Static Provenance Verification for Message Passing Programs Rupak Majumdar Roland MeyerZilong Wang MPI-SWSTU KaiserslauternMPI-SWS

Motivation: Taint Analysis “All data from sources must be sanitized before a sink.” otherwise sanitizer source sink data source. sanitizer

Provenance Information about the source and access history of an object Databases: What rows were used to compute a query? Workflows: Which information was used for a result? Program Analysis: what can we do?

Provenance Verification for Concurrent Programs Questions: Can we statically track provenance information in a concurrent program model? Can we verify interesting provenance properties? Main results: A model of asynchronous message passing program with provenances Static provenance verification is decidable (with finite data domains)

Message Passing Program Principals run in parallel – Local variables – Operations: control flow, send(ch, x), recv(ch, x) Channels – Unbounded but unordered Messages – Finite domain

Provenance on Messages Provenance of a message = Principals who have sent the message chronologically Provenance domain = Strings over principal names

ch0 Medical Example PC1 PC2 PC3 ch2 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2;}} ch1 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2);}}} principal doctor { var d1, d2; while(true) { recv(ch2, d1); d2 = HA(d1); choose :: send(ch2, d2); :: send(ch1, d2);}} HQ HQ, patient HQ, patient HA HA, patient.secretary.doctor.doctor HA, patient.secretary.doctor.doctor HQ, patient.secretary HQ, patient.secretary HA, patient.secretary.doctor HA, patient.secretary.doctor

ch0 Medical Example PC1 PC2 PC3 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2; } ch2 ch1 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2); } principal doctor { var d1, d2; while(true) { recv(ch2, d1); d2 = HA(d1); choose :: send(ch2, d2); :: send(ch1, d2);}} HQ HA, patient.secretary.doctor.doctor HA, patient.secretary.doctor.doctor Requirement: Every health answer received by a patient must be seen by a doctor at least once. Requirement: Every health answer received by a patient must be seen by a doctor at least once. Provenance problem: Are provenances of messages in p3 always in the regular set along all executions?

Provenance Verification Problem Given a message passing program P, a variable x, and a regular set R of provenances, are provenances of all messages stored in x always in the set R along all executions of P?

Verification Challenge Infinite state space: 1.Unboundedly many messages in a channel 1.Unboundedly many provenances

ch0 Unbounded Messages in a Channel PC1 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2;}} ch1 ch2 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2);}}} principal doctor { var d1, d2; while(true) { recv(ch2, d1); d2 = HA(d1); choose :: send(ch2, d2); :: send(ch1, d2);}} HQ

Verification Challenge Infinite state space: 1.Unboundedly many messages in a channel 1.Unboundedly many provenances

ch0 Unboundedly Many Provenances PC3 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2;}} ch1 ch2 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2);}}} principal doctor { var d1, d2; while(true) { recv(ch2, d1); d2 = HA(d1); choose :: send(ch2, d2); :: send(ch1, d2);}} HA HA, ….doctor.doctor HA, ….doctor.doctor

Unbounded Messages: Petri Net Finite set of places Finite set of transitions Places marked with tokens Fire transitions An infinite state system Coverability problem is decidable. Is a given place markable in some execution?

B A Program to a Bisimilar Petri Net A transition for each operation in a program 1.A place for each control location 2.A place (x, m): for each variable x and each message value m 3.A place (ch, m): for each channel ch and each message value m

Unboundedly many provenances  unboundedly many places! Consider Provenances

Provenance Automata Provenance problem: Are provenances of all messages stored in x always in the regular set R of provenances along all executions of P? A regular set of provenances  DFA The answer to the problem depends on the states of DFA, not on individual provenances. Equivalence classes w.r.t. states: Two provenances are equivalent if they let DFA go to the same state.

ch2 ch0 PC1 PC2 PC3 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2;}} ch1 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2);}}} principal doctor { var d1, d2; while(true) { recv(ch2, d1); d2 = HA(d1); choose :: send(ch2, d2); :: send(ch1, d2);}} q0 q1 P q2 q3 S D D a HA HA, patient.secretary. doctor HA, patient.secretary. doctor HA,q3 Track States, not Provenances

ch2 ch0 PC1 PC2 principal patient { var p1, p2, p3; while(true) { choose :: p1 = HQ; send(ch0, p1); :: p1 = AR; send(ch0, p1); :: recv(ch1, p2); if (p2 == HA) p3 = p2; } ch1 principal secretary { var s1, s2; while(true) { recv(ch0, s1); if (s1 == HQ) send(ch2, s1); else { s2 = AA(s1); send(ch1, s2); } q0 q1 P q2 q3 S D D HQ,q2 HA,q3 a Provenance problem: Are provenances of messages in p3 always in the regular set along all executions? Coverability problem: Is one of the places (p3,*,q1),(p3,*,q2) and (p3,*,sink) markable along some execution? Provenance problem: Are provenances of messages in p3 always in the regular set along all executions? Coverability problem: Is one of the places (p3,*,q1),(p3,*,q2) and (p3,*,sink) markable along some execution? Track States, not Provenances

Program + Provenance DFA ➔ poly Petri net Provenance verification problem = Coverability problem of Petri nets Reduction

Provenance verification problem for message passing programs is decidable and is EXPSPACE-complete. Main Theorem

Application: Firefox Extensions Database service: mozlStorageService async APIs Private mode in Firefox No restrictions for extensions in private mode Question: can extensions save user data into databases in the private mode?

Extensions and Channels DB PubEx PriEx ch0 ch1 ch2 ch0: for temporary files ch1, ch2: for database async API calls Are provenances of all messages received by DB always in the set PubEx * along all executions?

Tool 1.Use Javascript analyzer JSure to obtain the control flow of extensions 2.Perform data flow abstraction to obtain Petri net models 3.Run a coverability checker

Experimental Results  Nine extensions using mozlStorageService  Five extensions save user information to databases in private mode -Amazon price history -Facebook chat history manager -FVD Speed Dial -Privad privacy-aware ad server -Shopping assistant

Summary  Provenance verification problem in concurrent message passing programs -Coverability problem of Petri nets  Firefox extensions may save user data in private mode (Be careful!)

Questions?