© Andrew Ireland, Dependable Systems Group

On the Scalability of Proof Carrying Code for Software Certification
Andrew Ireland
School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh
Outline
• High integrity software development
• Evidence based software certificates
• Scalability problems
• A planning approach
• Issues for discussion
The SPARK Approach
• SPARK is a subset of Ada with annotations (Praxis High Integrity Systems Ltd)
• Supports data & information flow analysis and formal verification - in particular, exception freedom proofs
• EuroFighter and Hawk projects, advocated by NSA, …
[Diagram: SPARK code → SPARK Examiner → VCs → SPADE Simplifier → unproven VCs → SPADE Proof Checker (driven by tactics) → proofs; X marks failed proofs, which lead to revisions of the SPARK code]
NuSPADE
• NuSPADE = proof planning + program analysis
• Annotation generation motivated by proof-failure analysis
[Diagram: the same SPARK tool chain (SPARK code → SPARK Examiner → VCs → SPADE Simplifier → unproven VCs → SPADE Proof Checker → proofs), with NuSPADE taking the unproven VCs and feeding back tactics to the SPADE Proof Checker and annotations (X) to the SPARK code]
NuSPADE
[Diagram: inside NuSPADE, a Proof Planner and a Program Analyzer exchange unproven VCs, abstract predicates, annotations and tactics]
Co-operative style of integration, i.e. “productive use of failure”
[Diagram: proof planning architecture with the components Conjecture, Proof Plans, Plan Theory, Proof Planner, Proof Checker, Tactic, Proof and Failure]
SPARK and Certification
• Z specifications + rigorous proofs
• Data flow & information flow analysis
• Code level proofs:
  – Exception freedom proofs: automatic + interactive proofs
  – Functional proofs: significant level of interactive proofs
  – Proof review files
• Resource analysis
Note: various levels of formal & rigorous evidence
Evidence Based Certification
• Proof-Carrying Code (PCC) – an example of an evidence based approach to certification
• Code is delivered with a certificate containing a condensed mathematical proof, i.e. a proof that the code satisfies the desired safety properties
• Responsibility for proof construction lies with the code producer; the consumer performs proof checking
• The Trusted Computing Base (TCB) for PCC is small, i.e. the safety properties, the verification condition generator and the proof checker
Properties, Proofs & Certificates
• Properties typically simple, e.g. memory safety
• Proof construction involves advanced type checking, i.e. no theorem proving
• Certificates:
  – LF proofs quadratic with respect to program size
  – LFi proofs 2.5 to 5 times program size
  – Oracle strings on average 12% of program size
  – Proof tactics have also been used
Scalability Problems
• Need for comprehensive properties, e.g. functional properties
• MOBIUS: combining type-based and logic-based approaches
• Need to exploit automated theorem proving techniques
• Will the current PCC architecture scale up, e.g. oracle strings?
Planning Oracles as Certificates
[Diagram: the proof planning architecture (Conjecture, Proof Plans, Plan Theory, Proof Planner, Proof Checker, Tactic, Proof, Failure) extended with an Oracle]
Oracle identifies:
• Proof plans and where they should be used
• Relevant theories
• Search control hints, e.g. auxiliary lemmas and generalization steps
Certificate Generation
[Diagram: Code + Spec → Certificate Generation (VCGen + Planner + Checker), drawing on Repositories (plans + theories) → Certificate (Oracle), or Proof Failure (?)]
Certificate Validation
[Diagram: Code + Spec and Certificate (Oracle) → Certificate Validation (VCGen + Planner + Checker), drawing on Repositories (plans + theories) → CPU, or Proof Failure (?)]
Note: Certificate transforming compiler
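The producer/consumer split of PCC described under Evidence Based Certification and the generation/validation pipeline above, as an added Python illustration that is not code from the talk or from NuSPADE: it assumes a toy intuitionistic sequent calculus over nested tuples, and encodes the certificate as an oracle string (a list of rule choices) so that the consumer replays the proof with no search, rejecting any certificate that does not lead to a proof.

```python
# Added illustration (not the talk's own code) of oracle-based proof-carrying
# code: the producer searches for a proof and records only the rule chosen at
# each step; the consumer replays those choices with no search. Assumed logic:
# a simplified intuitionistic sequent calculus; a sequent is (frozenset, goal).
from typing import List, Optional

def candidates(seq) -> List[tuple]:
    """Applicable rules as (name, premises); shared by both sides, hence in the TCB."""
    hyps, goal = seq
    out = [("axiom", [])] if goal in hyps else []
    if goal[0] == "and":
        out.append(("and_r", [(hyps, goal[1]), (hyps, goal[2])]))
    elif goal[0] == "imp":
        out.append(("imp_r", [(hyps | {goal[1]}, goal[2])]))
    elif goal[0] == "or":
        out += [("or_r1", [(hyps, goal[1])]), ("or_r2", [(hyps, goal[2])])]
    for h in sorted(hyps, key=repr):  # fixed order, so choice indices replay
        rest = hyps - {h}
        if h[0] == "and":
            out.append(("and_l", [(rest | {h[1], h[2]}, goal)]))
        elif h[0] == "imp":  # hypothesis dropped: every rule shrinks the sequent
            out.append(("imp_l", [(rest, h[1]), (rest | {h[2]}, goal)]))
    return out

def produce(seq) -> Optional[List[int]]:
    """Producer: depth-first search; returns the oracle string or None."""
    for i, (_, premises) in enumerate(candidates(seq)):
        subs = [produce(prem) for prem in premises]
        if None not in subs:
            return [i] + [c for sub in subs for c in sub]
    return None

def check(seq, oracle: List[int], pos: int = 0) -> int:
    """Consumer: replay without search; ValueError if the choices yield no proof."""
    rules = candidates(seq)
    if pos >= len(oracle) or not 0 <= oracle[pos] < len(rules):
        raise ValueError(f"certificate rejected at step {pos}")
    choice, pos = oracle[pos], pos + 1
    for prem in rules[choice][1]:
        pos = check(prem, oracle, pos)
    return pos

def validate(seq, oracle: List[int]) -> bool:
    try:
        return check(seq, oracle) == len(oracle)  # every choice consumed
    except ValueError:
        return False

# Constructed sample VC: ((p and q) -> r) -> (q -> (p -> (s or r)))
p, q, r, s = (("atom", x) for x in "pqrs")
VC = (frozenset(), ("imp", ("imp", ("and", p, q), r),
                    ("imp", q, ("imp", p, ("or", s, r)))))
```

The oracle for the sample VC is nine choice indices, far smaller than the proof tree the producer explored, and flipping a single index makes the consumer reject it.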
Discussion Issues
• The proposed proof planning approach will add theory repositories (and specifications) to the TCB – is this acceptable?
• For memory limited devices, proof planning oracles are not an option for on-device certificate validation – how important is on-device validation to certification management in general?
• More comprehensive properties will require off-device validation – could a dedicated certificate validation device have a role to play?
• Certificate transforming compiler or trusted compiler?
Conclusion
• The SPARK Approach and proof automation via proof planning
• The success of PCC as well as the limits of current architectures
• Proposal for proof planning and proof planning oracles as a technique for addressing these limitations