Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000.

Published byJessie Snow Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000."— Presentation transcript:

1 Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000

2 2 Subtitle Twelf A Tool to Reason About Formal Systems

3 3 Motivation CERT-advisories [www.cert.org]  Computer Emergency Response Team  January 1999 – February 2000  29 Advisories total  11 Advisories: Buffer overflow (e.g. ftpd)  Others: Viruses, Denial of Service … > 38% of vulnerabilities due to bugs

4 4 Motivation We need tools to  Increase confidence in software  Engineer trusted bases for computing  Catch programming language design flaws There is such a tool: Twelf

5 5 Contributions Design of Twelf  Meta-logic [Schürmann 00]  Algorithms for automated deduction Implementation of Twelf  Core [Pfenning, Schürmann 99]  Meta theorem prover [Schürmann 00] Application of Twelf  Experiments

6 6 Outline of This Talk Problem  Safety Architectures Twelf  Design Implementation  Experiments Conclusion  Research Agenda

7 7 Trusting the Source? Example:  WU-ftpd 2.6.0: 17865 lines of code  GCC-core 2.95.2: 433128 lines of code Related work:  Piton/Micro Gipsy [Moore, Young, Bevier 89] CompilerBinarySource Trusted Computing Base

8 8 Trusting Binaries? Example:  WU-ftpd 2.5.0 binary: 150 KB [RedHat 6.1] Related work:  Software fault isolation [Wahbe, … 93] Compiler Trusted Computing Base VerifierBinarySource

9 9 Feasibility study  Packet filter [ Necula, Lee 96] Trusting Safety Proofs? CompilerSourceProof Checker Safety Proof Binary Safety Proof Language Small Trusted Computing Base

10 10 Safety Architectures Proof Carrying Code  Logic: 129 rules [Necula, Lee 97]  Logic: several 100 rules [Appel, Felty 99]  Proof checker: 206 lines [Schürmann 98]  Uses a logical framework Typed Assembly Language  Type Theory: 31 rules [Morrisett, Crary … 98]  Proof Checker: approx 4000 lines Java Bytecode  Type system: 20 pages prose  Bytecode verifier

11 11 Uniform representation language  Storing  Shipping  Checking Logic-independent safety proof checker Logical Frameworks Safety Proof Proof Checker Safety Proof Language Binary Logical Framework Safety Proof Proof Checker Safety Proof Language

12 12 Safety Proof Languages First-order/higher-order logics [Gentzen 35] Temporal logics (CTL, CTL*, LTL) [Pnueli, Manna, … 84] Modal and linear logics [Girard 86] Type theories Language and system-specific knowledge

13 13 Good Safety Proof Languages Consistency  Falsehood should not be derivable Expressiveness  Small safety proofs require expressive logics Extensibility  Possibility to add new admissible rules Is The Safety Proof Language Good?

14 14 Meta-Logical Framework Meta-Logical Frameworks Logical Framework Safety Proof Proof Checker Safety Proof Language Is The Safety Proof Language Good?

15 15 Rest of this Talk Twelf A meta-logical framework that supports the representation of logics and type systems and automates reasoning about them Used at CMU, Princeton, Stanford…

16 16 Overview Safety Proof Language Logic Judgments Inference rules Logical Framework Uniform language Types Direct encoding as objects Reasoning Consistency arguments Theorems about logics Inductive proofs Meta-logical Framework Automated proof search Formulas Direct encoding as proofs

17 17 Let’s Start Safety Proof Language Logic Judgments Inference rules

18 18 A Simple Logic Intuitionistic logic: Sequent calculus: [Gentzen 35]  Judgment:  Rules:

19 19 Next: Logical Framework LF Safety Proof Language Logic Judgments Inference rules Logical Framework Uniform language Types Direct encoding as objects

20 20 Logical framework LF [Honsell, Harper, Plotkin 93]  Simply typed λ -calculus  Dependent types Paradigm  Judgments as types  Derivations as objects Representation Logical Framework

21 21 Representation (cont’d) Inference rules as constants axiom : (hyp A -> conc A). impr : (hyp A -> conc B) -> conc (A imp B). impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C). cut : conc A -> (hyp A -> conc C) -> conc C.

22 22 Reasoning about the real world is as good as the encoding is Theorem prover for LF [Schürmann 98] Representation (cont’d) 1-to-1 Logic Logical Framework

23 23 Notes on the Representation Elegance  Higher-order representation techniques  Dependent types Benefit  Variables and substitutions come for free! We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it. [Allen Newell]

24 24 Next: Reasoning Safety Proof Language Logic Judgments Inference rules Logical Framework Uniform language Types Direct encoding as objects Reasoning Consistency arguments Theorems about logics Inductive proofs

25 25 A (Not So) Simple Argument Theorem [Admissibility]: [Gentzen 35] If and then Proof: by induction on A,D,E. Case: E= by induction hyp. on D,E’ by application of impr

26 26 History of This Result  Fundamental theorem in Logic [Gentzen 35]  Consistency of first-order logic  Structural proof [Pfenning 95]  Twelf can prove it automatically [Schürmann 99]  Neither a toy problem nor a trivial problem  18 2 = 324 cases for full-first order intuitionistic logic  One of the most basic theorems of logic and automated deduction

27 27 Significance of This Result It is not reasoning in a logic  Derivation in a logic is only an object  Admissibility lemma is not expressible But reasoning about a logic  Step outside the logic  Analyze properties of the logic  Admissibility lemma is expressible It is not reasoning in a logic  Derivation in a logic is only an object  Admissibility lemma is not expressible But reasoning about a logic  Step outside the logic  Analyze properties of the logic  Admissibility lemma is expressible

28 28 Next: Meta-logical Framework Safety Proof Language Logic Judgments Inference rules Logical Framework Uniform language Types Direct encoding as objects Reasoning Consistency arguments Theorems about logics Inductive proofs Meta-logical Framework Automated proof search Formulas Direct encoding as proofs

29 29 Problem Reasoning about derivations is inductive In general: LF signatures are not inductive Standard induction techniques do not apply axiom : (hyp A -> conc A). impr : (hyp A -> conc B) -> conc (A imp B). impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C). Negative occurrence

30 30 Closed World Assumption Standard induction techniques assume  Fixed set of constructors  Existence of induction principles Example: Natural number induction zero:nat succ:nat -> nat

31 31 Open World Assumption No induction principles  Type definitions are open-ended  New types, new inference rules may be added Example: Admissibility Theorem  Not stable under extensions of the world Forms of objects are not predictable

32 32 Solution Regular world assumption Closed world assumption Open world assumption

33 33 Regular World Assumption Extensions to the world are predictable!  Sound induction principle exist  But it is not standard! axiom : (hyp A -> conc A). impr : (hyp A -> conc B) -> conc (A imp B). impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C). h 1 :hyp A 1. h 2 :hyp A 2.... h n :hyp A n.

34 34 Meta Logic M 2 Regular extensions of the world: Here Theorem [Admissibility]: If and then +

35 35 Meta Logic M 2 (cont’d) Formulas: Semantics: +

36 36 Meta Logic M 2 (cont’d) Proof calculus for M 2 [Schürmann 00]  Judgment:  Rules: see thesis Theorem [Soundness of M 2 ] [Schürmann 00] If then Proof: via realizability interpretation. + + +

37 37 Twelf Implementation Implements a theorem prover for M 2 Success due to regular world assumption Automated proof search No tactics Twelf Lemmas Ind.-variables Bound Proof in M 2 Not found + +

38 38 Twelf Implementation (cont’d) Splitting Case analysis over LF objects Regular world assumption Recursion Induction hypotheses Regular world assumption Filling Applies an underlying LF prover Or theorem prover for underlying logic

39 39 Experiments Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

40 40 Experiments (cont’d) Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

41 41 Experiments (cont’d) Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

42 42 Experiments (cont’d) Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

43 43 Contributions Design of Twelf  Design of a theorem prover for LF  Regular world assumption  Design of the sound meta-logic M 2 Implementation of Twelf  Core (together with Frank Pfenning)  Meta theorem prover Application of Twelf  Experiments +

44 44 Research Vision I believe, that the demand for safe and secure software, networks, programming languages will continuously increase. I foresee myself designing, implementing, and applying the necessary tools.

45 45 Research Agenda Towards real-world applications  Network protocol design  Security protocol design  Programming language design  Software engineering

46 46 Research Agenda (cont’d) Design and Implementation  Meta logic + Constraints  Lemma generalization  Natural language explanation

47 47 Conclusion A meta-logical framework (Twelf) that supports the representation of logics and type systems and automates reasoning about them http://www.twelf.org

Download ppt "Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Brief Introduction to Logic. Outline Historical View Propositional Logic : Syntax Propositional Logic : Semantics Satisfiability Natural Deduction : Proofs.

Brief Introduction to Logic. Outline Historical View Propositional Logic : Syntax Propositional Logic : Semantics Satisfiability Natural Deduction : Proofs.
Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.

Static and User-Extensible Proof Checking Antonis StampoulisZhong Shao Yale University POPL 2012.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
The Logic of Intelligence Pei Wang Department of Computer and Information Sciences Temple University.

The Logic of Intelligence Pei Wang Department of Computer and Information Sciences Temple University.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Proof Planning in Logical Frameworks Carsten Schürmann Yale University September 2002.

Proof Planning in Logical Frameworks Carsten Schürmann Yale University September 2002.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Mathematical Modeling Carsten Schürmann DemTech April 8, 2015 IEEE-SA VSSC-1622.6.

Mathematical Modeling Carsten Schürmann DemTech April 8, 2015 IEEE-SA VSSC
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.

1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.
What’s left in the course. The course in a nutshell Logics Techniques Applications.

What’s left in the course. The course in a nutshell Logics Techniques Applications.
A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,

A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Similar presentations

Ads by Google