Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
1 Regression-Verification Benny Godlin Ofer Strichman Technion.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
LIFE CYCLE MODELS FORMAL TRANSFORMATION
Design & Analysis of Algoritms
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Generic Programming and Formal Methods David R. Musser Rensselaer Polytechnic Institute.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Operational Semantics.
Language-Based Security Proof-Carrying Code Greg Morrisett Cornell University Thanks to G.Necula & P.Lee.
A Type System for Expressive Security Policies David Walker Cornell University.
Describing Syntax and Semantics
Recursion Chapter 7. Chapter 7: Recursion2 Chapter Objectives To understand how to think recursively To learn how to trace a recursive method To learn.
Recursion Chapter 7. Chapter 7: Recursion2 Chapter Objectives To understand how to think recursively To learn how to trace a recursive method To learn.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.
C OURSE : D ISCRETE STRUCTURE CODE : ICS 252 Lecturer: Shamiel Hashim 1 lecturer:Shamiel Hashim second semester Prepared by: amani Omer.
© Janice Regan, CMPT 128, Jan CMPT 128 Introduction to Computing Science for Engineering Students Creating a program.
Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.
Recursion Chapter 7. Chapter Objectives  To understand how to think recursively  To learn how to trace a recursive method  To learn how to write recursive.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
An overview of Coq Xinyu Feng USTC Erasmus Mundus NordSecMob Scholar at DTU.
Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
CHAPTER 15 & 16 Functional & Logic Programming Languages.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
ISBN Chapter 3 Describing Semantics.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Semantics In Text: Chapter 3.
Syntax and Semantics CIS 331 Syntax: the form or structure of the expressions, statements, and program units. Semantics: the meaning of the expressions,
Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)
Logic Programming and Prolog Goal: use formalism of first-order logic Output described by logical formula (theorem) Input described by set of formulae.
Ch. 13 Ch. 131 jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes?) Dr. Carter Tiernan.
Code-Carrying Theory Aytekin Vargun Rensselaer Polytechnic Institute.
CSE Winter 2008 Introduction to Program Verification January 15 tautology checking.
DEDUCTION PRINCIPLES AND STRATEGIES FOR SEMANTIC WEB Chain resolution and its fuzzyfication Dr. Hashim Habiballa University of Ostrava.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.
CSE 60641: Operating Systems George C. Necula and Peter Lee, Safe Kernel Extensions Without Run-Time Checking, OSDI ‘96 –SIGOPS Hall of fame citation:
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
1 Proving Properties of Recursive List Functions CS 270 Math Foundations of CS Jeremy Johnson.
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
Thoughts on Programming with Proof Assistants Adam Chlipala University of California, Berkeley PLPV Workshop.
Proof And Strategies Chapter 2. Lecturer: Amani Mahajoub Omer Department of Computer Science and Software Engineering Discrete Structures Definition Discrete.
Sub-fields of computer science. Sub-fields of computer science.
Recursion Topic 5.
Matching Logic An Alternative to Hoare/Floyd Logic
State your reasons or how to keep proofs while optimizing code
Chapter 10: Mathematical proofs
Introduction Artificial Intelligent.
Semantics In Text: Chapter 3.
A Trustworthy Proof Checker
Lecture 19: Proof-Carrying Code Background just got here last week
Presentation transcript:

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute

Outline Introduction Proof-Carrying Code (PCC) Code-Carrying Proofs(CCP) Sample CCP session Future Work

Potential Problems to be Solved Memory Safety illegal operations or illegal access to memory Security unauthorized access to data or system resources Functional Correctness whether the code does correctly what it is formally required to do

Two Solutions Proof-Carrying Code (PCC) Code-Carrying Proofs (CCP)

Proof-Carrying Code (PCC) Developed by Necula and Lee [1996] at CMU. Basic Idea: Use machine-checkable proofs as certificates. Proof construction is harder than proof checking Code producer provides the proof Code consumer checks it

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker Ok CPU VCGen Verification Condition Safety Policy Safety Proof VCGen Verification Condition Source Code Touchstone Compiler Native Code With Annotations PCC

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker No CPU VCGen Verification Condition Safety Policy Safety Proof VCGen Verification Condition (may change) Source Code Touchstone Compiler Tampered Native Code With Annotations Hacker  Tampered Code is not delivered to the CPU But safety is still guaranteed if the code is modified in such a way that the VC is unchanged PCC Tampered

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker No CPU VCGen Verification Condition Safety Policy Tampered Safety Proof VCGen Verification Condition Source Code Touchstone Compiler Native Code With Annotations  Proof is either invalid or  is not the proof of the VC Hacker PCC Tampered

Code Producer Code Consumer Theorem Prover Safety Policy Native Code With Annotations Proof Checker VCGen Verification Condition Safety Policy VCGen Verification Condition (may change) Source Code Touchstone Compiler Tampered Native Code With Annotations Hacker  Safety is guaranteed if the tampered proof is the proof of the new VC Safety Proof Hacker Tampered Safety Proof Ok CPU PCC Tampered

Foundational PCC Developed by Appel in [2000] at Princeton VCGen is a large program. Replace it! Basic Idea: Define the semantics of the machine instructions and safety rules Use foundational mathematical logic instead of programming-language-specific axioms or safety rules No particular type system

Foundational PCC Prove w.r.t. the formal machine language semantics Operates at a very low level of abstraction It does reduce dependency on a large program (VCGen) but this is true for CCP also

Code-Carrying Proofs (CCP) Start with axioms that define functions The form of axioms is such that it is easy to extract executable code from them. Prove that the defined functions obey certain requirements The producer transmits Axioms The correctness theorems And their proofs

Code-Carrying Proofs (CCP) No explicit code transmission The consumer checks proofs to see if the correctness theorem is proved If proof checking succeeds, the consumer applies the code extractor to the axioms and obtain the executable code

Code-Carrying Proofs (CCP) CCP attempts to solve Functional Correctness problem We are dealing with a higher-level language

Code Producer Code Consumer Axioms & Proofs Theorem Prover Requirements Axioms & Theorems Proof Checker CPU Axioms & Theorems Code Extractor Code CCP Requirements Axioms & Proofs

Code Producer Code Consumer Axioms & Proofs Tampered Axioms & Proofs Theorem Prover Requirements Axioms & Theorems Proof Checker CPU Code Extractor Hacker (Failed Proofs) (No Code) CCP Tampered

Issues Encoding axioms and proofs Proof Checking Tests to be applied by the consumer to new function definitions (definitional principle) Syntactic Property Consistency Termination Implementing Code Extractor

Athena Implemented by K.Arkoudas A language for both: Ordinary Computation Logical Deduction

Athena Ordinary Computation Language Provides higher-order functions Has primitive functions for Unification Matching Substitution

Athena Logical Language Special Deductive Forms dcheck, dbegin, assume, … Primitive Deduction Methods mp, both, left-and, … Declarations structure, declare, … Directives load-file, clear-assumption-base, …

Athena Advantages Better Proof Readability Machine checkable proofs Makes it possible to formulate and write proofs as methods Generic Proofs write the proof once and instantiate it to prove specific cases

Code Extractor Quantified Equations and Conditional Equations These are clauses of a recursive function definition CE has to be able to combine these into a recursive function

Code Extractor CE can extract pure functions it is not capable of extracting destructive functions Example Functions: searching functions, sum It cannot handle functions like: in-place reverse, sort

Code Extractor We have been working on simple functions. But: In analogy to STL, it is useful to have a library of simple functions from which more complex functions can be composed, especially if the functions are generic It is possible for code extractor to extract complex functions composed of such simple functions

Future Work New Definitions and Tests to be applied Defining Memory More Proof Examples Improving the Code Extractor Memory Safety Generic Proofs and Proof packaging

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.