Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.

Published byMargaret Pearson Modified over 8 years ago

Similar presentations

Presentation on theme: "© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer."— Presentation transcript:

1 © Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh

2 © Andrew IrelandDependable Systems Group Outline High integrity software development Evidence based software certificates Scalability problems A planning approach Issues for discussion

3 © Andrew IrelandDependable Systems Group The SPARK Approach SPARK Examiner SPADE Simplifier SPADE Proof Checker SPARK is a subset of Ada with annotations (Praxis High Integrity Systems Ltd) Supports data & information flow analysis and formal verification - in particular, exception freedom proofs EuroFighter and Hawk projects, advocated by NSA, … VCs Unproven VCs  SPARK code Proofs X Revisions Tactics

4 © Andrew IrelandDependable Systems Group NuSPADE SPARK Examiner SPADE Simplifier SPADE Proof Checker NuSPADE = proof planning + program analysis Annotation generation motivated by proof-failure analysis VCs Unproven VCs  SPARK code Proofs Annotations X Tactics

5 © Andrew IrelandDependable Systems Group NuSPADE Unproven VCs Abstract Predicates Annotations Co-operative style of integration, i.e. “productive use of failure” Proof Planner Program Analyzer Tactics

6 © Andrew IrelandDependable Systems Group Conjecture Proof Plans Plan Theory Proof Planner Proof Checker Tactic Proof Failure

7 © Andrew IrelandDependable Systems Group SPARK and Certification Z specifications + rigorous proofs Data flow & information analysis Code level proofs: –Exception freedom proofs: automatic + interactive proofs –Functional proofs: significant level of interactive proofs –Proof review files Resource analysis Note: various levels of formal & rigorous evidence

8 © Andrew IrelandDependable Systems Group Evidence Based Certification Proof-Carrying Code (PCC) – a example of an evidence based approach to certification Code is delivered with a certificate containing a condensed mathematical proof, i.e. a proof that the code satisfies desired safety properties Responsibility for proof construction lies with the code producer, consumer performs proof checking Trusted Computing Base (TCB) for PCC is small, i.e. safety properties, verification condition generator and proof checker

9 © Andrew IrelandDependable Systems Group Properties, Proofs & Certificates Properties typically simple, e.g. memory safety Proof construction involves advanced type checking, i.e. no theorem proving Certificates: –LF proofs quadratic with respect to program size –LFi proofs 2.5 to 5 times program size –Oracles strings on average 12% program size –Proof tactics have also been used

10 © Andrew IrelandDependable Systems Group Scalability Problems Need for comprehensive properties, e.g. functional properties MOBIUS: combining type-based and logic- based approaches Need to exploit automated theorem proving techniques Will current PCC architecture scale-up, e.g. oracles strings?

11 © Andrew IrelandDependable Systems Group Conjecture Proof Plans Plan Theory Proof Planner Proof Checker Tactic Proof Failure

12 © Andrew IrelandDependable Systems Group Conjecture Proof Plans Plan Theory Proof Planner Proof Checker Tactic Proof Failure

13 © Andrew IrelandDependable Systems Group Conjecture Proof Plans Plan Theory Proof Planner Proof Checker Tactic Proof Failure Oracle

14 © Andrew IrelandDependable Systems Group Conjecture Planning Oracles as Certificates Plan Theory Proof Planner Proof Checker Tactic Proof Failure Oracle

15 © Andrew IrelandDependable Systems Group Conjecture Planning Oracles as Certificates Plan Theory Proof Planner Proof Checker Tactic Proof Failure Oracle Oracle identifies: Proof plans and where they should be used Relevant theories Search control hints, e.g. auxiliary lemmas and generalization steps

16 © Andrew IrelandDependable Systems Group Certificate Generation Code + Spec Certificate Generation (VCGen + Planner +Checker) Certificate (Oracle) ? ProofFailure Repositories (plans + theories)

17 © Andrew IrelandDependable Systems Group Certificate Validation Code + Spec Certificate Validation (VCGen + Planner +Checker) Certificate (Oracle) Repositories (plans + theories) ? Proof Failure CPU Note: Certificate transforming compiler

18 © Andrew IrelandDependable Systems Group Discussion Issues The proposed proof planning approach will add theory repositories (and specifications) to the TCB – is this acceptable? For memory limited devices, proof planning oracles are not an option for on-device certificate validation – how important is on-device validation to certification management in general? More comprehensive properties will require off-device validation – could a dedicated certificate validation device have a role to play? Certificate transforming compiler or trusted compiler?

19 © Andrew IrelandDependable Systems Group Conclusion The SPARK Approach and proof automation via proof planning The success of PCC as well and the limits of current architectures Proposal for proof planning and proof planning oracles as a technique for addressing limitations

Download ppt "© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
© Andrew IrelandSoftware Design F28SD2 Software Design: Summary Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.

© Andrew IrelandSoftware Design F28SD2 Software Design: Summary Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University Edinburgh.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
The ideal of program correctness Tony Hoare BudapestSeptember 2006.

The ideal of program correctness Tony Hoare BudapestSeptember 2006.
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
Job No/ 1 © British Crown Copyright 2008/MOD Developing a High Integrity Code Generator Using iUML/iCCG Sam Moody AWE plc, Aldermaston, Berkshire, United.

Job No/ 1 © British Crown Copyright 2008/MOD Developing a High Integrity Code Generator Using iUML/iCCG Sam Moody AWE plc, Aldermaston, Berkshire, United.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI 297 5.31.2005.

The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Building Reliable Software Requirements and Methods.

Building Reliable Software Requirements and Methods.
Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting.

Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting.
VIDE Integrated Environment for Development and Verification of Programs.

VIDE Integrated Environment for Development and Verification of Programs.
Background on Testing and Maintenance CISC 879 Fall 2008.

Background on Testing and Maintenance CISC 879 Fall 2008.
Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.

The Systems Assurance Group Dr Jaspal Sagoo Systems Assurance Group QinetiQ Trusted Information Management Malvern Technology Centre.
1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

1 The Problem o Fluid software cannot be trusted to behave as advertised unknown origin (must be assumed to be malicious) known origin (can be erroneous.

Similar presentations

Ads by Google