Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lectures on Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 (of 3) June 21-22, 2003 University of Oregon 2004 Summer School on Software.

Published byAgnes Morton Modified over 9 years ago

Similar presentations

Presentation on theme: "Lectures on Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 (of 3) June 21-22, 2003 University of Oregon 2004 Summer School on Software."— Presentation transcript:

1 Lectures on Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 (of 3) June 21-22, 2003 University of Oregon 2004 Summer School on Software Security

2 Some loose ends “Certified code is an old idea” see Butler Lampson’s 1974 paper: An open operating system for a single-user machine. Operating Systems Proceedings of an International Symposium, LNCS 16.

3 Java Grande Suite sec

4 Java Grande Benchmark Suite ops

5 Back to our case study Program AlsoInteresting while read() != 0 i := 0 while i < 100 use 1 i := i + 1

6 The language s ::= skip | i := e | if e then s else s | while e do s | s ; s | use e | acquire e

7 Defining a VCgen To define a verification-condition generator for our language, we start by defining the language of predicates P ::= b | P Æ P | A ) P | 8 i.P | e? P : P A ::= b | A Æ A b ::= true | false | e ¸ e | e = e predicates annotations boolean expressions

8 Weakest preconditions The VCgen we define is a simple variant of Dijkstra’s weakest precondition calculus It makes use of generalized predicates of the form: (P,e) (P,e) is true if P is true and at least e units of the resource are currently available

9 Hoare triples The VCgen’s job is to compute, for each statement S in the program, the Hoare triple  (P’,e’) S (P,e) which means, roughly: If (P,e) holds prior to executing S, and then S is executed and it terminates, then (P’,e’) holds afterwards

10 VCgen Since we will usually have the postcondition (true,0) for the last statement in the program, we can define a function vcg(S, (P,i)) ! (P’,i’) I.e., given a statement and its postcondition, generate the weakest precondition

11 The VCgen (easy parts) vcg(skip, (P,e))= (P,e) vcg(s 1 ;s 2, (P,e))= vcg(s 1, vcg(s 2, (P,e))) vcg(x:=e’, (P,e))= ([e’/x]P, [e’/x]e) vcg(if b then s 1 else s 2, (P,e)) = (b? P 1 :P 2, b? e 1 :e 2 ) where (P 1,e 1 ) = vcg(s 1,(P,e)) and (P 2,e 2 ) = vcg(s 2,(P,e)) vcg(use e’, (P,e))= (P Æ e’ ¸ 0, e’ + (e ¸ 0? e : 0) vcg(acquire e’, (P,e)) = (P Æ e’ ¸ 0, e-e’)

12 Example 1 acquire 3 use 2 (true, 0) (true Æ 2 ¸ 0, 2+0) vcg(use e’, (P,e))= (P Æ e’ ¸ 0, e’ + (e ¸ 0? e:0) vcg(acquire e’, (P,e)) = (P Æ e’ ¸ 0, e-e’) (true Æ 2 ¸ 0 Æ 3 ¸ 0, 2+0-3) Pre: (true,0) Post: (true,0) Prove: Pre ) (true,-1)

13 Example 2 acquire 3 use 2 use 1 (true, 0) (true Æ 1 ¸ 0, 1+0) (true Æ 1 ¸ 0 Æ 2 ¸ 0 Æ 3 ¸ 0, 2+1+0-3) (true Æ 1 ¸ 0 Æ 2 ¸ 0, 2+1+0) vcg(use e’, (P,e))= (P Æ e’ ¸ 0, e’ + (e ¸ 0? e:0) vcg(acquire e’, (P,e)) = (P Æ e’ ¸ 0, e-e’)

14 Example 3 acquire 9 if (b) then use 5 else use 4 use 4 vcg(if b then s1 else s2, (P,e)) = (b? P1:P2, b? e1:e2) where (P1,e1) = vcg(s1,(P,e)) and (P2,e2) = vcg(s2,(P,e)) (true, 0) (4 ¸ 0, 4) (4 ¸ 0, 8) (5 ¸ 0, 9) (b?true:true, b?9:8) (9 ¸ 0, (b?9:8) - 9)

15 Example 4 acquire 8 if (b) then use 5 else use 4 use 4 vcg(if b then s1 else s2, (P,e)) = (b? P1:P2, b? e1:e2) where (P1,e1) = vcg(s1,(P,e)) and (P2,e2) = vcg(s2,(P,e)) (true, 0) (4 ¸ 0, 4) (4 ¸ 0, 8) (5 ¸ 0, 9) (b?true:true, b?9:8) (8 ¸ 0, (b?9:8) - 8)

16 Loops Loops cause an obvious problem for the computation of weakest preconditions acquire n i := 0 while (i<n) do { use 1 i := i + 1 }

17 Snipping up programs A simple loop I I I Pre I Post I Broken into segments

18 Loop invariants We thus require that the programmer or compiler insert invariants to cut the loops acquire n i := 0 while (i<n) do { use 1 i := i + 1 } with (i · n, n-i) An annotated loop A ::= b | A Æ A

19 VCgen for loops vcg(while b do s with (A I,e I ), (P,e)) = (A I Æ 8 i 1,i 2,….A I ) b ?P’ Æ e I ¸ e’, : P Æ e i ¸ e, e I ) where (P’,e’) = vcg(s,(A I,e I )) and i 1,i 2,… are the variables modified in s

20 Example 5 acquire n; i := 0; while (i<n) do { use 1; i := i + 1; } with (i · n,n-i); (true, 0) (i · n, n-i) (i+1 · n, n-(i+1)) (i+1 · n Æ 1 ¸ 0, n-i) (i · n Æ 8 i.i · n ) cond(i<n,i+1 · n Æ n-i ¸ n-i, n-i ¸ n-i) n-i) (0 · n Æ 8 i. …, n-0) (… \and n ¸ 0, n-n)

21 Our easy case Program Static acquire 10000 i := 0 while i < 10000 use 1 i := i + 1 with (i · 10000, 10000-i) Typical loop invariant for “standard for loops”

22 Our hopeless case Program Dynamic while read() != 0 acquire 1 use 1 with (true, 0) Typical loop invariant for “Java-style checking”

23 Our interesting case Program Interesting N := read() acquire N i := 0 while i < N use 1 i := i + 1 with (i · N, N-i)

24 Also interesting Program AlsoInteresting while read() != 0 acquire 100 i := 0 while i < 100 use 1 i := i + 1 with (i · 100, 100-i)

25 Annotating programs How are these annotations to be inserted? The programmer could do it Or: A compiler could start with code that has every use immediately preceded by an acquire We then have a code-motion optimization problem to solve

26 VCGen’s Complexity Some complications: If dealing with machine code, then VCGen must parse machine code. Maintaining the assumptions and current context in a memory- efficient manner is not easy. Note that Sun’s kVM does verification in a single pass and only 8KB RAM!

27 VC Explosion a == b a == c f(a,c) a := xc := x a := yc := y a=b => (x=c => safe f (y,c)  x<>c => safe f (x,y))  a<>b => (a=x => safe f (y,x)  a<>x => safe f (a,y)) Exponential growth in size of the VC is possible.

28 VC Explosion a == b a == c f(a,c) a := xc := x a := yc := y INV: P(a,b,c,x) (a=b => P(x,b,c,x)  a<>b => P(a,b,x,x))  (  a’,c’. P(a’,b,c’,x) => a’=c’ => safe f (y,c’)  a’<>c’ => safe f (a’,y)) Growth can usually be controlled by careful placement of just the right “join-point” invariants.

29 Proving the Predicates

30 Proving predicates Note that left-hand side of implications is restricted to annotations vcg() respects this, as long as loop invariants are restricted to annotations P ::= b | P Æ P | A ) P | 8 i.P | e? P : P A ::= b | A Æ A b ::= true | false | e ¸ e | e = e predicates annotations boolean expressions

31 A simple prover We can thus use a simple prover with functionality prove(annotation,pred) ! bool where prove(A,P) is true iff A ) P i.e., A ) P holds for all values of the variables introduced by 8

32 A simple prover prove(A,b)= : sat(A Æ : b) prove(A,P 1 Æ P 2 )= prove(A,P 1 ) Æ prove(A,P 2 ) prove(A,b? P 1 :P 2 )= prove(A Æ b,P 1 ) Æ prove(A Æ : b,P 2 ) prove(A,A 1 ) P)= prove(A Æ A 1,P) prove(A, 8 i.P)= prove(A,[a/i]P) (a fresh)

33 Soundness Soundness is stated in terms of a formal operational semantics. Essentially, it states that if Pre ) vcg(program) holds, then all use e statements succeed

34 Logical Frameworks

35 Logical frameworks The Edinburgh Logical Framework (LF) is a language for specifying logics. LF is a lambda calculus with dependent types, and a powerful language for writing formal proof systems.

36 LF The Edinburgh Logical Framework language, or LF, provides an expressive language for proofs- as-programs. Furthermore, it use of dependent types allows, among other things, the axioms and rules of inference to be specified as well

37 Pfenning’s Elf true: pred. false: pred. /\: pred -> pred -> pred. \/: pred -> pred -> pred. =>: pred -> pred -> pred. all: (exp -> pred) -> pred. Several researchers have developed logic programming languages based on these principles. One of special interest, as it is based on LF, is Pfenning’s Elf language and system. This small example defines the abstract syntax of a small language of predicates

38 Elf example So, for example: Can be written in Elf as all([a:pred] all([b:pred] => (/\ a b) (/\ b a))) true: pred. false: pred. /\: pred -> pred -> pred. \/: pred -> pred -> pred. =>: pred -> pred -> pred. all: (exp -> pred) -> pred.

39 Proof rules in Elf Dependent types allow us to define the proof rules… pf: pred -> type. truei: pf true. andi: {P:pred} {Q:pred} pf P -> pf Q -> pf (/\ P Q). andel: {P:pred} {Q:pred} pf (/\ P Q) -> pf P. ander: {P:pred} {Q:pred} pf (/\ P Q) -> pf Q. impi: {P1:pred} {P2:pred} (pf P1 -> pf P2) -> pf (=> P1 P2). alli: {P1:exp -> pred} ({X:exp} pf (P1 X)) -> pf (all P1). e: exp -> pred

40 Proofs in Elf …which in turns allows us to have easy-to-validate proofs … (impi (/\ a b) (/\ b a) ([ab:pf(/\ a b)] (andi b a (ander a b ab) (andel a b ab))))…) : all([a:exp] all([b:exp] => (/\ a b) (/\ b a))).

41 LF as the internal language Explanation Code Verification condition generator Checker Proof rules Agent Host LF is the language of the blue arrows

42 Code producerHost

43 This store instruction is dangerous! Code producerHost

44 I am convinced it is safe to execute only if all([a:exp] (all([b:exp] (=> (/\ a b) (/\ b a))) Code producerHost A verification condition

45 … (impi (/\ a b) (/\ b a) ([ab:pf(/\ a b)] (andi b a (ander a b ab) (andel a b ab))))…) Code producerHost

46 Your proof typechecks. I believe you because I believe in logic. Code producerHost

Download ppt "Lectures on Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 (of 3) June 21-22, 2003 University of Oregon 2004 Summer School on Software."

Similar presentations

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,

Types, Proofs, and Safe Mobile Code The unusual effectiveness of logic in programming language research Peter Lee Carnegie Mellon University January 22,
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.

VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI

Similar presentations

Ads by Google