© Andrew Ireland, Dependable Systems Group
On the Scalability of Proof Carrying Code for Software Certification
Andrew Ireland, School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh

Presentation transcript:

On the Scalability of Proof Carrying Code for Software Certification
Andrew Ireland, School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh

Outline
- High integrity software development
- Evidence based software certificates
- Scalability problems
- A planning approach
- Issues for discussion

The SPARK Approach
- SPARK is a subset of Ada with annotations (Praxis High Integrity Systems Ltd)
- Supports data and information flow analysis and formal verification, in particular exception freedom proofs
- Used on the EuroFighter and Hawk projects, advocated by the NSA, ...
[Diagram: SPARK code -> SPARK Examiner -> VCs -> SPADE Simplifier -> unproven VCs -> SPADE Proof Checker (driven by tactics) -> proofs; proof failures (X) feed back as revisions to the SPARK code]

NuSPADE
- NuSPADE = proof planning + program analysis
- Annotation generation motivated by proof-failure analysis
[Diagram: the SPARK toolchain (SPARK Examiner, SPADE Simplifier, SPADE Proof Checker) with NuSPADE taking the unproven VCs and returning annotations for the SPARK code and tactics for the SPADE Proof Checker; proof failures marked X]

NuSPADE
- Co-operative style of integration, i.e. "productive use of failure"
[Diagram: unproven VCs -> Proof Planner, cooperating with a Program Analyzer via abstract predicates and annotations, producing tactics]

[Diagram: proof planning architecture. A conjecture goes to the Proof Planner, which draws on a plan theory of proof plans and emits a tactic; the tactic is run by the Proof Checker; proof failure is fed back to the planner]

SPARK and Certification
- Z specifications + rigorous proofs
- Data flow and information flow analysis
- Code level proofs:
  - Exception freedom proofs: automatic + interactive proofs
  - Functional proofs: significant level of interactive proofs
  - Proof review files
- Resource analysis
- Note: various levels of formal and rigorous evidence

Evidence Based Certification
- Proof-Carrying Code (PCC): an example of an evidence based approach to certification
- Code is delivered with a certificate containing a condensed mathematical proof, i.e. a proof that the code satisfies the desired safety properties
- Responsibility for proof construction lies with the code producer; the consumer only performs proof checking
- The Trusted Computing Base (TCB) for PCC is small, i.e. the safety properties, the verification condition generator and the proof checker

Properties, Proofs & Certificates
- Properties are typically simple, e.g. memory safety
- Proof construction involves advanced type checking, i.e. no theorem proving
- Certificates:
  - LF proofs: quadratic with respect to program size
  - LFi proofs: 2.5 to 5 times program size
  - Oracle strings: on average 12% of program size
  - Proof tactics have also been used

Scalability Problems
- Need for more comprehensive properties, e.g. functional properties
- MOBIUS: combining type-based and logic-based approaches
- Need to exploit automated theorem proving techniques
- Will the current PCC architecture scale up, e.g. oracle strings?

Planning Oracles as Certificates
[Diagram: the proof planning architecture (conjecture, Proof Planner, plan theory and proof plans, tactic, Proof Checker, proof failure) extended with an Oracle component]
- The oracle identifies:
  - Proof plans and where they should be used
  - Relevant theories
  - Search control hints, e.g. auxiliary lemmas and generalization steps

Certificate Generation
[Diagram: Code + Spec -> Certificate Generation (VCGen + Planner + Checker), drawing on repositories of plans and theories -> Certificate (Oracle), or proof failure]

Certificate Validation
[Diagram: Code + Spec together with the Certificate (Oracle) -> Certificate Validation (VCGen + Planner + Checker), drawing on repositories of plans and theories -> CPU on success, or proof failure]
- Note: certificate transforming compiler
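As an added example, not code from the slides or from NuSPADE, here is a Python toy of the certificate generation and validation pipeline on the two slides above, using an oracle certificate in the sense of the "Planning Oracles as Certificates" slide: the producer searches a constructed Horn-clause theory and ships only the clause index it chose at each step, while the validator (the TCB side) replays those choices with no search and rejects any oracle that does not reconstruct a proof against the theory repository. The theory, the VC names and the clause encoding are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

# A clause is (conclusion, premises); a fact has no premises.  Constructed
# theory repository modelling an exception-freedom VC for an array access.
Clause = Tuple[str, Tuple[str, ...]]
THEORY: List[Clause] = [
    ("i_ge_0", ()),                        # loop invariant facts (constructed)
    ("i_lt_n", ()),
    ("n_le_len", ()),
    ("i_lt_len", ("i_lt_n", "n_le_len")),  # transitivity lemma
    ("index_ok", ("i_ge_0", "i_lt_len")),  # array index within bounds
    ("no_exception", ("unreachable",)),    # dead end the planner must reject
    ("no_exception", ("index_ok",)),       # VC: no Index_Error is raised
]

def produce(goal: str, theory: List[Clause], depth: int = 0) -> Optional[List[int]]:
    """Producer side: backtracking search for a proof of `goal`; returns the
    oracle, i.e. only the index of the clause chosen at each step."""
    if depth > 32:                         # guard against cyclic theories
        return None
    for idx, (concl, prems) in enumerate(theory):
        if concl != goal:
            continue
        oracle = [idx]
        for p in prems:
            sub = produce(p, theory, depth + 1)
            if sub is None:
                break                      # this clause fails; try the next
            oracle += sub
        else:
            return oracle
    return None

def validate(goal: str, oracle: List[int], theory: List[Clause]) -> bool:
    """Consumer side (TCB): deterministic replay of the oracle, no search.
    Every step is checked against the theory, so a forged or mismatched
    oracle is rejected rather than trusted."""
    pos = 0
    def check(g: str) -> bool:
        nonlocal pos
        if pos >= len(oracle):             # certificate too short
            return False
        idx, pos = oracle[pos], pos + 1
        if not 0 <= idx < len(theory) or theory[idx][0] != g:
            return False                   # clause does not prove this goal
        return all(check(p) for p in theory[idx][1])
    return check(goal) and pos == len(oracle)   # and no trailing junk

if __name__ == "__main__":
    cert = produce("no_exception", THEORY)
    print("oracle:", cert, "valid:", validate("no_exception", cert, THEORY))
```

The oracle is a handful of integers rather than a proof tree, which is the size argument behind oracle strings; the price is that the theory repository now sits inside the TCB, the first discussion issue below.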

Discussion Issues
- The proposed proof planning approach will add theory repositories (and specifications) to the TCB. Is this acceptable?
- For memory limited devices, proof planning oracles are not an option for on-device certificate validation. How important is on-device validation to certification management in general?
- More comprehensive properties will require off-device validation. Could a dedicated certificate validation device have a role to play?
- Certificate transforming compiler or trusted compiler?

Conclusion
- The SPARK Approach and proof automation via proof planning
- The success of PCC as well as the limits of current architectures
- Proposal for proof planning and proof planning oracles as a technique for addressing these limitations