Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Slides:

Advertisements

Similar presentations

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

Advertisements

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Working with Discourse Representation Theory Patrick Blackburn & Johan Bos Lecture 3 DRT and Inference.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

UIUC CS 497: Section EA Lecture #2 Reasoning in Artificial Intelligence Professor: Eyal Amir Spring Semester 2004.

Logic as the lingua franca of software verification Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A Joint work with Andrey Rybalchenko.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

CS 355 – Programming Languages

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Plan for today Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search.

Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Analysis of Algorithms CS 477/677

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Administrative stuff On Thursday, we will start class at 11:10, and finish at 11:55 This means that each project will get a 10 minute presentation + 5.

A Type System for Expressive Security Policies David Walker Cornell University.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

1 Abstraction Refinement for Bounded Model Checking Anubhav Gupta, CMU Ofer Strichman, Technion Highly Jet Lagged.

After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.

Using Decision Procedures for Program Verification Christopher Lynch Clarkson University.

Describing Syntax and Semantics

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Boolean Satisfiability and SAT Solvers

1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.

SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Introduction Algorithms and Conventions The design and analysis of algorithms is the core subject matter of Computer Science. Given a problem, we want.

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

CS 363 Comparative Programming Languages Semantics.

Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.

© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.

Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.

Lazy Annotation for Program Testing and Verification Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang November 26,

Certifying Intermediate Programming Zhaopeng Li

ISBN Chapter 3 Describing Semantics.

Chapter 3 Part II Describing Syntax and Semantics.

Semantics In Text: Chapter 3.

On the Relation between SAT and BDDs for Equivalence Checking Sherief Reda Rolf Drechsler Alex Orailoglu Computer Science & Engineering Dept. University.

Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Automated tactics for separation logic VeriML Reconstruct Z3 Proof Safe incremental type checker Certifying code transformation Proof carrying hardware.

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.

Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.

From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.

Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View Basic Concepts and Background.

Knowledge Repn. & Reasoning Lecture #9: Propositional Logic UIUC CS 498: Section EA Professor: Eyal Amir Fall Semester 2005.

Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.

State your reasons or how to keep proofs while optimizing code

IS 2935: Developing Secure Systems

Semantics In Text: Chapter 3.

Presentation transcript:

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main search strategy review More human friendly, Less automatable Less human friendly, More automatable

Comparison between the two domains

Advantages of the interpretation domain –Don’t have to deal with inference rules directly less syntactic overhead, can build specialized data structures –Can more easily take advantage of recent advanges in SAT solvers –A failed search produces a counter-example, namely the interpretation that failed to make the formula true or false (depending on whether the goal is to show validity of unsatisfiability)

Comparison between the two domains Disadvantages of the interpretation domain –Search does not directly provide a proof There are ways to get proofs, but they require more effort –Proofs are useful Proof checkers are more efficient than proof finders (PCC) Provide feedback to the human user of the theorem prover –Find false proofs cause by inconsistent axioms –See path taken, which may point to ways of formulating the problem to improve efficiency Provide feedback to other tools –Proofs from a decision procedure can communicate useful information to the heuristic theorem prover

Comparison between the two domains Disadvantages of the interpretation domain (contd) –A lot harder to make the theorem prover interactive –Fairly simple to add user interaction when searching in the proof domain, but this is no the case in the interpretation domain –For example, when the Simplify theorem prover finds a false counter-example, it is in the middle of an exhaustive search. Not only is it hard to expose this state to the user, but it’s also not even clear how the user is going to provide guidance

Connection between the two domains Are there connections between the techniques in the two domains? There is at least one strong connection, let’s see what it is.

Back to the interpretation domain Show that the following in UNSAT (also, label each leaf with one of the original clauses that the leaf falsifies): –A Æ ( : A Ç B) Æ : B

Let’s go back to interpretation domain Show that the following in UNSAT (also, label each leaf with one of the original clauses that the leaf falsifies): –A Æ ( : A Ç B) Æ : B

Parallel between DPLL and Resolution A successful refutation DPLL search tree is isomorphic to a refutation based resolution proof From the DPLL search tree, one can build the resolution proof –Label each leaf with one of the original clauses that the leaf falsifies –Perform resolution based on the variables that DPLL performed a case split on One can therefore think of DPLL as a special case of resolution

Connection between the two domains Are there any other connections between interpretation searches and proof system searches? –Such connections could point out new search strategies (eg: what is the analog in the proof system domain of Simplify’s search strategy?) –Such connections could allow the state of theorem prover to be switched back and forth between the interpretation domain and proof system domain, leading to a theorem prover that combines the benefits of the two search strategies

Proof Carrying Code

Security Automata start has read read(f) sendread(f) bad send

send(); if(…) read(f); send(); Instr ProviderConsumer Run if (…) halt(); send(); if (…) { if (…) halt(); read(f); } if(…) halt(); send(); Policy Example

send(); if(…) read(f); send(); Instr ProviderConsumer Run send(); if (…) read(f); if(…) halt(); send(); Opt if (…) halt(); send(); if (…) { if (…) halt(); read(f); } if(…) halt(); send(); Policy Example

Optimize: how? Use a dataflow analysis –Determine at each program point what state the security automata may be in. Based on this information, can remove checks that are known to succeed

send(); if(…) read(f); send(); Instr ProviderConsumer Run send(); if (…) read(f); if(…) halt(); send(); Opt if (…) halt(); send(); if (…) { if (…) halt(); read(f); } if(…) halt(); send(); Policy Example

send(); if(…) read(f); send(); Instr ProviderConsumer Run send(); if (…) read(f); if(…) halt(); send(); Opt if (…) halt(); send(); if (…) { if (…) halt(); read(f); } if(…) halt(); send(); Proof valid? Reject Yes No Policy Proof optimize & update proof Proof Instr & generate proof Example

Proofs: how? Generate verification condition –Include verification condition and proof of verification in binary VCGen ProgramVerification Condition Policy

send(); if(…) read(f); send(); Instr ProviderConsumer Run send(); if (…) read(f); if(…) halt(); send(); Opt if (…) halt(); send(); if (…) { if (…) halt(); read(f); } if(…) halt(); send(); Proof valid? Reject Yes No Policy Proof optimize & update proof Proof Instr & generate proof Example

Run send(); if (…) read(f); if(…) halt(); send(); Proof valid? Reject Yes No Proof

Example send(); if (…) read(f); if(…) halt(); send(); Proof 1.Run VCGen on code to generate “VC” 2.Check that “Proof” is a valid proof of “VC” Run Yes Reject No

VCGen Where have we seen this idea before?

VCGen Where have we seen this idea before? –ESC/Java For a certain class of policies, we can use a similar approach to ESC/Java Say we want to guarantee that there are no NULL pointer dereferences –Add assert(p != NULL) before every dereference of p –The verification condition is then the weakest precondition of the program with respect to TRUE

For the security automata example We will do this example slightly differently Instead of providing a proof of WP for the whole program, the provider annotates the code with predicates, and provides proofs that the annotations are locally consistent The consumer checks the proofs of local consistency

For the security automata example curr = “start”; send(); if (…) { next = trans read (curr); read(f); curr = next; } next = trans send (curr); if (next == bad) halt(); send(); if(…) read(f); send(); if (…) read(f); if(…) halt(); send(); Original code Pretty picture of instrumented code Actual instrumented code trans send (“start”) == “start” trans send (“has_read”) == “bad” trans read (“start”) == “has_read” trans read (“has_read”) == “has_read”

Secure functions Each security relevant operation requires pre-conditions, and guarantees post-conditions. For any “alphabet” function “ func” : – P 1 : in(current_state) – P 2 : next_state == trans func (current_state) – P 3 : next_state != “bad” Pre: {P1; P2; P3} Post: {in(next_state)}

Secure functions Example for function send() Normal WP rules apply for other statements, for example: {in(curr); next == trans send (curr); next != “bad”} send(); {in(next)} {in(curr)} next = trans send (curr); {in(curr); next == trans send (curr)}

Example curr = “start”; send(); if (…) { next = trans read (curr); read(f); curr = next; } next = trans send (curr); if (next == bad) halt(); send();

Example

... next = trans send (curr); if (next == bad) halt(); send();... {in(curr)} next = trans send (curr); {in(curr); next == trans send (curr)} if (next == bad) { {in(curr); next == trans send (curr); next == “bad”} halt(); {} } {in(curr); next == trans send (curr); next != “bad”} send();

Recall: trans send (“start”) == “start” trans read (“start”) == “has_read”

What to do with the annotations? The code provider: –Send the annotations with the program –For each statement: –Send a proof of P ) wp(S, Q) The code consumer –For each statement: –Check that the provided proof of P ) wp(S, Q) is correct { P } S { Q }

PCC issues: Generating the proof Cannot always generate the proof automatically Techniques to make it easier to generate proof –Can have programmer provide hints –Can automatically modify the code to make the proof go through –Can use type information to generate a proof at the source code, and propagate the proof through compilation (TIL: Type Intermediate Language, TAL: Typed Assembly Language)

PCC issues: Representing the proof Can use the LF framework –Proofs can be large Techniques for proof compression –Can remove steps from the proof, and let the checker infer them –Tradeoff between size of proof and speed of checker

PCC issues: Trusted Computing Base What’s trusted?

PCC issues: Trusted Computing Base What’s trusted? –Proof checker –VCGen (encodes the semantics of the language) –Background axioms

Foundational PCC Try to reduce the trusted computing base as much as possible Express semantics of machine instructions and safety properties in a foundational logic –This logic should be suitably expressive to serve as a foundation for mathematics –Few axioms, making the proof checker very simple No VCGen. Instead just provide a proof in the foundational proof system that the safety property holds Trusted computed base an order of magnitude smaller than regular PCC

The big questions What problem is this solving? How well does it solve the problem? What other problems does it add? What are the costs (technical, economic, social, other) ? Is it worth it? May this eventually be useful? (which you should ask yourself when you review a paper for this class)