Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University...

Post on 17-Jan-2016


Towards Automatic Verification of Safety Architectures

Carsten Schürmann, Carnegie Mellon University

April 2000

2

Subtitle

Twelf: A Tool to Reason About Formal Systems

3

Motivation

CERT advisories [www.cert.org] (Computer Emergency Response Team), January 1999 – February 2000:
• 29 advisories total
• 11 advisories: buffer overflow (e.g. ftpd)
• Others: viruses, denial of service, …

More than 38% of the vulnerabilities are due to bugs.

4

Motivation

We need tools to
• Increase confidence in software
• Engineer trusted bases for computing
• Catch programming language design flaws

There is such a tool: Twelf

5

Contributions

Design of Twelf
• Meta-logic [Schürmann 00]
• Algorithms for automated deduction

Implementation of Twelf
• Core [Pfenning, Schürmann 99]
• Meta theorem prover [Schürmann 00]

Application of Twelf
• Experiments

6

Outline of This Talk

• Problem: Safety Architectures
• Twelf: Design, Implementation, Experiments
• Conclusion: Research Agenda

7

Trusting the Source?

Example: WU-ftpd 2.6.0: 17865 lines of code; GCC-core 2.95.2: 433128 lines of code

Related work: Piton/Micro-Gypsy [Moore, Young, Bevier 89]

[Figure: Source → Compiler → Binary, with the Trusted Computing Base marked]

8

Trusting Binaries?

Example: WU-ftpd 2.5.0 binary: 150 KB [RedHat 6.1]

Related work: Software fault isolation [Wahbe, … 93]

[Figure: Source → Compiler → Binary → Verifier, with the Trusted Computing Base marked]

9

Trusting Safety Proofs?

Feasibility study: Packet filter [Necula, Lee 96]

[Figure: Source → Compiler → Binary plus Safety Proof; the Safety Proof, written in the Safety Proof Language, is checked by the Proof Checker; small Trusted Computing Base]

10

Safety Architectures

Proof Carrying Code
• Logic: 129 rules [Necula, Lee 97]
• Logic: several 100 rules [Appel, Felty 99]
• Proof checker: 206 lines [Schürmann 98]; uses a logical framework

Typed Assembly Language
• Type theory: 31 rules [Morrisett, Crary … 98]
• Proof checker: approx. 4000 lines

Java Bytecode
• Type system: 20 pages prose
• Bytecode verifier

11

Logical Frameworks

• Uniform representation language for storing, shipping and checking safety proofs
• Logic-independent safety proof checker

[Figure: Safety Proof → Proof Checker, both over the Safety Proof Language, next to the Binary; in the second version the Safety Proof Language is itself encoded in a Logical Framework]

12

Safety Proof Languages

• First-order/higher-order logics [Gentzen 35]
• Temporal logics (CTL, CTL*, LTL) [Pnueli, Manna, … 84]
• Modal and linear logics [Girard 86]
• Type theories
• Language- and system-specific knowledge

13

Good Safety Proof Languages

• Consistency: falsehood should not be derivable
• Expressiveness: small safety proofs require expressive logics
• Extensibility: possibility to add new admissible rules

Is The Safety Proof Language Good?

14

Meta-Logical Frameworks

[Figure: Safety Proof → Proof Checker over the Safety Proof Language, encoded in a Logical Framework, which is in turn the object of a Meta-Logical Framework]

Is The Safety Proof Language Good?

15

Rest of this Talk

Twelf: a meta-logical framework that supports the representation of logics and type systems and automates reasoning about them.

Used at CMU, Princeton, Stanford, …

16

Overview

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

Meta-logical Framework
• Automated proof search
• Formulas
• Direct encoding as proofs

17

Let’s Start

Safety Proof Language

• Logic
• Judgments
• Inference rules

18

A Simple Logic

Intuitionistic logic, sequent calculus [Gentzen 35]

Judgment: $\Gamma \vdash A$, where $\Gamma = A_1, \ldots, A_n$

Rules:

$$\frac{}{\Gamma, A \vdash A}\ \mathrm{axiom}
\qquad
\frac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$$

$$\frac{\Gamma, A \supset B \vdash A \qquad \Gamma, A \supset B, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}
\qquad
\frac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$$

19

Next: Logical Framework LF

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

20

Logical framework LF [Honsell, Harper, Plotkin 93]

• Simply typed λ-calculus
• Dependent types

Paradigm
• Judgments as types
• Derivations as objects

Representation: a derivation $\mathcal{D}$ of $A_1, \ldots, A_n \vdash A$ in the logic is represented by an object $D$ of the logical framework:

$$u_1{:}\mathrm{hyp}\,A_1, \ldots, u_n{:}\mathrm{hyp}\,A_n \vdash D : \mathrm{conc}\,A$$

21

Representation (cont’d)

Inference rules as constants

axiom : (hyp A -> conc A).

impr : (hyp A -> conc B) -> conc (A imp B).

impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

cut : conc A -> (hyp A -> conc C) -> conc C.

The constants encode the rules of the sequent calculus one by one:

$$\frac{}{\Gamma, A \vdash A}\ \mathrm{axiom}
\qquad
\frac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$$

$$\frac{\Gamma, A \supset B \vdash A \qquad \Gamma, A \supset B, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}
\qquad
\frac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$$

22

Representation (cont’d)

Logic ↔ Logical Framework: 1-to-1 correspondence

Reasoning about the real world is as good as the encoding is

Theorem prover for LF [Schürmann 98]

23

Notes on the Representation

Elegance: higher-order representation techniques, dependent types

Benefit: variables and substitutions come for free!

"We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it." [Allen Newell]

24

Next: Reasoning

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

25

A (Not So) Simple Argument

Theorem [Admissibility] [Gentzen 35]: If $\mathcal{D} :: \Gamma \vdash A$ and $\mathcal{E} :: \Gamma, A \vdash C$ then $\mathcal{F} :: \Gamma \vdash C$.

Proof: by induction on $A$, $\mathcal{D}$, $\mathcal{E}$.

Case: $\mathcal{E}$ ends in impr, so the conclusion has the form $B \supset C$ and

$$\mathcal{E} = \frac{\mathcal{E}' :: \Gamma, A, B \vdash C}{\Gamma, A \vdash B \supset C}\ \mathrm{impr}$$

$\mathcal{F}' :: \Gamma, B \vdash C$ by induction hypothesis on $\mathcal{D}$, $\mathcal{E}'$

$\mathcal{F} :: \Gamma \vdash B \supset C$ by application of impr:

$$\mathcal{F} = \frac{\mathcal{F}' :: \Gamma, B \vdash C}{\Gamma \vdash B \supset C}\ \mathrm{impr}$$
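The LF encoding of the sequent rules (slide 21) and the admissibility argument (slide 25), as one added example that is not code from the talk or from the Twelf project: a small checker for derivations in that logic, the kind of logic-independent proof checker the safety architecture has to trust, together with the cut-elimination procedure written out in full so that its output can be re-checked. The tuple encoding, the hypothesis names and the sample derivations D and E are my own construction.

```python
# Added example, not code from the talk: a tiny proof checker for the sequent calculus
# encoded above, plus the cut-admissibility procedure that the talk has Twelf prove.
# Formulas are ('atom', p) or ('imp', A, B). Derivations name their hypotheses, mirroring
# hyp/conc: ('axiom', u) | ('impr', v, A, D) | ('impl', w, D1, v, D2) | ('cut', D1, v, D2).

def check(ctx, d):
    """Return the formula d proves in context ctx (hyp name -> formula); raise if invalid."""
    if d[0] == 'axiom':                     # u : hyp A  ==>  conc A
        return ctx[d[1]]
    if d[0] == 'impr':                      # d1 : conc B under v : hyp A  ==>  conc (A imp B)
        _, v, a, d1 = d
        return ('imp', a, check({**ctx, v: a}, d1))
    if d[0] == 'impl':                      # w : hyp (A imp B), d1 : conc A, d2 under v : hyp B
        _, w, d1, v, d2 = d
        h = ctx[w]
        if h[0] != 'imp' or check(ctx, d1) != h[1]:
            raise ValueError('impl: hypothesis is not A imp B, or minor premise mismatch')
        return check({**ctx, v: h[2]}, d2)
    _, d1, v, d2 = d                        # cut: d1 : conc A, d2 : conc C under v : hyp A
    return check({**ctx, v: check(ctx, d1)}, d2)

def cut(d, u, e):
    """d : conc A, e : conc C using u : hyp A ==> cut-free proof of C (cut-free inputs, distinct names)."""
    if e[0] == 'axiom':                     # e is u itself (replace by d) or another hypothesis
        return d if e[1] == u else e
    if e[0] == 'impr':                      # right commutative case: push the cut inward
        _, v, a, e1 = e
        return ('impr', v, a, cut(d, u, e1))
    _, w, e1, v, e2 = e                     # e ends in impl
    if w != u:                              # right commutative case on both premises
        return ('impl', w, cut(d, u, e1), v, cut(d, u, e2))
    if d[0] == 'impl':                      # left commutative case: push the cut into d
        _, w2, d1, x, d2 = d
        return ('impl', w2, d1, x, cut(d2, u, e))
    f1, f2 = cut(d, u, e1), cut(d, u, e2)   # cut formula A = A1 imp A2 is principal in e
    if d[0] == 'axiom':                     # A is also a hypothesis of d's context: reuse it
        return ('impl', d[1], f1, v, f2)
    _, x, _, d1 = d                         # essential case: cut on A1, then on A2 (both smaller)
    return cut(cut(f1, x, d1), v, f2)

# Constructed sample: D proves p imp ((p imp q) imp q); E re-derives that formula from u : hyp of it.
P, Q = ('atom', 'p'), ('atom', 'q')
D = ('impr', 'h1', P, ('impr', 'h2', ('imp', P, Q),
     ('impl', 'h2', ('axiom', 'h1'), 'h3', ('axiom', 'h3'))))
E = ('impr', 'k1', P, ('impr', 'k2', ('imp', P, Q), ('impl', 'u', ('axiom', 'k1'), 'k3',
     ('impl', 'k3', ('axiom', 'k2'), 'k4', ('axiom', 'k4')))))

def demo():                                 # check the proof with a cut, then eliminate the cut
    goal = check({}, ('cut', D, 'u', E))
    return goal, cut(D, 'u', E)
```

The recursion mirrors the case split of the structural proof: the calls on `e1`, `e2` and `d2` are the induction hypotheses on the derivations, and the two nested calls in the essential case are the induction hypotheses on the smaller cut formulas A1 and A2.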

26

History of This Result

Fundamental theorem in Logic [Gentzen 35]

Consistency of first-order logic Structural proof [Pfenning 95] Twelf can prove it automatically [Schürmann 99]

Neither a toy problem nor a trivial problem 182 = 324 cases for full-first order intuitionistic

logic One of the most basic theorems of logic and

automated deduction

27

Significance of This Result

It is not reasoning in a logic
• A derivation in a logic is only an object
• The admissibility lemma is not expressible

But reasoning about a logic
• Step outside the logic
• Analyze properties of the logic
• The admissibility lemma is expressible


28

Next: Meta-logical Framework

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

Meta-logical Framework
• Automated proof search
• Formulas
• Direct encoding as proofs

29

Problem

Reasoning about derivations is inductive. In general, LF signatures are not inductive, so standard induction techniques do not apply.

axiom : (hyp A -> conc A).
impr : (hyp A -> conc B) -> conc (A imp B).
impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

Negative occurrence: the premises (hyp A -> conc B) of impr and (hyp B -> conc C) of impl are themselves function types.

30

Closed World Assumption

Standard induction techniques assume
• Fixed set of constructors
• Existence of induction principles

Example: natural number induction
zero : nat
succ : nat -> nat

31

Open World Assumption

• No induction principles
• Type definitions are open-ended: new types, new inference rules may be added

Example: Admissibility Theorem
• Not stable under extensions of the world
• Forms of objects are not predictable

32

Solution

Regular world assumption, between the
• Closed world assumption
• Open world assumption

33

Regular World Assumption

Extensions to the world are predictable!

Sound induction principles exist, but they are not standard!

axiom : (hyp A -> conc A).
impr : (hyp A -> conc B) -> conc (A imp B).
impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

Regular extension of the world, one hypothesis constant per assumption:
h1 : hyp A1.
h2 : hyp A2.
. . .
hn : hyp An.

34

Meta Logic M2

Regular extensions of the world: here, contexts of the form

$$\Gamma ::= \cdot \mid \Gamma, u{:}\mathrm{hyp}\,A$$

Theorem [Admissibility]: If $\mathcal{D} :: \Gamma \vdash A$ and $\mathcal{E} :: \Gamma, A \vdash C$ then $\mathcal{F} :: \Gamma \vdash C$.

As a formula of M2:

$$\forall A{:}o.\ \forall C{:}o.\ \forall D{:}\mathrm{conc}\,A.\ \forall E{:}(\mathrm{hyp}\,A \to \mathrm{conc}\,C).\ \exists F{:}\mathrm{conc}\,C.\ \mathrm{true}$$

35

Meta Logic M2 (cont’d)

Formulas:

$$F ::= \mathrm{true} \mid \forall x{:}A.\ F \mid \exists x{:}A.\ F \mid F_1 \wedge F_2$$

Semantics:

$$\begin{aligned}
&\models \mathrm{true} \\
&\models \forall x{:}A.\ F &&\text{iff for all } M : A,\ \models F[M/x] \\
&\models \exists x{:}A.\ F &&\text{iff for some } M : A,\ \models F[M/x] \\
&\models F_1 \wedge F_2 &&\text{iff } \models F_1 \text{ and } \models F_2
\end{aligned}$$

36

Meta Logic M2 (cont’d)

Proof calculus for M2 [Schürmann 00]

Judgment: $\vdash P \in F$ ($P$ is a proof term for $F$); rules: see thesis

Theorem [Soundness of M2] [Schürmann 00]: If $\vdash P \in F$ then $\models F$.

Proof: via realizability interpretation.

37

Twelf Implementation

Implements a theorem prover for M2

Success due to the regular world assumption

Automated proof search, no tactics

[Figure: Twelf takes lemmas, induction variables and a bound as input and returns either a proof in M2 or "not found"]

38

Twelf Implementation (cont’d)

Splitting: case analysis over LF objects (regular world assumption)

Recursion: induction hypotheses (regular world assumption)

Filling: applies an underlying LF prover, or a theorem prover for the underlying logic

39

Experiments

Problem              Theorem                 Total time    Reason
Cut-Elimination IL   Admissibility of Cut    6min 35sec
                     Cut-elimination         0.28sec
ND - Sequent         ND -> Sequent           0.11sec
                     Sequent -> ND           0.12sec
ND - Hilbert         Deduction theorem       0.12sec
                     Translation theorem     0.37sec


Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

40

Experiments (cont’d)

Problem              Theorem                 Total time    Reason
Mini-ML              Value-soundness         0.13sec
                     Type preservation       0.42sec
                     Reduction theorem       0.66sec
(app/lam)            Uniqueness of typing    0.25sec
Compiler (CPM)       Soundness               not yet       Compl. ind.
                     Completeness            0.31sec
(both directions)    Proof equivalence       0.46sec
CCC                  Translation lambda      3.392sec
                     Distributivity          not yet       LF Prover

Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

41

Experiments (cont’d)

Problem              Theorem                 Total time    Reason
Church-Rosser        Append lemma            0.08sec
                     Substitution lemma      0.18sec
                     Diamond lemma           5.6sec
                     Strip lemma             3min 58sec
                     Confluence lemma        28.52sec
                     Church-Rosser thm       2.05sec

Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

42

Experiments (cont’d)

Problem              Theorem                 Total time    Reason
LP (Harrop)          Soundness (Uni)         0.31sec
                     Canonical forms         0.34sec
                     Completeness (Uni)      0.28sec
                     Soundness (Res)         1.05sec
                     Completeness (Res)      0.52sec
Kolmogorov CL->IL    Soundness               9.55sec
                     Completeness            not yet       LF Prover
Rippling             Equivalence lemma       0.65sec
                     Skeleton preservation   0.94sec

Machine: Pentium II, 400Mhz, 192MB RAM, Linux 2.0

43

Contributions

Design of Twelf
• Design of a theorem prover for LF
• Regular world assumption
• Design of the sound meta-logic M2

Implementation of Twelf
• Core (together with Frank Pfenning)
• Meta theorem prover

Application of Twelf
• Experiments


44

Research Vision

I believe that the demand for safe and secure software, networks, and programming languages will continuously increase.

I foresee myself designing, implementing, and applying the necessary tools.

45

Research Agenda

Towards real-world applications
• Network protocol design
• Security protocol design
• Programming language design
• Software engineering

46

Research Agenda (cont’d)

Design and Implementation
• Meta logic + constraints
• Lemma generalization
• Natural language explanation

47

Conclusion

A meta-logical framework (Twelf) that supports the representation of logics and type systems and automates reasoning about them.

http://www.twelf.org