proof carrying data
play

Proof-Carrying Data: secure computation on untrusted execution - PowerPoint PPT Presentation

Oct 03, 2023 •219 likes •725 views

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

  1. Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011

  2. Motivation 3

  3. Motivation INTEGRITY CONFIDENTIALITY • Software engineering (review, tests) • Bugs SOFTWARE • Formal verification, static analysis • Trojans • Language type safety • Dynamic analysis • Reference monitors 4

  4. Motivation INTEGRITY CONFIDENTIALITY • Software engineering (review, tests) • Bugs SOFTWARE • Formal verification, static analysis • Trojans • Language type safety ? • Dynamic analysis • Reference monitors • Lack of trust NETWORK 5

  5. Motivation INTEGRITY CONFIDENTIALITY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels (EM, power, acoustic) 6

  6. Motivation INTEGRITY CONFIDENTIALITY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels 8

  7. Motivation INTEGRITY CONFIDENTIALITY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels • Cosmic rays • Hardware bugs PLATFORM • Hardware trojans • IT supply chain 9

  8. Information technology supply chain: headlines ( May 9, 2008) “F.B.I. Says the Military Had Bogus Computer Gear” ( October 6, 2008) “Chinese counterfeit chips causing military hardware crashes” (May 6, 2010) “A Saudi man was sentenced […] to four years in prison for selling counterfeit computer parts to the Marine Corps DARPA Trust in ICs for use in Iraq and Afghanistan.” Argonne APS Assurance? Validation? Certification? 10

  9. Motivation INTEGRITY CONFIDENTIALITY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels • Cosmic rays • Hardware bugs PLATFORM • Hardware trojans • IT supply chain 11

  10. Motivation INTEGRITY CONFIDENTIALITY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels • Cosmic rays Fault analysis • Hardware bugs • Architectural PLATFORM • Hardware trojans side-channels • IT supply chain ( e.g., cache attacks) 12

  11. Information Leakage in Third-Party Compute Clouds [Ristenpart Tromer Shacham Savage ‘09] Demonstrated, using Amazon EC2 as a study case: • Cloud cartography Mapping the structure of the “cloud” and locating a target on the map. • Placement vulnerabilities An attacker can place his VM on the same physical machine as a target VM (40% success for a few dollars). • Cross-VM exfiltration Once VMs are co-resident, information can be exfiltrated across VM boundary: – Covert channels – Load traffic analysis – Keystrokes 23

  12. Motivation CORRECTNESS SECRECY • Bugs SOFTWARE • Trojans • Lack of trust NETWORK • Physical ENVIRONMENT • Tampering side-channels • Cosmic rays • Fault analysis • Hardware bugs • Architectural PLATFORM • Hardware trojans side-channels • IT supply chain ( e.g., cache attacks) 24

  13. High-level goal ���������������������� ����������������������� ���������������� �������������������� ������������� � ���������� 25

  14. Proof-Carrying Data overview 27

  15. Proof-Carrying Data: an example 28

  16. Toy example (3-party correctness) Alice Bob Carol x, F G y z y ← F(x) z ← G(y) is “z=G(F(x))” true? 31

  17. Toy example: trivial solution Bob Alice Carol y z z ← G(y) z’ ← G(F(x)) y ← F(x) ? z’ = z Carol can recompute everything, but: • Uselessly expensive • Requires Carol to fully know x,F,G – We will want to represent these via short hashes/signatures 32

  18. Toy example: secure multiparty computation [GMW87][BGW88][CCD88] Alice Bob Carol x, F G z ← G(y) y ← F(x) But: • computational blowup is polynomial in the whole computation, and not in the local computation • computation (F and G) must be chosen in advance • does not preserve the communication graph: parties must be fixed in advance, otherwise… 33

  19. Toy example: secure multiparty computation [GMW87][BGW88][CCD88] Alice Bob x, F G Carol #1 z ← G(y) y ← F(x) Carol #2 Carol #3 ... must pre-emptively talk ... must pre-emptively talk ... must pre-emptively talk to everyone on the Internet! to everyone on the Internet! to everyone on the Internet! 34

  20. Toy example: computationally-sound (CS) proofs [Micali 94] Alice Bob Carol x, F G y z verify y ← F(x) z ← G(y) π z π z π z ← prove ( “z=G(F(x))” ) z=G(F(x)) Bob can generate a proof string that is: • Tiny (polylogarithmic in his own computation) • Efficiently verifiable by Carol However, now Bob recomputes everything... 35

  21. Toy example: Proof-Carrying Data [Chiesa Tromer 09] following Incrementally-Verifiable Computation [Valiant 08] Alice Bob Carol x, F G y z verify z ← G(y) y ← F(x) π z π y π z z=G(y) y=F(x) and I got a valid proof that “y=F(x)” Each party prepares a proof string for the next one. Each proof is: • Tiny (polylogarithmic in party’s own computation). • Efficiently verifiable by the next party. 36

  22. Generalizing: The Proof-Carrying Data framework 37

  23. Generalizing: distributed computations Distributed computation: Parties exchange messages and perform computation. m 3 m out 38

  24. Generalizing: arbitrary interactions • Arbitrary interactions – communication graph over time is any direct acyclic graph m 3 m out 39

  25. Generalizing: arbitrary interactions • Computation and graph are determined on the fly – by each party’s local inputs: human inputs randomness program m 3 m out 40

  26. Generalizing: arbitrary interactions • Computation and graph are determined on the fly – by each party’s local inputs: human inputs randomness program How to define m 3 correctness of dynamic distributed m out computation? 41

  27. C -compliance System designer specifies his notion of correctness via a compliance predicate C (in,code,out) that must be locally fulfilled at every node. code (program, human inputs, randomness) C accept / reject C -compliant C -compliant C -compliant in out distributed distributed distributed computation computation computation m 3 m out m 5 42

  28. Examples of C -compliance correctness is a compliance predicate C (in,code,out) that must be locally fulfilled at every node Some examples: C C = “the output is the result of correctly computing a prescribed program” C C = “the output is the result of correctly executing some program signed by the sysadmin” C C = “the output is the result of correctly executing some type-safe program” or “… “program with a valid formal proof” m 3 m out m 5 43

  29. Dynamically augment computation with proofs strings In PCD, messages sent between parties are augmented with concise proof strings attesting to their “compliance”. Distributed computation evolves like before, except that each party also generates on the fly a proof string to attach to each output message. C m 3 π 3 m out π out 45

  30. Extra setup (“model”) Every node has access to a simple, fixed, stateless trusted functionality • Signed-Input-and-Randomness (SIR) oracle C m 3 π 3 SIR SIR m out SIR π out SIR SIR SIR 46

  31. Extra setup (“model”) Every node has access to a simple, fixed, stateless trusted functionality: essentially, a signature card. • Signed-Input-and-Randomness (SIR) oracle x s SIR SK input length r ← {0,1} s string σ r σ ← SIGN SK (x , r) random signature string on (x,r) VK 47

  32. (Some) envisioned applications 49

  33. Application: Correctness and integrity of IT supply chain • Consider a system as a collection of components, with specified functionalities – Chips on a motherboard – Servers in a datacenter – Software modules • C (in,code,out) checks if the component’s specification holds • Proofs are attached across component boundaries • If a proof fails, computation is locally aborted → integrity, attribution 50

  34. Application: Fault and leakage resilient Information Flow Control 51

  35. Application: Fault and leakage resilient Information Flow Control • Computation gets “ secret ” / “ non-secret ” inputs • “ non-secret ” inputs are signed as such • Any output labeled “ non-secret ” must be independent of secret s • System perimeter is controlled and all output can be checked (but internal computation can be leaky/faulty). • C allows only: – Non-secret inputs: Initial inputs must be signed as “ non-secret ”. – IFC-compliant computation: Subsequent computation respect Information Flow Control rules and follow fixed schedule • Censor at system’s perimeter inspects all outputs: – Verifies proof on every outgoing message – Releases only non-secret data. 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proof Search in Minimal Logic Helmut Schwichtenberg Mathematisches Institut, Universit at M

Proof Search in Minimal Logic Helmut Schwichtenberg Mathematisches Institut, Universit at M

Proof Search in Minimal Logic Helmut Schwichtenberg Mathematisches Institut, Universit at M unchen 1 Motivation Proof carrying code (Lee, Necula) Why? Proofs are machine checkable (easily) Here: code carrying proofs Prospects:

541 views • 36 slides
Proof-Carrying Code GEORGE C. NECULA , POPL 97 PRESENTED BY TOM MAGRINO AND MENTORED BY ETHAN

Proof-Carrying Code GEORGE C. NECULA , POPL 97 PRESENTED BY TOM MAGRINO AND MENTORED BY ETHAN

Proof-Carrying Code GEORGE C. NECULA , POPL 97 PRESENTED BY TOM MAGRINO AND MENTORED BY ETHAN CECCHETTI IN GREAT WORKS IN PL, APRIL 16 TH , 2019 How can you trust that code you downloaded? Context Similar motivation to TAL: Want

155 views • 14 slides
Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations of Computer Science School of Informatics The University of Edinburgh Proof Carrying Code workshop Friday 11 August 2006

469 views • 36 slides
Importing data into R Workshop 3 2 Objectives By doing this workshop and carrying out the

Importing data into R Workshop 3 2 Objectives By doing this workshop and carrying out the

1 Importing data into R Workshop 3 2 Objectives By doing this workshop and carrying out the independent study the successful student will be able to: Describe the breadth of data sources Devise reproducible strategies to import

512 views • 14 slides
10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who

10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who

Jekyll Island Carrying Capacity & Infrastructure Assessment 10-16-2018 CARRYING CAPACITY Carrying capacity is defined as the number of individuals who can be supported within a given area without degrading the natural, social,

698 views • 23 slides
Proof reconstruction in conflict-driven satisfiability 1 Maria Paola Bonacina Dipartimento di

Proof reconstruction in conflict-driven satisfiability 1 Maria Paola Bonacina Dipartimento di

The big picture Proof-carrying CDSAT Discussion Proof reconstruction in conflict-driven satisfiability 1 Maria Paola Bonacina Dipartimento di Informatica Universit` a degli Studi di Verona Verona, Italy, EU Schlo Dagstuhl Seminar # 19371:

392 views • 28 slides
Tidying and exploring data Workshop 5 2 Objectives By doing this workshop and carrying out the

Tidying and exploring data Workshop 5 2 Objectives By doing this workshop and carrying out the

1 Tidying and exploring data Workshop 5 2 Objectives By doing this workshop and carrying out the independent study the successful student will be able to: - Explain what is meant by tidy data - Devise reproducible strategies to tidy

377 views • 12 slides
Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der

Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der

Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der Universit at M unchen Motivation Proof carrying code (Lee, Necula) Why? Proofs are machine checkable (easily) Need: code carrying proofs

701 views • 53 slides
3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof

Griffith University 3515ICT Theory of Computation Some sample proofs 4-0 Proof types 1. Proof by construction 2. Proof by equivalence 3. Proof by contradiction 4. Proof by case analysis 5. Proof by induction

549 views • 11 slides
Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov

Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov

Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov 24/10/2008 ALICE Offline Week C O e ee Many thanks to: Andrei,Federico,Fons,Jan,Gerri,Latchezar,Rene for the discussions and help and Marco &

399 views • 28 slides
Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in

Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in

Carrying capacity assessment and impact Carrying capacity assessment and impact of aquaculture in Chinese bays of aquaculture in Chinese bays *1,*2 *1,*2 http://www.ecowin.org/china/ J.G. Ferreira Universidade Nova de Lisboa Faculdade de

595 views • 33 slides
Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela Pavlova, Lilian Burdy INRIA Sophia-Antipolis spopS p. 1 Motivation Proof Carrying ByteCode Proof obligations. What is the language in which

443 views • 31 slides
Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1

Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1

Carrying Capacity What Is It And Why Is It Important? Photo from NOAA Science Center 1 Definition Carrying Capacity = Number of individuals or biomass the resources of a given area can support usually through the most unfavorable period of the

185 views • 16 slides
STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE

STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE

STAKEHOLDERS STUDY ON THE TOURISM CARRYING CAPACITY FOR THE WORKSHOP ISLAND OF MAHE BONZOUR! WHAT WELL ACCOMPLISH Purpose of Snapshot of Carrying Current Capacity Study Conditions Understanding Defining a of Key Issues Path

964 views • 59 slides
TCP/ICN: Carrying TCP over Content Centric and Named Data Networks Ilya Moiseenko Dave Oran

TCP/ICN: Carrying TCP over Content Centric and Named Data Networks Ilya Moiseenko Dave Oran

TCP/ICN: Carrying TCP over Content Centric and Named Data Networks Ilya Moiseenko Dave Oran Cisco Systems Cisco Systems Outline I. Introduction II. Design Basic fetching proxy Reliable prefetching proxy Unreliable prefetching

923 views • 26 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
F RAUD ON Online and Card-not-Present T RANSACTIONS Richard J. Sullivan Economic Research

F RAUD ON Online and Card-not-Present T RANSACTIONS Richard J. Sullivan Economic Research

F RAUD ON Online and Card-not-Present T RANSACTIONS Richard J. Sullivan Economic Research Federal Reserve Bank of Kansas City Presentation to the Symposium on Improving Security for Online and Card-not-Present Transactions Federal Reserve

759 views • 3 slides
Homology of generalized generalized graph homology generalizing to configuration spaces

Homology of generalized generalized graph homology generalizing to configuration spaces

homology of configuration spaces Cooper the chromatic polynomial Homology of generalized generalized graph homology generalizing to configuration spaces simplicial complexes categorification Andrew Cooper joint work with R. Sazdanovi

680 views • 52 slides
CCS Public Forums on Capacity & Growth 11.13.2017 | Slide 2 CCS Public Forums on Capacity

CCS Public Forums on Capacity & Growth 11.13.2017 | Slide 2 CCS Public Forums on Capacity

CCS Public Forums on Capacity & Growth 11.13.2017 | Slide 2 CCS Public Forums on Capacity & Growth 11.13.2017 | Slide 3 CCS Public Forums on Capacity & Growth 11.13.2017 | Slide 4 CCS Public Forums on Capacity & Growth

342 views • 5 slides
GEANT4 CMS SI MULATI ON Pedro Arce (CERN/ CI EMAT) (on behalf of CMS collaboration) GEANT4

GEANT4 CMS SI MULATI ON Pedro Arce (CERN/ CI EMAT) (on behalf of CMS collaboration) GEANT4

GEANT4 CMS SI MULATI ON Pedro Arce (CERN/ CI EMAT) (on behalf of CMS collaboration) GEANT4 workshop 02 CMS GEANT4 Simulation Pedro Arce (CERN/ CI EMAT) 1 Outline OSCAR functionality OSCAR/GEANT4 robustness and performance Physics

838 views • 30 slides
"Power Struggles and the Natural Resource Curse" Francisco Caselli (LSE) April 2006

"Power Struggles and the Natural Resource Curse" Francisco Caselli (LSE) April 2006

"Power Struggles and the Natural Resource Curse" Francisco Caselli (LSE) April 2006 Francisco Caselli (LSE) () Power Struggles April 2006 1 / 14 The Resource curse Example: Nigeria , ! started generating signicant oil revenues

295 views • 15 slides
H-COUP 1. H-COUP ? 2. H-COUP ? 3. H-COUP

H-COUP 1. H-COUP ? 2. H-COUP ? 3. H-COUP

H-COUP 1. H-COUP ? 2. H-COUP ? 3. H-COUP : ( ) ? ( )

382 views • 23 slides
1A God provides for the transition of the Kingship from David to Solomon in fulfillment of the

1A God provides for the transition of the Kingship from David to Solomon in fulfillment of the

1A God provides for the transition of the Kingship from David to Solomon in fulfillment of the Davidic covenant (1 Kgs 111) 1B Transfer of the kingdom from David to Solomon (1:12:12) 1C David coronates Solomon despite Adonijahs

325 views • 10 slides
Multiword Expression Identification with Tree Substitution Grammars Spence Green, Marie-Catherine

Multiword Expression Identification with Tree Substitution Grammars Spence Green, Marie-Catherine

Multiword Expression Identification with Tree Substitution Grammars Spence Green, Marie-Catherine de Marneffe, John Bauer, and Christopher D. Manning Stanford University EMNLP 2011 Main Idea Use syntactic context to find multiword expressions

1.18k views • 82 slides

More recommend