1. Institute for Theoretical Informatics – Application-Oriented Formal Verification
Deductive Verification of Concurrent Programs and Its Application to Secure Information Flow for Java
Daniel Grahl | 29/10/2015
KIT – University of the State of Baden-Wuerttemberg and National Laboratory of the Helmholtz Association
www.kit.edu
2. Overall Goal
Ultimately: precise, modular information flow analysis with functional declassification for concurrent Java
Building blocks (figure labels): semantics, analysis, information flow
Introduction Concurrent Programs Verification Information Flow Analysis Closing
Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1
11. Motivation: Information Flow (figure-only slides 11–14)
19. Noninterference
Figure (labels only): inputs H_in and L_in, output L_out, and the dependency f(H_in)
State of the Art Information Flow Analysis for Java
  Type systems
  Program dependence graphs
  both are syntactical analyses and incomplete
26. Theorem Proving for IF Analysis
Formalize in logic
Symbolic execution
Theorem proving
Dynamic Logic defined for sequential programs
Challenge: extending to multi-threading!
Noninterference of program π with respect to the low fields L as a dynamic logic formula (primes mark the second run, ≐ is equality on terms):
∀ Heap h1, h1', h2, h2'; ∀ Field f;
    (f ∈ L → f@h1 ≐ f@h1')
  ∧ {heap := h1}⟨π⟩ h2 ≐ heap
  ∧ {heap := h1'}⟨π⟩ h2' ≐ heap
  → (f ∈ L → f@h2 ≐ f@h2')
Provable in KeY!
46. Program Transitions
Figure: one transition of thread t, from state σ_t to σ_t'
51. Explicit Interleaving Semantics
{
    X++;
}
is split into atomic steps with explicit release points (environment steps σ* are chosen by the scheduler Σ(t)); the update produced by each own step is shown on the right:
{
    release;            σ* Σ(t)
    int a = X;          {a → X}
    release;            σ* Σ(t)
    X = a + 1;          {heap → heap{X → a + 1}}
    release;            σ* Σ(t)
}
semantics of release determined by scheduler
semantics of assignment as for sequential programs
56. How to Reason About Interleavings?
Scheduler not part of program
Environment may differ
Rely / Guarantee [Jones, 1983]
  Modularity
  Abstraction
  Symbolic approach
  Thread-local reasoning
now for Java!
64. Rely / Guarantee
Figure: own atomic steps of thread t (σ_t → σ_t', labelled γ) alternate with environment steps σ* of Σ(t) (labelled ρ)
We rely on ρ for every environment step (rule: premise above conclusion; {v := ?} assigns an arbitrary value to v):
    ρ → {v := ?}[. . . ]φ
  ─────────────────────────
    [v = X; . . . ]φ
We guarantee γ for every own atomic step:
    γ ∧ {X := v}[. . . ]φ
  ─────────────────────────
    [X = v; . . . ]φ
69. Modular Rely / Guarantee
Global Soundness Condition: for all threads t ≠ t',  γ_t → ρ_t'
  (checking this over all threads breaks modularity)
Novel Approach: Contract Framework
  Assume the condition as a system invariant
  Prove its maintenance locally on fork (rule: premise above conclusion):
    (ρ_t ∨ γ_t → ρ_t') ∧ (γ_t' → ρ_t) ∧ [. . . ]φ
  ──────────────────────────────────────────────
    [t'.start(); . . . ]φ
74. KeY Implementation
New calculus
  13 rule templates total
  Java semantics for free
  Generated from specification
  Keep non-splitting
Proof obligations
  guarantee
  global soundness
Specification in JML
class T extends Thread {
    //@ relies_on L==prev(L);
    //@ guarantees L>=prev(L);
}
80. Summary: Concurrency Verification
Contributions
  Adapt rely / guarantee to dynamic logic
  Soundness proof
  Easy to extend existing calculus
  Thread-modular
  Program transformation on the fly
  Reusable proof results
  Implemented in KeY
  Extension to JML
89. Concurrent Noninterference
Prove noninterference for a thread, with interleaving semantics
Security may depend on scheduler
Define modular scheduler-independent security
Specify interference by other threads with rely / guarantee
Example (L low, H high):
  Thread 1:  H = 0;  L = H;     secure in isolation
  Thread 2:  H = H;             secure in isolation
  Thread 2 split into atomic steps:  y = H;  H = y;
  Scheduler Σ may run  y = H;  before Thread 1,  H = y;  between its two statements, and  L = H;  last: the restored secret reaches L, so the composition is insecure
  Thread 1 is secure if the environment never writes H or L, i.e. under the rely ρ = (H ≐ H' ∧ L ≐ L')
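An added example, not from the slides and not KeY code: a small interleaving model in Python that makes the explicit-release-point semantics of slide 51 and the concurrent noninterference example above executable. It enumerates every schedule for the lost update on X++, checks the slide-26 noninterference formula for `H = 0; L = H;` alone, against the environment thread `y = H; H = y;`, and with the environment replaced by arbitrary steps constrained by a rely ρ. Variable names, the {0, 1} value domain and the assumption that ρ is reflexive and transitive are choices of this example.

```python
"""Added example (not from the slides or KeY): a tiny interleaving model that
makes two points of the talk executable. (1) With release points explicit,
X++ spelled out as `a = X; X = a + 1` loses an update under some schedules.
(2) `H = 0; L = H;` is noninterferent alone, leaks once an environment thread
`y = H; H = y;` may run at its release points, and is secure again for every
scheduler under the rely "the environment never writes H or L". A program is
a list of atomic steps (var, f) meaning `var = f(state)`; there is a release
point before each step and after the last. Names and the value domain {0, 1}
are choices of this example."""
from itertools import product


def run_all(threads, state):
    """Final states of every interleaving of `threads` (any scheduler)."""
    finals = set()

    def go(pcs, st):
        done = True
        for i, prog in enumerate(threads):
            if pcs[i] < len(prog):
                done = False
                var, f = prog[pcs[i]]
                go(pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], {**st, var: f(st)})
        if done:
            finals.add(frozenset(st.items()))

    go((0,) * len(threads), state)
    return finals


def run_under_rely(prog, state, rely, domain=(0, 1)):
    """Final states of one thread whose release points are filled by arbitrary
    environment steps old -> new with rely(old, new). The rely is assumed
    reflexive and transitive, so one environment step per release point suffices."""
    names = sorted(state)
    finals = set()

    def go(pc, st):
        for vals in product(domain, repeat=len(names)):  # environment step
            env = dict(zip(names, vals))
            if not rely(st, env):
                continue
            if pc == len(prog):
                finals.add(frozenset(env.items()))
            else:
                var, f = prog[pc]
                go(pc + 1, {**env, var: f(env)})

    go(0, state)
    return finals


def noninterferent(finals, names, low, domain=(0, 1)):
    """The slide's noninterference formula over a finite domain: for all initial
    states s1, s1' agreeing on `low`, every final s2 of s1 and s2' of s1' agree
    on `low` (locals and high variables are unobservable)."""
    def low_eq(a, b):
        return all(a[v] == b[v] for v in low)
    inits = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    return all(low_eq(dict(s2), dict(s2p))
               for s1 in inits for s1p in inits if low_eq(s1, s1p)
               for s2 in finals(s1) for s2p in finals(s1p))


def inc(local):
    """X++ with its release points made explicit; `local` is this thread's a."""
    return [(local, lambda s: s["X"]), ("X", lambda s: s[local] + 1)]


def final_x_values():
    finals = run_all([inc("a1"), inc("a2")], {"X": 0, "a1": 0, "a2": 0})
    return sorted({dict(f)["X"] for f in finals})  # [1, 2]: the lost update


# Thread T = `H = 0; L = H;` (L low, H high); environment ENV = `y = H; H = y;`
T = [("H", lambda s: 0), ("L", lambda s: s["H"])]
ENV = [("y", lambda s: s["H"]), ("H", lambda s: s["y"])]
NAMES, LOW = ["H", "L", "y"], {"L"}


def no_write_hl(old, new):
    """Rely rho = (H' == H and L' == L): the environment never writes H or L."""
    return new["H"] == old["H"] and new["L"] == old["L"]


def secure_alone():
    return noninterferent(lambda s: run_all([T], s), NAMES, LOW)  # True


def secure_with_env_thread():
    return noninterferent(lambda s: run_all([T, ENV], s), NAMES, LOW)  # False


def secure_under_rely(rely):
    return noninterferent(lambda s: run_under_rely(T, s, rely), NAMES, LOW)
```

`secure_under_rely(lambda old, new: True)` (an unconstrained environment) is False, while `secure_under_rely(no_write_hl)` is True: the rely alone, with no knowledge of the scheduler or of the other threads' code, suffices to prove the thread secure.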
103. Proving Concurrent Noninterference
Prove interplay between threads benign
  Rely / guarantee allows specifying full functional behavior
  Conservative extension of sequential calculus
  Reusable modular proofs
+
Prove noninterference for every thread class
  Same formalization as for sequential programs
  Includes absence of probabilistic leaks through scheduler
  Additional channels in full Java
106. Thesis Contributions I
Verification of concurrent Java
  Scheduler-parametric semantics of a multi-threaded language
  Combination of dynamic and temporal logic
  Adaptation of modular rely / guarantee in dynamic logic
  Rely / guarantee with dynamic framing [TR 15-3]
  Implementation in KeY [VSTTE ’14]
  JML extension for concurrency
107. Thesis Contributions II
Precise information flow analysis for concurrent Java
  Flexible notion of noninterference with declassification
  Formalization of concurrent noninterference [FCS ’15]
  Formalization of trace-based extensions to NI
  Analysis of timing leaks [TR 14-5]
  Attacker model refined for Java [LOPSTR ’13]
  Support RIFL input
Case study: e-voting
  Functional verification [TR 14-11, S&P poster ’15]
  Hybrid IF analysis [GRSRD ’13, CSF ’15]