
Static Provenance Verification for Message Passing Programs. Rupak Majumdar (MPI-SWS), Roland Meyer (TU Kaiserslautern), Zilong Wang (MPI-SWS).



Presentation transcript:

1 Static Provenance Verification for Message Passing Programs
Rupak Majumdar (MPI-SWS), Roland Meyer (TU Kaiserslautern), Zilong Wang (MPI-SWS)

2 Motivation: Taint Analysis
"All data from sources must be sanitized before a sink."
[Figure: data flows from a source through a sanitizer to a sink; a path from source to sink that bypasses the sanitizer violates the requirement.]

3 Provenance
Information about the source and access history of an object.
- Databases: What rows were used to compute a query?
- Workflows: Which information was used for a result?
- Program analysis: what can we do?

4 Provenance Verification for Concurrent Programs
Questions:
- Can we statically track provenance information in a concurrent program model?
- Can we verify interesting provenance properties?
Main results:
- A model of asynchronous message passing programs with provenances
- Static provenance verification is decidable (with finite data domains)

5 Message Passing Program
Principals run in parallel
- Local variables
- Operations: control flow, send(ch, x), recv(ch, x)
Channels
- Unbounded but unordered
Messages
- Finite domain

6 Provenance on Messages
Provenance of a message = the principals who have sent the message, in chronological order.
Provenance domain = strings over principal names.

7 Medical Example
Three principals communicate over channels ch0, ch1 and ch2 (program counters PC1, PC2 and PC3 are marked in the figure):

    principal patient {
      var p1, p2, p3;
      while (true) {
        choose
        :: p1 = HQ; send(ch0, p1);
        :: p1 = AR; send(ch0, p1);
        :: recv(ch1, p2); if (p2 == HA) p3 = p2;
      }
    }

    principal secretary {
      var s1, s2;
      while (true) {
        recv(ch0, s1);
        if (s1 == HQ) send(ch2, s1);
        else { s2 = AA(s1); send(ch1, s2); }
      }
    }

    principal doctor {
      var d1, d2;
      while (true) {
        recv(ch2, d1);
        d2 = HA(d1);
        choose
        :: send(ch2, d2);
        :: send(ch1, d2);
      }
    }

[Figure annotations: messages travel through the channels as (value, provenance) pairs, e.g. (HQ, patient), (HQ, patient.secretary), (HA, patient.secretary.doctor), (HA, patient.secretary.doctor.doctor).]

8 Medical Example
[Same program as slide 7; the figure annotates the message (HA, patient.secretary.doctor.doctor) on its way to the patient.]
Requirement: Every health answer received by a patient must be seen by a doctor at least once.
Provenance problem: Are the provenances of the messages in p3 always in the regular set along all executions?

9 Provenance Verification Problem
Given a message passing program P, a variable x, and a regular set R of provenances: are the provenances of all messages stored in x always in the set R along all executions of P?

10 Verification Challenge
Infinite state space:
1. Unboundedly many messages in a channel
2. Unboundedly many provenances

11 Unbounded Messages in a Channel
[Same program as slide 7; the figure highlights PC1, the patient's send of HQ into ch0, which can be executed arbitrarily often, so ch0 can hold unboundedly many HQ messages.]

12 Verification Challenge
Infinite state space:
1. Unboundedly many messages in a channel
2. Unboundedly many provenances

13 Unboundedly Many Provenances
[Same program as slide 7; the figure highlights PC3 and the message (HA, ….doctor.doctor): each time the doctor receives a message from ch2 and sends it back to ch2, the provenance grows by another "doctor".]

14 Unbounded Messages: Petri Net
- Finite set of places
- Finite set of transitions
- Places marked with tokens
- Fire transitions
- An infinite state system
Coverability problem is decidable: is a given place markable in some execution?

15 A Program to a Bisimilar Petri Net
A transition for each operation in a program.
1. A place for each control location
2. A place (x, m) for each variable x and each message value m
3. A place (ch, m) for each channel ch and each message value m

16 Consider Provenances
Unboundedly many provenances → unboundedly many places!

17 Provenance Automata
Provenance problem: Are the provenances of all messages stored in x always in the regular set R of provenances along all executions of P?
A regular set of provenances → a DFA.
The answer to the problem depends on the states of the DFA, not on individual provenances.
Equivalence classes w.r.t. states: two provenances are equivalent if they take the DFA to the same state.

18 Track States, not Provenances
[Same program as slide 7. DFA figure: states q0 (initial), q1, q2, q3 (accepting) and a sink; q0 → q1 on P (patient), q1 → q2 on S (secretary), q2 → q3 on D (doctor), q3 → q3 on D; every other letter leads to the sink. Annotation: the message (HA, patient.secretary.doctor) is tracked as (HA, q3).]

19 Track States, not Provenances
[Same program and DFA as slide 18. Annotations: (HQ, q2) in ch2 and (HA, q3) in ch1.]
Provenance problem: Are the provenances of the messages in p3 always in the regular set along all executions?
Coverability problem: Is one of the places (p3, *, q1), (p3, *, q2) and (p3, *, sink) markable along some execution?
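The idea of slides 16 to 19 (tag each message with the DFA state its provenance drives to, instead of the provenance string) can be tried out on the medical example. The Python below is an added example, not code from the slides or from the authors' tool. It assumes the DFA reconstructed from the figures (R = patient.secretary.doctor.doctor*, states q0 to q3 plus a sink), runs each loop iteration atomically (sound here because local steps and sends commute with the other principals' steps under bag semantics), and explores interleavings only up to a bounded number of iterations. Such a bounded search can find violations but never proves the property; the slides' Petri net coverability reduction is what decides it. What the run shows is the finiteness argument itself: the number of distinct provenance strings grows with the bound, while the number of distinct DFA states stays at three.

```python
from collections import Counter

HQ, AR, HA, AA = "HQ", "AR", "HA", "AA"   # message values of the medical example (slide 7)

# The three principals of slide 7: a list of `choose` alternatives per principal, each a sequence
# of operations. The secretary's if/else is flattened into two guarded alternatives.
PROGRAM = {
    "patient": [
        [("const", "p1", HQ), ("send", "ch0", "p1")],
        [("const", "p1", AR), ("send", "ch0", "p1")],
        [("recv", "ch1", "p2"), ("copy_if", "p3", "p2", HA)],
    ],
    "secretary": [
        [("recv", "ch0", "s1"), ("guard", "s1", HQ, True), ("send", "ch2", "s1")],
        [("recv", "ch0", "s1"), ("guard", "s1", HQ, False),
         ("apply", "s2", AA, "s1"), ("send", "ch1", "s2")],
    ],
    "doctor": [
        [("recv", "ch2", "d1"), ("apply", "d2", HA, "d1"), ("send", "ch2", "d2")],
        [("recv", "ch2", "d1"), ("apply", "d2", HA, "d1"), ("send", "ch1", "d2")],
    ],
}

# Provenance DFA for R = patient.secretary.doctor.doctor*, as reconstructed from slides 18-19
# (an assumption about the figure); any transition not listed leads to the sink state.
DFA = {("q0", "patient"): "q1", ("q1", "secretary"): "q2",
       ("q2", "doctor"): "q3", ("q3", "doctor"): "q3"}
ACCEPT, SINK = "q3", "sink"

class Concrete:
    """Message tag = the full provenance string (tuple of principal names): unbounded domain."""
    empty = ()
    @staticmethod
    def sent_by(tag, principal):
        return tag + (principal,)
    @staticmethod
    def accepted(tag):
        q = "q0"
        for p in tag:
            q = DFA.get((q, p), SINK)
        return q == ACCEPT

class Abstract:
    """Message tag = the DFA state the provenance drives to: a five-element domain."""
    empty = "q0"
    @staticmethod
    def sent_by(tag, principal):
        return DFA.get((tag, principal), SINK)
    @staticmethod
    def accepted(tag):
        return tag == ACCEPT

def bag_add(chans, key, delta):
    """Channels are unordered bags, kept as a sorted tuple of ((ch, value, tag), count) pairs."""
    bag = Counter(dict(chans))
    bag[key] += delta
    return tuple(sorted((k, n) for k, n in bag.items() if n > 0))

def run_op(op, principal, loc, chans, T):
    """Yield the (locals, channels) successors of one operation under tagging scheme T."""
    kind, a = op[0], op[1:]
    if kind == "const":                  # x = m: a fresh message with empty provenance
        yield {**loc, a[0]: (a[1], T.empty)}, chans
    elif kind == "apply":                # x = f(y): new value, provenance inherited from y
        yield {**loc, a[0]: (a[1], loc[a[2]][1])}, chans
    elif kind == "copy_if":              # if (y == m) x = y
        yield ({**loc, a[0]: loc[a[1]]} if loc[a[1]][0] == a[2] else loc), chans
    elif kind == "guard":                # flattened if/else: only the matching branch continues
        if (loc[a[0]][0] == a[1]) == a[2]:
            yield loc, chans
    elif kind == "send":                 # send(ch, x): the sender's name extends the provenance
        value, tag = loc[a[1]]
        yield loc, bag_add(chans, (a[0], value, T.sent_by(tag, principal)), +1)
    elif kind == "recv":                 # recv(ch, x): any message in the bag may be taken
        for (ch, value, tag), _ in chans:
            if ch == a[0]:
                yield {**loc, a[1]: (value, tag)}, bag_add(chans, (ch, value, tag), -1)

def run_seq(ops, principal, loc, chans, T):
    """Run a whole alternative, branching wherever a recv can pick among several messages."""
    if not ops:
        yield loc, chans
        return
    for loc2, chans2 in run_op(ops[0], principal, loc, chans, T):
        yield from run_seq(ops[1:], principal, loc2, chans2, T)

def explore(T, iterations):
    """Breadth-first search over interleavings of whole loop iterations, `iterations` deep.
    Returns (property_holds, tags_seen_in_channels); the property is that p3 only ever holds
    messages whose provenance is in R."""
    start = (tuple(() for _ in PROGRAM), ())
    frontier, seen, tags, holds = {start}, {start}, set(), True
    for _ in range(iterations):
        nxt = set()
        for locs, chans in frontier:
            for i, name in enumerate(PROGRAM):
                for alt in PROGRAM[name]:
                    for loc2, chans2 in run_seq(alt, name, dict(locs[i]), chans, T):
                        if name == "patient" and "p3" in loc2 and not T.accepted(loc2["p3"][1]):
                            holds = False
                        tags.update(tag for (_, _, tag), _ in chans2)
                        state = (locs[:i] + (tuple(sorted(loc2.items())),) + locs[i + 1:], chans2)
                        if state not in seen:
                            seen.add(state)
                            nxt.add(state)
        frontier = nxt
    return holds, tags

def tag_counts(iterations):
    """Distinct message tags met within the bound: grows for strings, stays at three DFA states."""
    return {T.__name__: len(explore(T, iterations)[1]) for T in (Concrete, Abstract)}

if __name__ == "__main__":
    for k in range(1, 7):
        print(k, tag_counts(k), "p3 in R so far:", explore(Abstract, k)[0])
```

With the concrete tagging the doctor's resend loop produces patient.secretary.doctor, patient.secretary.doctor.doctor, and so on, one new string per iteration; with the abstract tagging every one of those collapses to q3, which is exactly why the places (x, m, q) of slide 19 form a finite set.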

20 Reduction
Program + provenance DFA → Petri net (polynomial size)
Provenance verification problem = coverability problem of Petri nets

21 Main Theorem
The provenance verification problem for message passing programs is decidable and EXPSPACE-complete.

22 Application: Firefox Extensions
- Database service: mozIStorageService, async APIs
- Private mode in Firefox
- No restrictions for extensions in private mode
Question: can extensions save user data into databases in private mode?

23 Extensions and Channels
[Figure: principals DB, PubEx and PriEx connected by channels ch0, ch1 and ch2.]
- ch0: for temporary files
- ch1, ch2: for database async API calls
Are the provenances of all messages received by DB always in the set PubEx* along all executions?

24 Tool
1. Use the JavaScript analyzer JSure to obtain the control flow of extensions
2. Perform data flow abstraction to obtain Petri net models
3. Run a coverability checker

25 Experimental Results
- Nine extensions using mozIStorageService
- Five extensions save user information to databases in private mode:
  - Amazon price history
  - Facebook chat history manager
  - FVD Speed Dial
  - Privad privacy-aware ad server
  - Shopping assistant

26 Summary
- Provenance verification problem in concurrent message passing programs
  - Coverability problem of Petri nets
- Firefox extensions may save user data in private mode (be careful!)

27 Questions?
www.mpi-sws.org/~zilong




