Your search keyword '"Proof-carrying code"' showing total 191 results

1. Research on Remote Attestation Technology Based on Formal Software Behavior Measurement

Author

Qian, Hanwei, Yuan, Ming, Xia, Lingling, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Kotenko, Igor, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Sun, Xingming, editor, Wang, Jinwei, editor, and Bertino, Elisa, editor

Published

2020

2. Effective Bridging Between Ecore and Coq: Case of a Type-Checker with Proof-Carrying Code

Author

Buisson, Jérémy, Rehab, Seidali, Kacprzyk, Janusz, Series Editor, Chikhi, Salim, editor, Amine, Abdelmalek, editor, Chaoui, Allaoua, editor, and Saidouni, Djamel Eddine, editor

Published

2019

3. Stopping Injection Attacks with Code and Structured Data

Author

Tirronen, Ville, Tzafestas, S.G., Series Editor, Antsaklis, P., Advisory Editor, Borne, P., Advisory Editor, Carelli, R., Advisory Editor, Fukuda, T., Advisory Editor, Gans, N.R., Advisory Editor, Harashima, F., Advisory Editor, Martinet, P., Advisory Editor, Monaco, S., Advisory Editor, Negenborn, R.R., Advisory Editor, Pascoal, A.M., Advisory Editor, Schmidt, G., Advisory Editor, Sobh, T.M., Advisory Editor, Tzafestas, C., Advisory Editor, Valavanis, K., Advisory Editor, Lehto, Martti, editor, and Neittaanmäki, Pekka, editor

Published

2018

4. A Proof-Carrying Code Approach to Certificate Auction Mechanisms

Author

Bai, W., Tadjouddine, E. M., Payne, T. R., Guan, S. U., Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Fiadeiro, José Luiz, editor, Liu, Zhiming, editor, and Xue, Jinyun, editor

Published

2014

5. Certificates and Separation Logic

Author

Nordio, Martin, Calcagno, Cristiano, Meyer, Bertrand, Abadi, Martín, editor, and Lluch Lafuente, Alberto, editor

Published

2014

6. Certifying delta-oriented programs.

Author

Rodrigues, Vítor, Donetti, Simone, and Damiani, Ferruccio

Subjects

*SOFTWARE frameworks, *LIBRARY software, *BINARY codes, *SOURCE code, *COMPUTER software development, *COMPUTER software reusability, *UNIFIED modeling language

Abstract

A major design concern in modern software development frameworks is to ensure that mechanisms for updating code running on remote devices comply with given safety specifications. This paper presents a delta-oriented approach for implementing product lines where software reuse is achieved at the three levels of state-diagram modeling, C/ C + + source code and binary code. A safety specification is expressed on the properties of reusable software libraries that can be dynamically loaded at run time after an over-the-air update. The compilation of delta-engineered code is certified using the framework of proof-carrying code in order to guarantee safety of software updates on remote devices. An empirical evaluation of the computational cost associated with formal safety checks is done by means of experimentation. [ABSTRACT FROM AUTHOR]

Published

2019

7. Proof-Carrying Code in a Session-Typed Process Calculus

Author

Pfenning, Frank, Caires, Luis, Toninho, Bernardo, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Sudan, Madhu, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Vardi, Moshe Y., Series editor, Weikum, Gerhard, Series editor, Jouannaud, Jean-Pierre, editor, and Shao, Zhong, editor

Published

2011

8. An Extended Proof-Carrying Code Framework for Security Enforcement

Author

Pirzadeh, Heidar, Dubé, Danny, Hamou-Lhadj, Abdelwahab, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Gavrilova, Marina L., editor, Tan, C. J. Kenneth, editor, and Moreno, Edward David, editor

Published

2010

9. Proof-Transforming Compilation of Eiffel Programs

Author

Nordio, Martin, Müller, Peter, Meyer, Bertrand, van der Aalst, Will, editor, Mylopoulos, John, editor, Sadeh, Norman M., editor, Shaw, Michael J., editor, Szyperski, Clemens, editor, Paige, Richard F., editor, and Meyer, Bertrand, editor

Published

2008

10. On Formal Certification of AD Transformations

Author

Tadjouddine, Emmanuel M., Barth, Timothy J., editor, Griebel, Michael, editor, Keyes, David E., editor, Nieminen, Risto M., editor, Roose, Dirk, editor, Schlick, Tamar, editor, Bischof, Christian H., editor, Bücker, H. Martin, editor, Hovland, Paul, editor, Naumann, Uwe, editor, and Utke, Jean, editor

Published

2008

11. Light Functional Interpretation : An Optimization of Gödel’s Technique Towards the Extraction of (More) Efficient Programs from (Classical) Proofs

Author

Hernest, Mircea-Dan, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Dough, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, and Ong, Luke, editor

Published

2005

12. Correctness of Source-Level Safety Policies

Author

Denney, Ewen, Fischer, Bernd, Araki, Keijiro, editor, Gnesi, Stefania, editor, and Mandrioli, Dino, editor

Published

2003

13. Temporal Logic for Proof-Carrying Code

Author

Bernard, Andrew, Lee, Peter, Goos, G., editor, Hartmanis, J., editor, van Leeuwen, J., editor, Carbonell, Jaime G., editor, Siekmann, Jörg, editor, and Voronkov, Andrei, editor

Published

2002

14. Synthesizing Certified Code

Author

Whalen, Michael, Schumann, Johann, Fischer, Bernd, Goos, Gerhard, editor, Hartmanis, Juris, editor, van Leeuwen, Jan, editor, Eriksson, Lars-Henrik, editor, and Lindsay, Peter Alexander, editor

Published

2002

15. Proof-Carrying Code

Author

Necula, George, van Tilborg, Henk C. A., editor, and Jajodia, Sushil, editor

Published

2011

16. Programs from Proofs: A Framework for the Safe Execution of Untrusted Software.

Author

JAKOBS, MARIE-CHRISTINE and WEHRHEIM, HEIKE

Subjects

*COMPUTER software safety measures, *PROGRAM transformation, *COMPUTER programming, *PROOF of concept, *COMPUTER software development, *FLOW control (Data transmission systems)

Abstract

Today, software is traded worldwide on global markets, with apps being downloaded to smartphones within minutes or seconds. This poses, more than ever, the challenge of ensuring safety of software in the face of (1) unknown or untrusted software providers together with (2) resource-limited software consumers. The concept of Proof-Carrying Code (PCC), years ago suggested by Necula, provides one framework for securing the execution of untrusted code. PCC techniques attach safety proofs, constructed by software producers, to code. Based on the assumption that checking proofs is usually much simpler than constructing proofs, software consumers should thus be able to quickly check the safety of software. However, PCC techniques often suffer from the size of certificates (i.e., the attached proofs), making PCC techniques inefficient in practice. In this article, we introduce a new framework for the safe execution of untrusted code called Programs from Proofs (PfP). The basic assumption underlying the PfP technique is the fact that the structure of programs significantly influences the complexity of checking a specific safety property. Instead of attaching proofs to program code, the PfP technique transforms the program into an efficiently checkable form, thus guaranteeing quick safety checks for software consumers. For this transformation, the technique also uses a producer-side automatic proof of safety. More specifically, safety proving for the software producer proceeds via the construction of an abstract reachability graph (ARG) unfolding the control-flow automaton (CFA) up to the degree necessary for simple checking. To this end, we combine different sorts of software analysis: expensive analyses incrementally determining the degree of unfolding, and cheap analyses responsible for safety checking. Out of the abstract reachability graph we generate the new program. In its CFA structure, it is isomorphic to the graph and hence another, this time consumer-side, cheap analysis can quickly determine its safety. Like PCC, Programs from Proofs is a general framework instantiable with different sorts of (expensive and cheap) analysis. Here, we present the general framework and exemplify it by some concrete examples. We have implemented different instantiations on top of the configurable program analysis tool CPACHECKER and report on experiments, in particular on comparisons with PCC techniques. [ABSTRACT FROM AUTHOR]

Published

2017

17. Eliminating the Hardware-Software Boundary: A Proof-Carrying Approach for Trust Evaluation on Computer Systems.

Author

Guo, Xiaolong, Dutta, Raj Gautam, and Jin, Yier

Abstract

The wide usage of hardware intellectual property (IP) cores and software programs from untrusted third-party vendors has raised security concerns for computer system designers. The existing approaches, designed to ensure the trustworthiness of either the hardware IP cores or to verify software programs, rarely secure the entire computer system. The semantic gap between the hardware and the software lends to the challenge of securing computer systems. In this paper, we propose a new unified framework to represent both the hardware infrastructure and the software program in the same formal language. As a result, the semantic gap between the hardware and the software is bridged, enabling the development of system-level security properties for the entire computer system. Our unified framework uses a cross-domain formal verification method to protect the entire computer system within the scope of proof-carrying hardware. The working procedure of the unified framework is demonstrated with a sample embedded system which includes an 8051 microprocessor and an RC5 encryption program. In our demonstration, we show that the embedded system is trusted if the system level security properties are provable. Supported by the unified framework, the system designers/integrators will be able to formally verify the trustworthiness of the computer system integrated with hardware and software both from untrusted third-party vendors. [ABSTRACT FROM PUBLISHER]

Published

2017

18. Proving renaming for Haskell via dependent types : a case-study in refactoring soundness

Author

Barwell, Adam David, Brown, Christopher Mark, Sarkar, Susmit, EPSRC, European Commission, and University of St Andrews. School of Computer Science

Subjects

MCC, QA75, Renaming, Refactoring, Haskell, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Proof-carrying code, Soundness, QA75 Electronic computers. Computer science, T-NDAS, Idris, NIS, Dependent types

Abstract

We present a formally verified renaming refactoring for a subset of Haskell 98 giving a case-study in proving soundness properties of Haskell refactorings. Our renaming is implemented in the dependently- typed language Idris, which allows us to encode soundness proofs as an integral part of the implementation. We give the formal definition of our static semantics for our Haskell 98 subset, which we encode as part of the AST, ensuring that only well-formed programs may be represented and transformed. This forms a foundation upon which refactorings can be formally specified. We then define soundness of refactoring implementations as conformity to their specification. We demonstrate our approach via renaming, a canonical and well-understood refactoring, giving its implementation alongside its formal specification and soundness proof. Postprint

Published

2021

19. Practical and Efficient in-Enclave Verification of Privacy Compliance

Author

Kai Chen, Haixu Tang, Wenhao Wang, Xinyu Wang, XiaoFeng Wang, Yaosong Lu, Qintao Shen, Yi Chen, Hongbo Chen, and Weijie Liu

Subjects

Guard (information security), Information privacy, Computer science, Privacy policy, Code generation, Proof-carrying code, Trusted Computing, Trusted third party, Computer security, computer.software_genre, Security policy, computer, Article

Abstract

A trusted execution environment (TEE) such as Intel Software Guard Extension (SGX) runs attestation to prove to a data owner the integrity of the initial state of an enclave, including the program to operate on her data. For this purpose, the data-processing program is supposed to be open to the owner or a trusted third party, so its functionality can be evaluated before trust being established. In the real world, however, increasingly there are application scenarios in which the program itself needs to be protected (e.g., proprietary algorithm). So its compliance with privacy policies as expected by the data owner should be verified without exposing its code. To this end, this paper presents Deflection, a new model for TEE-based delegated and flexible in-enclave code verification. Given that the conventional solutions do not work well under the resource-limited and TCB-frugal TEE, we come up with a new design inspired by Proof-Carrying Code. Our design strategically moves most of the workload to the code generator, which is responsible for producing easy-to-check code, while keeping the consumer simple. Also, the whole consumer can be made public and verified through a conventional attestation. We implemented this model on Intel SGX and demonstrate that it introduces a very small part of TCB. We also thoroughly evaluated its performance on micro- and macro- benchmarks and real-world applications, showing that the design only incurs a small overhead when enforcing several categories of security policies.

Published

2021

20. A trustworthy framework for resource-aware embedded programming

Author

Barwell, Adam David, Brown, Christopher Mark, Stutterheim, Jurriën, Chin, Wei Ngan, European Commission, EPSRC, and University of St Andrews. School of Computer Science

Subjects

QA75, QA76 Computer software, Proof-carrying code, Embedded systems, QA75 Electronic computers. Computer science, T-NDAS, Abstract interpretation, Idris, LIghtweight verification, Dependent types, BDU, Non-functional properties, QA76

Abstract

Funding: EU Horizon 2020 project, TeamPlay (https://www.teamplay-h2020.eu), grant number 779882; UK EPSRC Discovery, grant number EP/P020631/1. Systems with non-functional requirements, such as Energy, Time and Security (ETS), are of increasing importance due to the proliferation of embedded devices with limited resources such as drones, wireless sensors, and tablet computers. Currently, however, there are little to no programmer supported methodologies or frameworks to allow them to reason about ETS properties in their source code. Drive is one such existing framework supporting the developer by lifting non-functional properties to the source-level through the Contract Specification Language (CSL), allowing non-functional properties to be first-class citizens, and supporting programmer-written code-level contracts to guarantee the non-functional specifications of the program are met. In this paper, we extend the Drive system by providing rigorous implementations of the underlying proof-engine, modeling the specification of the annotations and assertions from CSL for a representative subset of C, called Imp. We define both an improved abstract interpretation that automatically derives proofs of assertions, and define inference algorithms for the derivation of both abstract interpretations and the context over which the interpretation is indexed. We use the dependently-typed programming language, Idris, to give a formal definition, and implementation, of our abstract interpretation. Finally, we show our well-formed abstract interpretation over some representative exemplars demonstrating provable assertions of ETS. Postprint

Published

2020

21. Research on Remote Attestation Technology Based on Formal Software Behavior Measurement

Author

Hanwei Qian, Ming Yuan, and Lingling Xia

Subjects

Software, Computer science, business.industry, Formal specification, Data integrity, Formal language, Proof-carrying code, Trusted Computing, Software engineering, business, Formal methods, Formal proof

Abstract

The traditional static measurement method based on data integrity measurement can only prove that the software has not been tampered with, and cannot describe the software behavior status. Dynamic measurement can measure the software behavior in real time, but there is no doubt that it requires a lot of computing resources. In this paper, we propose static measurement architecture PMA, which using formal method to abstract and verify software behavior. In PMA, formal language abstracts software behavior, formal specification describes security policy, and software behavior measurement problem is transformed into formal proof. We also have implemented the corresponding code according to the PMA design principle. The experimental test verifies the feasibility of the PMA architecture.

Published

2020

22. Certifying delta-oriented programs

Author

Ferruccio Damiani, Vítor Rodrigues, and Simone Donetti

Subjects

Source code, Computer science, media_common.quotation_subject, 02 engineering and technology, Reuse, Model-driven development, computer.software_genre, Software, Safety properties, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Runtime systems, Proof-carrying code, Delta-oriented programming, media_common, business.industry, Programming language, Software development, Order (ring theory), 020207 software engineering, Modeling and Simulation, Binary code, business, computer

Abstract

A major design concern in modern software development frameworks is to ensure that mechanisms for updating code running on remote devices comply with given safety specifications. This paper presents a delta-oriented approach for implementing product lines where software reuse is achieved at the three levels of state-diagram modeling, C/ $$\text {C}^{_{_{_{++}}}} $$ source code and binary code. A safety specification is expressed on the properties of reusable software libraries that can be dynamically loaded at run time after an over-the-air update. The compilation of delta-engineered code is certified using the framework of proof-carrying code in order to guarantee safety of software updates on remote devices. An empirical evaluation of the computational cost associated with formal safety checks is done by means of experimentation.

Published

2018

23. Certificate size reduction in abstraction-carrying code.

Author

ALBERT, ELVIRA, ARENAS, PURI, PUEBLA, GERMÁN, and HERMENEGILDO, MANUEL

Subjects

COMPUTER software correctness, CODING theory, ITERATIVE methods (Mathematics), COMPUTER checkers, ALGORITHMS, INFORMATION theory, COMPUTER software

Abstract

Abstraction-Carrying Code (ACC) has recently been proposed as a framework for mobile code safety in which the code supplier provides a program together with an abstraction (or abstract model of the program) whose validity entails compliance with a predefined safety policy. The abstraction plays thus the role of safety certificate and its generation is carried out automatically by a fixpoint analyzer. The advantage of providing a (fixpoint) abstraction to the code consumer is that its validity is checked in a single pass (i.e., one iteration) of an abstract interpretation-based checker. A main challenge to make ACC useful in practice is to reduce the size of certificates as much as possible while at the same time not increasing checking time. The intuitive idea is to only include in the certificate information that the checker is unable to reproduce without iterating. We introduce the notion of reduced certificate which characterizes the subset of the abstraction which a checker needs in order to validate (and re-construct) the full certificate in a single pass. Based on this notion, we instrument a generic analysis algorithm with the necessary extensions in order to identify the information relevant to the checker. Interestingly, the fact that the reduced certificate omits (parts of) the abstraction has implications in the design of the checker. We provide the sufficient conditions which allow us to ensure that (1) if the checker succeeds in validating the certificate, then the certificate is valid for the program (correctness) and (2) the checker will succeed for any reduced certificate which is valid (completeness). Our approach has been implemented and benchmarked within the CiaoPP system. The experimental results show that our proposal is able to greatly reduce the size of certificates in practice. [ABSTRACT FROM AUTHOR]

Published

2012

24. Relational bytecode correlations

Author

Beringer, Lennart

Subjects

*STATISTICAL correlation, *DATA structures, *ANALYSIS of variance, *VIRTUAL reality, *COMPUTER software, *CODING theory

Abstract

Abstract: We present a calculus for tracking equality relationships between values through pairs of bytecode programs. The calculus may serve as a certification mechanism for non-interference, a well-known program property in the field of language-based security, and code transformations. Contrary to previous type systems for non-interference, no restrictions are imposed on the control flow structure of programs. Objects, static and virtual methods are included, and heap-local reasoning is supported by frame rules. In combination with polyvariance, the latter enable the modular verification of programs over heap-allocated data structures, which we illustrate by verifying and comparing different implementations of list copying. The material is based on a complete formalisation in Isabelle/HOL. [Copyright &y& Elsevier]

Published

2010

25. Certification of Thread Context Switching.

Author

Guo, Yu, Jiang, Xin-Yu, and Chen, Yi-Yun

Subjects

THREADS (Computer programs), SWITCHING theory, COMPUTER systems, COMPUTER software, ABSTRACT thought, MATHEMATICAL logic

Abstract

With recent efforts to build foundational certified software systems, two different approaches have been proposed to certify thread context switching. One is to certify both threads and context switching in a single logic system, and the other certifies threads and context switching at different abstraction levels. The former requires heavyweight extensions in the logic system to support first-class code pointers and recursive specifications. Moreover, the specification for context switching is very complex. The latter supports simpler and more natural specifications, but it requires the contexts of threads to be abstracted away completely when threads are certified. As a result, the conventional implementation of context switching used in most systems needs to be revised to make the abstraction work. In this paper, we extend the second approach to certify the conventional implementation, where the clear abstraction for threads is unavailable since both threads and context switching hold pointers of thread contexts. To solve this problem, we allow the program specifications for threads to refer to pointers of thread contexts. Thread contexts are treated as opaque structures, whose contents are unspecified and should never be accessed by the code of threads. Therefore, the advantage of avoiding the direct support of first-class code pointers is still preserved in our method. Besides, our new approach is also more lightweight. Instead of using two different logics to certify threads and context switching, we employ only one program logic with two different specifications for the context switching. One is used to certify the implementation itself, and the more abstract one is used as an interface between threads and context switching at a higher abstraction level. The consistency between the two specifications are enforced by the global program invariant. [ABSTRACT FROM AUTHOR]

Published

2010

26. Semantic Foundations for Typed Assembly Languages.

Author

AHMED, AMAL, APPEL, ANDREW W., RICHARDS, CHRISTOPHER D., SWADI, KEDAR N., GANG TAN, and WANG, DANIEL C.

Subjects

*PROGRAMMING language semantics, *SOFTWARE validation, *ASSEMBLY languages (Electronic computers), *COMPUTER logic, *AXIOMS, *PROOF theory

Abstract

Typed Assembly Languages (TALs) are used to validate the safety of machine-language programs. The Foundational Proof-Carrying Code project seeks to verify the soundness of TALs using the smallest possible set of axioms: the axioms of a suitably expressive logic plus a specification of machine semantics. This article proposes general semantic foundations that permit modular proofs of the soundness of TALs. These semantic foundations include Typed Machine Language (TML), a type theory for specifying properties of low-level data with powerful and orthogonal type constructors, and Lc, a compositional logic for specifying properties of machine instructions with simplified reasoning about unstructured control flow. Both of these components, whose semantics we specify using higher-order logic, are useful for proving the soundness of TALs. We demonstrate this by using TML and Lc to verify the soundness of a low-level, typed assembly language, LTAL, which is the target of our core-ML-to-SPARC compiler. To prove the soundness of the TML type system we have successfully applied a new approach, that of step-indexed logical relations. This approach provides the first semantic model for a type system with updatable references to values of impredicative quantified types. Both impredicative polymorphism and mutable references are essential when representing function closures in compilers with typed closure conversion, or when compiling objects to simpler typed primitives. [ABSTRACT FROM AUTHOR]

Published

2010

27. Proof optimization for partial redundancy elimination

Author

Saabas, Ando and Uustalu, Tarmo

Subjects

*OPTIMIZING compilers, *SCALABILITY, *MATHEMATICAL logic, *COMPILERS (Computer programs), *PROGRAMMING languages

Abstract

Abstract: Partial redundancy elimination is a subtle optimization which performs common subexpression elimination and expression motion at the same time. In this paper, we use it as an example to promote and demonstrate the scalability of the technology of proof optimization. By this we mean automatic transformation of a given program’s Hoare logic proof of functional correctness or resource usage into one of the optimized program, guided by a type-derivation representation of the result of the underlying dataflow analyses. A proof optimizer is a useful tool for the producer’s side in a natural proof-carrying code scenario where programs are proved correct prior to optimizing compilation before transmission to the consumer. We present a type-systematic description of the underlying analyses and of the optimization for the while language, demonstrate that the optimization is semantically sound and improving in a formulation using type-indexed relations, and then show that these arguments can be transferred to automatic transformations of functional correctness/resource usage proofs in Hoare logics. For the improvement part, we instrument the standard semantics and Hoare logic so that evaluations of expressions become a resource. [Copyright &y& Elsevier]

Published

2009

28. Provably correct runtime monitoring

Author

Aktug, Irem, Dam, Mads, and Gurov, Dilian

Subjects

*COMPUTER network monitoring, *VIRTUAL machine systems, *COMPUTER engineering, *COMPUTER software, *COMPUTER security, *JAVA programming language, *MACHINE theory, *PROGRAMMING languages

Abstract

Abstract: Runtime monitoring is an established technique to enforce a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has a copy of the given monitor embedded into it. As the main application of these results we sketch a simple inlining algorithm and show how the two-level annotations can be completed to produce a fully annotated program which is valid in the standard sense of Floyd/Hoare logic. This establishes the mediation property that inlined programs are guaranteed to adhere to the intended policy. Furthermore, validity can be checked efficiently using a weakest precondition based annotation checker, thus preparing the ground for on-device checking of policy adherence in a proof-carrying code setting. [Copyright &y& Elsevier]

Published

2009

29. A pointer logic and certifying compiler.

Author

Chen, Yiyun, Ge, Lin, Hua, Baojian, Li, Zhaopeng, Liu, Cheng, and Wang, Zhifang

Abstract

Proof-Carrying Code brings two big challenges to the research field of programming languages. One is to seek more expressive logics or type systems to specify or reason about the properties of low-level or high-level programs. The other is to study the technology of certifying compilation in which the compiler generates proofs for programs with annotations. This paper presents our progress in the above two aspects. A pointer logic was designed for PointerC (a C-like programming language) in our research. As an extension of Hoare logic, our pointer logic expresses the change of pointer information for each statement in its inference rules to support program verification. Meanwhile, based on the ideas from CAP (Certified Assembly Programming) and SCAP (Stack-based Certified Assembly Programming), a reasoning framework was built to verify the properties of object code in a Hoare style. And a certifying compiler prototype for PointerC was implemented based on this framework. The main contribution of this paper is the design of the pointer logic and the implementation of the certifying compiler prototype. In our certifying compiler, the source language contains rich pointer types and operations and also supports dynamic storage allocation and deallocation. [ABSTRACT FROM AUTHOR]

Published

2007

30. Programs from Proofs

Author

Marie-Christine Jakobs and Heike Wehrheim

Subjects

business.industry, Computer science, Programming language, Program transformation, 020207 software engineering, 02 engineering and technology, Abstract interpretation, computer.software_genre, CPAchecker, Software framework, Software, Program analysis, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Proof-carrying code, business, Software analysis pattern, computer

Abstract

Today, software is traded worldwide on global markets, with apps being downloaded to smartphones within minutes or seconds. This poses, more than ever, the challenge of ensuring safety of software in the face of (1) unknown or untrusted software providers together with (2) resource-limited software consumers. The concept of Proof-Carrying Code (PCC), years ago suggested by Necula, provides one framework for securing the execution of untrusted code. PCC techniques attach safety proofs, constructed by software producers, to code. Based on the assumption that checking proofs is usually much simpler than constructing proofs, software consumers should thus be able to quickly check the safety of software. However, PCC techniques often suffer from the size of certificates (i.e., the attached proofs), making PCC techniques inefficient in practice. In this article, we introduce a new framework for the safe execution of untrusted code called Programs from Proofs (PfP). The basic assumption underlying the PfP technique is the fact that the structure of programs significantly influences the complexity of checking a specific safety property. Instead of attaching proofs to program code, the PfP technique transforms the program into an efficiently checkable form, thus guaranteeing quick safety checks for software consumers. For this transformation, the technique also uses a producer-side automatic proof of safety. More specifically, safety proving for the software producer proceeds via the construction of an abstract reachability graph (ARG) unfolding the control-flow automaton (CFA) up to the degree necessary for simple checking. To this end, we combine different sorts of software analysis: expensive analyses incrementally determining the degree of unfolding, and cheap analyses responsible for safety checking. Out of the abstract reachability graph we generate the new program. In its CFA structure, it is isomorphic to the graph and hence another, this time consumer-side, cheap analysis can quickly determine its safety. Like PCC, Programs from Proofs is a general framework instantiable with different sorts of (expensive and cheap) analysis. Here, we present the general framework and exemplify it by some concrete examples. We have implemented different instantiations on top of the configurable program analysis tool CPA checker and report on experiments, in particular on comparisons with PCC techniques.

Published

2017

31. A portable virtual machine target for proof-carrying code

Author

Franz, Michael, Chandra, Deepak, Gal, Andreas, Haldar, Vivek, Probst, Christian W., Reig, Fermín, and Wang, Ning

Subjects

*COMPUTER software, *COMPUTER science, *COMPUTER programming, *ALGORITHMS

Abstract

Abstract: Virtual machines and proof-carrying code provide two techniques that have been used independently to provide safety for mobile code. Both these techniques have strengths and limitations. Existing virtual machines, such as the Java VM, have several drawbacks. First, the effort required for safety verification is considerable. Second, and more subtly, the need to provide such verification by the code consumer inhibits the amount of optimization that can be performed by the code producer. This in turn makes just-in-time compilation surprisingly expensive. Proof-carrying code, on the other hand, has its own set of limitations, among which are the size of proofs and the fact that the certified code is no longer machine independent. By combining the two techniques, we are able to overcome these limitations. Our hybrid safe-code solution uses a virtual machine that has been designed specifically to support proof-carrying code, while simultaneously providing efficient just-in-time compilation and target-machine independence. In particular, our approach reduces the complexity of the required proofs, resulting in fewer proof obligations that need to be discharged at the target machine. [Copyright &y& Elsevier]

Published

2005

32. A complexity analysis of functional interpretations

Author

Hernest, Mircea-Dan and Kohlenbach, Ulrich

Subjects

*MATHEMATICS, *ALGORITHMS, *MATHEMATICAL analysis, *COMPUTER programming

Abstract

Abstract: We give a quantitative analysis of Gödel''s functional interpretation and its monotone variant. The two have been used for the extraction of programs and numerical bounds as well as for conservation results. They apply both to (semi-)intuitionistic as well as (combined with negative translation) classical proofs. The proofs may be formalized in systems ranging from weak base systems to arithmetic and analysis (and numerous fragments of these). We give upper bounds in basic proof data on the depth, size, maximal type degree and maximal type arity of the extracted terms as well as on the depth of the verifying proof. In all cases terms of size linear in the size of the proof at input can be extracted and the corresponding extraction algorithms have cubic worst-time complexity. The verifying proofs have depth linear in the depth of the proof at input and the maximal size of a formula of this proof. [Copyright &y& Elsevier]

Published

2005

33. Building certified libraries for PCC: dynamic storage allocation

Author

Yu, Dachuan, Hamid, Nadeem A., and Shao, Zhong

Subjects

*SAFETY, *CERTIFICATION, *ELIGIBILITY (Social aspects), *LICENSES

Abstract

Proof-carrying code (PCC) allows a code producer to provide to a host a program along with its formal safety proof. The proof attests to a certain safety policy enforced by the code, and can be mechanically checked by the host. While this language-based approach to code certification is very general in principle, existing PCC systems have only focused on programs whose safety proofs can be automatically generated. As a result, many low-level system libraries (e.g., memory management) have not yet been handled. In this paper, we explore a complementary approach in which general properties and program correctness are semi-automatically certified. In particular, we introduce a low-level language, CAP, for building certified programs and present a certified library for dynamic storage allocation. [Copyright &y& Elsevier]

Published

2004

34. Automated techniques for provably safe mobile code

Author

Colby, Christopher, Crary, Karl, Harper, Robert, Lee, Peter, and Pfenning, Frank

Subjects

*CODING theory, *COMPILERS (Computer programs), *ASSEMBLY languages (Electronic computers)

Abstract

We present a general framework for provably safe mobile code. It relies on a formal definition of a safety policy and explicit evidence for compliance with this policy which is attached to a binary. Concrete realizations of this framework are proof-carrying code, where the evidence for safety is a formal proof generated by a certifying compiler, and typed assembly language, where the evidence for safety is given via type annotations propagated throughout the compilation process in typed intermediate languages. Validity of the evidence is established via a small trusted type checker, either directly on the binary or indirectly on proof representations in a logical framework. [Copyright &y& Elsevier]

Published

2003

35. Effective Bridging Between Ecore and Coq: Case of a Type-Checker with Proof-Carrying Code

Author

Seidali Rehab, Jérémy Buisson, Centre de recherche des écoles de Saint-Cyr Coëtquidan [Guer] (CREC), Ecoles de Saint-Cyr Coëtquidan [Guer], ArchWare, Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Université de Bretagne Sud (UBS)-Centre National de la Recherche Scientifique (CNRS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Télécom Bretagne-Université de Rennes 1 (UR1), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA), LANGAGE ET GÉNIE LOGICIEL (IRISA-D4), Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes 1 (UR1), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Advanced Technologies for Operated Networks (ARCHWARE), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Modélisation et d'Implémentation des Systèmes Complexes [Constantine] (MISC), Université de Constantine 2 Abdelhamid Mehri [Constantine], Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-Télécom Bretagne-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), and Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes)

Subjects

System of systems, Computer science, Programming language, Model transformation, Proof assistant, 020207 software engineering, 02 engineering and technology, [INFO.INFO-SE]Computer Science [cs]/Software Engineering [cs.SE], computer.software_genre, Bridging (programming), Metamodeling, 020204 information systems, Abstract syntax, 0202 electrical engineering, electronic engineering, information engineering, Proof-carrying code, Architecture, computer, computer.programming_language

Abstract

International audience; The work presented in this paper lies in the context of implementing supporting tools for a domain-specific language named SosADL, targeted at the description and analysis of architecture for systems of systems. While the language has formal definition rooted in the Cc-pi calculus, we have adopted the Eclipse ecosystem, including EMF, Ecore and Xtext for the convenience they provide in implementation tasks. Proof-carrying code is a well-known approach to ensure such an implementation involving non-formal technologies conforms to its formal definition, by making the implementation generate proof in addition to usual output artifacts. In this paper, we therefore investigate for an infrastructure that eases the development of proof-carrying code for an Eclipse/EMF/Ecore/Xtext-based tool in relation with the Coq proof assistant. At the core of our approach, we combine an automatic transformation of a metamodel into a set of inductive types, in conjunction with a second transformation of model elements into terms. The first one, reused from our previous work, provides necessary abstract syntax definitions such that the formal definition of the language can be mechanized using Coq. The second transformation is part of the proof generator.

Published

2019

36. A trustworthy framework for resource-aware embedded programming

Author

Adam D. Barwell and Christopher Brown

Subjects

Interpretation (logic), Source code, business.industry, Computer science, media_common.quotation_subject, 020207 software engineering, Context (language use), 02 engineering and technology, Specification language, Abstract interpretation, 020202 computer hardware & architecture, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Proof-carrying code, business, Programmer, Implementation, media_common

Abstract

Systems with non-functional requirements, such as Energy, Time and Security (ETS), are of increasing importance due to the proliferation of embedded devices with limited resources such as drones, wireless sensors, and tablet computers. Currently, however, there are little to no programmer supported methodologies or frameworks to allow them to reason about ETS properties in their source code. Drive is one such existing framework supporting the developer by lifting non-functional properties to the source-level through the Contract Specification Language (CSL), allowing non-functional properties to be first-class citizens, and supporting programmer-written code-level contracts to guarantee the non-functional specifications of the program are met. In this paper, we extend the Drive system by providing rigorous implementations of the underlying proof-engine, modeling the specification of the annotations and assertions from CSL for a representative subset of C, called Imp. We define both an improved abstract interpretation that automatically derives proofs of assertions, and define inference algorithms for the derivation of both abstract interpretations and the context over which the interpretation is indexed. We use the dependently-typed programming language, Idris, to give a formal definition, and implementation, of our abstract interpretation. Finally, we show our well-formed abstract interpretation over some representative exemplars demonstrating provable assertions of ETS.

Published

2019

37. Effective Bridging Between Ecore and Coq: Case of a Type-Checker with Proof-Carrying Code

Author

#PLACEHOLDER_PARENT_METADATA_VALUE#, Faculty of Information and Communication Technology (ICT), Buisson, J., Rehab, Seidali, #PLACEHOLDER_PARENT_METADATA_VALUE#, Faculty of Information and Communication Technology (ICT), Buisson, J., and Rehab, Seidali

Abstract

The work presented in this paper lies in the context of implementing supporting tools for a domain-specific language named SosADL, targeted at the description and analysis of architecture for systems of systems. While the language has formal definition rooted in the Cc-pi calculus, we have adopted the Eclipse ecosystem, including EMF, Ecore and Xtext for the convenience they provide in implementation tasks. Proof-carrying code is a well-known approach to ensure such an implementation involving non-formal technologies conforms to its formal definition, by making the implementation generate proof in addition to usual output artifacts. In this paper, we therefore investigate for an infrastructure that eases the development of proof-carrying code for an Eclipse/EMF/Ecore/Xtext-based tool in relation with the Coq proof assistant. At the core of our approach, we combine an automatic transformation of a metamodel into a set of inductive types, in conjunction with a second transformation of model elements into terms. The first one, reused from our previous work, provides necessary abstract syntax definitions such that the formal definition of the language can be mechanized using Coq. The second transformation is part of the proof generator.

Published

2018

38. Effective Bridging Between Ecore and Coq: Case of a Type-Checker with Proof-Carrying Code

Author

Buisson, J., Rehab, Seidali, PLACEHOLDER_PARENT_METADATA_VALUE, and Faculty of Information and Communication Technology (ICT)

Subjects

Ecore, Proof-carrying code, Coq, Model transformation

Abstract

The work presented in this paper lies in the context of implementing supporting tools for a domain-specific language named SosADL, targeted at the description and analysis of architecture for systems of systems. While the language has formal definition rooted in the Cc-pi calculus, we have adopted the Eclipse ecosystem, including EMF, Ecore and Xtext for the convenience they provide in implementation tasks. Proof-carrying code is a well-known approach to ensure such an implementation involving non-formal technologies conforms to its formal definition, by making the implementation generate proof in addition to usual output artifacts. In this paper, we therefore investigate for an infrastructure that eases the development of proof-carrying code for an Eclipse/EMF/Ecore/Xtext-based tool in relation with the Coq proof assistant. At the core of our approach, we combine an automatic transformation of a metamodel into a set of inductive types, in conjunction with a second transformation of model elements into terms. The first one, reused from our previous work, provides necessary abstract syntax definitions such that the formal definition of the language can be mechanized using Coq. The second transformation is part of the proof generator. 64 259 273

Published

2018

39. Stopping injection attacks with code and structured data

Subjects

ta113, SQL injection, SQL, injection, proof-carrying code, XSS, tietoturva, cryptographic hash

Published

2018

40. Stopping injection attacks with code and structured data

Author

Ville Tirronen, Lehto, Martti, and Neittaanmäki, Pekka

Subjects

0301 basic medicine, Exploit, Computer science, Cross-site scripting, Cryptography, Computer security, computer.software_genre, SQL injection, 03 medical and health sciences, 0302 clinical medicine, Software, Code (cryptography), Cryptographic hash function, Proof-carrying code, proof-carrying code, tietoturva, SQL, business.industry, XSS, 030104 developmental biology, injection, 030220 oncology & carcinogenesis, cryptographic hash, business, computer

Abstract

Injection attacks top the lists of the most harmful software vulnerabilities. Injection vulnerabilities are both commonplace and easy to exploit, which makes development of injection protection schemes important. In this article, we show how injection attacks can be practically eliminated through the use of structured data paired with cryptographic verification codes upon transmission. peerReviewed

Published

2018

41. Information Flow Certificates

Author

Heike Wehrheim and Manuel Töws

Subjects

Soundness, Database, Computer science, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, Certificate, CPAchecker, Program analysis, Flow (mathematics), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Proof-carrying code, Information flow (information theory), computer

Abstract

Information flow analysis investigates the flow of data in applications, checking in particular for flows from private sources to public sinks. Flow- and path-sensitive analyses are, however, often too costly to be performed every time a security-critical application is run. In this paper, we propose a variant of proof carrying code for information flow security. To this end, we develop information flow (IF) certificates which get attached to programs as well as a method for IF certificate validation. We prove soundness of our technique, i.e., show it to be tamper-free. The technique is implemented within the program analysis tool CPAchecker. Our experiments confirm that the use of certificates pays off for costly analysis runs.

Published

2018

42. An Abstract Interpretation-based Approach to Mobile Code Safety.

Author

Albert, Elvira, Puebla, Germán, and Hermenegildo, Manuel

Subjects

COMPUTER integrated manufacturing systems, CONTROL theory (Engineering), INTELLIGENT agents, COMPUTER science

Abstract

Abstract: Recent approaches to mobile code safety, like proof-carrying code, involve associating safety information to programs. The code supplier provides a program and also includes with it a certificate (or proof) whose validity entails compliance with a predefined safety policy. The intended benefit is that the program consumer can locally validate the certificate w.r.t. the “untrusted” program by means of a certificate checker—a process which should be much simpler, efficient, and automatic than generating the original proof. We herein introduce a novel approach to mobile code safety which follows a similar scheme, but which is based throughout on the use of abstract interpretation techniques. In our framework the safety policy is specified by using an expressive assertion language defined over abstract domains. We identify a particular slice of the abstract interpretation-based static analysis results which is especially useful as a certificate. The validity of the certificate on the consumer side is checked by a very simplified and efficient specialized abstract-interpreter. Our ideas are illustrated through an example implemented in the context of constraint logic programs, using the CiaoPP system. Though further experimentation is still required, we believe the pro- posed approach is of interest for bringing the automation and expressiveness which is inherent in the abstract interpretation techniques to the area of mobile code safety. [Copyright &y& Elsevier]

Published

2005

43. A resource semantics and abstract machine for Safe : A functional language with regions and explicit deallocation

Author

Ricardo Peña, Clara Segura, and Manuel Montenegro

Subjects

Functional programming, Theoretical computer science, Computer science, Semantics (computer science), Programming language, computer.software_genre, Semantics, Abstract machine, Computer Science Applications, Theoretical Computer Science, Memory management, Computational Theory and Mathematics, Dangling pointer, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Code generation, Proof-carrying code, Compiler, Memory safety, computer, Information Systems, Heap (data structure)

Abstract

In this paper we summarise Safe, a first-order functional language for programming small devices and embedded systems with strict memory requirements, which has been introduced elsewhere. It has some unusual memory management features such as heap regions and explicit cell deallocation. It is targeted at a Proof Carrying Code environment, and consistently with this aim the Safe compiler provides machine checkable certificates about important safety properties such as the absence of dangling pointers and bounded memory consumption. The kernel of the paper is devoted to developing part of the Safe compiler's back-end, by deriving an appropriate abstract machine from the language semantics, by providing the code generation functions, and by formally proving that the translation is sound, both in the semantic and in the memory consumption senses.

Published

2014

44. Practical and Efficient in-Enclave Verification of Privacy Compliance.

Author

Liu W, Wang W, Chen H, Wang X, Lu Y, Chen K, Wang X, Shen Q, Chen Y, and Tang H

Abstract

A trusted execution environment (TEE) such as Intel Software Guard Extension (SGX) runs attestation to prove to a data owner the integrity of the initial state of an enclave, including the program to operate on her data. For this purpose, the data-processing program is supposed to be open to the owner or a trusted third party, so its functionality can be evaluated before trust being established. In the real world, however, increasingly there are application scenarios in which the program itself needs to be protected (e.g., proprietary algorithm). So its compliance with privacy policies as expected by the data owner should be verified without exposing its code. To this end, this paper presents Deflection, a new model for TEE-based delegated and flexible in-enclave code verification. Given that the conventional solutions do not work well under the resource-limited and TCB-frugal TEE, we come up with a new design inspired by Proof-Carrying Code. Our design strategically moves most of the workload to the code generator, which is responsible for producing easy-to-check code, while keeping the consumer simple. Also, the whole consumer can be made public and verified through a conventional attestation. We implemented this model on Intel SGX and demonstrate that it introduces a very small part of TCB. We also thoroughly evaluated its performance on micro- and macro- benchmarks and real-world applications, showing that the design only incurs a small overhead when enforcing several categories of security policies.

Published

2021

45. Defending Against the Buffer Overflows: A Static Approach Using Proof-Carrying Code

Author

Ping Wang and Lei Wang

Subjects

Heap overflow, Computer science, Distributed computing, Code (cryptography), Proof-carrying code, Static analysis, Buffer overflow

Abstract

Buffer overflow has been one of the most outstanding attacks in the last ten years. This kind of vulnerability may compromise the system security by various means. Existing solutions to this problem have focused on the execution environment of the malicious program rather than the hypostasis of buffer overflow and most of them try to detect buffer overflows dynamically. This paper presents the effort of applying a static analysis approach against the programs exploiting buffer overflow and the method adopted is named Proof-Carrying Code (PCC). This paper shows that: (1) it is possible to defend against most of the buffer overflow vulnerabilities with proper use of PCC; and (2) the method is well prepared to handle the coming-up variants of the buffer overflow problems. 

Published

2013

46. Detection of Non-Size Increasing Programs in Compilers

Author

Moyen, Jean-Yves, Rubiano, Thomas, Department of Computer Science [Copenhagen] (DIKU), Faculty of Science [Copenhagen], University of Copenhagen = Københavns Universitet (KU)-University of Copenhagen = Københavns Universitet (KU), Logic, Computation and Reasoning [Villetaneuse] (LCR), Laboratoire d'Informatique de Paris-Nord (LIPN), Université Paris 13 (UP13)-Institut Galilée-Université Sorbonne Paris Cité (USPC)-Centre National de la Recherche Scientifique (CNRS)-Université Paris 13 (UP13)-Institut Galilée-Université Sorbonne Paris Cité (USPC)-Centre National de la Recherche Scientifique (CNRS), ANR-14-CE25-0005 Elica, Damiano Mazza, and ANR-14-CE25-0005,ELICA,Élargir les idées logiques pour l'analyse de complexité(2014)

Subjects

[INFO.INFO-CC]Computer Science [cs]/Computational Complexity [cs.CC], [INFO.INFO-PF]Computer Science [cs]/Performance [cs.PF], Implicit Complexity, LLVM, Proof-Carrying Code, Static Analysis, Compiler

Abstract

International audience; Implicit Computational Complexity (ICC) aims atgiving machine-free characterisations of complexity classes. Be-cause it is usually sound but not complete, it actually providescertificates that a given program can be run within a givenamount of resources. ICC is usually applied on toy languages withrestricted expressivity, we show here that it can be performed onreal programming languages.Because it is usually a static, syntactical analysis of theprograms, ICC is well-suited to be performed at compile time.The bounds given by ICC can then be used to fuel someoptimisation or to produce certificates of good behaviour. Moderncompilers do most of their work in a modular sequences of passesdone on some Intermediate Representation (IR) language. TheIR is a generic typed assembly-like language and thus very wellsuited to express ICC criteria. The modularity of the passes makeit easy to add one and to re-use existing ones at will.We focus here on the relatively simple analysis of Non-SizeIncreasing (NSI) programs. We’ve implemented a NSI analysisfor the LLVM compiler. This can be seen as a proof of conceptthat ICC and compilers are able to interact productively.

Published

2016

47. An Abstract Model of Certificate Translation

Author

César Kunz and Gilles Barthe

Subjects

Source code, Correctness, Programming language, Computer science, media_common.quotation_subject, 020207 software engineering, Static program analysis, 0102 computer and information sciences, 02 engineering and technology, computer.software_genre, Certificate, 01 natural sciences, Program analysis, 010201 computation theory & mathematics, 0202 electrical engineering, electronic engineering, information engineering, Proof-carrying code, Unreachable code, Redundant code, computer, Software, media_common

Abstract

A certificate is a mathematical object that can be used to establish that a piece of mobile code satisfies some security policy. In general, certificates cannot be generated automatically. There is thus an interest in developing methods to reuse certificates generated for source code to provide strong guarantees of the compiled code correctness. Certificate translation is a method to transform certificates of program correctness along semantically justified program transformations. These methods have been developed in previous work, but they were strongly dependent on particular programming and verification settings. This article provides a more general development in the setting of abstract interpretation, showing the scalability of certificate translation.

Published

2011

48. Semantic foundations for typed assembly languages

Author

Daniel C. Wang, Gang Tan, Kedar N. Swadi, Amal Ahmed, Christopher D. Richards, and Andrew W. Appel

Subjects

Soundness, Theoretical computer science, Assembly language, Computer science, Programming language, Typed assembly language, Semantic data model, computer.software_genre, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Proof-carrying code, Machine code, computer, Software, Axiom, Impredicativity, computer.programming_language

Abstract

Typed Assembly Languages (TALs) are used to validate the safety of machine-language programs. The Foundational Proof-Carrying Code project seeks to verify the soundness of TALs using the smallest possible set of axioms: the axioms of a suitably expressive logic plus a specification of machine semantics. This article proposes general semantic foundations that permit modular proofs of the soundness of TALs. These semantic foundations include Typed Machine Language (TML), a type theory for specifying properties of low-level data with powerful and orthogonal type constructors, and L c , a compositional logic for specifying properties of machine instructions with simplified reasoning about unstructured control flow. Both of these components, whose semantics we specify using higher-order logic, are useful for proving the soundness of TALs. We demonstrate this by using TML and L c to verify the soundness of a low-level, typed assembly language, LTAL, which is the target of our core-ML-to-sparc compiler. To prove the soundness of the TML type system we have successfully applied a new approach, that of step-indexed logical relations . This approach provides the first semantic model for a type system with updatable references to values of impredicative quantified types. Both impredicative polymorphism and mutable references are essential when representing function closures in compilers with typed closure conversion, or when compiling objects to simpler typed primitives.

Published

2010

49. Certificate translation for optimizing compilers

Author

Tamara Rezk, Gilles Barthe, César Kunz, and Benjamin Grégoire

Subjects

Source code, ComputingMilieux_THECOMPUTINGPROFESSION, Programming language, Computer science, media_common.quotation_subject, Optimizing compiler, Program optimization, computer.software_genre, Object code, Proof-carrying code, Code generation, Compiler, computer, Compiled language, Software, media_common

Abstract

Proof Carrying Code provides trust in mobile code by requiring certificates that ensure the code adherence to specific conditions. The prominent approach to generate certificates for compiled code is Certifying Compilation, that automatically generates certificates for simple safety properties. In this work, we present Certificate Translation, a novel extension for standard compilers that automatically transforms formal proofs for more expressive and complex properties of the source program to certificates for the compiled code. The article outlines the principles of certificate translation, instantiated for a nonoptimizing compiler and for standard compiler optimizations in the context of an intermediate RTL Language.

Published

2009

50. Provably correct runtime monitoring

Author

Dilian Gurov, Irem Aktug, and Mads Dam

Subjects

Logic, Computer science, Programming language, Information and Computer Science, 020207 software engineering, 02 engineering and technology, Specification language, Policy enforcement, Hoare logic, computer.software_genre, Theoretical Computer Science, Automaton, Predicate transformer semantics, Annotation, Computational Theory and Mathematics, Proof-carrying code, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Monitor inlining, Runtime monitoring, computer, Software, Heap (data structure)

Abstract

Runtime monitoring is an established technique to enforce a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has a copy of the given monitor embedded into it. As the main application of these results we sketch a simple inlining algorithm and show how the two-level annotations can be completed to produce a fully annotated program which is valid in the standard sense of Floyd/Hoare logic. This establishes the mediation property that inlined programs are guaranteed to adhere to the intended policy. Furthermore, validity can be checked efficiently using a weakest precondition based annotation checker, thus preparing the ground for on-device checking of policy adherence in a proof-carrying code setting.

Published

2009