A Case Study in Using ACL2 for Feature-Oriented Verification
Kathi Fisler and Brian Roberts, WPI Computer Science

Configurations of Features
Email features, after [Hall, 2000]: decrypt, encrypt, auto-respond, filter, signing, forward, verify signature, mailhost, remail, addressbook

Feature-Oriented Design
Modules encapsulate features, not objects.

Components (columns) versus features (rows):

Feature     | Command loop     | User Pref Database | Incoming Messages | Outgoing Messages
auto-reply  | set-msg, enable  | response           | check/send reply  |
encryption  | set-key, enable  | key                | check encrypted   | encrypt message

Feature-Rich Systems
- Telecommunications industry
- NASA's next-generation software base
- Symbian
- Aspects
Still greatly lacking in verification tools

Verification Challenges
- Exponential number of possible products!
  – verify individual features once
  – verify compositions cheaply
- Feature interactions
  – does voice mail always engage after 4 rings?
- Features can share data

The Case Study
- Model an email system with four features
  – Host/postmaster (report unknown users)
  – Auto-response (aka vacation)
  – Encryption
  – Decryption
- Determine lemmas to modularly
  – prove properties of individual features
  – confirm properties and detect interactions

A Basic System
simulate-network (hostenv, userenv, actions)
  → do-actions (…)
    → do-mail

Modeling Features
One function for each extension to the system:
- add new actions
- add user info
- add processing on incoming messages
- add processing on outgoing messages
(The four extensions correspond to the four component columns of the auto-reply/encryption table on the Feature-Oriented Design slide: Command loop, User Pref Database, Incoming Messages, Outgoing Messages.)

A Basic System (with feature hooks)
simulate-network (hostenv, userenv, actions)
  → do-actions (…)
    → do-mail
      → do-init, do-send, do-deliver, do-command
        → per-feature functions: -auto-init, -auto-incoming, …, host-incoming

Customizing Products

    ; the product is chosen by listing the features it contains
    (defconst *features-present* '(auto encrypt))

    ; fif (feature-if) is the authors' macro: it expands to its first branch
    ; only when the named feature is in *features-present*, otherwise to the
    ; second; let-seq rebinds user through each step in turn.
    (defund do-init (user)
      (let-seq user
        (fif encrypt (-encrypt-init user) user)
        (fif decrypt (-decrypt-init user) user)
        (fif auto    (-auto-init user)    user)
        user))

Verifying Features
- Needs the feature's -init and -incoming functions
- Verify against product containing base system and auto-response feature
  – theorem refers to simulate-network
  – not really modular
Property: if user has auto-response enabled and sender not in prev-recip list, send message

Lightweight Product Verification
Add host to product with auto-response: prove auto-response property still holds
- build (new) product including host feature
- prove simulate-network theorem again
Lightweight means proof shouldn't require unanticipated lemmas
Ideally warn of likely feature interactions

Detecting Feature Interactions
- Sample interaction: auto-reply message sent to postmaster
- Often violates no properties of features
- Incompleteness makes more difficult
- Capture interaction as theorem, determine lemmas needed to confirm
  – Hope: failure to prove under lemmas indicates likely interaction
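The auto-response property from the Verifying Features slide, the "add host and re-check" step from Lightweight Product Verification, and the postmaster interaction above can all be exercised on a small executable model. The following is an added example in Python, not the authors' ACL2 development: it mirrors the design (features as functions hung off the base system's delivery hook, a product selected by a feature set in the role of *features-present*) so the property and the interaction can be checked by simulation rather than proof. The Message and User records, the POSTMASTER sender name and the no_auto_reply_to mitigation knob are assumptions of this example.

```python
"""Executable model of the slides' feature-oriented email system (added
example; the records, POSTMASTER name and no_auto_reply_to knob are assumed)."""
from dataclasses import dataclass, field

POSTMASTER = "postmaster"  # constructed sender name used by the host feature


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class User:
    name: str
    auto_enabled: bool = False          # "enable" in the auto-reply feature
    auto_msg: str = "I am away"         # "set-msg" in the auto-reply feature
    prev_recip: set = field(default_factory=set)  # senders already auto-replied to


# Feature hooks: each returns the messages it wants the network to send next,
# the analogue of the slides' per-feature -incoming functions.
def auto_incoming(user, msg):
    """Auto-response: reply once to each new sender while enabled."""
    if user.auto_enabled and msg.sender not in user.prev_recip:
        user.prev_recip.add(msg.sender)
        return [Message(user.name, msg.sender, user.auto_msg)]
    return []


def host_incoming(users, msg):
    """Host/postmaster: report unknown recipients back to the sender."""
    if msg.recipient not in users:
        return [Message(POSTMASTER, msg.sender, f"unknown user: {msg.recipient}")]
    return []


def make_do_deliver(features, no_auto_reply_to=frozenset()):
    """Build the product's delivery step from the chosen feature set (the role
    of *features-present* guarding each hook with fif). no_auto_reply_to is an
    assumed mitigation: senders the auto-responder must never answer."""
    def do_deliver(users, msg):
        out = []
        if "host" in features:
            out += host_incoming(users, msg)
        user = users.get(msg.recipient)
        if user is not None and "auto" in features and msg.sender not in no_auto_reply_to:
            out += auto_incoming(user, msg)
        return out
    return do_deliver


def simulate_network(features, users, actions, no_auto_reply_to=frozenset(), max_steps=50):
    """Deliver the initial actions and everything the features generate in
    response. Returns the trace of delivered messages; the step bound keeps a
    runaway feature loop (bounce -> auto-reply -> bounce ...) from hanging."""
    do_deliver = make_do_deliver(features, no_auto_reply_to)
    queue, trace = list(actions), []
    while queue and len(trace) < max_steps:
        msg = queue.pop(0)
        trace.append(msg)
        queue.extend(do_deliver(users, msg))
    return trace


# Properties as predicates over a trace: the slides state them as ACL2 theorems
# about simulate-network; here they are checked on concrete runs.
def auto_response_holds(trace, users):
    """Every message to an auto-enabled user from a sender not seen earlier in
    the trace is answered with that user's auto message later in the trace
    (users are assumed to start with empty prev-recip lists)."""
    seen = {name: set() for name in users}
    for i, msg in enumerate(trace):
        user = users.get(msg.recipient)
        if user is None or not user.auto_enabled or msg.sender in seen[user.name]:
            continue
        seen[user.name].add(msg.sender)
        if not any(r.sender == user.name and r.recipient == msg.sender
                   and r.body == user.auto_msg for r in trace[i + 1:]):
            return False
    return True


def auto_reply_to_postmaster(trace, users):
    """The sample interaction from the slides: a user's auto-reply is addressed
    to the postmaster."""
    return any(m.recipient == POSTMASTER and m.sender in users
               and m.body == users[m.sender].auto_msg for m in trace)


if __name__ == "__main__":
    # Product 1: base + auto-response. The feature property holds.
    users = {"alice": User("alice", auto_enabled=True)}
    t1 = simulate_network({"auto"}, users, [Message("bob", "alice", "hi")])
    print("product {auto}: auto-response holds:", auto_response_holds(t1, users))
    # Product 2: add the host feature. Alice mails an unknown user, the bounce
    # arrives from postmaster, and her auto-responder answers it: the
    # auto-response property still holds, yet the interaction is present.
    users = {"alice": User("alice", auto_enabled=True)}
    t2 = simulate_network({"auto", "host"}, users, [Message("alice", "carol", "hi")])
    print("product {auto, host}: auto-response holds:", auto_response_holds(t2, users))
    print("product {auto, host}: auto-reply to postmaster:", auto_reply_to_postmaster(t2, users))
```

Run as a script it prints True, True, True: the product with the host feature still satisfies the auto-response property, which is exactly the slide's point that the interaction "often violates no properties of features", so it has to be stated as its own predicate (auto_reply_to_postmaster) to be caught. Passing no_auto_reply_to={POSTMASTER} removes the interaction, but then auto_response_holds fails on the same run, because suppressing replies to the postmaster is a change to the auto-response feature's specification, not just to the host feature.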

Supporting Modular Verification
- Lemmas about individual features crucial
  – make product verification lightweight
  – help detect feature interactions
- Four kinds of lemmas helpful
  – type/format of inputs and outputs
  – environment info that might/won't change
  – conditions characterizing changes
  – lifting lemmas through call-graph hierarchy
- Ideally automate lemma creation

Why Modularity?
Reviewer: modularity irrelevant for ACL2
We disagree:
- modularity key part of design process
- features provide new form of modularity
- Research goal goes beyond ACL2

Reflections on ACL2
- Procedural style natural match for features
  – features capture functional/behavioral information
- First-order limitation inhibits plug-and-play
  – implementations use higher-order functions/classes
- Macros crucial
  – generate products and standard lemmas
- Books too restrictive for some feature lemmas
- Hands-off and disable hints simulate modular environment

Questions for Experts
- Better way to achieve plug-and-play?
- Way to use books for all feature lemmas?
- Results on lemma generation that we should know about?