Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kestrel Policy Enforcement and Refinement Douglas R. Smith Kestrel Institute Palo Alto, California.

Published byHorace Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "Kestrel Policy Enforcement and Refinement Douglas R. Smith Kestrel Institute Palo Alto, California."— Presentation transcript:

1 Kestrel Policy Enforcement and Refinement Douglas R. Smith Kestrel Institute Palo Alto, California

2 Kestrel Specifications and Morphisms spec Partial-Order is sort E op le: E, E  Boolean axiom reflx is le(x,x) axiom trans is le(x,y)  le(y,z)  le(x,z) axiom antis is le(x,y)  le(y,x)  x = y end-spec spec Integer is sort Int op  : Int, Int  Boolean op 0 : Int op _+_ : Int, Int  Int … end-spec Specification morphism: a language translation that preserves provability E ↦ Int le ↦  axioms ↦ thms

3 Kestrel Composition by Colimit in SPEC spec TRANSITIVE -RELATION is type E op _tr_ : E* E  Boolean axiom transitivity is a tr b  b tr c  a tr c end-spec spec REFLEXIVE-RELATION is type E op _rr_ : E* E  Boolean axiom reflexivity is a rr a end-spec spec PREORDER-RELATION is sort E op  : E* E  Boolean axiom reflexivity is a  a axiom transitivity is a  b  b  c  a  c end-spec spec BINARY-RELATION is type E op _br_ : E* E  Boolean end-spec

4 Kestrel System Composition Diagram Mission-Controller MC-Env Comm-Channel Radar Radar-Env p p MC+CC+Radar CC-Env1 CC-Env2 p p

5 Kestrel Constructing Refinements Scheduling 0 Scheduling 1 po Scheduling 2 po 1. Library of Refinements Set Sequence Resource Transportation Resource Global Search Global Search Algorithm Rewrite Simplification Context-dependent Simplification Finite Differencing Case Analysis Partial Evaluation 2. Library of Refinement Generators Global Search Global Search Algorithm Set Sequence Scheduling 3 Scheduling 4 Context-dependent Simplification Finite Differencing

6 Kestrel Issue: How to Handle Nonfunctional and Cross-Cutting Concerns wrt Composition and Refinement? A concern is cross-cutting if its manifestation cuts across the dominant hierarchical structure of a program/system. Examples Log all errors that arise during system execution Enforce a system-wide error-handling policy Disallow unauthorized data accesses Enforce timing and resource constraints on a system design

7 Kestrel Working Hypothesis 1.A policy is a cross-cutting constraint that reduces nondeterminism in a system. 2.Policy enforcement determines a refinement. 3.We can express policies constraint as automata or in temporal logic 4.Explore enforcement mechanisms for various classes of policies System Policy Constraint Policy Conditions Refined System showing where the policy applies seems to require sound static analysis

8 Kestrel A Generative Approach to Aspect-Oriented Programming hypothesis: aspects are invariants to maintain

9 Kestrel Maintain an Error Log Policy: Maintain an error log in a system

10 Kestrel Expressing System Constraints Many systems constraints refer to history (events, actions, state,…) dynamic context (i.e. the call-stack) environment behavior substrate properties (e.g. instruction timing, latence, …)

11 Kestrel Virtual Variables in State S0S0 act 0 S1S1 act 1 S 3 S2S2 act 2 hist :=  S 0, act 0  hist := hist ::  S 1, act 1  hist := hist ::  S 2, act 2  key idea: extend state with a virtual history variable Virtual variables exist for purposes of specification sliced away prior to code generation

12 Kestrel Maintain an Error Log Policy: Maintain an error log in a system Assume: errlog = filter(error?, actions(hist)) Achieve: errlog ´ = filter(error?, actions(hist ´ )) spec satisfied by: errlog := errlog :: erract Invariant:  errlog = filter(error?, actions(hist)) Disruptive Actions: error?(act) Spec for Maintenance Code : for each error action erract, = filter(error?, actions(hist ::  S, erract  )) = filter(error?, actions(hist) :: erract) = filter(error?, actions(hist)) :: erract = errlog :: erract

13 Kestrel Maintaining an Error Log S0S0 act 0 S1S1 hist :=  S 0, act 0  error 1 S 3 hist := hist ::  S 1, act 1  S2S2 act 2 hist := hist ::  S 2, act 2  errlog := errlog errlog := errlog:: error 1 errlog := errlog

14 Kestrel General Case Invariant:  I(x) Disruptive Actions: any action that changes x or an alias Spec for Maintenance Code : for each such action act with specification Assume: P(x) Achieve: Q(x, x´) generate and satisfy new specification Assume: P(x)  I(x) Achieve: Q(x, x´)  I(x´) spec typically satisfied by code of the form: act || update

15 Kestrel Error-Handling Policies and their Enforcement Douglas R. Smith Klaus Havelund Kestrel Technology/NASA Ames Palo Alto, California www.kestreltechnology.com

16 Kestrel NonRobust Java Program class AddNumbersFromFile { static void doIt(String fileName) throws IOException { DataInputStream source = null; if (fileName != null) source = new DataInputStream(new FileInputStream(fileName)); int count = source.readInt(); int sum = addEm(source,count); System.out.println("Sum is " + sum); } static int addEm(DataInputStream s, int c) throws IOException { int sum = 0; for (int i = 0; i < c; i++) sum += s.readInt(); if (s.available() == 0) s.close(); return sum; }}

17 Kestrel Generic File Management Policy Open Stop openclose use FileNotFoundException / handler1 IOException / handler2 use handler3 Start Error

18 Kestrel Policy Simulation on the Example Program DoIt entry fileName != null F source = new DataInputStreamPolicy(fileName) T {Start} {Open} {Start,Open} count = source.readInteger(); {Open} call addEm(source,count); {Open  Closed, Open  Open } sum = result {Open,Closed} System.out.println("Sum is " + sum) {Open,Closed} exit addEm entry {Open} sum = 0; i= 0; i < c sum += source.readInteger(); i++; T s.available()==0 F F s.close(); T {Open} {Closed} {Open, Closed} {Open} exit return sum {Open, Closed} ambiguous analysis

19 Kestrel Program Transformation to Reduce Policy Ambiguity if ( fileName != null ) source = new DataInputStream(new FileInputStream(fileName)); count = source.readInt(); if ( fileName != null ){ source = new DataInputStream(new FileInputStream(fileName)); count = source.readInt(); } else { count = source.readInt(); } distribute if-then-else over semicolon if ( fileName == null ) throw new Error("Attempt to read from an unopen File"); source = new DataInputStream(new FileInputStream(fileName)); count = source.readInt(); apply the policy and simplify has ambiguous analysis has unambiguous analysis! unambiguous analysis, clear code

20 Kestrel Revised Java Program with Unambiguous Analysis class AddNumbersFromFile { static void doIt(String fileName) throws IOException { DataInputStream source = null; if ( fileName == null ) {throw new Error("Attempt to read from an unopen File");} source = new DataInputStream(new FileInputStream(fileName)); count = source.readInt(); int sum = addEm(source,count); System.out.println("Sum is " + sum); } static int addEm(DataInputStream s, int c) throws IOException { int sum = 0; for (int i = 0; i < c; i++) sum += s.readInt(); // if (s.available()==0) s.close(); return sum; }

21 Kestrel Revised Java Program with Enforced Policy class RobustlyAddNumbersFromFile1 { static void doIt(String fileName) throws IOException{ DataInputStreamForAddNumbers1 source = null; if(fileName==null){ throw new Error("Attempt to read from an unopen File"); } try { source = new DataInputStreamForAddNumbers1(fileName); } catch (FileNotFoundException e) { throw new Error("File " + fileName + " cannot be found"); } int count = 0; try { count = source.readInt(); } catch(EOFException e){ source.close(); throw new Error("File " + source.filename + " contains no data!"); } catch(IOException e){ source.close(); throw new Error("Bad data in file" + source.filename); } …

22 Kestrel Ambiguous Analysis If the analysis remains ambiguous, then some form of runtime tracking of state is required, and runtime enforcement decisions. Technique: use subclassing to track state

23 Kestrel Generic File Management Policy Open Stop openclose use FileNotFoundException / handler1 IOException / handler2 use handler3 Start Error

24 Kestrel Ambiguous Analysis public class DataInputStreamForAddNumbers extends DataInputStream { public static final int Start = 1; public static final int Open = 2; public static final int Closed = 3; int currentState = Start; public String filename; public DataInputStreamForAddNumbers(String filename) throws FileNotFoundException { super(new FileInputStream(filename)); // field in stores the file handle this.filename = filename; this.currentState = Open; } public boolean inState(int state){ return this.currentState == state; }

25 Kestrel Ambiguous Analysis public int readInteger() throws IOException { int x = 0; switch(currentState){ case Start: throw new Error("Attempt to read from an unopen File"); case Open: try{ x = super.readInt(); } catch (EOFException e){ throw new EOFException("File" + filename + "contains no data!"); } catch (IOException e){ throw new IOException("Cannot read from file " + filename); } break; case Closed: throw new Error("File " + filename + "already closed"); } return x; }

26 Kestrel Extra slides

Download ppt "Kestrel Policy Enforcement and Refinement Douglas R. Smith Kestrel Institute Palo Alto, California."

Similar presentations

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lilian Blot VARIABLE SCOPE EXCEPTIONS FINAL WORD Final Lecture Spring 2014 TPOP 1.

Lilian Blot VARIABLE SCOPE EXCEPTIONS FINAL WORD Final Lecture Spring 2014 TPOP 1.
Topics Introduction Types of Errors Exceptions Exception Handling

Topics Introduction Types of Errors Exceptions Exception Handling
Exceptions Chapter 15. 15 Throwing and Catching Exceptions When a program runs into a problem that it cannot handle, it throws an exception. Exceptions.

Exceptions Chapter Throwing and Catching Exceptions When a program runs into a problem that it cannot handle, it throws an exception. Exceptions.
Chapter 1 Writing a Program Fall 2011. Class Overview Course Information –On the web page and Blackboard –www.uncp.edu/home/lilliec/www.uncp.edu/home/lilliec/

Chapter 1 Writing a Program Fall Class Overview Course Information –On the web page and Blackboard –
Yoshi

Yoshi
Java Exception Very slightly modified from K.P. Chow University of Hong Kong (some slides from S.M. Yiu)

Java Exception Very slightly modified from K.P. Chow University of Hong Kong (some slides from S.M. Yiu)
C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 15: Exception Handling.

C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 15: Exception Handling.
Chapter 16: Exception Handling C++ Programming: From Problem Analysis to Program Design, Fifth Edition.

Chapter 16: Exception Handling C++ Programming: From Problem Analysis to Program Design, Fifth Edition.
 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.

 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.
Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.

Slides prepared by Rose Williams, Binghamton University ICS201 Exception Handling University of Hail College of Computer Science and Engineering Department.
COP 2800 Lake Sumter State College Mark Wilson, Instructor.

COP 2800 Lake Sumter State College Mark Wilson, Instructor.
Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.

Concolic Modularity Testing Derrick Coetzee University of California, Berkeley CS 265 Final Project Presentation.
Exception Handling.  What are errors?  What does exception handling allow us to do?  Where are exceptions handled?  What does exception handling facilitate?

Exception Handling.  What are errors?  What does exception handling allow us to do?  Where are exceptions handled?  What does exception handling facilitate?
1 Chapter 4 Language Fundamentals. 2 Identifiers Program parts such as packages, classes, and class members have names, which are formally known as identifiers.

1 Chapter 4 Language Fundamentals. 2 Identifiers Program parts such as packages, classes, and class members have names, which are formally known as identifiers.
Exception examples. import java.io.*; import java.util.*; class IO { private String line; private StringTokenizer tokenizer; public void newline(DataInputStream.

Exception examples. import java.io.*; import java.util.*; class IO { private String line; private StringTokenizer tokenizer; public void newline(DataInputStream.
Exceptions Used to signal errors or unexpected situations to calling code Should not be used for problems that can be dealt with reasonably within local.

Exceptions Used to signal errors or unexpected situations to calling code Should not be used for problems that can be dealt with reasonably within local.
Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
1 Fall 2008ACS-1903 for Loop Reading files String conversions Random class.

1 Fall 2008ACS-1903 for Loop Reading files String conversions Random class.

Similar presentations

Ads by Google