Taming the Chaos: Can we build systems that actually work?
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 165 | |
| Author | ||
| License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39227 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
| |
| Keywords |
35C3 Refreshing Memories131 / 165
2
5
6
7
8
9
10
11
12
13
15
16
17
22
26
29
30
31
33
37
38
39
40
44
45
48
49
53
54
55
57
59
60
62
65
66
69
70
72
73
74
77
80
82
83
84
85
86
87
89
92
94
100
104
105
106
107
108
111
113
114
115
116
117
119
121
122
123
124
127
132
133
136
139
141
143
144
145
146
148
149
150
154
155
156
157
158
159
160
161
162
163
164
165
00:00
Semiconductor memoryRoundness (object)Computer animationDiagramLecture/ConferenceMeeting/Interview
00:50
Chaos theoryColor managementMenu (computing)Moment of inertiaMaxima and minimaMIDIWindowWechselseitige InformationGamma functionInformation securityEmailSpacetimeKernel (computing)Exploit (computer security)WindowComputer animation
01:42
Vulnerability (computing)Line (geometry)BitCodeLecture/ConferenceComputer animationMeeting/Interview
02:33
Babbage, CharlesCalculationNumberRead-only memoryOperations researchInterface (computing)Continuous functionDiscrete groupKolmogorov complexitySoftware testingEstimationLine (geometry)CodeSemiconductor memoryCodeLine (geometry)ComputerComputer animationLecture/Conference
03:24
ComputerRadio-frequency identificationTask (computing)Computer hardwarePlanningDescriptive statisticsSoftwareLecture/ConferenceComputer animationDiagram
04:32
CompilerComputer hardwarePhase transitionInformationRootPhysical systemIntegrated development environmentBitLine (geometry)GirderComplex (psychology)CodeComputer animationMeeting/Interview
06:04
Semiconductor memoryKolmogorov complexitySoftware testingContinuous functionDiscrete groupNumberCodeLine (geometry)Complex (psychology)Proof theorySoftware testingError messagePhysical systemMathematicsPotenz <Mathematik>State of matterLecture/ConferenceComputer animation
06:49
Information securityInterface (computing)Kolmogorov complexitySoftware testingDiscrete groupContinuous functionCodeSocket-SchnittstelleFormal languageMereologyEnterprise architecturePhysical systemLecture/ConferenceComputer animationMeeting/Interview
07:39
OracleProof theoryInterface (computing)Kolmogorov complexitySoftware testingInformation securityInterface (computing)InternetworkingProof theorySoftware testingLatent heatCASE <Informatik>Moment (mathematics)Lecture/ConferenceComputer animation
08:55
Interface (computing)Discrete groupContinuous functionKolmogorov complexitySoftware testingInformation securityArithmetic meanInterface (computing)Enterprise architectureFormal languageComputer animationLecture/Conference
09:41
CalculationBabbage, CharlesNumberRead-only memoryOperations researchSemiconductor memorySemiconductor memoryDichotomyBabbage, CharlesHacker (term)View (database)PlanningOperator (mathematics)Data storage deviceNumberDecimalAddress spaceComputerComputer animationLecture/Conference
10:55
Zoom lensLeakComputer fileView (database)Model theoryBitLecture/ConferenceComputer animation
11:46
Software maintenanceLeakComputer fileKerberos <Kryptologie>Model theoryView (database)Zoom lensSign (mathematics)NumberPointer (computer programming)BitComputerPersonal identification numberComputer animation
12:45
LeakZoom lensComputer fileView (database)Kerberos <Kryptologie>Model theoryStandard deviationComputer programCompilerArithmetic meanInformation securityFraction (mathematics)Computer programStandard deviationComputer animation
13:34
Standard deviationComputer programCompilerConstraint (mathematics)Computer programDependent and independent variablesImplementationCompilation albumLecture/ConferenceMeeting/InterviewComputer animation
14:18
Kerberos <Kryptologie>Model theoryView (database)Computer fileZoom lensSoftware maintenanceLeakData storage deviceResource allocationPointer (computer programming)Uniform resource locatorNumberTrailIdentifiabilityComputer animationLecture/Conference
15:04
Zoom lensSoftware maintenanceLeakModel theoryView (database)Computer fileRadical (chemistry)MereologyStandard deviationComputer programAddress spaceStructural loadSequenceImplementationData storage deviceInformationRun time (program lifecycle phase)Computer animationLecture/Conference
16:01
CodeDevice driverSpeicherschutzEnterprise architectureRead-only memoryVirtual realityInformation securityMoment of inertiaSystem programmingPhysical systemScale (map)OracleKerberos <Kryptologie>SpeichermodellCompilerCohen's kappaArmPOWER <Computerarchitektur>BootingEmulatorTheoremConcurrency (computer science)Field (computer science)Scripting languageJava appletKey (cryptography)Data storage deviceStructural loadIntrusion detection systemResource allocationAddress spaceOrder (biology)Enterprise architectureArmComputer animation
16:49
OracleKerberos <Kryptologie>CompilerSpeichermodellCohen's kappaEnterprise architectureBootingArmPOWER <Computerarchitektur>EmulatorTheoremReduced instruction set computingConcurrency (computer science)Power (physics)System programmingJava appletScripting languageField (computer science)BitMathematical modelTouchscreenStandard deviationArmGraphical user interfaceSoftware testingEnvelope (mathematics)Concurrency (computer science)WhiteboardProjective planeGoodness of fitMathematicsEnterprise architectureMultiplication signOracleComputer animationMeeting/Interview
18:35
OracleKerberos <Kryptologie>SpeichermodellCompilerCohen's kappaEnterprise architectureArmPOWER <Computerarchitektur>TheoremEmulatorPower (physics)Concurrency (computer science)System programmingField (computer science)Java appletScripting languageDevice driverCodeVirtual realityRead-only memorySpeicherschutzInformation securityMoment of inertiaPhysical systemScale (map)Mathematical modelProjective planeArmConcurrency (computer science)BitFile systemStandard deviationMultiplication signInformationEnterprise architectureWeb browserFlow separationVirtual memoryLecture/ConferenceMeeting/InterviewComputer animation
20:14
Reduced instruction set computingARPANETView (database)Presentation of a groupArmGoogolForceProgrammer (hardware)Barrelled spaceNeumann boundary conditionMoore's lawComputer hardwareProgramming languageUbiquitous computingSoftwareInformation securityMathematicsCasting (performing arts)ArmBitLecture/ConferenceMeeting/InterviewComputer animation
21:11
Cursor (computers)Function (mathematics)EmulatorSemantics (computer science)Higher-order logicFormal grammarExtension (kinesiology)LeakReduced instruction set computingArchitectureSpeicherschutzScalabilityFingerprintComputer hardwareSpeicherschutzComputer hardwareSoftware bugBuildingFocus (optics)CuboidBitCodeComputer animationLecture/Conference
21:56
Reduced instruction set computingArchitectureSpeicherschutzFingerprintScalabilityComputer hardwareMoment (mathematics)Computer hardwareBitComputer programCodePointer (computer programming)Lecture/ConferenceComputer animationMeeting/Interview
22:45
Sign (mathematics)LeakSystem on a chipSigma-algebraResource allocationStandard deviationNumberPointer (computer programming)LengthComputer hardwareSet (mathematics)BitSemiconductor memoryNumbering schemeInformationData compressionComputer animationLecture/Conference
24:13
Computer hardwareSoftwareSemiconductor memoryExtension (kinesiology)Constructor (object-oriented programming)Operating systemResource allocationFormal languageLinker (computing)Lecture/ConferenceMeeting/Interview
25:00
Hardware-in-the-loop simulationLeakSign (mathematics)System on a chipIRIS-TMaizeMachine codeFormal languageCodeBitExecution unitINTEGRALRow (database)Semiconductor memoryLecture/ConferenceMeeting/InterviewComputer animation
25:58
LeakSign (mathematics)Software maintenanceSigma-algebraTLB <Informatik>PressureRead-only memoryPointer (computer programming)Virtual realityEncapsulation (object-oriented programming)Mechanism designCodeExecution unitTemporal logicFocus (optics)Point (geometry)Resource allocationResultantSet (mathematics)InformationComputer hardwareImplementationSoftwareLatent heatVirtual memorySpacetimeKernel (computing)Interface (computing)Source codeSemiconductor memoryPhysical systemBitLecture/ConferenceComputer animation
27:40
PressureTLB <Informatik>Read-only memoryPointer (computer programming)Virtual realityMechanism designEncapsulation (object-oriented programming)CodeExecution unitTemporal logicFocus (optics)Point (geometry)Resource allocationVirtual memoryEncapsulation (object-oriented programming)SpeicherschutzFocus (optics)Temporal logicNumbering schemeSemiconductor memoryBuildingLecture/ConferenceComputer animation
28:36
Kerberos <Kryptologie>SoftwareModel theoryFormal grammarComputer hardwareEnterprise architectureField programmable gate arrayCoprocessorSpacetimeKernel (computing)FreewareReduced instruction set computingMathematical modelGroup actionCoprocessorMultiplication signEnterprise architectureOperator (mathematics)BuildingSoftwareMereologyComputer animation
29:23
Kerberos <Kryptologie>SoftwareComputer hardwareEnterprise architectureField programmable gate arrayCoprocessorSpacetimeKernel (computing)FreewareEnterprise architectureLatent heatSocial classProjective planeMicrocontrollerComputer hardwareImplementationCombinational logicSoftwareCartesian coordinate systemPerformance appraisalCoprocessorArmElectronic mailing listLecture/ConferenceComputer animation
30:39
Performance appraisalOverhead (computing)FreewareSpacetimeCodeComputer fileInformation securityAdaptive behaviorCASE <Informatik>MathematicsComputer programWorkloadPressureOverhead (computing)Pointer (computer programming)Run time (program lifecycle phase)Lecture/ConferenceComputer animation
31:47
Performance appraisalOverhead (computing)CodeSpacetimeComputer fileFreewareInformation securityCodeBitOperating systemMultiplication signMeasurementFamilyMultiplicationChainMereologySemiconductor memoryLecture/ConferenceMeeting/InterviewComputer animation
33:03
Kerberos <Kryptologie>Formal grammarComputer hardwareSoftwareModel theoryEnterprise architectureCoprocessorField programmable gate arrayFreewareSpacetimeKernel (computing)Reduced instruction set computingOverhead (computing)CodeComputer fileInformation securityHigher-order logicTheoremFunction (mathematics)Semantics (computer science)EmulatorBasis <Mathematik>Latent heatSoftware testingElectric generatorCursor (computers)CASE <Informatik>CoprocessorException handlingNormal (geometry)CodeRandom matrixMathematical modelBitTheoremLecture/ConferenceComputer animation
34:36
Spherical capCodeTheoremRead-only memoryException handlingProof theoryInformation securityVirtual machineInformation securityCategory of beingSemiconductor memoryEncapsulation (object-oriented programming)LeakTheoremSocial classCodeSoftwareData structureVideoconferencingException handlingWeb 2.0Point (geometry)RecursionLecture/ConferenceComputer animation
36:41
Proof theoryTheoremInformation securityCategory of beingKernel (computing)Lecture/Conference
37:28
CodeTheoremRead-only memoryException handlingProof theoryVirtual machineInformation securitySemiconductor memoryArchitectureAbstractionEnterprise architectureChaos theoryComputer engineeringStatement (computer science)Real numberOracleSoftware testingLatent heatComputer animationLecture/Conference
38:39
ArchitectureEnterprise architectureAbstractionInformation securityChaos theoryRandom matrixMathematicsRoutingMoment (mathematics)BitLecture/ConferenceComputer animation
39:40
TheoremVirtual machineDisk read-and-write headDescriptive statisticsNumberModel theorySpeichermodellComputer hardwareSemiconductor memoryCombinational logicLecture/ConferenceMeeting/Interview
40:56
Scaling (geometry)Computer hardwareCoprocessorSuperscalarQuicksortNumberInternetworkingLecture/Conference
41:45
InternetworkingInformation securityComputer hardwareSoftwareBuildingLine (geometry)CodeLecture/ConferenceMeeting/Interview
42:53
CodeModel theoryComputer hardwareSoftwareInformation securityParameter (computer programming)Physical systemOffice suiteImplementationSoftware bugOrder (biology)Meeting/InterviewLecture/Conference
43:56
Fraction (mathematics)BitLecture/ConferenceMeeting/Interview
44:41
1 (number)Constructor (object-oriented programming)TDMASoftwareContent (media)Computer hardwareImplementationPointer (computer programming)Lecture/ConferenceMeeting/Interview
45:25
Cache (computing)Communications protocolPhysical systemPoint (geometry)DataflowCodeINTEGRALGame controllerOnline helpBitResource allocationTwitterFormal languageLecture/ConferenceMeeting/Interview
46:52
EmulatorRoutingLecture/ConferenceMeeting/Interview
47:45
CodeOperating systemMathematicsStandard deviationInstance (computer science)Range (statistics)Pointer (computer programming)CASE <Informatik>Lecture/ConferenceMeeting/Interview
48:44
Pointer (computer programming)Operating systemPhysical systemOrder (biology)CodeBitWeb pageStandard deviationCASE <Informatik>InternetworkingMathematicsLecture/ConferenceMeeting/Interview
50:00
PlanningCodeSoftware testingInternetworkingPhysical systemMoment (mathematics)Lecture/ConferenceMeeting/Interview
50:45
Computer programPointer (computer programming)NumberObject (grammar)Address spaceState of matterSemiconductor memoryRandomizationLeakEncapsulation (object-oriented programming)BuildingBitPhysical systemSoftwareMeeting/Interview
52:45
Mathematical analysisFluid staticsMechanism designRun time (program lifecycle phase)Physical systemFormal verificationSoftwareInformation securityCategory of beingProof theoryLecture/ConferenceMeeting/Interview
53:47
Software bugOperator (mathematics)Fluid staticsScaling (geometry)Semantics (computer science)Proof theoryCompilation albumTerm (mathematics)WritingFormal verificationLecture/ConferenceMeeting/Interview
54:37
CodeApproximationOrder (biology)Mathematical analysisLinear programmingLogicEnterprise architectureFood energyMoore's lawPower (physics)MereologyMeeting/InterviewLecture/Conference
55:44
Product (business)ImplementationInheritance (object-oriented programming)Scaling (geometry)Food energyEstimatorPosition operatorSocial classComputer programNumberLecture/Conference
56:31
Code1 (number)Disk read-and-write headPoint (geometry)WordChaos theoryPhysical systemArtificial neural networkLevel (video gaming)Lecture/ConferenceMeeting/Interview
57:37
Virtual machineCASE <Informatik>Goodness of fitInternetworkingLecture/ConferenceMeeting/Interview
58:27
Semiconductor memoryCartesian closed categorySource code
Transcript: English(auto-generated)
00:19
Okay, our next speaker will be trying to tame the chaos, Peter Sewell from the University
00:30
of Cambridge. A warm round of applause, please. Thank you.
00:42
Okay, so here we are, V3 again, with a program full of fascinating and exciting and cool stuff. If we look just at the security talks, all manner of interesting things. I'm going to go to lots of these. You should too.
01:01
Let's see, though, if we read some of the titles, exploiting kernel memory corruptions, attacking end-to-end email encryption, what else have we got? Modern Windows user space exploitation.
01:26
Compromising online accounts. Okay, so a lot of these talks, as usual, they're explaining to us that they're not doing what we would like. And this, as usual, is the nearest tip of a tiny iceberg.
01:43
We have hundreds of thousands of known vulnerabilities. How many unknown vulnerabilities? Let me do, it's a bit dark here, but let me try some audience participation. How many of you have, in the last year, written at least 100 lines of code?
02:04
And of those people, keep your hands up if you are completely confident that code does the right thing. I would like to talk to you later.
02:20
And so would the people in the self-driving car that you're probably engineering. So how many unknown vulnerabilities then? Well, you can take what is in your mind right now and multiply it by, oh, this doesn't work very well.
02:40
No! No! No! Computers! They do the wrong thing! Again, and again, and again. We can multiply by this estimate of about 100 billion lines of new code each year. So if we take all of this, these talks, these numbers, these should make us not happy
03:03
and excited, these should make us sad, very sad, and frankly, rather scared of what is going on in the world. So what can we do? We can, option one, give up using computers all together.
03:25
In most audiences, this would be a hard sell, but here, I'm sure you're all happy to just turn them off now, or we can throw up our hands in the air and collapse in some kind
03:40
of pit of despair. Well, maybe, maybe not. My task today is to give you a tiny smidgen, a very small amount of hope that it may be possible to do slightly better.
04:01
If we want to do better, we first have to understand why things are so bad. If we look at our aeronautical engineering colleagues, for example, they can make planes which very rarely fall out of the sky. Why is it that they can do that, and we are so shit at making computers?
04:20
Well, I'm going to reuse a picture that I used at 31C3, which is still the best description I can find of the stack of hardware and software that we live above, all right? Here we go. It's, there's so much information in this, it's just ace, all right? So we see down here all of this transparent silicon, it's the hardware we live above.
04:43
We see a stack of phases of a C compiler. We see all kinds of other bits and pieces, all right? I think it might be a slightly hostile wireless environment in this room for some reason. If we look at this and think about the root causes for why our systems are so bad,
05:03
we can see several things. So the first is obviously there's a lot of legacy complexity that we're really stuck with, all right? If you pull out one of those pieces from the middle and try and replace it with something which is not of exactly the same shape, the whole pile will collapse, all right? So we somehow need to find an incremental path to a better world.
05:25
And then this is the most fundamental reason that these are not like airplanes. These systems are discrete, not continuous, all right? If you take an honest girder made out of a piece of steel and you push on it a little bit, it moves a little bit, basically in proportion.
05:43
If it's 1% too strong, 1% too weak, basically it doesn't matter. But in these things, one line of code can mean you're open to a catastrophic exploit and one line in many, many million. Okay, the next thing, this really doesn't work.
06:06
They're very complicated, but the scary thing is not the static complexity of those lines of code and the number of components, although that's pretty intimidating. The really scary thing is the exponential number of states and execution paths.
06:21
So these two together, they mean that the testing that we rely on, testing is the only way we have to build systems which are not instantly broken. Testing can never save us from these exploitable errors. And that means, ultimately, we need to do proof,
06:40
like honest, machine-checked mathematical proof. And it also tells us that we need to arrange for our systems to be secure for simple reasons that do not depend on the correctness of all of those hundred billion lines of code. Then, another thing that we have here, all these interfaces,
07:00
the architecture interface, the C language interface, the sockets API interface, the TCPY interface, all of these we rely on to let different parts of the system be engineered by different organizations, but they're all really badly described and badly defined.
07:23
So what you find is, for each of these, typically a prose book varying in thickness between about that and about that, full of text. Well, we still rely on testing, limited though it is, but you can never test anything against those books.
07:43
So we need, instead, interface descriptions, definitions, specifications that are more rigorous, mathematically rigorous, and that are executable, not in the normal sense of executable as an implementation, but executable as a test oracle, so you can compute whether some observed behavior
08:01
is allowed or not, and not have to read the book and argue on the internet. And we also need interface definitions that support this proof that we need. And then, all of this stuff was made up in the 1970s, or the 60s.
08:22
And in the 70s and the 60s, the world was a happy place, and people walked around with flowers in their hair, and nothing bad ever happened. And that is no longer the case. So we need defensive design, but we need defensive design that is somehow compatible, or can be made enough compatible
08:40
with this legacy investment, so that's quite hard. And then, I can't say very much about this, but we have at the moment very bad incentives, because we have a very strong incentive to make things that are more complex than we can possibly handle or understand. We make things, we add features, we make a thing which is just about shippable,
09:00
and then we ship it, and then we go on to the next thing. So we need economic and legal incentives for simplicity and for security that we do not yet have. But it's hard to talk about those until we have the technical means to react to those incentives. Okay, so what I'm going to do now,
09:21
I'm going to talk about two of these interfaces, the architecture interface and the C language interface, and see what we can do to make things better. A lot of this has to do with memory. So whoever it was that picked the subtitle for this meeting, refreshing memories, thank you, because it's great, I love it.
09:42
Let's refresh your memory quite a way, all right? So I invite you to think back to when you were very, very young, in about 1837, when cool hacking was going on, Charles Babbage was designing the analytical engine. And even then, you see, there was this dichotomy
10:01
between a mill performing operations and a store holding numbers. This is a plan view of the analytical engine. Well, it was vaporware, but a design from the analytical engine. And you see here, these circles, these are columns of numbers, each made out of a stack of cogs,
10:21
maybe a 50-digit decimal number in each of those columns. And this array, really, he imagined it going on out to, I don't know, over there somewhere, with about 1,000 numbers. So even then, you have a memory which is an array of numbers.
10:40
I think these were not, I don't think you could do address computation on these things. I think addresses were only constants, but still, basically an array of numbers. So, OK, what have you got now? Let's look a bit at C. How many of those people who have programmed 100 lines of code,
11:01
how many of you were C programmers? A few. Or maybe you're just embarrassed. Oh, I forgot to say, all of those that didn't put your hands up for that first question, you should feel proud and you should glory in your innocence while you still have it.
11:22
You are not yet complicit in this train wreck. It worked then. OK, so here's a little piece of C code, which I shall explain. I shall explain it in several different ways. So we start out, it creates two locations, X and secret, ah, don't do that.
11:42
This is so bad. Creates X, storing one, and secret key, which stores, I might get this wrong, your pin. And then there's some computation which is supposed to only operate on X,
12:01
but maybe it's a teensy bit buggy, or corrupted by somebody. And then we try and we make a pointer to X. OK, and in this execution, X just happened to be allocated at 14, and this pointer contains the number 14. And then we add one to that pointer.
12:23
Ah, it's C, so actually that adding one to the pointer, it really means add the four bytes which are the size of that thing. So we add four to 14, and we get 18. OK, and then we try and read the thing which is pointed to. OK, what's going to happen?
12:41
Let me compile this and run it in a conventional way. Oh, it printed the secret key, bad. This program, rather distressingly, this is characteristic by no means of all security flaws, but a very disturbingly large fraction of all the security flaws are basically doing this.
13:04
OK, so does C really let you do that? Yes and no. So if you look at the C standard, which is one of these beautiful books, it says, and you have to read moderately carefully to understand this,
13:22
but it says that this program has undefined behavior. Now, many of you will know what that means, but others won't. So that means, as far as the standard is concerned, for programs like that, there is no constraint on the behavior of the implementation at all.
13:40
Or, said another way, and maybe a more usefully way, the standard lets implementation, so C compilers, assume that programs don't have this kind of stuff, and it's the programmer's responsibility to ensure that. Now, in about 1970, 1975, maybe 1980, this was a really good idea.
14:04
It gives compilers a lot of flexibility to do efficient implementation. Now, not so much. But how does this work in the definition? So the standard somehow has to be able to look at this program and identify it as having this undefined behavior.
14:25
And indeed, well, if we just think about the numbers in memory, this 18, it points to a perfectly legitimate storage location. And that plus one was also something that you're definitely allowed to do in C.
14:45
So the only way that we can know that this is undefined behavior is to keep track of the original allocation of this pointer. And here, I've got these allocation identifiers at three, at four, at five. And you see here, what I've still got in this pointer,
15:01
despite the fact that I added four to it, I've still remembered the allocation ID. So then I can check, or the standard can check, when we try and read from this, whether that address is within the footprint of that original allocation, i.e., is within there. And in fact, it's not. It's over here. It's not within there at all. So this program is deemed to have undefined behavior.
15:25
Just to clarify something, people often get confused. So we detect undefined behavior here, but it isn't really a temporal thing. The fact that there is an undefined behavior anywhere in the execution means the whole program is toast. Okay.
15:41
But this is really interesting, because we're relying for this critical part of the standard on some information which is not there at runtime in a conventional implementation. So just to emphasize that point, if I compile this program, let's say, to ARM assembly language,
16:01
I get a sequence of store and load and add instructions. Store, load, add, store, load, load. And if I look at what the ARM architecture says can happen, these blue transitions, one thing to notice is that we can perfectly well do some things out of order. At this point, we could either do this load, or we could do that store.
16:24
That would be a whole other talk. Let's stick with the sequential execution for now. What I want to emphasize is that this load of this address really was loading a 64-bit number, which was the address of X, and adding four to it, and then loading from that address the secret key.
16:44
So there's no trace of these allocation IDs. No trace at all. Okay. Let me step back a little bit. So I've been showing you some screen shots of C behavior and ARM behavior.
17:07
And I claim that these are actually showing you all of the behaviors allowed by what one would like the standards to be for these two things. And really, what I've been showing you are GUIs attached to mathematical models
17:26
that we've built in a big research project for the last many years. REMS, Rigorous Engineering of Mainstream Systems. Sounds good. Aspirational title, I think I would say. And in that, we've built semantics, so mathematical models defining the envelope of all allowed behavior
17:43
for a quite big fragment of C, and for the concurrency architecture of major processes, ARM and x86 and RISC-V and IBM Power, and also for the instruction set architecture of these processes, the details of how individual instructions execute.
18:00
And in each case, these are specs that are executable as test oracles. You can compare algorithmically some observed behavior against whether the spec says it's allowed or not, which you can't do with those books. So this is an idiot simple idea, but for some reason, the industry has not taken it on board
18:21
any time in the last five decades. It's not that hard to do. These are also mathematical models, and I'll come back to that later. But another thing I want to emphasize here is that in each of these cases, especially these first two, when you start looking really closely, then you learn that what you have to do is not build a nice,
18:41
clean mathematical model of something which is well understood. What you learn is that there are real open questions. For example, within the C standards committee and within ARM a few years ago, about exactly what these things even were. And that is a bit disturbing, given that these are the foundations for all of our information infrastructure.
19:04
There's also a lot of other work going on with other people within this REMS project on WebAssembly and JavaScript and file systems and other concurrency. Don't have time to talk about those, but Hannes Menard is going to talk a little bit about TCP later today. You should go to that talk too, if you like this one.
19:21
If you don't like this one, you should still go to that talk. Okay. So this is doing somewhat better, certainly more rigorous engineering of specifications, but so far only for existing infrastructure.
19:41
For this C language, ARM architecture, what have you. So what if we try and do better? What if we try and build better security in? So the architectures that we have, really they date back to the 1970s or even 60s with the idea of virtual memory. And that gives you, I don't need to go into what it is,
20:02
but that gives you very coarse-grain protection. You can have your separate processes isolated from each other, and on a good day you might have separate browser tabs isolated from each other in some browsers sometimes, but it doesn't scale, right? It's just too expensive.
20:22
You don't have lots of little compartments. One thing we could do, we can certainly design much better programming languages than C, but all of that legacy code, that's got a massive inertia, right? So an obvious question is whether we can build in better security into the hardware
20:41
that doesn't need some kind of massive, pervasive change to all the software we ever wrote. And that's the question that a different large project, the Cherry project, has been addressing. So this is something that's been going on for the last eight years or so, mostly at SRI and at Cambridge, funded by DARPA and the EPSRC and ARM and other people,
21:03
mostly led by Robert Watson, Simon Moore, Peter Neumann, and a cast of thousands, and me, a tiny bit. So, don't do that. I should learn to stop pushing this button. It's very hard to not push the button.
21:20
So here's the question in a more focused way that Cherry is asking, right? Can we build hardware support, which is both efficient enough and deployable enough, that gives us both fine-grain memory protection to prevent that kind of bug that we were talking about earlier, or that kind of leak, at least,
21:40
and also scalable compartmentalization? So you can take bits of untrusted code and put them in safe boxes and know that nothing bad is gonna get out, right? That's the question. The answer, so the basic idea of the answer is pretty simple, and it also dates back to the 70s, is to add hardware support for what people call capabilities, all right?
22:02
And we'll see that working in a few moments. The idea is that this will let programmers exercise the principle of least privilege, so with each little bit of code having only the permissions it needs to do its job, and also the principle of intentional use. So with each little bit of code,
22:20
when it uses one of those capabilities, will require it to explicitly use it rather than implicitly, so the intention of the code has to be made plain. So let's see how this works. So these capabilities, they're basically replacing some, or maybe all,
22:41
of the pointers in your code. So if we take this example again, all right? In ISO C, we had an address, and in the standard, well, the standard is not very clear about this, but we're trying to make it more clear, an allocation ID, something like it. Now in Cherry C, we can run the same code,
23:01
but we might represent this pointer not just with that number at runtime, but with something that contains that number and the base of the original allocation and the length of the original allocation and some permissions. And having all of those in the pointer means that we can do, the hardware can do,
23:21
at runtime, at access time, a very efficient check that this is within this region of memory. And if it's not, it can fail stop and trap. No information leak. And you need a bit more machinery to make this actually work, right? So it would be nice if all of these were 64-bit numbers,
23:42
but then you get a 256-bit pointer, and that's a bit expensive. So there's a clever compression scheme that squeezes all this down into one to eight bits with enough accuracy. And then you need to design the instruction set of the CPU carefully to ensure that you can
24:05
never forge one of these capabilities with a normal instruction. You can never just magic one up out of a bunch of bits that you happen to find lying around. So all the capability manipulating instructions, they're going to take a valid capability
24:23
and construct another, possibly smaller, in memory extent, or possibly with less permissions, new capability. They're never going to grow the memory extent or add permissions. And when the hardware starts, at hardware initialization time,
24:42
the hardware will hand to the software a capability to everything. And then as the operating system works, and the linker works, and the C language allocator works, these capabilities will be chopped up into ever finer and smaller pieces to be handed out to the right places.
25:00
And then you need one more little thing. So this is C language world we're living in here, or really a machine code language world. So there's nothing stopping code writing bytes of stuff. So you have to somehow protect these capabilities
25:20
against being forged by the code, either on purpose or accidentally, writing bytes over the top. You need to preserve their integrity. So that's done by adding, for each of these 128 bit sized and aligned units of memory, just a one extra bit that holds a tag,
25:43
and that tag records whether this memory holds a currently valid capability or not. So all the capability manipulating instructions, if they're given a valid capability with a tag set,
26:02
then the result will still have a tag set. But if you write, say you just wrote that byte there, which might change the base, then the hardware will clear that tag. And these tags, they're not conventionally addressable.
26:21
They don't have addresses. They're just stuck there in the memory system of the hardware. So there is no way that software can futz with these. So this is really cool. We've taken what in ISO was undefined behavior in the standard, and in implementations was a memory leak.
26:42
And we've turned it into something that in charity is in both the specification and the implementation is guaranteed to trap, to fail stop, and not leak that information. So there's another few things about the design that I should mention. So I think all these blue things,
27:00
I think I've talked about. But then a lot of care has gone in to make this be very flexible, to make it possible to adopt it. So you can use capabilities for all pointers, if you want to, or just at some interfaces. You might, for example, use them at the kernel user space interface.
27:21
It coexists very nicely with existing C and C++. You don't need to change the source code very much at all and we'll see a tiny bit of data about this to make these, to start using these. It coexists with the existing virtual memory machinery. So you can use both capabilities and virtual memory
27:41
if you want, or you can just use capabilities if you want or just use virtual memory if you want. And then there's some more machinery which I'm not gonna talk about for doing this secure encapsulation stuff. What I've talked about so far is basically the fine-grain memory protection story. And I should say, the focus so far
28:00
is on spatial memory safety. So that's not, in the first instance, protecting against reuse of an old capability in a bad way. But there are various schemes for supporting temporal memory safety with basically the same setup. Okay, so.
28:20
So how do we, okay, so this is some kind of a high-level idea. How do we know that it can be made to work? Well, the only way is to actually build it and see. And this has been a really interesting process, right? Because mostly when you're building something, either in academia or in industry, you have to keep most of the parts fixed.
28:43
I mean, you're not routinely changing both the processor and the operating system, because that would just be too scary. But here, we have been doing that, and indeed, we've really been doing a three-way co-design of building hardware, and building and adapting software to run above it,
29:02
and also building these mathematical models all at the same time. This is, well, A, it's a lot of fun, because you often get groups of people together that can do all of those things. But B, it's really effective. So what we've produced then is an architecture specification,
29:21
in fact, extending MIPS, because it was conveniently free of IP concerns. And that specification is one of these mathematically rigorous things expressed in a domain-specific language, specifically for writing instruction set architecture specifications. And we've designed and implemented actually two of those.
29:41
And then there are hardware processor implementations that actually run on FPGAs, and a lot of hardware research devoted to making this go fast and be efficient, despite these extra tags and whatnot. And then there's a big software stack adapted to run over this stuff, so including Clang, and the FreeBSD kernel,
30:01
and the FreeBSD user space, and WebKit, and all kinds of pieces. So this is a very major evaluation effort that one is not normally able to do. This is why, this combination of things is why that list of people up there was about 40 people. I say this is based on MIPS, but the ideas are not specific to MIPS,
30:21
and there are ongoing research projects to see if this can be adapted to the ARM application class architecture, and the ARM microcontroller architecture, and to RISC-V. We'll see how that goes in due course. So then, with all of these pieces,
30:41
we can evaluate whether it actually works. And that's still kind of an ongoing process, but the data that we've got so far is pretty encouraging. So we see here, first, performance. So you see maybe a percent or two
31:03
in many cases of runtime overhead. There are workloads where it performs badly. If you have something that's very pointer heavy, then the extra pressure from those larger pointers will be a bit annoying. But really, it seems to be surprisingly good.
31:22
Then, is it something that can work without massive adaption to the existing code? Well, in this port of the FreeBSD user space, so all the normal programs that run, there was something like 20,000 files,
31:40
and only 200 of those needed a change. And that's been done by one or two people in not all that large an amount of time. Some of the other code that's more like an operating system needs a bit more invasive change, but still, it seems to be viable.
32:02
Is it actually more secure? How are you gonna measure that? We like measuring things as a whole. We try and do science where we can. Can we measure that? Not really, but it certainly does, the whole setup certainly does mitigate against quite a large family of known attacks.
32:23
I mean, if you try and run Heartbleed, you'll get a trap. It will say, trap. I think it will say, signal 34, in fact. So, that's pretty good. And if you think about attacks, very many of them involve a chain of multiple flaws
32:42
put together by an ingenious member of the C3 community or somebody else. And very often, at least one of those is some kind of memory access permission flaw of some kind or other. Okay, so this is nice, but I was talking a lot
33:02
in the first part of the talk about rigorous engineering. So here, we've got formally defined definitions of the architecture, and that's been really useful for testing against and for doing test generation on the basis of, and doing specification coverage
33:22
in an automated way, but surely we should be able to do more than that. So this formal definition of the architecture, what does it look like? So for each instruction of this Cherry MIPS processor, there's a definition, and that definition, it looks a bit like normal code.
33:42
So here's the definition of how the instruction for capability increment cursor immediate goes. So this is a thing that takes capability register and an immediate value, and it tries to add something onto the cursor of that capability. And what you see here is some code,
34:02
looks like code, that defines exactly what happens, and also defines exactly what happens if something goes wrong. You can see there's some kind of an exception case there. That's a processor, no, that's a, yeah, that's a raising our processor exception. So it looks like code, but from this,
34:21
we can generate both reasonably high-performance emulators, reasonably, in C and in OCaml, and also mathematical models in the theorem provers. So three of the main theorem provers in the world are called Isabelle and Hull and Koch. And we generate definitions in all of those.
34:41
So then we've got a mathematical definition of the architecture, then finally, we can start stating some properties. So Cherry is designed with some kind of vague security goals in mind from the beginning, but now we can take, let's say, one of those goals and make it into a precise thing.
35:01
So this is kind of a secure encapsulation kind of a thing, not exactly the memory leak that we were looking at before, sorry, the secret leak that we were looking at. So let's take, imagine, some Cherry compartment, I haven't told you exactly what that means, but let's suppose that that's understood,
35:22
and inside that compartment there's a piece of software running, and that might be maybe a video codec, or a web browser, or maybe even a data structure implementation, maybe, or a C++ class and all of its objects, maybe.
35:44
So imagine that compartment running, and imagine the initial capabilities that it has access to via registers and memory, and via all the capabilities it has access to via the memory that it has access to, and so on recursively. So imagine all of those capabilities.
36:01
So the theorem says, no matter how this code executes, whatever it does, however compromised or buggy it was, in an execution, up until any point at which it raises an exception, or makes an inter-compartment call,
36:22
it can't make any access which is not allowed by those initial capabilities. And you have to exclude exceptions and inter-compartment calls, because by design they do introduce new capabilities into the execution. But until that point, you get this guarantee.
36:43
And this is something that we've proved, actually Kinderland-Neenhouse has proved, with a machine-checked proof in fact the Isabel theorem prover. So this is a fact which is about as solidly known as any fact the human race knows.
37:01
These provers, they're checking the mathematical proof in exceedingly great detail, with great care and attention, and they're structured in such a way that the soundness of the prover depends only on some tiny little kernel. So conceivably, cosmic rays hit the transistors
37:22
at all of the wrong points, but basically we know this for sure. I emphasize, this is a security property. We have not proved, we certainly wouldn't claim to have proved that Cherry is secure, and there are all kinds of other kinds of attack that this statement doesn't even address,
37:42
but at least this one property, we know it for real. So that's kind of comforting, and not a thing that conventional computer science and engineering has been able to do on the whole. Okay, so I'll be taming the chaos then.
38:04
Well, no, sorry. But I've shown you two kinds of things. So the first was showing how we can do somewhat more rigorous engineering for that existing infrastructure. It's now feasible to do that, and in fact, I believe it has been feasible
38:23
to build specifications which you can use as test oracles for many decades. We haven't needed any super fancy new tech for that. We've just needed to focus on that idea. And then, so that's for existing infrastructure,
38:41
and then Cherry is a relatively lightweight change that does build in improved security, and we think it's demonstrably deployable, at least in principle. Is it deployable in practice? Are we gonna have in all of our phones five years from now? Will these all be Cherry-indained balls?
39:02
Well, I can't say. I think it is plausible that that should happen, and we're exploring various routes that might mean that that happens, and we'll see how that goes. Okay, so with that, I aim to have given you at least not a whole lot of hope,
39:23
but just a little bit of hope that the world can be made a better place, and I encourage you to think about ways to do it because Lordy knows we need it. But maybe you can at least dream for a few moments of living in a better world.
39:40
And with that, I thank you for your attention. Thanks very much. And with that, we'll head straight into the Q&A.
40:06
We'll just start with mic number one, which I can see right now. Yeah, so thanks for the very encouraging talk. And I have a question about how to secure the part below that. So the theorem that you stated assumes that the machine description
40:23
matches the hardware, or at least describes the hardware accurately. But are there any attempts to check that the hardware actually works like that, that there are no holes in the hardware, that some combination of matching commands work differently or allow memory access that is not in the model?
40:42
So is it possible to use hardware designs and check that it matches the spec and will Intel or AMD try to check their models against that spec? Okay, so the question is basically, can we do provably correct hardware underneath this architectural abstraction?
41:03
And the answer is, so it's a good question. People are working on that, and it can be done, I think, on at least a modest academic scale. Trying to do that in its sort of full glory for a industrial superscalar processor design,
41:24
I think is right now out of reach. But it's certainly something one would like to be able to do. I think we will get there, maybe in a decade or so. A decade is quick. Well thanks, mic number four is empty again, okay.
41:43
So we'll take the internet. But where is the internet? The internet is right here and everywhere. So Rumin8 would like to know, is the effort and cost of building in security to hardware as you've described in your talk,
42:01
significantly greater or less than the effort and cost of porting software to more secure languages? So is the effort of building new hardware more or less than the cost of porting existing software to better languages? I think the answer has to be yes, it is less.
42:25
And the difficulty with porting software is all of you and all of your colleagues and all of your friends and all of your enemies have been beavering away writing lines of code for 50 years, really, I don't know what I want to say, effectively, really numerously.
42:42
There's an awful lot of it. There's a really terrifying amount of code out there. It's very hard to get people to rewrite it. Okay, mic two. So given that most of the parameters that we have in software today are on the software level, not on the hardware level,
43:02
is it possible to go halfway using your entire system as a model so we can have good development, the code base can be executed from the secure hardware, but then, essentially, it should be the same software for unsecured hardware
43:22
and take pretty much the same benefits from office. Right, so this question, if I paraphrase it, is can we use this hardware implementation really as the perfect sanitizer? And I think there is scope for doing that.
43:43
And you can even imagine running this not on actual silicon hardware, but in like a QEMU implementation, which we have, in order to do that. And I think for that purpose, it could already be a pretty effective bug finding tool. I think that would be worth doing.
44:01
But you would like, I mean, as for any testing, it will only explore a very tiny fraction of the possible paths. So we would like to have it always on, if we possibly can. Okay, the internet again. Okay, we would like to know
44:20
how does your technique compare to Intel MPX, which failed miserably with G-Lip-C ignoring it? Will it be better or faster? Could you talk a little bit about that? Hmm, I think for that question, for a real answer to that question, you would need one of my more hardware-y colleagues.
44:42
What I can say is they make nasty faces when you say MPX. Well, that's that. Mic number one. Somewhat inherent to your whole construction was this idea of having an unchangeable bit,
45:01
which describes whether your pointer contents have been changed. Is this even something that can be done in software, or do you have to construct a whole extra RAM or something? So you can't do it exclusively in software because you need to protect it.
45:21
In the hardware implementations that my colleagues have built, it's done in a reasonably efficient way. So it's cached and managed in clever ways to ensure that it's not terribly expensive to do. But you do need slightly wider data piles in your cache protocol and things like that to manage it.
45:45
Okay, mic seven. How good does this system help secure the control for integrity compared to other systems like hardware-assisted data flow isolation or code point integrity in ARM now?
46:03
Well, that's another question which is a bit hard to answer because then it depends somewhat on how you're using the capabilities. So you can arrange here for each, say each C language allocation is independently protected.
46:25
And indeed, you can also arrange that each, where this is sensible, that each sub-object is independently protected. And those protections are going to give you protection against trashing bits of the stack because they'll restrict the capability to just those objects.
46:46
Okay, the internet again. Twitter would like to know, is it possible to run Cherry C without custom hardware?
47:01
So can you run Cherry C without custom hardware? And the answer is you can run it in emulation above this QEMU. That works pretty fast. I mean, fast enough for debugging and as the earlier question was talking about, you can imagine somewhat faster emulations of that.
47:28
It's not clear how much it's worth going down that route. I mean, the real potential big win is to have this be always on. And that's what we would like to have.
47:41
Okay, mic one. Do you have, I'm sorry, do you have some examples of the kinds of code changes that you need to the operating system and user land that you mentioned? So, okay, so what kind of changes do you need to adapt code to Cherry? So if you look at C code,
48:06
there is this C standard that deems a whole lot of things to be undefined behavior. And then if you look at actual C code, you find that very, very much of it does depend on some idiom that the C standard does not approve of.
48:24
So there is, for example, there are quite a lot of instances of code that constructs a pointer by doing a more than one, more than plus one offset, and then brings it back within range before you use it.
48:43
So, in fact, in Cherry C, many of those cases are allowed, but not all of them. More exotic are cases where there's really some crazy inter-object stuff going on, or where a pointer arithmetic between objects,
49:02
which the C standard is certainly quite down on, but which does happen, and code which is, say, manipulating the low order bits of a pointer to store some data in it. That's pretty common. You can do it in Cherry C, but you might have to adapt the code a little bit. Other cases are more fundamental. So, say, in operating system code,
49:21
if you swap out a page to disk, and then you swap it back in, then somehow the operating system has to reconstruct new capabilities from a large capability which it kept for the purpose. So, that needs a bit more work. So, it's kind of a combination. Some things you would regard as
49:43
good changes to the code anyway, and others are more radical. Okay, another one from the internet. Last one. Yep. The internet has gone quiet. Bliss. Wow. Last question from the internet.
50:03
Are there any plans to impact test on Linux or just FreeBSD? If anyone has a good number of spare minutes, then that would be lovely to try the impact on Linux, not just FreeBSD.
50:21
The BSD code base is simpler and maybe cleaner, and my systems colleagues are already familiar with it. So, it's the obvious target. And for an academic project, doing that is already a humongous amount of work. So, I think we would love to know how Linux and especially how Android could be adapted,
50:41
but it's not something that we have the resource to do at the moment. Mic number one again. How likely or dangerous- Your mic number one is not working. How likely or dangerous do you think it is for a programmer to screw up the capabilities he specifies?
51:03
So, how often will the programmer screw up the capabilities? So, in many cases, the programmer is just doing an access with a C or C++ pointer or a C++ object in a normal way. They're not manually constructing these things. So, a lot of that is going to just work.
51:23
If you're building some particular secure encapsulation setup, you have to be a bit careful. But, on the whole, I think this is a small risk compared to the state of software as we have it now. Okay, mic eight.
51:41
So, existing memory patching techniques are quite patchwork-y, like canaries and address random layout. Yes, address layout randomization. Yes.
52:00
Is this a system designed to replace or supplement these measures? I think if you, so if, again, it depends a bit how you use it. So, if you have capabilities really everywhere,
52:23
then there's not much need for address space layout randomization or canaries to protect against explicit information leaks. I imagine that you might still want randomization
52:43
to protect against some side-channel flows, but canaries not so much. And whether you actually do for side-channel flows, I don't know, it's a good question. Mic four, please. Thanks for the very interesting talk. So, you presented with Terri
53:01
a system of verifying existing C software, sort of post-hoc, and improving its security via runtime mechanism. Improving or proving? Improving, yes. Proving, no. So, what's your opinion on the viability of using a static analysis
53:21
and static verification for that? Would it be possible to somehow analyze software that already exists and is written in these unsafe languages and show that it nevertheless has some security properties without writing all the proofs manually in like Hull or Isabelle?
53:41
Well, so if you want to analyze existing software, so static analysis is already useful for finding, finding bugs in existing software. If you want to have assurance from static analysis, that's really very tough. So you certainly wouldn't want to manually write proofs
54:00
in terms of the definitional C semantics. You would need intermediate infrastructure. And if you look at the people who have done verified software, so verified compilers and verified hypervisors and verified operating systems, all of those are now possible on significant scales.
54:24
But they use whole layers of proof and verification infrastructure for doing that. They're not writing proofs by hand for every little detail. And some of those verification methods either are, or you can imagine them being,
54:40
basically like static analysis. You might use a static analysis to prove some relatively simple facts about the code and then stitch those together into a larger assembly. I think like any kind of more complete thing, I think it's hard to imagine. I mean, and these analysis tools, mostly they rely on making some approximation
55:02
in order to be able to do their thing at all. So it's hard to get assurance out of some. Okay, mic one. Hi, you said you modified MIPs architecture to add some logic to check the capabilities.
55:21
Do you know what's the cost of this regarding computational power and energetic power supply? Sorry, can you repeat the last part of that? What's the cost of this modification regarding computational power and power consumption?
55:40
So what's the energy cost? So I gave you a performance cost. I carefully didn't give you an energy cost estimate because it's really hard to do in a scientifically credible way without making a more or less production super scale implementation. And we are sadly not in a position to do that.
56:01
Although if you have 10 or 20 million pounds, then I would be happy to accept it. Mic number seven, please. How does the class of problems that you can address with Cherry compare to the class of problems that are excluded by, for example,
56:22
the Rust programming language? So how does the problems of Cherry relate to the problems, sorry, the problems excluded by Cherry relate to the problems excluded by Rust? So if you are happy to write all of your code in Rust
56:42
without ever using the word unsafe, then maybe there would be no point in Cherry at all. Are you happy to do that? I think someone shakes their head sideways, yeah.
57:07
Mic number one. What do you think about the following thesis? We are building a whole system of things with artificial intelligence and something like that that is above this technical level
57:22
and is building another chaos that isn't healing with those things. It's dreadful, isn't it?
57:44
There are, so you might, in fact some of my colleagues are interested in this question. If you might well want to bound what your artificial intelligence can access or touch and for that you might want this kind of technology.
58:00
But this is not, we are with machine learning systems, we are intrinsically building things that we on the whole don't understand and that will have edge cases that go wrong. And this is not speaking to that in any way. Okay, does the internet have a question? No. Good.
58:21
Don't see anyone else, so let's conclude this. Thank you very much. Thank you.