Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Type-based Dependency Analysis

RS³ Topic Workshop on Concurrent Noninterference
Darmstadt, Germany, June 2012.

  • Login to see the comments

  • Be the first to like this

Type-based Dependency Analysis

  1. 1. Type-based Dependency Analysis RS3 Topic Workshop on Concurrent Noninterference University of Freiburg Matthias Keil Institute for Computer Science Faculty of Engineering University of Freiburg June 2012
  2. 2. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 2 / 60
  3. 3. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 3 / 60
  4. 4. Definitions Recap University of Freiburg Values ∋ v ::= φ, ψ, π Expressions ∋ e ::= e(v) | if(v) e e(ψ) ⇓ φ (1.1) Matthias Keil Type-based Dependency Analysis June 2012 4 / 60
  5. 5. Definitions Recap University of Freiburg Values ∋ v ::= φ, ψ, π Expressions ∋ e ::= e(v) | if(v) e e(ψ) ⇓ φ (1.1) Definition (Dependency) ∃ ψi , ψj | ψi = ψj : e[ψ → ψi ] ⇓ φi ∧ e[ψ → ψj ] ⇓ φj ∧ φi = φj ⇒ φ ❀ ψ (1.2) Matthias Keil Type-based Dependency Analysis June 2012 4 / 60
  6. 6. Definitions Recap University of Freiburg Values ∋ v ::= φ, ψ, π Expressions ∋ e ::= e(v) | if(v) e e(ψ) ⇓ φ (1.3) Definition (Independency) ∀ ψi , ψj | ψi = ψj : e[ψ → ψi ] ⇓ φi ∧ e[ψ → ψj ] ⇓ φj ∧ φi = φj ⇒ φ ❀ ψ (1.4) Matthias Keil Type-based Dependency Analysis June 2012 5 / 60
  7. 7. Definitions Recap University of Freiburg Definition (Direct Dependency [Den76, DD77]) e(ψ) ⇓ φ ⇒ φ ❀ ψ Definition (Indirect Dependency [Den76, DD77]) if (ψ) e ⇓ φ ⇒ φ ❀ ψ Definition (Transitiv Relation [Den76, DD77]) φ ❀ π ∧ π ❀ ψ ⇒ φ ❀ ψ Matthias Keil Type-based Dependency Analysis June 2012 6 / 60
  8. 8. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 7 / 60
  9. 9. Syntax of λJS [Int99] University of Freiburg Constant ∋ c ::= bool | num | str | undefined | null Variable ∋ x ::= x0 . . . Value ∋ v ::= c | ξℓ Expression ∋ e ::= v | x | let (x = e) in e | op(e . . . ) | e.e | e.e = e | e(e) | newℓ | if (e) e, e | λℓx.e | e; e | traceι(e) Matthias Keil Type-based Dependency Analysis June 2012 8 / 60
  10. 10. Semantic domains University of Freiburg Location ∋ ξℓ Function ∋ λℓx.e Closure ∋ f ::= Environment × Function Properties ∋ P ::= str → Value Object ∋ o ::= Properties × Closure Environment ∋ ρ ::= Variable → Value Heap ∋ H ::= Location → Object Definition (Judgement λJS) H, ρ ⊢ e ⇓ H′ | v (2.1) Matthias Keil Type-based Dependency Analysis June 2012 9 / 60
  11. 11. Dependency Type University of Freiburg Basic Value ∋ v ::= c | ξℓ Value ∋ ω ::= v : κ Dependency Type ∋ κ ::= ∅ | ι | κ • κ Definition (Judgement λD JS) H, ρ, κ ⊢ e ⇓ H′ | ω (2.2) Matthias Keil Type-based Dependency Analysis June 2012 10 / 60
  12. 12. Evaluation of λD JS Semantics University of Freiburg (DT-Constant) H, ρ, κ ⊢ c ⇓ H | c : κ (DT-Variable) H, ρ, κ ⊢ x ⇓ H | ρ(x) • κ (DT-Operation) H, ρ, κ ⊢ e0 ⇓ H′ | v0 : κ0 ... Hn−1 , ρ, κ ⊢ en ⇓ Hn | vn : κn vop = ⇓v op (v0 . . . vn) H, ρ, κ ⊢ op(e0 . . . en) ⇓ Hn | vop : κ0 • . . . • κn Matthias Keil Type-based Dependency Analysis June 2012 11 / 60
  13. 13. Evaluation of λD JS Semantics University of Freiburg (DT-Let) H, ρ, κ ⊢ e0 ⇓ H′ | v0 : κ0 H′ , ρ[x → v0 : κ0], κ ⊢ e1 ⇓ H′′ | v1 : κ1 H, ρ, κ ⊢ let (x = e0) in e1 ⇓ H′′ | v1 : κ1 (DT-FunctionCreation) ξℓ /∈ dom(H) H, ρ, κ ⊢ λℓ x.e ⇓ H[ξℓ → ρ, λℓ x.e ] | ξℓ : κ (DT-FunctionApplication) H, ρ, κ ⊢ e0 ⇓ H′ | ξℓ : κ0 P, ˙ρ, λℓ x.e = H′ (ξℓ ) H′ , ρ, κ ⊢ e1 ⇓ H′′ | v1 : κ1 H′′ , ˙ρ[x → v1 : κ1], κ • κ0 ⊢ e ⇓ H′′′ | v : κv H, ρ, κ ⊢ e0(e1) ⇓ H′′′ | v : κv Matthias Keil Type-based Dependency Analysis June 2012 12 / 60
  14. 14. Evaluation of λD JS Semantics University of Freiburg (DT-ObjectCreation) ξℓ /∈ dom(H) H, ρ, κ ⊢ newℓ ⇓ H[ξℓ → ∅] | ξℓ : κ (DT-PropertyReference) H, ρ, κ ⊢ e0 ⇓ H′ | ξℓ : κξℓ H′ , ρ, κ ⊢ e1 ⇓ H′′ | str : κstr H, ρ, κ ⊢ e0.e1 ⇓ H′′ | H′′ (ξℓ )(str) • κξℓ • κstr (DT-PropertyAssignment) H, ρ, κ ⊢ e0 ⇓ H′ | ξℓ : κξℓ H′ , ρ, κ ⊢ e1 ⇓ H′′ | str : κstr H′′ , ρ, κ ⊢ e2 ⇓ H′′′ | v : κv H, ρ, κ ⊢ e0.e1 = e2 ⇓ H′′′ [ξℓ , str → v : κv • κξℓ • κstr] | v : κv Matthias Keil Type-based Dependency Analysis June 2012 13 / 60
  15. 15. Evaluation of λD JS Semantics University of Freiburg (DT-ConditionTrue) H, ρ, κ ⊢ e0 ⇓ H′ | v0 : κ0 v0 = true H′ , ρ, κ • κ0 ⊢ e1 ⇓ H′′ 1 | v1 : κ1 H, ρ, κ ⊢ if (e0) e1, e2 ⇓ H′′ 1 | v1 : κ1 (DT-ConditionFalse) H, ρ, κ ⊢ e0 ⇓ H′ | v0 : κ0 v0 = true H′ , ρ, κ • κ0 ⊢ e2 ⇓ H′′ 2 | v2 : κ2 H, ρ, κ ⊢ if (e0) e1, e2 ⇓ H′′ 2 | v2 : κ2 Matthias Keil Type-based Dependency Analysis June 2012 14 / 60
  16. 16. Evaluation of λD JS Semantics University of Freiburg (DT-Sequence) H, ρ, κ ⊢ e0 ⇓ H′ | v0 : κ0 H′ , ρ, κ ⊢ e1 ⇓ H′′ | v1 : κ1 H, ρ, κ ⊢ e0; e1 ⇓ H′′ | v1 : κ1 (DT-Trace) H, ρ, κ • ι ⊢ e ⇓ H′ | v : κv H, ρ, κ ⊢ traceι (e) ⇓ H′ | v : κv Matthias Keil Type-based Dependency Analysis June 2012 15 / 60
  17. 17. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 16 / 60
  18. 18. Lattice Value University of Freiburg Undefined ::= {undefined, ⊥} Null ::= {null, ⊥} Bool ::= {true, false, ⊥} Infinity ::= {+Infinity, −Infinity} UInt ::= {0 . . . 4294967295} NotUInt ::= {. . . , −1, −1.1, 1.1, . . . } Num ::= Infinity ∪ UInt ∪ NotUInt ∪ {NaN, ⊥} UIntString ::= {′′0′′ . . .′′ 4294967295′′} NotUIntString ::= {′′a′′,′′ b′′, . . . } String ::= UIntString ∪ NotUIntString ∪ {⊥} Lattice Value ∋ L ::= Undefined × Null × Bool × Num × String Matthias Keil Type-based Dependency Analysis June 2012 17 / 60
  19. 19. Abstract Semantic Domains University of Freiburg SourceLocation ∋ ℓ, ι ::= sourcefile × linenumber Label ∋ Ξ ::= {SourceLocation . . . } Abstract Closure ∋ Λℓ ::= Scope × Function PropertyMap ∋ ∆ ::= Lattice Value → Abstract Value Abstract Value ∋ ϑ ::= Lattice Value × Label × Dependency Abstract Object ∋ θ ::= PropertyMap × Abstract Closure FunctionStore ∋ F ::= State × Abstract Value× State × Abstract Value Scope ∋ σ ::= Variable → Abstract Value State ∋ Γ ::= (SourceLocation → Abstract Object) ×Dependency Matthias Keil Type-based Dependency Analysis June 2012 18 / 60
  20. 20. Dependency D University of Freiburg Trace ∋ τ ::= SourceLocation → ℘(Abstract Value) Dependency ∋ D ::= ∅ | τ | D0 ⊔ D1 (ι) = τι (3.1) (ι, ϑ) ≡ V(ϑ), Dϑ ⊔ τι (3.2) Matthias Keil Type-based Dependency Analysis June 2012 19 / 60
  21. 21. Judgement University of Freiburg Γ, σ ⊢ e ⇓ Γ′ | ϑ (3.3) Matthias Keil Type-based Dependency Analysis June 2012 20 / 60
  22. 22. Evaluation Abstract Semantics University of Freiburg (A-Constant) Γ, σ ⊢ c ⇓ Γ | c, ∅, DΓ (A-Variable) Γ, σ ⊢ x ⇓ Γ | σ(x) ⊔ DΓ (A-Let) Γ, σ ⊢ e0 ⇓ Γ′ | ϑ0 Γ′ , σ[x → ϑ0] ⊢ e1 ⇓ Γ′′ | ϑ1 Γ, σ ⊢ let (x = e0) in e1 ⇓ Γ′′ | ϑ1 Matthias Keil Type-based Dependency Analysis June 2012 21 / 60
  23. 23. Evaluation Abstract Semantics University of Freiburg (A-Operation) Γ, σ ⊢ e0 ⇓ Γ′ | ϑ0 ... Γn−1 , σ ⊢ en ⇓ Γn | ϑn L, Ξ =⇓ϑ op (V(ϑ0) . . . V(ϑn)) Γ, σ ⊢ op(e0 . . . en) ⇓ Γn | L, Ξ, Dϑ0 ⊔ · · · ⊔ Dϑn Matthias Keil Type-based Dependency Analysis June 2012 22 / 60
  24. 24. Evaluation Abstract Semantics University of Freiburg (A-ObjectCreation1) ℓ /∈ dom(Γ) Γ, σ ⊢ newℓ ⇓ Γ[ℓ → ∅] | L⊥, {ℓ}, DΓ (A-ObjectCreation2) ℓ ∈ dom(Γ) Γ, σ ⊢ newℓ ⇓ Γ | L⊥, {ℓ}, DΓ Matthias Keil Type-based Dependency Analysis June 2012 23 / 60
  25. 25. Evaluation Abstract Semantics University of Freiburg (A-FunctionCreation1) ℓ /∈ dom(Γ) F[ℓ → Γ⊥, ϑ⊥, Γ⊥, ϑ⊥ ] Γ, σ ⊢ λℓ x.e ⇓ Γ[ℓ → σ, λℓ x.e ] | L⊥, {ℓ}, DΓ (A-FunctionCreation2) ℓ ∈ dom(Γ) ˙σ, λℓ x.e = Γ(ℓ)Λℓ Γ, σ ⊢ λℓ x.e ⇓ Γ[ℓ → σ ⊔ ˙σ, λℓ x.e ] | L⊥, {ℓ}, DΓ Matthias Keil Type-based Dependency Analysis June 2012 24 / 60
  26. 26. Evaluation Abstract Semantics University of Freiburg (A-FunctionApplication) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 Γ′ , σ ⊢ e1 ⇓ Γ′′ | ϑ1 Γ′′ [D → DΓ′′ ⊔ D0] ⊢Π FA Γ′ (Ξ0), ϑ1 ⇓ Γ′′′ | ϑ Γ, σ ⊢ e0(e1) ⇓ S(Γ′′′ ), DΓ | ϑ (FA-Iteration1) Γ ⊢Λℓ FA Λℓ , ϑ ⇓ Γ′ | ϑ′ Γ′ ⊢Π FA Π, ϑ ⇓ Γ′′ | ϑ′′ Γ ⊢Π FA Λℓ ; Π, ϑ ⇓ Γ′′ | ϑ′ ⊔ ϑ′′ (FA-Iteration2) Γ ⊢Π FA ∅, ϑ ⇓ Γ | ϑ⊥ Matthias Keil Type-based Dependency Analysis June 2012 25 / 60
  27. 27. Evaluation Abstract Semantics University of Freiburg (FA-FunctionStore1) Γ, ϑ ⊑ F(Λℓ )Λℓ In Γ′ , ϑ′ = F(ℓ)Λℓ Out Γ ⊢Λℓ FA Λℓ , ϑ ⇓ Γ′ | ϑ′ (FA-FunctionStore2) Γ, ϑ ⊑ F(Λℓ )Λℓ In ˙σ, λℓ x.e = θΛℓ ¯Γ, ¯ϑ = F(ℓ)Λℓ In ⊔ Γ, ϑ F[ℓ, Λℓ In → ¯Γ, ¯ϑ ] ¯Γ, ˙σ[x → ¯ϑ] ⊢ e ⇓ ¯Γ′ | ¯ϑ′ F[ℓ, Λℓ Out → ¯Γ′ , ¯ϑ′ ] Γ ⊢Λℓ FA Λℓ , ϑ ⇓ ¯Γ′ | ¯ϑ′ Matthias Keil Type-based Dependency Analysis June 2012 26 / 60
  28. 28. Evaluation Abstract Semantics University of Freiburg (A-PropertyReference) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 Γ′ , σ ⊢ e1 ⇓ Γ′′ | str, Ξ1, D1 ⊢Θ PR Γ′′ (Ξ0), str ⇓ ϑ Γ, σ ⊢ e0.e1 ⇓ Γ′′ | V(ϑ), D0 ⊔ D1 ⊔ Dϑ (PR-Iteration1) ⊢∆ PR ∆, L ⇓ ϑ ⊢Θ PR Θ, L ⇓ ϑ′ ⊢Θ PR ∆, Λℓ : Θ, L ⇓ ϑ ⊔ ϑ′ (PR-Iteration2) ⊢Θ PR ∅, L ⇓ ϑ⊥ Matthias Keil Type-based Dependency Analysis June 2012 27 / 60
  29. 29. Evaluation Abstract Semantics University of Freiburg (PR-Intersection) (L ⊓ Li =⊥) ⊢Θ PR ∆, L ⇓ ϑ′ ⊢∆ PR (Li : ϑi ); ∆, L ⇓ ϑi ⊔ ϑ′ (PR-NonIntersection) L ⊓ Li =⊥ ⊢Θ PR ∆, L ⇓ ϑ′ ⊢∆ PR (Li : ϑi ); ∆, L ⇓ ϑ′ (PR-Empty) ⊢∆ PR ∅, L ⇓ ϑundef Matthias Keil Type-based Dependency Analysis June 2012 28 / 60
  30. 30. Evaluation Abstract Semantics University of Freiburg (A-PopertyAssignment) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 Γ′ , σ ⊢ e1 ⇓ Γ′′ | str, Ξ1, D1 Γ′′ , σ ⊢ e2 ⇓ Γ′′′ | ϑ Γ′′′ ⊢Ξ PA Ξ0, str, V(ϑ), D0 ⊔ D1 ⊔ Dϑ ⇓ Γ′′′′ Γ, σ ⊢ e0.e1 = e2 ⇓ Γ′′′′ | ϑ (PA-Iteration1) Γ ⊢ℓ PA ℓ, L, ϑ ⇓ Γ′ Γ′ ⊢Ξ PA Ξ, L, ϑ ⇓ Γ′′ Γ ⊢Ξ PA ℓ; Ξ, L, ϑ ⇓ Γ′′ (PA-Iteration2) Γ ⊢Ξ PA ∅, L, ϑ ⇓ Γ Matthias Keil Type-based Dependency Analysis June 2012 29 / 60
  31. 31. Evaluation Abstract Semantics University of Freiburg (PA-Assignment1) L ∈ dom(Γ(l)) Γ ⊢ℓ PA ℓ, L, ϑ ⇓ Γ[ℓ, L → Γ(ℓ)(L) ⊔ ϑ] (PA-Assignment2) L /∈ dom(Γ(ℓ)) Γ ⊢ℓ PA ℓ, L, ϑ ⇓ Γ[ℓ, L → ϑ] Matthias Keil Type-based Dependency Analysis June 2012 30 / 60
  32. 32. Evaluation Abstract Semantics University of Freiburg (A-ConditionTrue) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 L0 = true Γ′ [D → DΓ′ ⊔ D0], σ ⊢ e1 ⇓ Γ′′ | ϑ1 Γ, σ ⊢ if (e0) e1, e2 ⇓ S(Γ′′ ), DΓ | ϑ1 (A-ConditionFalse) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 L0 = false Γ′ [D → DΓ′ ⊔ D0], σ ⊢ e2 ⇓ Γ′′ | ϑ2 Γ, σ ⊢ if (e0) e1, e2 ⇓ S(Γ′′ ), DΓ | ϑ2 Matthias Keil Type-based Dependency Analysis June 2012 31 / 60
  33. 33. Evaluation Abstract Semantics University of Freiburg (A-Condition) Γ, σ ⊢ e0 ⇓ Γ′ | L0, Ξ0, D0 L0 = true ∧ L0 = false Γ′ [D → DΓ′ ⊔ D0], σ ⊢ e1 ⇓ Γ′′ 1 | ϑ1 Γ′ [D → DΓ′ ⊔ D0], σ ⊢ e2 ⇓ Γ′′ 2 | ϑ2 Γ, σ ⊢ if (e0) e1, e2 ⇓ S(Γ′′ 1 ⊔ Γ′′ 2), DΓ | ϑ1 ⊔ ϑ2 Matthias Keil Type-based Dependency Analysis June 2012 32 / 60
  34. 34. Evaluation Abstract Semantics University of Freiburg (A-Sequence) Γ, σ ⊢ e0 ⇓ Γ′ | ϑ0 Γ′ , σ ⊢ e1 ⇓ Γ′′ | ϑ1 Γ, σ ⊢ e0; e1 ⇓ Γ′′ | ϑ1 (A-Trace) τι = (ι) Γ[D → DΓ ⊔ τι], σ ⊢ e ⇓ Γ′ | ϑ Γ, σ ⊢ traceι (e) ⇓ S(Γ′ ), DΓ | ϑ Matthias Keil Type-based Dependency Analysis June 2012 33 / 60
  35. 35. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 34 / 60
  36. 36. Soundness University of Freiburg 1 Noninterference on λD JS 2 Correctness (C-Consistency) 3 Termination Matthias Keil Type-based Dependency Analysis June 2012 35 / 60
  37. 37. Noninterference University of Freiburg H, ρ, κ ⊢ e ⇓ H′ | v : κv (4.1) ι /∈ κv : H, ρ, κ ⊢ ¯e ⇓ ˜H′ | v : κv (4.2) ¯e = e[ι → ˜e] (4.3) Matthias Keil Type-based Dependency Analysis June 2012 36 / 60
  38. 38. Substitution of ι University of Freiburg Definition (Substitution of ι) The substitution e[ι → ˜e] of ι in e is defined as: ∀e′ ∈ SubExp(e) : e′ [ι → ˜e] (4.4) traceι (eι)[ι → ˜e] ≡ traceι (˜e) (4.5) Termination-Insensitive Noninterference Matthias Keil Type-based Dependency Analysis June 2012 37 / 60
  39. 39. Bijection of ξℓ University of Freiburg Definition (Bijection of ξℓ ) The bijection ♭ : Location → Location from location ξℓ to location ξℓ′ maps permutations on heap entries. ♭ ::= ∅ | ♭[ξℓ → ξℓ′ ] (4.6) Definition (Bijection of v) The bijection ♭ for values is defined as: ♭(v) ::= ♭(ξℓ) v = ξℓ v v = ξℓ (4.7) Matthias Keil Type-based Dependency Analysis June 2012 38 / 60
  40. 40. κ-equivalence of H University of Freiburg Definition (κ-equivalence) Two heaps H0,H1 are κ-equivalent H0 ≡♭,κ H1 iff ∀ξℓ ∈ dom(♭) : H0(ξℓ ) ≡♭,κ H1(♭(ξℓ )) (4.8) The heaps H0,H1 only differ in values v : κv with any intersection with κ or in one-sided locations. Matthias Keil Type-based Dependency Analysis June 2012 39 / 60
  41. 41. κ-equivalence of o University of Freiburg Definition (κ-equivalence) Two objects o0,o1 are κ-equivalent P0, ρ0, λℓx.e0 ≡♭,κ P1, ρ1, λℓx.e1 iff ∀str ∈ dom(P0) : str ∈ dom(P1) ∧ P0(str) = P1(str) ∨ P0(str) = v : κv ∧ κ ∩ κv = ∅ (4.9) ∀str ∈ dom(P1) : str ∈ dom(P) ∧ P0(str) = P1(str) ∨ P1(str) = v : κv ∧ κ ∩ κv = ∅ (4.10) ρ0 ≡♭,κ ρ1 ∧ λℓ x.e0 ≡♭,κ λℓ x.e1 (4.11) The objects o0,o1 only differ in values v : κv with any intersection with κ. Matthias Keil Type-based Dependency Analysis June 2012 40 / 60
  42. 42. κ-equivalence of ρ University of Freiburg Definition (κ-equivalence) Two environments ρ0,ρ1 are κ-equivalent ρ0 ≡♭,κ ρ1 iff ∀x ∈ dom(ρ0) : x ∈ dom(ρ1) ∧ ρ0(x) = ρ1(x) ∨ ρ0(x) = v : κv ∧ κ ∩ κv = ∅ (4.12) ∀x ∈ dom(ρ1) : x ∈ dom(ρ0) ∧ ρ0(x) = ρ1(x) ∨ ρ1(x) = v : κv ∧ κ ∩ κv = ∅ (4.13) The environments ρ0,ρ1 only differ in values v : κv with any intersection with κ. Matthias Keil Type-based Dependency Analysis June 2012 41 / 60
  43. 43. κ-equivalence of ω University of Freiburg Definition (κ-equivalence) Two value ω0,ω1 are κ-equivalent v0 : κ0 ≡♭,κ v1 : κ1 iff κ ∩ κ0 = ∅ ∧ κ ∩ κ1 = ∅ → ♭(v0) = v1 (4.14) The values ω0,ω1 only differ in the case of any intersection with κ. Matthias Keil Type-based Dependency Analysis June 2012 42 / 60
  44. 44. κ-equivalence of e University of Freiburg Definition (κ-equivalence) Two expressions e0,e1 are κ-equivalent e0 ≡♭,κ e1 iff κ = {ι0, ..., ιn} → ∃e′ 0 . . . ∃e′ n : e0 = e1[ι0 → e′ 0] . . . [ιn → e′ n] (4.15) The expressions e0,e1 only differ below traceι(eι) subexpressions with ι ∈ κ. Matthias Keil Type-based Dependency Analysis June 2012 43 / 60
  45. 45. Context Dependency Theorem University of Freiburg Theorem (Context Dependency) We assume that ∀H, ρ, κ, e : H, ρ, κ ⊢ e ⇓ H′ | v : κv implies that κ ⊆ κv . Matthias Keil Type-based Dependency Analysis June 2012 44 / 60
  46. 46. Noninterference Theorem University of Freiburg Theorem (Noninterference) We assume ∀¯κ, ∀♭ that ∀H, ˜H, ρ, ˜ρ, κ, e : H, ρ, κ ⊢ e ⇓ H′ | v : κv . If ι /∈ ¯κ and H ≡♭,{ι|ι/∈¯κ} ˜H and ρ ≡♭,{ι|ι/∈¯κ} ˜ρ then ˜H, ˜ρ, κ ⊢ ¯e ⇓ ˜H′ | ˜v : ˜κv with ¯e = e[ι → ˜e] and e ≡♭,{ι|ι/∈¯κ} ¯e and H′ ≡♭,{ι|ι/∈¯κ} ˜H′ and v : κv ≡♭,{ι|ι/∈¯κ} ˜v : ˜κv . Matthias Keil Type-based Dependency Analysis June 2012 45 / 60
  47. 47. Correctness University of Freiburg ∀e : H, ρ, κ ⊢ e ⇓ H′ | ω (4.16) Γ, σ ⊢ e ⇓ Γ′ | ϑ (4.17) H ≺C Γ ∧ ρ ≺C σ ∧ κ ≺C DΓ → H′ ≺C Γ′ ∧ ω ≺C ϑ (4.18) Matthias Keil Type-based Dependency Analysis June 2012 46 / 60
  48. 48. C-Consistency University of Freiburg Definition (C-Consistency on dependencies κ ≺C D) ∀ι ∈ κ : τι ∈ D (4.19) Definition (C-Consistency on constants c ≺C L) c ∈ L (4.20) Matthias Keil Type-based Dependency Analysis June 2012 47 / 60
  49. 49. C-Consistency University of Freiburg Definition (C-Consistency on location ξℓ ≺C Ξ) ℓ ∈ Ξ (4.21) Definition (C-Consistency on values ω ≺C ϑ) κ ≺C D (4.22) v ∈ V(ϑ) ::= ℓ ∈ Ξ, v = ξℓ c ∈ L, v = c (4.23) Matthias Keil Type-based Dependency Analysis June 2012 48 / 60
  50. 50. C-Consistency University of Freiburg Definition (C-Consistency on properties P ≺C ∆) ∀str ∈ dom(P) : ∃L ∈ dom(∆) : str ∈ L ∧ P(str) ≺C ∆(L) (4.24) ∀str /∈ dom(P) : undefined ≺C ∆(str) (4.25) Definition (C-Consistency on objects o ≺C θ) P ≺C ∆ (4.26) ρ ≺C σ (4.27) Matthias Keil Type-based Dependency Analysis June 2012 49 / 60
  51. 51. C-Consistency University of Freiburg Definition (C-Consistency on scopes ρ ≺C σ) ∀x ∈ dom(ρ) : x ∈ dom(σ) ∧ ρ(x) ≺C σ(x) (4.28) Definition (C-Consistency on heaps H ≺C Γ) ∀ξℓ ∈ dom(H) : ℓ ∈ Σ ∧ H(ξℓ ) ≺C Σ(ℓ) (4.29) Matthias Keil Type-based Dependency Analysis June 2012 50 / 60
  52. 52. C-Consistency University of Freiburg Lemma (Subset C-Consistency) H ≺C Γ0 ∧ Γ0 ⊑ Γ1 → H ≺C Γ1 (4.30) v : κ ≺C ϑ0 ∧ ϑ0 ⊑ ϑ1 → v : κ ≺C ϑ1 (4.31) Lemma (C-Consistency on Property Update) ∀o, θ, L, ϑ | o ≺C θ : o ≺C θ[L → θ(L) ⊔ ϑ] (4.32) Matthias Keil Type-based Dependency Analysis June 2012 51 / 60
  53. 53. Correctness Theorem University of Freiburg Theorem (Correctness Relation) For all expressions e within the syntax of λD JS the following condition holds: ∀H, H′, ρ, v, κ : If H, ρ, κ ⊢ e ⇓ H′ | v than ∀Γ, σ with H ≺C Γ, ρ ≺C σ and κ ≺C DΓ: Γ, σ ⊢ e ⇓ Γ′ | ϑ with H′ ≺C Γ′ and v ≺C ϑ. Matthias Keil Type-based Dependency Analysis June 2012 52 / 60
  54. 54. Termination Theorem University of Freiburg Theorem (Termination) Γ, σ ⊢ e ⇓ Γ′ | ϑ with arbitrary e. 1 Monotony 2 Ascending chain condition Matthias Keil Type-based Dependency Analysis June 2012 53 / 60
  55. 55. Outline University of Freiburg 1 Dependencies 2 Formalization Dependency Type 3 Abstract Analysis 4 Soundness Noninterference Correctness Termination 5 Dependency-based Access Permission Contracts Matthias Keil Type-based Dependency Analysis June 2012 54 / 60
  56. 56. Access Permission Contracts [HBT12] Recap University of Freiburg 1 function fun () { 2 " Contract : a . b , a . b . c , a . ? , a . b ∗. c" 3 var x = a . b ; 4 a = {b : 5 } ; 5 } Matthias Keil Type-based Dependency Analysis June 2012 55 / 60
  57. 57. Dependency-based Access Permission Contracts University of Freiburg Dependency-based TAJS, static dependency analysis Contracts instead of traceι(e) C: Contract: a.b [r,w]; Evaluation 1 trace values ϑ / state Γ 2 create proof constraints L 3 validate constraints L Matthias Keil Type-based Dependency Analysis June 2012 56 / 60
  58. 58. Dependency-based Access Permission Contracts Principles University of Freiburg Constraint Based Proof constraints L at the end Lazy Enforcement No direct enforcement of contracts C Dynamic Extent Nested contracts C Pre-State Snapshot Γ, σ, ϑ at C Read-Write Protection Γ, σ, ϑ at C Matthias Keil Type-based Dependency Analysis June 2012 57 / 60
  59. 59. Dependency-based Access Permission Contracts Syntax University of Freiburg Contract ∋ C ::= ∅ | Q; C Permissions ∋ Q ::= A, Π AccessPath ∋ A ::= v.P Properties ∋ P ::= ǫ | p.P | p ∗ .P Variable ∋ v ::= {x . . .} Property ∋ p ::= {x . . .} PathPermission ∋ Π ::= πr ,πw Readable ∋ πr ::= ǫ | r Writeable ∋ πw ::= ǫ | w Matthias Keil Type-based Dependency Analysis June 2012 58 / 60
  60. 60. Dependency-based Access Permission Contracts Constraints University of Freiburg ReadConstraint ∋ R WriteConstraint ∋ W (DT-Permit) H, ρ, κ ⊢C Apply C, ιR, ιW ⇓ H′ | ρ′ | κ′ | L H′ , ρ′ , κ′ ⊢ e ⇓ H′′ | v : κv H′′ , ρ′ , κv ⊢C Check L H, ρ, κ ⊢ permitιR,ιW C in e ⇓ H′′ | v : κv Matthias Keil Type-based Dependency Analysis June 2012 59 / 60
  61. 61. Type-Based Dependency Analysis University of Freiburg Thank you for your attention. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  62. 62. T. Amtoft and A. Banerjee. Information flow analysis in logical form. Static Analysis, pages 33–36, 2004. Torben Amtoft and Anindya Banerjee. A logic for information flow analysis with an application to forward slicing of simple imperative programs. Sci. Comput. Program., 64:3–28, January 2007. Martín Abadi. Access control in a core calculus of dependency. Electron. Notes Theor. Comput. Sci., 172:5–31, April 2007. Torben Amtoft, Sruthi Bandhakavi, and Anindya Banerjee. A logic for information flow in object-oriented programs. In Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’06, pages 91–102, New York, NY, USA, 2006. ACM. Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. A core calculus of dependency. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  63. 63. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’99, pages 147–160, New York, NY, USA, 1999. ACM. G. Balakrishnan and T. Reps. Recency-abstraction for heap-allocated storage. Static Analysis, pages 221–239, 2006. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, pages 238–252. ACM, 1977. Dorothy E. Denning and Peter J. Denning. Certification of programs for secure information flow. Commun. ACM, 20:504–513, July 1977. Dorothy E. Denning. A lattice model of secure information flow. Commun. ACM, 19:236–243, May 1976. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  64. 64. Jeanne Ferrante, Karl J. Ottenstein, and Joe D. Warren. The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst., 9:319–349, July 1987. Arjun Guha, Claudiu Saftoiu, and Shriram Krishnamurthi. The essence of javascript. In Proceedings of the 24th European conference on Object-oriented programming, ECOOP’10, pages 126–150, Berlin, Heidelberg, 2010. Springer-Verlag. Phillip Heidegger, Annette Bieniusa, and Peter Thiemann. Access permission contracts for scripting languages. In Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’12, pages 111–122, New York, NY, USA, 2012. ACM. Nevin Heintze and Jon G. Riecke. The slam calculus: programming with secrecy and integrity. In Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’98, pages 365–377, New York, NY, USA, 1998. ACM. ECMA International. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  65. 65. Standard ECMA-262, volume 3. 1999. ECMA International. Standard ECMA-262, volume 5. 2009. Neil D. Jones and Steven S. Muchnick. A flexible approach to interprocedural data flow analysis and programs with recursive data structures. In Proceedings of the 9th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’82, pages 66–74, New York, NY, USA, 1982. ACM. Simon Holm Jensen, Magnus Madsen, and Anders Moller. Modeling the HTML DOM and browser API in static analysis of JavaScript web applications. In Proc. 8th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), September 2011. Simon Holm Jensen, Anders Moller, and Peter Thiemann. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  66. 66. Type analysis for JavaScript. In Proc. 16th International Static Analysis Symposium, SAS ’09, volume 5673 of LNCS. Springer-Verlag, August 2009. Simon Holm Jensen, Anders Moller, and Peter Thiemann. Interprocedural analysis with lazy propagation. In Proc. 17th International Static Analysis Symposium (SAS), volume 6337 of LNCS. Springer-Verlag, September 2010. J.B. Kam and J.D. Ullman. Monotone data flow analysis frameworks. Acta Informatica, 7(3):305–317, 1977. Leo Meyerovich and Benjamin Livshits. ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In IEEE Symposium on Security and Privacy, May 2010. Sergio Maffeis, John C. Mitchell, and Ankur Taly. Isolating javascript with filters, rewriting, and wrappers. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  67. 67. In Proceedings of the 14th European conference on Research in computer security, ESORICS’09, pages 505–522, Berlin, Heidelberg, 2009. Springer-Verlag. Andrew C. Myers. Jflow: practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’99, pages 228–241, New York, NY, USA, 1999. ACM. Isabella Mastroeni and Damiano Zanardini. Data dependencies and program slicing: from syntax to abstract semantics. In Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, PEPM ’08, pages 125–134, New York, NY, USA, 2008. ACM. F. Nielson, H.R. Nielson, and C. Hankin. Principles of program analysis. Springer-Verlag New York Inc, 1999. Franccois Pottier and Vincent Simonet. Information flow inference for ml. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60
  68. 68. In Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL ’02, pages 319–330, New York, NY, USA, 2002. ACM. Andrei Sabelfeld and Andrew C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21:2003, 2003. M. Sharir and A. Pnueli. Two approaches to interprocedural data flow analysis. Program Flow Analysis: Theory and Applications, pages 189–234, 1981. Peter Thiemann. A prototype dependency calculus. In Proceedings of the 11th European Symposium on Programming Languages and Systems, ESOP ’02, pages 228–242, London, UK, UK, 2002. Springer-Verlag. Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. A sound type system for secure flow analysis. J. Comput. Secur., 4:167–187, January 1996. Matthias Keil Type-based Dependency Analysis June 2012 60 / 60

×