Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. ....
Transcript of Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. ....
![Page 1: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/1.jpg)
Compilation of certificates
Gilles Barthe
INRIA Sophia-Antipolis Mediterranee, France
Marktoberdorf, August 2007 Compilation of certificates
![Page 2: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/2.jpg)
Motivation
Mobile code is ubiquitousLarge distributed networks of JVM devices
aimed at providing a global and uniform access to services
Security is a central concern:applications manipulate sensitive data stored on devicescommunications must be secured
Issues:uniform access to services vs. heterogeneity of devicesflexibility of computational infrastructure vs. rigid securityarchitectureplatform must be correct (VM, API,. . . )lack of appropriate security mechanisms to guarantee security onconsumer side
Marktoberdorf, August 2007 Compilation of certificates
![Page 3: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/3.jpg)
Security challenge
Bytecode program
Compiler
NetworkRuntime
Bytecode program
Source program
Code producer Code consumer
Marktoberdorf, August 2007 Compilation of certificates
![Page 4: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/4.jpg)
Proof Carrying Code
Downloaded components come equipped with certificates, wherecertificates:
are condensed and formalized mathematical proofs/hintsare self-evident and unforgeablecan be checked efficiently
Marktoberdorf, August 2007 Compilation of certificates
![Page 5: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/5.jpg)
Proof Carrying Code
Downloaded components come equipped with certificates, wherecertificates:
are condensed and formalized mathematical proofs/hintsare self-evident and unforgeablecan be checked efficiently
pgflastimage
Marktoberdorf, August 2007 Compilation of certificates
![Page 6: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/6.jpg)
Proof Carrying Code
Downloaded components come equipped with certificates, wherecertificates:
are condensed and formalized mathematical proofs/hintsare self-evident and unforgeablecan be checked efficiently
pgflastimage
Marktoberdorf, August 2007 Compilation of certificates
![Page 7: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/7.jpg)
Flavors of Proof Carrying Code
Type-based PCC
CompilerCertifyingCompiler
BCV
Runtime environmentProgram Cert.
Program
Widely deployed in KVMApplication to JVM typingOn-device checking possible
Logic-based PCC
Compiler
Certifying
Compiler
Runtime environmentProgram
ProgramVC
generator
Checker
Cert.
Original scenarioApplication to type safety andmemory safety
Marktoberdorf, August 2007 Compilation of certificates
![Page 8: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/8.jpg)
Contents
The objective of the course is to present verification methods forbytecode and relate them to verification methods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 9: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/9.jpg)
Contents
The objective of the course is to present verification methods forbytecode and relate them to verification methods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 10: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/10.jpg)
Contents
The objective of the course is to present verification methods forbytecode and relate them to verification methods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 11: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/11.jpg)
Mobius: Mobility, Ubiquity, Security
Main goals:develop basic technologies (type systemsand logics) for static enforcement ofexpressive policies at application level:
confidentiality, integrity, resource usagelogical specifications
build a Proof Carrying Code infrastructurethat integrates these basic technologiesuse proof assistants to achieve the highestguarantees for security mechanisms
INRIAETH ZurichLMU MunichRU NijmegenU. EdinburghChalmers U.Tallinn U.Imperial CollegeUC DublinU. WarsawUP MadridTLSSAP ResearchFrance TelecomTrusted LogicTU Darmstadt
Marktoberdorf, August 2007 Compilation of certificates
![Page 12: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/12.jpg)
The Mobius view
Source program
Source Specification (types + logics)
Runtime environment
Bytecode program
Bytecode Specification
Certificate
Req
uire
men
ts
Certificate checker
Certificate generation
CertificateCertificate
Bytecode program
Bytecode Specification
Interactive proofs
Java compiler
Spec compiler
Proof compiler
Code producer
Code consumer
Marktoberdorf, August 2007 Compilation of certificates
![Page 13: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/13.jpg)
Part 1: Information flow typingG. Barthe, D. Naumann and T. Rezk, Deriving an Information FlowChecker and Certifying Compiler for Java, Security and Privacy 2006G. Barthe, D. Pichardie and T. Rezk, A Certified LightweightNon-Interference Java Bytecode Verifier, ESOP’07G. Barthe, T. Rezk, A. Russo and A. Sabelfeld, Security ofMulti-Threaded Programs by Compilation, ESORICS’07
Marktoberdorf, August 2007 Compilation of certificates
![Page 14: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/14.jpg)
Non-interference
”Low-security behavior of the program is not affected by anyhigh-security data.” Goguen & Meseguer 1982
H1 L
H ′1 L ′
H2 L
H ′2 L ′
∼L
∼L
∀s1, s2, s1 ∼L s2 ∧ P, s1 ⇓ s ′1 ∧ P, s2 ⇓ s ′2 =⇒ s ′1 ∼L s ′2
High = confidential Low = public
Marktoberdorf, August 2007 Compilation of certificates
![Page 15: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/15.jpg)
Non-interference
”Low-security behavior of the program is not affected by anyhigh-security data.” Goguen & Meseguer 1982
H1 L
H ′1 L ′
H2 L
H ′2 L ′
∼L
∼L
∀s1, s2, s1 ∼L s2 ∧ P, s1 ⇓ s ′1 ∧ P, s2 ⇓ s ′2 =⇒ s ′1 ∼L s ′2
High = confidential Low = public
Marktoberdorf, August 2007 Compilation of certificates
![Page 16: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/16.jpg)
Non-interference
”Low-security behavior of the program is not affected by anyhigh-security data.” Goguen & Meseguer 1982
H1 L
H ′1 L ′
H2 L
H ′2 L ′
∼L
∼L
∀s1, s2, s1 ∼L s2 ∧ P, s1 ⇓ s ′1 ∧ P, s2 ⇓ s ′2 =⇒ s ′1 ∼L s ′2
High = confidential Low = public
Marktoberdorf, August 2007 Compilation of certificates
![Page 17: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/17.jpg)
Examples of insecure programs
Direct flow
load yHstore xLreturn
Indirect flow
load yHif 5push 0store xLreturn
Flow via return
load yHif 5push 1returnpush 0return
Flow via operand stack
push 0push 1load yHif 6swapstore xLreturn 0
Marktoberdorf, August 2007 Compilation of certificates
![Page 18: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/18.jpg)
Programs
A program is an array of instructions:
instr ::= prim op primitive operation| push v push value on top of stack| load x load value of x on stack| store x store top of stack in x| ifeq j conditional jump| goto j unconditional jump| return return
where:j ∈ P is a program pointv ∈ V is a valuex ∈ X is a variable
Marktoberdorf, August 2007 Compilation of certificates
![Page 19: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/19.jpg)
Semantics
States are of the form 〈i, ρ, s〉where:i : P is the program counterρ : X→ V maps variables to valuess : V? is the operand stack
Operational semantics is given by rules are of the form
P[i] = ins constraintss{ s ′
Evaluation semantics: P,µ ⇓ ν, v iff 〈1,µ, ε〉{? 〈ν, v〉, where{?
is the reflexive transitive closure of{
Marktoberdorf, August 2007 Compilation of certificates
![Page 20: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/20.jpg)
Semantics: rules
P[i] = prim op n1 op n2 = n
〈i, ρ, n1 :: n2 :: s〉{ 〈i + 1, ρ, n :: s〉P[i] = push n
〈i, ρ, s〉{ 〈i + 1, ρ, n :: s〉P[i] = load x
〈i, ρ, s〉{ 〈i + 1, ρ, ρ(x) :: s〉P[i] = store x
〈i, ρ, v :: s〉{ 〈i + 1, ρ(x := v), s〉P[i] = ifeq j
〈i, ρ, 0 :: s〉{ 〈j, ρ, s〉P[i] = ifeq j n , 0〈i, ρ, n :: s〉{ 〈i + 1, ρ, s〉
P[i] = goto j〈i, ρ, s〉{ 〈j, ρ, s〉
P[i] = return〈i, ρ, v :: s〉{ 〈ρ, v〉
Marktoberdorf, August 2007 Compilation of certificates
![Page 21: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/21.jpg)
Policy
A lattice of security levels S = {H, L} with L 6 HEach program is given a security signature: Γ : X→ S and kret.Γ determines an equivalence relation ∼L on memories: ρ ∼L ρ
′ iff
∀x ∈ X.Γ(x) 6 L⇒ ρ(x) = ρ ′(x)
Program P is non-interfering w.r.t. signature Γ , kret iff for everyµ,µ ′,ν,ν ′, v, v ′,
P,µ ⇓ ν, vP,µ ′ ⇓ ν ′, v ′
µ ∼L µ′
⇒ ν ∼L ν′ ∧ (kret 6 L⇒ v = v ′)
Marktoberdorf, August 2007 Compilation of certificates
![Page 22: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/22.jpg)
Type system
Transfer rules of the form
P[i] = ins constraintsi ` st⇒ st ′
P[i] = ins constraintsi ` st⇒
where st, st ′ ∈ S?.Types assign stack of security levels to program points
S : P→ S?
S ` P iff S1 = ε and for all i, j ∈ P
i 7→ j⇒ ∃st ′. i ` Si ⇒ st ′ ∧ st ′ 6 Sj;i 7→⇒ i ` Si ⇒
The transfer rules and typability relation are implicitly parametrizedby a signature Γ , kret and additional information (next slide)
Marktoberdorf, August 2007 Compilation of certificates
![Page 23: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/23.jpg)
Control dependence regionsApproximating the scope of branching statements
A program point j is in a control dependence region of a branching pointi if
j is reachable from i,there is a path from i to a return point which does not contain j
CDR can be computed using post-dominators of branching points.
Example :a must belong toregion(i)b does not necessarybelong to region(i)
exit
i
a
b
exit
exit
i
a
Marktoberdorf, August 2007 Compilation of certificates
![Page 24: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/24.jpg)
CDR usage : tracking implicit flows
In a typical type system for a structured language:
` exp : k [k1] ` c1 [k2] ` c2 k 6 k1 k 6 k2
[k] ` if exp then c1 else c2
In our contextse: a security environment that attaches a security level to eachprogram pointfor each branching point i, we constrain se(j) for all j ∈ region(i)
P[i] = ifeq i ′ ∀j ∈ region(i), k 6 se(j)i ` k :: st⇒ · · ·
Marktoberdorf, August 2007 Compilation of certificates
![Page 25: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/25.jpg)
CDR soundnessSOAP (Safe Over Approximation Properties)
CDR soundness is ensured by local conditions (instead of pathproperties) using region ∈ P→ ℘(P) and jun ∈ P ⇀ P.
SOAP1: for all program points i and allsuccessors j, k of i (i 7→ j and i 7→ k)such that j , k (i is hence abranching point), k ∈ region(i) ork = jun(i);
SOAP2: for all program points i, j, k, ifj ∈ region(i) and j 7→ k, then eitherk ∈ region(i) or k = jun(i);
SOAP3: for all program points i, j, ifj ∈ region(i) and j 7→ then jun(i) isundefined.
Marktoberdorf, August 2007 Compilation of certificates
![Page 26: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/26.jpg)
CDR soundnessSOAP (Safe Over Approximation Properties)
CDR soundness is ensured by local conditions (instead of pathproperties) using region ∈ P→ ℘(P) and jun ∈ P ⇀ P.
SOAP1: for all program points i and allsuccessors j, k of i (i 7→ j and i 7→ k)such that j , k (i is hence abranching point), k ∈ region(i) ork = jun(i);
SOAP2: for all program points i, j, k, ifj ∈ region(i) and j 7→ k, then eitherk ∈ region(i) or k = jun(i);
SOAP3: for all program points i, j, ifj ∈ region(i) and j 7→ then jun(i) isundefined.
exit
ij k
jun(i)
Marktoberdorf, August 2007 Compilation of certificates
![Page 27: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/27.jpg)
CDR soundnessSOAP (Safe Over Approximation Properties)
CDR soundness is ensured by local conditions (instead of pathproperties) using region ∈ P→ ℘(P) and jun ∈ P ⇀ P.
SOAP1: for all program points i and allsuccessors j, k of i (i 7→ j and i 7→ k)such that j , k (i is hence abranching point), k ∈ region(i) ork = jun(i);
SOAP2: for all program points i, j, k, ifj ∈ region(i) and j 7→ k, then eitherk ∈ region(i) or k = jun(i);
SOAP3: for all program points i, j, ifj ∈ region(i) and j 7→ then jun(i) isundefined.
exit
i
j
k
jun(i)
Marktoberdorf, August 2007 Compilation of certificates
![Page 28: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/28.jpg)
CDR soundnessSOAP (Safe Over Approximation Properties)
CDR soundness is ensured by local conditions (instead of pathproperties) using region ∈ P→ ℘(P) and jun ∈ P ⇀ P.
SOAP1: for all program points i and allsuccessors j, k of i (i 7→ j and i 7→ k)such that j , k (i is hence abranching point), k ∈ region(i) ork = jun(i);
SOAP2: for all program points i, j, k, ifj ∈ region(i) and j 7→ k, then eitherk ∈ region(i) or k = jun(i);
SOAP3: for all program points i, j, ifj ∈ region(i) and j 7→ then jun(i) isundefined.
exit
i
j
kjun(i)
Marktoberdorf, August 2007 Compilation of certificates
![Page 29: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/29.jpg)
CDR soundnessSOAP (Safe Over Approximation Properties)
CDR soundness is ensured by local conditions (instead of pathproperties) using region ∈ P→ ℘(P) and jun ∈ P ⇀ P.
SOAP1: for all program points i and allsuccessors j, k of i (i 7→ j and i 7→ k)such that j , k (i is hence abranching point), k ∈ region(i) ork = jun(i);
SOAP2: for all program points i, j, k, ifj ∈ region(i) and j 7→ k, then eitherk ∈ region(i) or k = jun(i);
SOAP3: for all program points i, j, ifj ∈ region(i) and j 7→ then jun(i) isundefined.
exit
exit
i
j
Marktoberdorf, August 2007 Compilation of certificates
![Page 30: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/30.jpg)
Transfer rules
P[i] = push ni ` st⇒ se(i) :: st
P[i] = binop opi ` k1 :: k2 :: st⇒ (k1 t k2) :: st
P[i] = load xi ` st⇒ (Γ(x) t se(i)) :: st
P[i] = store x se(i) t k 6 Γ(x)
i ` k :: st⇒ st
P[i] = goto ji ` st⇒ st
P[i] = return se(i) t k 6 kr
i ` k :: st⇒
P[i] = ifeq j ∀j ′ ∈ region(i), k 6 se(j ′)i ` k :: ε⇒ ε
Marktoberdorf, August 2007 Compilation of certificates
![Page 31: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/31.jpg)
SoundnessIf S ` P (w.r.t. se and cdr) then P is non-interfering.
Proof:Low (locally respects) unwinding lemma:If s ∼L s ′ and s{ t and s ′ { t ′ and transitions are typable, thent ∼L t ′, provided s · pc = s ′ · pcHigh (step consistent) unwinding lemma:If s ∼L s ′ and s{ t and transition is typable then t ∼L s ′, provideds · pc = i is a high program point and Si is highGluing lemmas for combining high and low unwinding lemmas(extensive use of SOAP properties)
pgflastimage
Marktoberdorf, August 2007 Compilation of certificates
![Page 32: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/32.jpg)
SoundnessIf S ` P (w.r.t. se and cdr) then P is non-interfering.
Proof:Low (locally respects) unwinding lemma:If s ∼L s ′ and s{ t and s ′ { t ′ and transitions are typable, thent ∼L t ′, provided s · pc = s ′ · pcHigh (step consistent) unwinding lemma:If s ∼L s ′ and s{ t and transition is typable then t ∼L s ′, provideds · pc = i is a high program point and Si is highGluing lemmas for combining high and low unwinding lemmas(extensive use of SOAP properties)
pgflastimage
Marktoberdorf, August 2007 Compilation of certificates
![Page 33: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/33.jpg)
Lightweight checking algorithm
Code provided with:regions (verified by a region checker),security environmenttype annotations for junction points (most often empty)
Program entry point is typed with the empty stackPropagation
Pick a program point i annotated with stCompute st ′ such that i ` st⇒ st ′. If there is no st ′, then rejectprogram.If st ′ exists, then for all successors j of i
if j is not yet annotated, annotated it with st ′if j is annotated with st ′′, check that st ′ 6 st ′′. If not, reject program
Marktoberdorf, August 2007 Compilation of certificates
![Page 34: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/34.jpg)
Type-preserving compilation
Source information flow type system offers a tool for developingsecure applications, but does not directly address mobile codeBytecode verifier provides information flow assurance to usersReconcile both views by showing that typable programs arecompiled into typable programs
∀P,` P =⇒ ∃S. S ` [[P]]
Must also compile regions and security environment
Marktoberdorf, August 2007 Compilation of certificates
![Page 35: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/35.jpg)
Source language
Programs are commands
c ::= x := e | if(e){c}{c} | while(e){c} | c; c | skip | return e
Security policy Γ : X→ S and kret
Volpano-Smith security type system
e : k k t pc 6 Γ(x)
[pc] ` x := e[pc] ` c [pc] ` c ′
[pc] ` c; c ′ [pc] ` skip
e : pc [pc] ` c1 [pc] ` c2
[pc] ` if(e){c1}{c2}
e : pc [pc] ` c[pc] ` while(e){c}
e : k k t pc 6 kret
[pc] ` return e
[pc] ` c pc ′ 6 pc[pc ′] ` c ′
e : k k 6 k ′
e : k ′
Marktoberdorf, August 2007 Compilation of certificates
![Page 36: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/36.jpg)
Compiler
[[x]] = load x[[v]] = push v
[[e1 op e2]] = [[e2]]; [[e1]]; binop op
k : [[x := e]] = [[e]]; store xk : [[i1; i2]] = k : [[i1]]; k2 : [[i2]]
where k2 = k + |[[i1]]|
k : [[return e]] = [[e]]; return
k : [[if(e1 cmp e2){i1}{i2}]] = [[e2]]; [[e1]]; if cmp k2; k1 : [[i1]]; goto l; k2 : [[i2]]where k1 = k + |[[e2]]| + |[[e1]]| + 1
k2 = k1 + |[[i1]]| + 1l = k2 + |[[i2]]|
k : [[while(e1 cmp e2){i}]] = [[e2]]; [[e1]]; if cmp k2; k1 : [[i]]; goto kwhere k1 = k + |[[e2]]| + |[[e1]]| + 1
k2 = k1 + |[[i]]| + 1
Marktoberdorf, August 2007 Compilation of certificates
![Page 37: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/37.jpg)
Semantics-preserving compilation
Compiler correctness
P,µ ⇓ ν, v implies [[P]],µ ⇓ ν, v
Consequences:Source programs non-interfering iff their compilation isnon-interfering
∀P, P is non-interfering⇐⇒ [[P]] is non-interfering
Type-preservation entails soundness of source type system:
∀P, ` P =⇒ P is non-interfering
However, preservation of typing is not a consequence of compilercorrectness
Marktoberdorf, August 2007 Compilation of certificates
![Page 38: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/38.jpg)
Compiling regions and security environment
Regions are compiled by induction on structure of programsSecurity environment and type annotations computed fromtyping derivation
if(yH){x := 1}{x := 2};x ′ := 3;return 2
load yH L ε
ifeq 6 L H : εpush 1 H ∈ region(2) ε
store x H ∈ region(2) H : εgoto 8 H ∈ region(2) ε
push 2 H ∈ region(2) ε
store x H ∈ region(2) H : εpush 3 L = jun(2) ε
store x ′ L L : εpush 2 L ε
return L L : ε
Marktoberdorf, August 2007 Compilation of certificates
![Page 39: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/39.jpg)
Preservation of information flow types
For our (non-optimizing) compiler:If P is typable, then [[P]] is typable wrt security environment,regions, and type annotations generated by extended compiler.Furthemore, generated regions satisfy SOAP.For optimizing compilers, type preserving compilation may fail:
xH := n1 ∗ n2; yL := n1 ∗ n2 =⇒ xH := n1 ∗ n2; yL := xH
There may be easy fixes
Marktoberdorf, August 2007 Compilation of certificates
![Page 40: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/40.jpg)
Concurrency
Mobile code applications often exploit concurrencyConcurrent execution of secure sequential programs is notnecessarily secure:
if(yH > 0){skip; skip}{skip}; xL := 1||skip; skip; xL := 2
Using round robin scheduler with time slice one:if yH > 0 then xL := 1if not yH > 0 then xL := 2
Security of multi-threaded programs can be achieved:by imposing strong security conditions on programsby relying on secure schedulers
Marktoberdorf, August 2007 Compilation of certificates
![Page 41: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/41.jpg)
Secure schedulers
A secure scheduler selects the thread to be executed in function of thesecurity environment:
the thread pool is partitioned into low, high, and hidden threadsif a thread is hidden (currently executing under the scope of ahigh branching instruction), then only high threads arescheduledif the program counter of the last executed thread becomes high(resp. low), then the thread becomes hidden or high (resp. low)
Round-robin schedulers are secure, provided they take over controlwhen threads become high/low/hidden
Marktoberdorf, August 2007 Compilation of certificates
![Page 42: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/42.jpg)
Multi-threaded language
Instruction for dynamic thread creation start iStates 〈ρ, λ〉where λ associates to each active thread a pair 〈i, s〉.Semantics lifted from sequential fragment
pickt(〈ρ, λ〉, h) = ctid λ(ctid) = 〈i, s〉P[i] , start k 〈i, ρ, s〉{seq 〈i ′, ρ ′, s ′〉
〈ρ, λ〉{ 〈ρ ′, λ ′〉where
λ ′(tid) =
{〈i ′, s ′〉 if tid = ctidλ(tid) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 43: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/43.jpg)
Policy and type system
Policy and type system similar to sequential fragmentTransfer rules inherited from sequential fragment
P[i] , start j i `seq st⇒ st ′
i ` st⇒ st ′P[i] = start j se(i) 6 se(j)
i ` st⇒ st
Assume the scheduler is secure, type soundness and typepreservation can be lifted from sequential language:
Type soundness: same proof techniques (using extended SOAPproperties)Type preservation: parallel composition typed in the naive way
[pc] ` P [pc] ` Q[pc] ` P||Q
compiler generates security environment that prevents internaltiming leaks
Marktoberdorf, August 2007 Compilation of certificates
![Page 44: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/44.jpg)
Adding objects, exceptions and methods
We have formally proved in Coq the soundness of information flowtype system for a sequential JVM-like language, and extracted aninformation flow checker.
Main issue is with exceptions:
loss of precision due to explosion of control flowregions are parametrized by exceptionsmore complex signatures and typing rulesfor type-preserving compilation, loss of structure at source level
There are also interesting issues wrt dynamic object creation:heap L-equivalenceallocator may leak information
Marktoberdorf, August 2007 Compilation of certificates
![Page 45: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/45.jpg)
Adding objects, exceptions and methods
We have formally proved in Coq the soundness of information flowtype system for a sequential JVM-like language, and extracted aninformation flow checker.
Main issue is with exceptions:
loss of precision due to explosion of control flowregions are parametrized by exceptionsmore complex signatures and typing rulesfor type-preserving compilation, loss of structure at source level
There are also interesting issues wrt dynamic object creation:heap L-equivalenceallocator may leak information
Marktoberdorf, August 2007 Compilation of certificates
![Page 46: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/46.jpg)
A three-stage typing system
1 preliminary analysis in order toreduce control flow graph
null pointersarray accesses. . .
2 CDR analyser computes controldependence regions
3 IF (Information Flow) analysercomputes a security environmentand a type
TCB
program
PA analyser
CDR analyser
IF analyser
PA checker
CDR checker
IF checker
diagnostic
annots.
annots.
annots.
Marktoberdorf, August 2007 Compilation of certificates
![Page 47: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/47.jpg)
Information flow type system
Type annotations required on programs:ft : F → S attaches security levels to fields,each method posseses one (or several) signature(s):
~kvkh−→ ~kr
~kv provides the security level of the method parameterskh: effect of the method on the heap~kr is a record of security levels of the form {n : kn, e1 : ke1 , . . . en : ken }
kn is the security level of the return value (normal termination),ki is the security level of each exception ei that might be propagated bythe method
Marktoberdorf, August 2007 Compilation of certificates
![Page 48: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/48.jpg)
Typing judgment
General formP[i] = ins constraints
Γ , ft, region, se, sgn, i `τ st⇒ st ′
Invokation
Pm[i] = invokevirtual mID ΓmID [k] = ~k′a
k′h−→ ~k′r
kt kh t se(i) 6 k′h k 6 ~k′
a [0] ∀i ∈ [0, length(st1) − 1], st1[i] 6 ~k′a [i + 1]
e ∈ excAnalysis(mID)∪ {np} ∀j ∈ region(i, e), kt ~k′r [e] 6 se(j) Handler(i, e) = t
Γ , region, se, ~kakh−→ ~kr, i `e st1 :: k :: st2 ⇒ (kt ~k′
r [e]) :: ε
other 60 typing rules...
Marktoberdorf, August 2007 Compilation of certificates
![Page 49: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/49.jpg)
Example of typable program
i n t m( boolean x ,C y ) throws C {
i f ( x ) { throw new C ( ) ; }e l s e {y . f = 3 ; } ;re turn 1 ;
}
1 load x2 ifeq 53 new C4 throw5 load y6 push 37 putfield f8 push 19 return
m : (x : L, y : H)H−→ {n : H, C : L, np : H}
kh = H: no side effect on low fields~kr[n] = H: result depends on ytermination by an exception C does not depend on ybut termination by a null pointer exception does
Marktoberdorf, August 2007 Compilation of certificates
![Page 50: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/50.jpg)
Justifying fine grain treatment of exceptions
try {z = o.m(x,y);} catch (NullPointerException z) {}; t = 1;
0 : load oL1 : load yH2 : load xL3 : invokevirtual m4 : store zH5 : push 16 : store tL
handler : [0, 3], NullPointer→ 4
0 1 2
3
4
5
6
np
∅ ∅
∅C
∅
∅
∅
Marktoberdorf, August 2007 Compilation of certificates
![Page 51: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/51.jpg)
Justifying fine grain treatment of exceptions
try {z = o.m(x,y);} catch (NullPointerException z) {}; t = 1;
0 : load oL1 : load yH2 : load xL3 : invokevirtual m4 : store zH5 : push 16 : store tL
handler : [0, 3], NullPointer→ 4
0 1 2
3
4
5
6
np
∅ ∅
∅C
∅
∅
∅
Naive treatment of exceptions[4,5,6] is a high region (depends on yH): tL = 1 is rejected
Marktoberdorf, August 2007 Compilation of certificates
![Page 52: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/52.jpg)
Justifying fine grain treatment of exceptions
try {z = o.m(x,y);} catch (NullPointerException z) {}; t = 1;
0 : load oL1 : load yH2 : load xL3 : invokevirtual m4 : store zH5 : push 16 : store tL
handler : [0, 3], NullPointer→ 4
0 1 2
3
4
5
6
np
∅ ∅
∅C
∅
∅
∅
Treating each exception separately[4,5,6] is a low region: tL = 1 is accepted
Marktoberdorf, August 2007 Compilation of certificates
![Page 53: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/53.jpg)
Summary
We have developed:Sound information flowbytecode verifier forsequential fragment of JVMType-preserving compilerfor Java
Next goal is to providesupport for realisticapplications:
more flexible type systemmore flexible policies
Trusted declassifierCryptography
Other goalscertifying compilationdistribution by compilation
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Marktoberdorf, August 2007 Compilation of certificates
![Page 54: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/54.jpg)
Declassification (from A. Sabelfeld)
Marktoberdorf, August 2007 Compilation of certificates
![Page 55: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/55.jpg)
Final remarks on machine-checked proofs
Implementing an information flow type checker for JVM is anon-trivial taskDo you trust your implementation? Do you trust thenon-interference proof?
We have used the Coq proof assistantto formally define non-interference,to formally specify information flow type system,to mechanically prove that typability enforces non-interference,to program a type checker and prove it enforces typability,to extract an Ocaml implementation of this type checker.
Marktoberdorf, August 2007 Compilation of certificates
![Page 56: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/56.jpg)
Machine-checked proof: structure
1 Basis : JVM program and small-step semantics formalisation(Bicolano)
2 Intermediate semantics:operates on annotated programsmethod calls are big-step (simpler definition of ∼L withoutcallstacks; inappropriate for multi-threading)
3 Implementation and correctness proof of the CDR checker4 Implementation and correctness proof of the information flow
type system
Human effortabout 20,000 lines of definitions and proofs with a reasonableCoq style programming,about 3,000 lines are only there to define the JVM semantics
Marktoberdorf, August 2007 Compilation of certificates
![Page 57: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/57.jpg)
Architecture revisited
Since we prove these checkers in Coq,TCB is in fact relegated to Coq and theformal definition of non-interference.
Similar to Appel’s FoundationalPCCWe exploit reflection to achievesmall certificates
TCB
program
PA analyser
CDR analyser
IF analyser
PA checker
CDR checker
IF checker
diagnostic
annots.
annots.
annots.
Coq+
NI definition
TCB
proof
Marktoberdorf, August 2007 Compilation of certificates
![Page 58: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/58.jpg)
Architecture revisited
Since we prove these checkers in Coq,TCB is in fact relegated to Coq and theformal definition of non-interference.
Similar to Appel’s FoundationalPCCWe exploit reflection to achievesmall certificates
program
PA analyser
CDR analyser
IF analyser
PA checker
CDR checker
IF checker
diagnostic
annots.
annots.
annots.
Coq+
NI definition
TCB
proof
Marktoberdorf, August 2007 Compilation of certificates
![Page 59: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/59.jpg)
Architecture revisited
Since we prove these checkers in Coq,TCB is in fact relegated to Coq and theformal definition of non-interference.
Similar to Appel’s FoundationalPCCWe exploit reflection to achievesmall certificates
program
PA analyser
CDR analyser
IF analyser
PA checker
CDR checker
IF checker
diagnostic
annots.
annots.
annots.
Coq+
NI definition
TCB
proof
Marktoberdorf, August 2007 Compilation of certificates
![Page 60: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/60.jpg)
Compilation of certificates
Gilles Barthe
INRIA Sophia-Antipolis Mediterranee, France
Marktoberdorf, August 2007 Compilation of certificates
![Page 61: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/61.jpg)
Part 2: Verification condition generationG. Barthe, T. Rezk and A. Saabas, Preservation of proofobligations, FAST’05G. Barthe, B. Gregoire and M. Pavlova, Preservation of proofobligations for Java, 2007G. Barthe, B. Gregoire, C. Kunz and T. Rezk, Certificatetranslation for optimizing compilers, SAS’06
Marktoberdorf, August 2007 Compilation of certificates
![Page 62: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/62.jpg)
Motivation: source code verification
Traditional PCC
Producer Consumer
ProofChecker OK
Source Program Compiler
VCGen
VerificationConditions
Prover Certificate
Execution
VCGen
VerificationConditions
CompiledProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 63: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/63.jpg)
Motivation: source code verification
Source Code Verification
VCGen
VerificationConditions
Prover Certificate
Producer Consumer
ProofChecker OK
Source Program Compiler Execution
VCGen
VerificationConditions
CompiledProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 64: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/64.jpg)
Motivation: source code verification
Certificate Translation
VCGen
VerificationConditions
Prover CertificateCertificate
CertificateTranslator
Producer Consumer
ProofChecker OK
Source Program Compiler Execution
VCGen
VerificationConditions
CompiledProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 65: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/65.jpg)
Certificate translation vs certifying compilation
ProgramSource Compiler
VCGen
VerificationConditions
Prover ProofCheckerCertificate
VCGen
VerificationConditions
CompiledProgram
OK
ExecutionProgramSource
VCGen
VerificationConditions
Prover CertificateCertificate
Compiler
ProofChecker
VCGen
VerificationConditions
CompiledProgram
OK
Execution
CertificateTranslator
Conventional PCC Certificate Translation
Automatically inferredinvariants
Specification Interactive
Automatic certifyingcompiler
Verification Interactive sourceverification
Safety Properties Complex functionalproperties
Marktoberdorf, August 2007 Compilation of certificates
![Page 66: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/66.jpg)
Certificate translation vs certified compilation
Certified compilation aims at producing a proof term H such that
H : ∀P µ ν, P, µ ⇓ ν =⇒ [[P]], µ ⇓ ν
Thus, we can build a proof term H ′ : {φ}[[P]]{ψ} from H andH0 : {φ}P{ψ}
ProgramSource
ProofChecker OKCompilation
CertificateProducer Consumer
CompiledProgram
ExecutionCompiler
* encapsulating
source program
* limited to input output properties
compiler definition
must be available
Marktoberdorf, August 2007 Compilation of certificates
![Page 67: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/67.jpg)
Program Specification
{pre}ins1{ϕ1}ins2...{ϕ2}insk{post}
Assertions: formulae attached to a program point,characterizing the set of execution states at that point.Instructions are possibly annotated:
Possibly annotated instructions
ins ::= ins | 〈ϕ, ins〉
A partially annotated program is a triple 〈P,Φ,Ψ〉 s.t.Φ is a precondition and Ψ is a postconditionP is a sequence of possibly annotated instructions
Marktoberdorf, August 2007 Compilation of certificates
![Page 68: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/68.jpg)
Program Specification
{pre}ins1{ϕ1}ins2...{ϕ2}insk{post}
Assertions: formulae attached to a program point,characterizing the set of execution states at that point.Instructions are possibly annotated:
Possibly annotated instructions
ins ::= ins | 〈ϕ, ins〉
A partially annotated program is a triple 〈P,Φ,Ψ〉 s.t.Φ is a precondition and Ψ is a postconditionP is a sequence of possibly annotated instructions
Marktoberdorf, August 2007 Compilation of certificates
![Page 69: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/69.jpg)
Program Specification
{pre}ins1{ϕ1}ins2...{ϕ2}insk{post}
Assertions: formulae attached to a program point,characterizing the set of execution states at that point.Instructions are possibly annotated:
Possibly annotated instructions
ins ::= ins | 〈ϕ, ins〉
A partially annotated program is a triple 〈P,Φ,Ψ〉 s.t.Φ is a precondition and Ψ is a postconditionP is a sequence of possibly annotated instructions
Marktoberdorf, August 2007 Compilation of certificates
![Page 70: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/70.jpg)
Program Specification
{pre}ins1{ϕ1}ins2...{ϕ2}insk{post}
Assertions: formulae attached to a program point,characterizing the set of execution states at that point.Instructions are possibly annotated:
Possibly annotated instructions
ins ::= ins | 〈ϕ, ins〉
A partially annotated program is a triple 〈P,Φ,Ψ〉 s.t.Φ is a precondition and Ψ is a postconditionP is a sequence of possibly annotated instructions
Marktoberdorf, August 2007 Compilation of certificates
![Page 71: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/71.jpg)
Program Specification
{pre}ins1{ϕ1}ins2...{ϕ2}insk{post}
Assertions: formulae attached to a program point,characterizing the set of execution states at that point.Instructions are possibly annotated:
Possibly annotated instructions
ins ::= ins | 〈ϕ, ins〉
A partially annotated program is a triple 〈P,Φ,Ψ〉 s.t.Φ is a precondition and Ψ is a postconditionP is a sequence of possibly annotated instructions
Marktoberdorf, August 2007 Compilation of certificates
![Page 72: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/72.jpg)
VCGen
A verification Condition Generator (VCGen):1 fully annotates a program2 extracts a set of proof obligations
Specification Theorem Prover
VCGen Proof Obligations Certificate
Program+
Marktoberdorf, August 2007 Compilation of certificates
![Page 73: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/73.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 74: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/74.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 75: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/75.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 76: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/76.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 77: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/77.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 78: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/78.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 79: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/79.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 80: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/80.jpg)
Weakest precondition calculus
Computes an assertion for a given program node only if the correspondingassertion has been already computed for all successor nodes
Sufficiently annotated program
All infinite paths must go through an annotated program point
Weakest precondition wpL(k) of programpoint k
wpL(k) = φ if P[k ] = 〈φ, i〉wpL(k) = wpi (k) otherwise
Marktoberdorf, August 2007 Compilation of certificates
![Page 81: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/81.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5 5 = 5store x os[>] = 5{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 82: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/82.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5 5 = 5store x os[>] = 5{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 83: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/83.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5
5 = 5
store x
os[>] = 5
{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 84: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/84.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5
5 = 5
store x os[>] = 5{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 85: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/85.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5 5 = 5store x os[>] = 5{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 86: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/86.jpg)
Assertions
Annotations do not refer to stacksIntermediate assertions may do so
{true}push 5 5 = 5store x os[>] = 5{x = 5}
Stack indices
k ::= > | > − i
Expressions
e ::= res | x? | x | c | e op e | os[k ]
Assertions
φ ::= e cmp e | ¬φ | φ ∧ φ | φ ∨ φ | φ⇒ φ∀x . φ | ∃x . φ
Marktoberdorf, August 2007 Compilation of certificates
![Page 87: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/87.jpg)
Weakest precondition
if P[k ] = push n then
wpi (k) = wpL(k + 1)[n/os[>],>/>− 1]
if P[k ] = binop op then
wpi (k) = wpL(k + 1)[os(>− 1) op os[>]/os[>],>− 1/>]
if P[k ] = load x then
wpi (k) = wpL(k + 1)[x/os[>],>/>− 1]
if P[k ] = store x then
wpi (k) = wpL(k + 1)[os[>]/x ,>− 1/>]
if P[k ] = if cmp l then
wpi (k) = (os[>− 1] cmp os[>]⇒ wpL(k + 1)[>− 2/>])∧(¬(os[>− 1] cmp os[>])⇒ wpL(l)[>− 2/>])
if P[k ] = goto l then wpi (k) = wpL(l)if P[k ] = return then wpi (k) = Ψ[os[>]/res]
Marktoberdorf, August 2007 Compilation of certificates
![Page 88: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/88.jpg)
Verification conditions
Proof obligations PO(P,Φ,Ψ)
Precondition implies the weakest precondition of entry point:
Φ⇒ wpL(1)
For all annotated program points (P[k ] = 〈ϕ, i〉), the annotation ϕimplies the weakest precondition of the instruction at k :
ϕ⇒ wpi (k)
An annotated program is correct if its verification conditions are valid.
Marktoberdorf, August 2007 Compilation of certificates
![Page 89: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/89.jpg)
Soundness
Define validity of assertions:s |= φ
µ, s |= φ (shorthand µ, ν |= φ if φ does not contain stack indices)
If (P,Φ,Ψ) is correct, andP, µ ⇓ ν, vµ |= Φ
thenµ, ν |= Ψ[v/res]
Furthermore, all intermediate assertions are verified
Proof idea: if s s′ and s · pc = k and s′ · pc = k ′,
µ, s |= wpi (k) =⇒ µ, s′ |= wpL(k ′)
Marktoberdorf, August 2007 Compilation of certificates
![Page 90: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/90.jpg)
Source language
Same assertions, without stack expressionsAnnotated programs (P,Φ,Ψ), with all loops annotatedwhileI(t){s}Weakest precondition
wpS(skip, ψ) = ψ, ∅ wpS(x := e, ψ) = ψ[e/x ], ∅
wpS(it , ψ) = φt , θt wpS(if , ψ) = φf , θfwpS(if(t){it}{if}, ψ) = (t ⇒ φt ) ∧ (¬t ⇒ φt ), θt ∪ θf
wpS(i , I) = φ, θwpS(whileI(t){i}, ψ) = I, {I ⇒ ((t ⇒ φ) ∧ (¬t ⇒ ψ))} ∪ θ
wpS(i2, ψ) = φ2, θ2 wpS(i1, φ2) = φ1, θ1
wpS(i1; i2, ψ) = φ1, θ1 ∪ θ2
Marktoberdorf, August 2007 Compilation of certificates
![Page 91: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/91.jpg)
Preservation of proof obligationsNon-optimizing compiler
Syntactically equal proof obligations
PO(P, φ, ψ) = PO([[P]], φ, ψ)
Marktoberdorf, August 2007 Compilation of certificates
![Page 92: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/92.jpg)
Preservation of proof obligationsNon-optimizing compiler
Syntactically equal proof obligations
PO(P, φ, ψ) = PO([[P]], φ, ψ)
VCGen
VerificationConditions
Prover Certificate
Producer Consumer
ProofChecker OK
Source Program Compiler Execution
VCGen
VerificationConditions
CompiledProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 93: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/93.jpg)
Preservation of proof obligationsNon-optimizing compiler
Syntactically equal proof obligations
PO(P, φ, ψ) = PO([[P]], φ, ψ)
VCGen
VerificationConditions
Prover CertificateCertificate
Producer Consumer
ProofChecker OK
Source Program Execution
VCGen
VerificationConditions
CompiledProgram
Preservation ofProof Obligations
CompilerNon−optimizing
Marktoberdorf, August 2007 Compilation of certificates
![Page 94: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/94.jpg)
Preservation of proof obligationsNon-optimizing compiler
Syntactically equal proof obligations
PO(P, φ, ψ) = PO([[P]], φ, ψ)
VCGen
VerificationConditions
Prover CertificateCertificate
Producer Consumer
ProofChecker OK
Source Program Execution
VCGen
VerificationConditions
CompiledProgram
Preservation ofProof Obligations
CompilerNon−optimizing
Marktoberdorf, August 2007 Compilation of certificates
![Page 95: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/95.jpg)
Adding objects, exceptions, methods
We have formally proved in Coq the soundness of VC generator for asequential JVM-like language, and proved (almost) PPO for Java
Main points:Methods:
pre- and post-conditions to ensure modular reasoningbehavioral subtyping: method overriding should preserve spec
Exceptions:loss of precision due to explosion of control flow: preliminaryanalyses (as in information flow)exceptional postconditions must be considered
For PPO: renaming, booleans, simple optimizationsHowever:
many challenges in verification of sequential OO programsconcurrency (semantics and verification) is another challenge
Marktoberdorf, August 2007 Compilation of certificates
![Page 96: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/96.jpg)
Remark on machine-checked proof
Implementing a verification condition generator for JVM is anon-trivial taskDo you trust your implementation? And the soundness proof?
We have used the Coq proof assistantto formally specify the verification condition generator,to mechanically prove that valid proof obligations imply validity ofannotations.
The development is structured in two layers:1 Basis : JVM program and small-step semantics formalisation
(Bicolano)2 Intermediate semantics:
operates on annotated programsmethod calls are big-step
Marktoberdorf, August 2007 Compilation of certificates
![Page 97: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/97.jpg)
Tools: Java Modeling Language
There is a range of tools that support deductive verification of Javaapplications. Many tools use JML as specification language.
Annotation language for Javapre- and post-conditions and invariants written as specialcommentsUses Java-like notationAnnotations are side-effect-free Java expressions + some extrakeywords (\exists, \forall, \old(−), \result. . . )Developed by Leavens et.al., Iowa State UniversityDifferent tools available to validate, reason or generate JMLannotations
Marktoberdorf, August 2007 Compilation of certificates
![Page 98: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/98.jpg)
Example
/*@ exceptional_behavior@ requires arg == null;@ signals (NullPointerException) true;@ also@ behavior@ requires arg != null;@ ensures \result == arg[0];@ signals (IndexOutOfBoundsException)@ arg.length == 0;@*/
Object firstElement (Object [] arg) {return arg[0];
}
Marktoberdorf, August 2007 Compilation of certificates
![Page 99: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/99.jpg)
Tools: verification
Many tools to validate Java applications annotated with JML: testing,run-time checking, model-checking. . .and deductive verification tools:
ESC/Java: extended static checking, uses intermediate language(guarded commands)JACK: backwards propagation of invariants, support for nativemethods, support for bytecode (BML)Krakatoa/Why: uses intermediate language, also supports C(Caduceus)Jive: uses Hoare logic
Also relevant: JSR 308, Spec# for C#
Marktoberdorf, August 2007 Compilation of certificates
![Page 100: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/100.jpg)
Summary
We have developed:Sound VC generator forsequential fragment of JVMPPO for Java
Next goal is to providesupport for realisticapplications:
more specificationconstructslink with JML-based tools
Other goalscertificate generationoptimisationsconcurrency
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 101: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/101.jpg)
Optimizing Compilers
VCGen
VerificationConditions
Prover CertificateCertificate
Producer Consumer
ProofChecker OK
Source Program Execution
VCGen
VerificationConditions
CompiledProgram
Preservation ofProof Obligations
CompilerNon−optimizing
Proofs obligations might not be preserved
annotations might need to be modified (e.g. constant propagation)
certificates for analyzers might be needed (certifying analyzer)
analyses might need to be modified (e.g. dead variable elimination)
Marktoberdorf, August 2007 Compilation of certificates
![Page 102: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/102.jpg)
Optimizing Compilers
VCGen
VerificationConditions
Prover CertificateCertificate
VCGenCompiledProgram Optimizer
Producer Consumer
ProofChecker OK
Source Program Execution
VerificationConditions
Preservation ofProof Obligations
CompilerNon−optimizing Optimized
Program
Proofs obligations might not be preserved
annotations might need to be modified (e.g. constant propagation)
certificates for analyzers might be needed (certifying analyzer)
analyses might need to be modified (e.g. dead variable elimination)
Marktoberdorf, August 2007 Compilation of certificates
![Page 103: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/103.jpg)
Optimizing Compilers
VCGen
VerificationConditions
Prover CertificateCertificate
VCGenCompiledProgram Optimizer
Producer Consumer
ProofChecker OK
Source Program Execution
VerificationConditions
Preservation ofProof Obligations
CompilerNon−optimizing Optimized
Program
Proofs obligations might not be preserved
annotations might need to be modified (e.g. constant propagation)
certificates for analyzers might be needed (certifying analyzer)
analyses might need to be modified (e.g. dead variable elimination)
Marktoberdorf, August 2007 Compilation of certificates
![Page 104: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/104.jpg)
Certificate Translation with Certifying Analyzers
Specification of f
Program f
Specification of fA
(RESA)
Certificate for f
Certificate for fACertificate for f
Program fOptimized
Analyzer
VerificationInteractive
CertificateTranslator
AnalyzerCertifying
CompilerOptimizing
TCB
VC Gen
ProofChecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 105: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/105.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 106: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/106.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 107: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/107.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 108: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/108.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 109: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/109.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 110: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/110.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{x ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Program+
Specification
WeakestPrecondition(no fixpoint to compute)
Fully AnnotatedProgram
Marktoberdorf, August 2007 Compilation of certificates
![Page 111: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/111.jpg)
Motivating example
{j = 0}{j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0}i := 0;{j = (b + i) ∗ i ∧ b ≤ (b + i) ∧ 0 ≤ i}x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + ij := x ∗ i;
endwhile;{n ∗ b ≤ j}
Set of Proof Obligations:
j = 0⇒ j = (b + 0) ∗ 0 ∧ b ≤ (b + 0) ∧ 0 ≤ 0
j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i 6= n⇒x ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i
j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i = n⇒ n ∗ b ≤ j
Marktoberdorf, August 2007 Compilation of certificates
![Page 112: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/112.jpg)
Constant propagation analysis
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b + i;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 113: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/113.jpg)
Program transformation
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := x ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 114: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/114.jpg)
Program transformation
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 115: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/115.jpg)
WP Computation of optimized program
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 116: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/116.jpg)
WP Computation of optimized program
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 117: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/117.jpg)
WP Computation of optimized program
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 118: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/118.jpg)
WP Computation of optimized program
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 119: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/119.jpg)
WP Computation of optimized program
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}
(i , 0)→ x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}
(x , b)→ i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}
(x , b)→ j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Marktoberdorf, August 2007 Compilation of certificates
![Page 120: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/120.jpg)
Proof Obligations
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Proof Obligations:
1 j = 0⇒ j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0
2j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i 6= n⇒ b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i
3 j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i = n⇒ n ∗ b ≤ j
Marktoberdorf, August 2007 Compilation of certificates
![Page 121: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/121.jpg)
Proof Obligations
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Proof Obligations:
1 j = 0⇒ j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0
2j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i 6= n Unprovable
withoutknowingx = b
⇒ b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i
3 j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i = n⇒ n ∗ b ≤ j
Marktoberdorf, August 2007 Compilation of certificates
![Page 122: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/122.jpg)
Proof Obligations
{j = 0}{j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0}i := 0;{j = b ∗ i ∧ b ≤ b ∧ 0 ≤ i}x := b;{Inv : j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i∧x = b}while(i! = n){b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i}i := c + i{b ∗ i = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}j := b ∗ i;{j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i}endwhile;{n ∗ b ≤ j}
Proof Obligations:
1 j = 0⇒ j = b ∗ 0 ∧ b ≤ b ∧ 0 ≤ 0
2j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i∧x = b ∧ i 6= n Solution:
strengthenannotations
⇒ b ∗ (c + i) = x ∗ (c + i) ∧ b ≤ x ∧ 0 ≤ c + i
3 j = x ∗ i ∧ b ≤ x ∧ 0 ≤ i ∧ i = n⇒ n ∗ b ≤ j
Marktoberdorf, August 2007 Compilation of certificates
![Page 123: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/123.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2∧ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3∧ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 124: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/124.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2∧ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3∧ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 125: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/125.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2∧ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3∧ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 126: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/126.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2∧ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3∧ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 127: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/127.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2)∧wp(S1, ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3)∧wp(S2, ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 128: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/128.jpg)
Strengthening annotations
allows to verify proof obligations of original program
but also introduces new proof obligations
S1{ϕ1}S2{ϕ2}S3{ϕ3}
ϕ1 ⇒ wp(S1, ϕ2)
ϕ2 ⇒ wp(S2, ϕ3)
S1{ϕ1∧ψ1}S2{ϕ2∧ψ2}S3{ϕ3∧ψ3}
ϕ1∧ψ1 ⇒ wp(S1, ϕ2)∧wp(S1, ψ2)
ϕ2∧ψ2 ⇒ wp(S2, ϕ3)∧wp(S2, ψ3)
If the analysis is correct,
ψ1 ⇒ wp(S1, ψ2)
ψ2 ⇒ wp(S2, ψ3)
are valid proof obligations.
Marktoberdorf, August 2007 Compilation of certificates
![Page 129: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/129.jpg)
Certifying/Proof producing analyzer
A certifying analyzer extends a standard analyzer with a procedurethat generates a certificate for the result of the analysis
Certifying analyzers exist under mild hypotheses:results of the analysis expressible as assertionsabstract transfer functions are correct w.r.t. wp. . .
Ad hoc construction of certificates yields compact certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 130: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/130.jpg)
Certifying/Proof producing analyzer
A certifying analyzer extends a standard analyzer with a procedurethat generates a certificate for the result of the analysis
Certifying analyzers exist under mild hypotheses:results of the analysis expressible as assertionsabstract transfer functions are correct w.r.t. wp. . .
Ad hoc construction of certificates yields compact certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 131: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/131.jpg)
Certifying/Proof producing analyzer
A certifying analyzer extends a standard analyzer with a procedurethat generates a certificate for the result of the analysis
Certifying analyzers exist under mild hypotheses:results of the analysis expressible as assertionsabstract transfer functions are correct w.r.t. wp. . .
Ad hoc construction of certificates yields compact certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 132: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/132.jpg)
Certifying analysis for constant propagation
{true}{b = b}i := 0;{b = b}x := b;{Inv : x = b}while(i! = n){x = b}i := c + i{x = b}j := b ∗ i;{x = b}endwhile;{true}
Marktoberdorf, August 2007 Compilation of certificates
![Page 133: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/133.jpg)
Certifying analysis for constant propagation
{true}{b = b}i := 0;{b = b}x := b;{Inv : x = b}while(i! = n){x = b}i := c + i{x = b}j := b ∗ i;{x = b}endwhile;{true}
With proof obligations:x = b ∧ i = n⇒ truex = b ∧ i 6= n⇒ x = btrue⇒ b = b
Marktoberdorf, August 2007 Compilation of certificates
![Page 134: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/134.jpg)
{φ1} + {φA1} → {φ1 ∧ φA
1} {φ′1 ∧ φA1}
S1 S1 S1 → SO1
{φ2} + {φA2} → {φ2 ∧ φA
2} {φ′2 ∧ φA2}
S2 S2 S2 → SO2
... +... →
......
Sn−1 Sn−1 Sn−1 → SOn−1
{φn} + {φAn} → {φn ∧ φA
n} {φ′n ∧ φAn}
Sn Sn Sn → SOn
Translation consists of:1 Specifying and certifying automatically the result of the analysis2 Merging annotations (trivial)3 Merging certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 135: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/135.jpg)
{φ1} + {φA1} → {φ1 ∧ φA
1} {φ′1 ∧ φA1}
S1 S1 S1 → SO1
{φ2} + {φA2} → {φ2 ∧ φA
2} {φ′2 ∧ φA2}
S2 S2 S2 → SO2
... +... →
......
Sn−1 Sn−1 Sn−1 → SOn−1
{φn} + {φAn} → {φn ∧ φA
n} {φ′n ∧ φAn}
Sn Sn Sn → SOn
Translation consists of:1 Specifying and certifying automatically the result of the analysis2 Merging annotations (trivial)3 Merging certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 136: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/136.jpg)
{φ1} + {φA1} → {φ1 ∧ φA
1} {φ′1 ∧ φA1}
S1 S1 S1 → SO1
{φ2} + {φA2} → {φ2 ∧ φA
2} {φ′2 ∧ φA2}
S2 S2 S2 → SO2
... +... →
......
Sn−1 Sn−1 Sn−1 → SOn−1
{φn} + {φAn} → {φn ∧ φA
n} {φ′n ∧ φAn}
Sn Sn Sn → SOn
Translation consists of:1 Specifying and certifying automatically the result of the analysis2 Merging annotations (trivial)3 Merging certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 137: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/137.jpg)
{φ1} + {φA1} → {φ1 ∧ φA
1} {φ′1 ∧ φA1}
S1 S1 S1 → SO1
{φ2} + {φA2} → {φ2 ∧ φA
2} {φ′2 ∧ φA2}
S2 S2 S2 → SO2
... +... →
......
Sn−1 Sn−1 Sn−1 → SOn−1
{φn} + {φAn} → {φn ∧ φA
n} {φ′n ∧ φAn}
Sn Sn Sn → SOn
Translation consists of:1 Specifying and certifying automatically the result of the analysis2 Merging annotations (trivial)3 Merging certificates
Marktoberdorf, August 2007 Compilation of certificates
![Page 138: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/138.jpg)
Certificates
Merging of certificates is not tied to a particular certificate format, butto the existence of functions to manipulate them.
Proof algebra
axiom : P(Γ; A; ∆ ` A)ring : P(Γ ` n1 = n2) if n1 = n2 is a ring equalityintro⇒ : P(Γ; A ` B)→ P(Γ ` A⇒ B)elim⇒ : P(Γ ` A⇒ B)→ P(Γ ` A)→ P(Γ ` B)elim= : P(Γ ` e1 = e2)→ P(Γ ` A[e1/r ])→ P(Γ ` A[e2/r ])subst : P(Γ ` A)→ P(Γ[e/r ] ` A[e/r ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 139: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/139.jpg)
Merging certificatesWe need to build from the original and analysis certificates:
φ1 ⇒ wp(S, φ2)———————{φ1}S{φ2}
a1 ⇒ wp(S, a2)——————{a1}S{a2}
the certificate for the optimized program:
φ1 ∧ a1 ⇒ wp(S′, φ2 ∧ a2)———————————{φ1 ∧ a1}S′{φ2 ∧ a2}
by using the gluing lemma
∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
where ins′ is the optimization of ins, and a is the result of the analysis
We really construct by well-founded induction a proof term of
wpP(k) ∧ a(k) =⇒ wpP′(k)
Marktoberdorf, August 2007 Compilation of certificates
![Page 140: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/140.jpg)
Merging certificatesWe need to build from the original and analysis certificates:
φ1 ⇒ wp(S, φ2)———————{φ1}S{φ2}
a1 ⇒ wp(S, a2)——————{a1}S{a2}
the certificate for the optimized program:
φ1 ∧ a1 ⇒ wp(S′, φ2 ∧ a2)———————————{φ1 ∧ a1}S′{φ2 ∧ a2}
by using the gluing lemma
∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
where ins′ is the optimization of ins, and a is the result of the analysis
We really construct by well-founded induction a proof term of
wpP(k) ∧ a(k) =⇒ wpP′(k)
Marktoberdorf, August 2007 Compilation of certificates
![Page 141: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/141.jpg)
Merging certificatesWe need to build from the original and analysis certificates:
φ1 ⇒ wp(S, φ2)———————{φ1}S{φ2}
a1 ⇒ wp(S, a2)——————{a1}S{a2}
the certificate for the optimized program:
φ1 ∧ a1 ⇒ wp(S′, φ2 ∧ a2)———————————{φ1 ∧ a1}S′{φ2 ∧ a2}
by using the gluing lemma
∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
where ins′ is the optimization of ins, and a is the result of the analysis
We really construct by well-founded induction a proof term of
wpP(k) ∧ a(k) =⇒ wpP′(k)
Marktoberdorf, August 2007 Compilation of certificates
![Page 142: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/142.jpg)
Merging certificatesWe need to build from the original and analysis certificates:
φ1 ⇒ wp(S, φ2)———————{φ1}S{φ2}
a1 ⇒ wp(S, a2)——————{a1}S{a2}
the certificate for the optimized program:
φ1 ∧ a1 ⇒ wp(S′, φ2 ∧ a2)———————————{φ1 ∧ a1}S′{φ2 ∧ a2}
by using the gluing lemma
∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
where ins′ is the optimization of ins, and a is the result of the analysis
We really construct by well-founded induction a proof term of
wpP(k) ∧ a(k) =⇒ wpP′(k)
Marktoberdorf, August 2007 Compilation of certificates
![Page 143: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/143.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 144: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/144.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 145: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/145.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 146: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/146.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 147: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/147.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 148: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/148.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
If the value of e is known to be n, then
. . .y := e. . .
n=e−→. . .y := n. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid n = e
the weakest precondition applied to the transformed instruction
wp(y := n, ϕ) (≡ ϕ[n/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 149: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/149.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
{ϕ1}x := 5;{ϕ2}y := x{ϕ3}
{true}x := 5;{x = 5}y := x{x = 5}
{ϕ1 ∧ true}x := 5;{ϕ2 ∧ x = 5}y := 5{ϕ3 ∧ x = 5}
Original PO’s:
ϕ1 ⇒ ϕ2[5/x ]
ϕ2 ⇒ ϕ3[x/y ]
Analysis PO’s :
true⇒ 5 = 5
x = 5⇒ x = 5
Final PO’s:
ϕ1 ∧ true⇒ ϕ2[5/x ] ∧ 5 = 5
ϕ2∧x = 5⇒ ϕ3[5/y ]∧x = 5
Original and new proof obligations differ
With the gluing lemma (∀φ, e.x = e ∧ φ[x/y ]⇒ φ[e/y ]), the original POentails the new PO
Marktoberdorf, August 2007 Compilation of certificates
![Page 150: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/150.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
{ϕ1}x := 5;{ϕ2}y := x{ϕ3}
{true}x := 5;{x = 5}y := x{x = 5}
{ϕ1 ∧ true}x := 5;{ϕ2 ∧ x = 5}y := 5{ϕ3 ∧ x = 5}
Original PO’s:
ϕ1 ⇒ ϕ2[5/x ]
ϕ2 ⇒ ϕ3[x/y ]
Analysis PO’s :
true⇒ 5 = 5
x = 5⇒ x = 5
Final PO’s:
ϕ1 ∧ true⇒ ϕ2[5/x ] ∧ 5 = 5
ϕ2∧x = 5⇒ ϕ3[5/y ]∧x = 5
Original and new proof obligations differ
With the gluing lemma (∀φ, e.x = e ∧ φ[x/y ]⇒ φ[e/y ]), the original POentails the new PO
Marktoberdorf, August 2007 Compilation of certificates
![Page 151: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/151.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
{ϕ1}x := 5;{ϕ2}y := x{ϕ3}
{true}x := 5;{x = 5}y := x{x = 5}
{ϕ1 ∧ true}x := 5;{ϕ2 ∧ x = 5}y := 5{ϕ3 ∧ x = 5}
Original PO’s:
ϕ1 ⇒ ϕ2[5/x ]
ϕ2 ⇒ ϕ3[x/y ]
Analysis PO’s :
true⇒ 5 = 5
x = 5⇒ x = 5
Final PO’s:
ϕ1 ∧ true⇒ ϕ2[5/x ] ∧ 5 = 5
ϕ2∧x = 5⇒ ϕ3[5/y ]∧x = 5
Original and new proof obligations differ
With the gluing lemma (∀φ, e.x = e ∧ φ[x/y ]⇒ φ[e/y ]), the original POentails the new PO
Marktoberdorf, August 2007 Compilation of certificates
![Page 152: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/152.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
{ϕ1}x := 5;{ϕ2}y := x{ϕ3}
{true}x := 5;{x = 5}y := x{x = 5}
{ϕ1 ∧ true}x := 5;{ϕ2 ∧ x = 5}y := 5{ϕ3 ∧ x = 5}
Original PO’s:
ϕ1 ⇒ ϕ2[5/x ]
ϕ2 ⇒ ϕ3[x/y ]
Analysis PO’s :
true⇒ 5 = 5
x = 5⇒ x = 5
Final PO’s:
ϕ1 ∧ true⇒ ϕ2[5/x ] ∧ 5 = 5
ϕ2∧x = 5⇒ ϕ3[5/y ]∧x = 5
Original and new proof obligations differ
With the gluing lemma (∀φ, e.x = e ∧ φ[x/y ]⇒ φ[e/y ]), the original POentails the new PO
Marktoberdorf, August 2007 Compilation of certificates
![Page 153: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/153.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
{ϕ1}x := 5;{ϕ2}y := x{ϕ3}
{true}x := 5;{x = 5}y := x{x = 5}
{ϕ1 ∧ true}x := 5;{ϕ2 ∧ x = 5}y := 5{ϕ3 ∧ x = 5}
Original PO’s:
ϕ1 ⇒ ϕ2[5/x ]
ϕ2 ⇒ ϕ3[x/y ]
Analysis PO’s :
true⇒ 5 = 5
x = 5⇒ x = 5
Final PO’s:
ϕ1 ∧ true⇒ ϕ2[5/x ] ∧ 5 = 5
ϕ2∧x = 5⇒ ϕ3[5/y ]∧x = 5
Original and new proof obligations differ
With the gluing lemma (∀φ, e.x = e ∧ φ[x/y ]⇒ φ[e/y ]), the original POentails the new PO
Marktoberdorf, August 2007 Compilation of certificates
![Page 154: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/154.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 155: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/155.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 156: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/156.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 157: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/157.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 158: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/158.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 159: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/159.jpg)
Illustrating: ∀φ,wp(ins, φ) ∧ a⇒ wp(ins′, φ)
Optimizing compilers try to avoid duplication of computations.
If x already stores the value of e, then
. . .y := e. . .
x=e−→. . .y := x. . .
The gluing lemma states in this case:
Under the hypothesis that the result of the analysis is valid x = e
the weakest precondition applied to the transformed instruction
wp(y := x , ϕ) (≡ ϕ[x/y ])
can be derived from the original one:
wp(y := e, ϕ) (≡ ϕ[e/y ])
Marktoberdorf, August 2007 Compilation of certificates
![Page 160: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/160.jpg)
Applicability of method
Certificate translators for constant propagation, common sub-expressionelimination. . .
However, representing the result of the analysis as assertions is onlypossible for analyses that focus on state properties
Several program analyses focus on execution traces, e.g. dead variableelimination. We have developed ad-hoc techniques for those.
Marktoberdorf, August 2007 Compilation of certificates
![Page 161: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/161.jpg)
Applicability of method
Certificate translators for constant propagation, common sub-expressionelimination. . .
However, representing the result of the analysis as assertions is onlypossible for analyses that focus on state properties
Several program analyses focus on execution traces, e.g. dead variableelimination. We have developed ad-hoc techniques for those.
Marktoberdorf, August 2007 Compilation of certificates
![Page 162: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/162.jpg)
Applicability of method
Certificate translators for constant propagation, common sub-expressionelimination. . .
However, representing the result of the analysis as assertions is onlypossible for analyses that focus on state properties
Several program analyses focus on execution traces, e.g. dead variableelimination. We have developed ad-hoc techniques for those.
Marktoberdorf, August 2007 Compilation of certificates
![Page 163: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/163.jpg)
Ongoing work
PrototypeSource language: imperative language with functions and arraysTarget language: RTL with functions and arraysCompiler: performs common optimizationsVerification condition generator: interfaced with Coq
CertificatesSize of certificates does not seem to explode, provided one doeslocal normalization of certificatesType checking modulo selected isomorphisms of types could limitcertificate growth
Abstract framework to prove the existence and correctness ofcerticate translatorsMore expressive languages, more complete compilation chains
Marktoberdorf, August 2007 Compilation of certificates
![Page 164: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/164.jpg)
Concluding remarks
Marktoberdorf, August 2007 Compilation of certificates
![Page 165: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/165.jpg)
Contents
Two verification methods for bytecode and their relation to verificationmethods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 166: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/166.jpg)
Contents
Two verification methods for bytecode and their relation to verificationmethods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 167: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/167.jpg)
Contents
Two verification methods for bytecode and their relation to verificationmethods for source code
Type system for information flow based confidentiality policiesVerification condition generator for logical specifications
Virtual machine
Source programJif typechecker
API
Bytecode program
Jif types
Operating system
Information flowtypes
Security envRegions
BCV
Inf flow
Virtual machineOperating system
Source program
Bytecode program
Interactiveproofs
API
JML specification
specificationBytecode
Certificate
Certificate
Certificatechecker
Marktoberdorf, August 2007 Compilation of certificates
![Page 168: Compilation of certificates - TUM · 2009-12-22 · Compilation of certificates ... (VM, API,. . . ) lack of appropriate security mechanisms to guarantee security on consumer side](https://reader030.fdocuments.in/reader030/viewer/2022040614/5f0bd5ae7e708231d43271c0/html5/thumbnails/168.jpg)
Deployment of secure mobile code can benefit from:advanced verification mechanisms at bytecode levelmethods to “compile” evidence from producer to consumermachine checked proofs of verification mechanisms onconsumer side (use reflection)
Many challenges ahead e.g.:proof carrying code in distributed setting (result certification)combination of language-based and cryptographic-basedsecurity
http://mobius.inria.fr
Marktoberdorf, August 2007 Compilation of certificates