • Cosmic rays
  • Hardware bugs
  • Hardware trojans
  • IT supply chain

Fault analysis

  • Architectural

side-channels (e.g.,cache attacks)

slide-11
SLIDE 11

23

Information Leakage in Third-Party Compute Clouds

Demonstrated, using Amazon EC2 as a study case:

  • Cloud cartography

Mapping the structure of the “cloud” and locating a target on the map.

  • Placement vulnerabilities

An attacker can place his VM on the same physical machine as a target VM (40% success for a few dollars).

  • Cross-VM exfiltration

Once VMs are co-resident, information can be exfiltrated across VM boundary:

– Covert channels – Load traffic analysis – Keystrokes

[Ristenpart Tromer Shacham Savage ‘09]

slide-12
SLIDE 12

24

Motivation

CORRECTNESS SECRECY SOFTWARE

  • Bugs
  • Trojans

NETWORK

  • Lack of trust

ENVIRONMENT • Tampering

  • Physical

side-channels

PLATFORM

  • Cosmic rays
  • Hardware bugs
  • Hardware trojans
  • IT supply chain
  • Fault analysis
  • Architectural

side-channels (e.g.,cache attacks)

slide-13
SLIDE 13

25

High-level goal

slide-14
SLIDE 14

27

Proof-Carrying Data

  • verview
slide-15
SLIDE 15

28

Proof-Carrying Data: an example

slide-16
SLIDE 16

31

Toy example (3-party correctness)

Alice

z

y←F(x)

y

Bob

z←G(y)

Carol

is “z=G(F(x))” true?

x, F G

slide-17
SLIDE 17

32

Toy example: trivial solution Carol can recompute everything, but:

  • Uselessly expensive
  • Requires Carol to fully know x,F,G

– We will want to represent these via short hashes/signatures

z

y←F(x)

y

z←G(y) z’←G(F(x)) z’ = z

Alice Bob Carol

?

slide-18
SLIDE 18

33

Toy example:

secure multiparty computation

[GMW87][BGW88][CCD88]

y←F(x) z←G(y)

Alice Bob Carol x, F G

  • computational blowup is polynomial in the whole

computation, and not in the local computation

  • computation (F and G) must be chosen in advance

But:

  • does not preserve the communication graph:

parties must be fixed in advance, otherwise…

slide-19
SLIDE 19

34

y←F(x) z←G(y)

Alice Bob x, F G

... must pre-emptively talk to everyone on the Internet! ... must pre-emptively talk to everyone on the Internet! ... must pre-emptively talk to everyone on the Internet!

Carol #1 Carol #2 Carol #3

Toy example:

secure multiparty computation

[GMW87][BGW88][CCD88]

slide-20
SLIDE 20

35

Toy example:

computationally-sound (CS) proofs

[Micali 94]

z←G(y)

verify

πz πz Bob can generate a proof string that is:

  • Tiny (polylogarithmic in his own computation)
  • Efficiently verifiable by Carol

πz ←prove(

“z=G(F(x))”)

Alice Bob Carol x, F G

y←F(x)

y z

z=G(F(x))

However, now Bob recomputes everything...

slide-21
SLIDE 21

36

Toy example: Proof-Carrying Data

[Chiesa Tromer 09]

following Incrementally-Verifiable Computation

[Valiant 08]

πy

y←F(x) z←G(y)

Each party prepares a proof string for the next one. Each proof is:

  • Tiny (polylogarithmic in party’s own computation).
  • Efficiently verifiable by the next party.

Alice Bob Carol x, F G

y

verify

πz πz z

z=G(y) and I got a valid proof that “y=F(x)” y=F(x)

slide-22
SLIDE 22

37

Generalizing:

The Proof-Carrying Data framework

slide-23
SLIDE 23

38

Generalizing: distributed computations

Distributed computation:

m3 mout

Parties exchange messages and perform computation.

slide-24
SLIDE 24

39

Generalizing: arbitrary interactions

  • Arbitrary interactions

– communication graph over time is any direct acyclic graph

m3 mout

slide-25
SLIDE 25

40

Generalizing: arbitrary interactions

  • Computation and graph are determined on the fly

– by each party’s local inputs:

m3 mout

human inputs randomness program

slide-26
SLIDE 26

41

Generalizing: arbitrary interactions

  • Computation and graph are determined on the fly

– by each party’s local inputs:

m3 mout

human inputs randomness program How to define correctness

  • f dynamic distributed

computation?

slide-27
SLIDE 27

42

C-compliance

m3 m5 mout

System designer specifies his notion of correctness via a compliance predicate C(in,code,out) that must be locally fulfilled at every node.

C

code in

  • ut

accept / reject

(program, human inputs, randomness)

C-compliant distributed computation C-compliant distributed computation C-compliant distributed computation

slide-28
SLIDE 28

43

Examples of C-compliance

correctness is a compliance predicate C(in,code,out) that must be locally fulfilled at every node

Some examples: C = “the output is the result of correctly computing a prescribed program” C = “the output is the result of correctly executing some program signed by the sysadmin” C = “the output is the result of correctly executing some type-safe program” or “… “program with a valid formal proof”

m3 m5 mout

C C C

slide-29
SLIDE 29

45

Dynamically augment computation with proofs strings

In PCD, messages sent between parties are augmented with concise proof strings attesting to their “compliance”. Distributed computation evolves like before, except that each party also generates on the fly a proof string to attach to each output message.

mout

πout

m3

π3

C

slide-30
SLIDE 30

46

Extra setup (“model”) Every node has access to a simple, fixed, stateless trusted functionality C

mout

πout

m3

π3

SIR SIR SIR SIR SIR SIR

  • Signed-Input-and-Randomness (SIR) oracle
slide-31
SLIDE 31

47

Extra setup (“model”) Every node has access to a simple, fixed, stateless trusted functionality: essentially, a signature card.

  • Signed-Input-and-Randomness (SIR) oracle

x

input string

SIRSK

r

random string

r ← {0,1}s σ ← SIGNSK(x,r)

s

length

σ

signature

  • n (x,r)

VK

slide-32
SLIDE 32

49

(Some) envisioned applications

slide-33
SLIDE 33

50

Application: Correctness and integrity of IT supply chain

  • Consider a system as a collection of components,

with specified functionalities

– Chips on a motherboard – Servers in a datacenter – Software modules

  • C(in,code,out) checks if the component’s

specification holds

  • Proofs are attached across component boundaries
  • If a proof fails, computation is locally aborted

→ integrity, attribution

slide-34
SLIDE 34

51

Application: Fault and leakage resilient Information Flow Control

slide-35
SLIDE 35

52

Application: Fault and leakage resilient Information Flow Control

  • Computation gets “secret” / “non-secret” inputs
  • “non-secret” inputs are signed as such
  • Any output labeled “non-secret” must be

independent of secrets

  • System perimeter is controlled and all output can be

checked (but internal computation can be leaky/faulty).

  • C allows only:

– Non-secret inputs: Initial inputs must be signed as “non-secret”. – IFC-compliant computation: Subsequent computation respect Information Flow Control rules and follow fixed schedule

  • Censor at system’s perimeter inspects all outputs:

– Verifies proof on every outgoing message – Releases only non-secret data.

slide-36
SLIDE 36

53

Application: Fault and leakage resilient Information Flow Control

  • Computation gets “secret” / “non-secret” inputs
  • “non-secret” inputs are signed as such
  • Any output labeled “non-secret” must be

independent of secrets

  • System perimeter is controlled and all output can be

checked (but internal computation can be leaky/faulty).

  • C allows only:

– Non-secret inputs: Initial inputs must be signed as “non-secret”. – IFC-compliant computation: Subsequent computation respect Information Flow Control rules and follow fixed schedule

  • Censor at system’s perimeter inspects all outputs:

– Verifies proof on every outgoing message – Releases only non-secret data.

Big assumption, but otherwise no hope for retroactive leakage blocking (by the time you verify, the EM emanations are out of the barn). Applicable when interface across perimeter is well-understood (e.g., network packets). Verify using existing assurance methodology.

slide-37
SLIDE 37

54

Application: Simulations and MMO

  • Distributed simulation:

– Physical models – Virtual worlds (massively multiplayer online virtual reality)

  • How can participants prove they have

“obeyed the laws of physics”?

(e.g., cannot reach through wall into bank safe)

  • Traditional: centralized.
  • P2P architectures strongly motivated but insecure

[Plummer ’04] [GauthierDickey et al. ‘04]

  • Use C-compliance to enforce the laws of physics.
slide-38
SLIDE 38

55

Application: Simulations and MMO – example

  • Alice and Bob playing on an airplane, can later

rejoin a larger group of players, and prove they did not cheat while offline.

m, π m, π m, π m, π “While on the plane, I won a billion dollars, and here is a proof for that” m, π

slide-39
SLIDE 39

56

Application: type safety

  • Using PCD, type safety can be maintained

– even if underlying execution platform is untrusted

– even across mutually untrusting platforms

C(in,code,out) verifies that code is type-safe & out=code(in)

  • Type safety is very expressive:
  • Using dependent types (e.g., Coq) or refinement types:

Can express any computable property. Extensive literature on what that can be verified efficiently (at east with heuristic completeness – good enough!)

  • Using object-oriented model (subclassing as constraint

specification): leverage OO programming methodology.

slide-40
SLIDE 40

58

More applications

Mentioned:

  • Fault isolation and accountability, type safety, multilevel

security, simulations. Many others:

  • Enforcing rules in financial systems
  • Proof-carrying code
  • Distributed dynamic program analysis
  • Antispam email policies

Security design reduces to “compliance engineering”: write down a suitable compliance predicate C.

  • Recurring patterns:

signatures, censors, verify-code-then-verify-result…

  • Introduce design patterns

(a la software engineering)

[GHJV95]

slide-41
SLIDE 41

60

A few words about realization

slide-42
SLIDE 42

61

h

Probabilistically Checkable Proofs (partial history)

[Goldwasser, Micali, Rackoff][Babai and Moran]

generalization of NP proofs to include probabilistic verification and interaction

[Ben-Or Goldwasser Kilian Wigderson][Shamir][Babai Fortnow Lund]

probabilistic verification and interaction buys a lot of “expressive” power

[Babai Fortnow Levin Szegedy]

NP proofs can be written in a format that can be checked with only logarithmic queries and in polylogarithmic time!

[Arora Safra][Arora Lund Motwani Sudan Szegedy]

reduce number of queries to a constant by now: many improved parameters, e.g., [Håstad] [Dinur]

[Ben-Sasson Sudan] [Ben-Sasson Goldreich Harsha Sudan Vadhan]

early 80’s late 80’s early 90’s now

slide-43
SLIDE 43

62

Proof aggregation

Alice

z y

Bob Carol

x

G V P P V F

πz πy

y=F(x) z=G(y) and ∃πy : V(“y=F(x)”,πy)=1

slide-44
SLIDE 44

63

Soundness vs. proof of knowledge

Alice

z y

Bob Carol

x

G V P P

Need proof of knowledge:

V V P

π 1

P F

knowledge extractor

valid w

Pr[

]≈1

y=F(x)

πz πy

z=G(y) and ∃πy : V(“y=F(x)”,πy)=1 ` strong

slide-45
SLIDE 45

64

Must use PCPs for compression

  • Probabilistically Checkable Proofs (PCPs)

used to generate concise proof strings.

Alice

z y

Bob Carol PCP

x

G V P P

PCP

V F

πz πy

(And there is evidence this is inherent [Rothblum Vadhan 09].)

slide-46
SLIDE 46

65

Must use oracles for non-interactive proof of knowledge

Alice

z y

Bob Carol

πz πy

PCP

x

G V P P

PCP

RO V F

The only known construction of non-interactive proofs of knowledge is Micali’s, using Merkle trees where the “hashing” is done using random oracle calls.

slide-47
SLIDE 47

66

PCP vs. oracles conflict

  • PCP theorem does not relativize [Fortnow ‘94], not even

with respect to a RO [Chang et al. ’92]

  • this precluded a satisfying proof of security in [Valiant ‘08]

Alice

z y

Bob Carol

πz πy

PCP

x

G V P P RO V F

PCP

V

PCP

slide-48
SLIDE 48

67

Our solution: Public-key crypto to the rescue

Oracle signs answers using public-key signature:

  • answers are verifiable without accessing oracle
  • asymmetry allows us to break “PCP vs. oracle” conflict, and

recursively aggregate proofs

Alice

z y

Bob Carol

πz πy

PCP

F

x

G V P P

PCP

OSK

VK

V SIR

back

slide-49
SLIDE 49

69

Proof-Carrying Data: Conclusions and open problems

PCD offers a new approach to expressing and enforcing security properties in distributed systems:

  • the system designer writes a compliance specification
  • compliance is enforced in all subsequent computation, even

if parties are untrusted and platforms are faulty and leaky Established

  • Formal framework
  • Theoretical constructions

Ongoing and future work

  • Detailed specifications, implementation and evaluation
  • Achieve practicality (“polynomial time” PCP is not good enough!)
  • Reduce assumptions, extend functionality
  • Identify and realize applications
slide-50
SLIDE 50

70

The road to PCD

Established:

[Chiesa Tromer ’10]

  • Formal framework
  • Explicit construction

– “Polynomial time” - not practically feasible (yet). – Requires signature cards Ongoing fundamental work:

  • Reduce requirement for signature cards (or prove necessity)
  • Extensions (e.g., zero knowledge)

Ongoing applicative work:

  • Full implementation
  • Practicality – improved algorithms
  • Interface with complementary approaches: tie “compliance”

into existing methods and a larger science of security

  • Applications and “compliance engineering” methodology