Proof-carrying code

Safe Kernel Extensions Without Run-Time Checking, OSDI 1996

Question

Consider Filter 1 as described in Section 3: it accepts all IPv4 packets, i.e. those whose bytes at offsets 12 and 13 (the Ethernet EtherType field) are 0x08 and 0x00, respectively.

1   ldq   r1, 8(r1)   # load bytes at offset 8-15
2   extwl r1, 4, r1   # extract 2-byte EtherType at offset 12-13
3   cmpeq r1, 8, r1   # r1 <- (r1 == ETHER_IP), assuming little endian
4   lda   r0, 0(zero) # r0 <- 0 (failure code)
5   beq   r1, L0      # jump to L0 if r1 is zero (EtherType is not ETHER_IP)
6   lda   r0, 1(zero) # r0 <- 1 (success code)
L0: ret

The program uses a few instructions not described in the paper:

  • lda r, n(zero): r <- n (load immediate n into register r)
  • extwl rs, n, rd: rd <- (rs >> 8n) & 0xffff (right-shift rs by n bytes, i.e. 8n bits, keep the lower two bytes, and store the result in rd; n is a byte position 0..7 within the 8-byte quadword)
  • cmpeq rs, n, rd: rd <- (rs == n) ? 1 : 0 (store 1 in rd if rs equals n, 0 otherwise)
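To make the byte-order argument in line 3 concrete, here is an added host-side model of the three instructions above and of Filter 1 run over constructed Ethernet frames. It is example code written for this page, not code from the paper or from the assignment. It assumes registers are 64-bit values, that the packet lives at address 0 of a byte array, and that Alpha's little-endian load order applies; the frame contents and the MIN_PKT length check are constructed for the model (real PCC has no such run-time check: the proof establishes from Pre that the load is safe).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the paper or the assignment: a model of the Alpha
 * instructions used by Filter 1.  Registers are uint64_t, packet memory is a
 * byte array addressed from 0, byte order is little-endian as on Alpha. */

#define ETHER_IP 0x0800u   /* IPv4 EtherType in network (big-endian) order */
#define MIN_PKT  16u       /* the ldq at offset 8 touches bytes 8..15 (model-only check) */

/* ldq rd, off(rs): rd <- 8-byte little-endian quadword at address rs+off. */
static uint64_t ldq(const uint8_t *mem, uint64_t addr)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | mem[addr + (uint64_t)i];
    return v;
}

/* extwl rs, n, rd: rd <- (rs >> 8n) & 0xffff, n = byte position 0..7. */
static uint64_t extwl(uint64_t rs, unsigned n)
{
    return (rs >> (8u * (n & 7u))) & 0xffffu;
}

/* cmpeq rs, n, rd: rd <- (rs == n) ? 1 : 0 */
static uint64_t cmpeq(uint64_t rs, uint64_t n)
{
    return rs == n ? 1u : 0u;
}

/* The word Filter 1 holds in r1 after line 2: bytes 12-13 read little-endian.
 * *ok is cleared if the packet is too short for the ldq; this check exists
 * only in the model, PCC discharges the read obligation by proof. */
uint64_t ethertype_word(const uint8_t *pkt, size_t len, int *ok)
{
    if (len < MIN_PKT) { *ok = 0; return 0; }
    *ok = 1;
    uint64_t r1 = ldq(pkt, 8);      /* line 1: load bytes 8-15 */
    return extwl(r1, 4);            /* line 2: extract bytes 12-13 */
}

/* Filter 1 as written: packet address in r1, result in r0.
 * Returns 1 (accept), 0 (reject), or -1 if the model refused the load. */
int filter1(const uint8_t *pkt, size_t len)
{
    int ok;
    uint64_t r1 = ethertype_word(pkt, len, &ok);
    if (!ok) return -1;
    r1 = cmpeq(r1, 8);              /* line 3: 0x08,0x00 reads as 0x0008 == 8 */
    uint64_t r0 = 0;                /* line 4: failure code */
    if (r1 == 0) return (int)r0;    /* line 5: beq r1, L0 */
    r0 = 1;                         /* line 6: success code */
    return (int)r0;                 /* L0: ret */
}

/* Constructed 64-byte frame: 6 dst MAC, 6 src MAC, 2 EtherType, zero payload. */
static void make_frame(uint8_t *f, uint16_t ethertype_net_order)
{
    memset(f, 0, 64);
    memset(f, 0xff, 6);                              /* broadcast destination */
    f[6] = 0x02; f[11] = 0x01;                       /* arbitrary source MAC */
    f[12] = (uint8_t)(ethertype_net_order >> 8);     /* high byte first on the wire */
    f[13] = (uint8_t)(ethertype_net_order & 0xffu);
}

int demo_ipv4(void)  { uint8_t f[64]; make_frame(f, ETHER_IP); return filter1(f, 64); }
int demo_arp(void)   { uint8_t f[64]; make_frame(f, 0x0806u);  return filter1(f, 64); }
int demo_short(void) { uint8_t f[64]; make_frame(f, ETHER_IP); return filter1(f, 12); }
uint64_t demo_word_ipv4(void) { uint8_t f[64]; int ok; make_frame(f, ETHER_IP); return ethertype_word(f, 64, &ok); }
uint64_t demo_word_arp(void)  { uint8_t f[64]; int ok; make_frame(f, 0x0806u);  return ethertype_word(f, 64, &ok); }

int main(void)
{
    printf("IPv4 frame: r1 after extwl = 0x%04llx, filter -> %d\n",
           (unsigned long long)demo_word_ipv4(), demo_ipv4());
    printf("ARP frame:  r1 after extwl = 0x%04llx, filter -> %d\n",
           (unsigned long long)demo_word_arp(), demo_arp());
    printf("12-byte frame: filter -> %d (model refused the ldq)\n", demo_short());
    return 0;
}
```

The wire bytes 0x08 0x00 land in the low and high byte of the extracted word respectively, so the register holds 0x0008 and the immediate in cmpeq is 8, not 0x0800; an ARP frame (0x08 0x06) extracts to 0x0608 and is rejected.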

What’s the verification condition VC0 for the beginning of the program? Does the precondition Pre (given in Section 3) imply VC0? Briefly describe why or why not.

Question

Suppose a malicious user modifies Filter 1 by adding an stq instruction that attempts to write an arbitrary memory address (say 0xdeadbeef). How exactly does PCC prevent this memory write?

Question

What’s the trusted computing base for the kernel to run a PCC binary? In other words, what components in the kernel are assumed to be correct?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

For example, compared with other approaches for running untrusted code in the kernel, such as SFI and the domain-specific languages used in exokernels, what are the advantages and disadvantages of PCC?