defense

1. INSTITUTE FOR THEORETICAL INFORMATICS – APPLICATION-ORIENTED FORMAL VERIFICATION Deductive Veriﬁcation of Concurrent Programs and Its Application to Secure Information Flow for Java Daniel Grahl | 29/10/2015 KIT – University of the State of Baden-Wuerttemberg and National Laboratory of the Helmholtz Association www.kit.edu

2. Overall Goal Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 1

3. Overall Goal information flow analysis Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

4. Overall Goal information flow analysis for concurrent Java Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

5. Overall Goal Ultimately precise information flow analysis for concurrent Java Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

6. Overall Goal Ultimately precise modular information flow analysis for concurrent Java Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

7. Overall Goal Ultimately precise modular information flow analysis with functional declassification for concurrent Java Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

8. Overall Goal Ultimately precise modular information flow analysis with functional declassification for concurrent Java semantics Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

9. Overall Goal Ultimately precise modular information flow analysis with functional declassification for concurrent Java semantics analysis Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

10. Overall Goal Ultimately precise modular information flow analysis with functional declassification for concurrent Java semantics analysis information flow Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 1

11. Motivation: Information Flow Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 2

15. Motivation: Information Flow secret Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 2

16. Motivation: Information Flow sum()secret Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 2

17. Motivation: Information Flow sum()secret Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 2

18. Motivation: Information Flow sum() publicsecret Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 2

19. Noninterference State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

20. Noninterference Hin Lin State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

21. Noninterference Hin Lin Lout State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

22. Noninterference Hin Lin Lout State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

23. Noninterference Hin Lin Lout f(Hin) State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

24. Noninterference Hin Lin Lout f(Hin) State of the Art Information Flow Analysis for Java Type systems Program dependence graphs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

25. Noninterference Hin Lin Lout f(Hin) State of the Art Information Flow Analysis for Java Type systems Program dependence graphs syntactical analysis incomplete Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 3

26. Theorem Proving for IF Analysis Formalize in logic Symbolic execution Theorem proving Dynamic Logic defined for sequential programs Challenge extending to multi-threading! ∀ Heap h1, h1, h2, h2; ∀ Field f; (f ∈ L → f @h1 . = f @h1) ∧ {heap := h1} π h2 . = heap ∧ {heap := h1} π h2 . = heap → (f ∈ L → f @h2 . = f @h2) Provable in ! Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 4

30. Overview concurrent noninterference Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 5

31. Overview concurrency concurrent noninterference Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 5

32. Overview concurrency concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 5

33. Overview concurrency semantics concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 5

34. Overview concurrency verification methodology semantics concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 5

35. Shared Memory Concurrency X=3 Y=7 Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

36. Shared Memory Concurrency X=3 Y=7 write(X,5) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

37. Shared Memory Concurrency X=5 Y=7 write(X,5) read(X):5 Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

38. Shared Memory Concurrency X=5 Y=7 write(X,5) read(X):5 read(X):5 Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

39. Shared Memory Concurrency X=5 Y=7 write(X,5) read(X):5 read(X):5 write(X,6) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

40. Shared Memory Concurrency X=6 Y=7 write(X,5) read(X):5 read(X):5 write(X,6) write(Y,6) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

41. Shared Memory Concurrency X=6 Y=6 write(X,5) read(X):5 read(X):5 write(X,6) write(Y,6) read(Y):6 Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

42. Shared Memory Concurrency X=6 Y=6 write(X,5) read(X):5 read(X):5 write(X,6) write(Y,6) read(Y):6 write(Y,7) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 6

45. Program Transitions σ Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

46. Program Transitions t σt σt Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

47. Program Transitions t t Σσt σt σt Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

48. Program Transitions t t t Σ Σ Σ σt σt σt σt Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

49. Program Transitions t t t Σ Σ Σ σt σt σt σt Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

50. Program Transitions t t t Σ Σ Σ σt σt σt σt σ∗ Σ(t) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 7

51. Explicit Interleaving Semantics { X++; } semantics of release determined by scheduler semantics of assignment as for sequential programs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 8

52. Explicit Interleaving Semantics { int a = X; X = a + 1; } semantics of release determined by scheduler semantics of assignment as for sequential programs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 8

53. Explicit Interleaving Semantics { release; int a = X; release; X = a + 1; release; } semantics of release determined by scheduler semantics of assignment as for sequential programs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 8

54. Explicit Interleaving Semantics { release; σ∗ Σ(t) int a = X; release; σ∗ Σ(t) X = a + 1; release; σ∗ Σ(t) } semantics of release determined by scheduler semantics of assignment as for sequential programs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 8

55. Explicit Interleaving Semantics { release; σ∗ Σ(t) int a = X; {a → X} release; σ∗ Σ(t) X = a + 1; {heap → heap{X → a + 1}} release; σ∗ Σ(t) } semantics of release determined by scheduler semantics of assignment as for sequential programs Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 8

56. How to Reason About Interleavings? Scheduler not part of program Environment may differ Modularity Abstraction Symbolic approach Thread-local reasoning Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 9

62. How to Reason About Interleavings? Scheduler not part of program Environment may differ Rely / Guarantee [Jones, 1983] Modularity Abstraction Symbolic approach Thread-local reasoning Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 9

63. How to Reason About Interleavings? Scheduler not part of program Environment may differ Rely / Guarantee [Jones, 1983] Modularity Abstraction Symbolic approach Thread-local reasoning now for Java! Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 9

64. Rely / Guarantee σt σtσ∗ Σ(t) We rely on ρ for every environment step ρ → {v := ?}[. . . ]φ [v = X; . . . ]φ We guarantee γ for every own atomic step γ ∧ {X := v}[. . . ]φ [X = v; . . . ]φ Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 10

65. Rely / Guarantee σt σtσ∗ Σ(t) ρ We rely on ρ for every environment step ρ → {v := ?}[. . . ]φ [v = X; . . . ]φ We guarantee γ for every own atomic step γ ∧ {X := v}[. . . ]φ [X = v; . . . ]φ Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 10

66. Rely / Guarantee σt σtσ∗ Σ(t) γ ρ γ We rely on ρ for every environment step ρ → {v := ?}[. . . ]φ [v = X; . . . ]φ We guarantee γ for every own atomic step γ ∧ {X := v}[. . . ]φ [X = v; . . . ]φ Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 10

69. Modular Rely / Guarantee Global Soundness Condition t =t γt → ρt Novel Approach: Contract Framework Assume as system invariant Prove maintenance locally on fork (ρt ∨ γt → ρt ) ∧ (γt → ρt ) ∧ [. . . ]φ [t’.start(); . . . ]φ Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 11

70. Modular Rely / Guarantee Global Soundness Condition t =t γt → ρt Novel Approach: Contract Framework Assume as system invariant Prove maintenance locally on fork (ρt ∨ γt → ρt ) ∧ (γt → ρt ) ∧ [. . . ]φ [t’.start(); . . . ]φ breaks modularity Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 11

74. KeY Implementation New calculus 13 rule templates total Java semantics for free Generate from specification Keep non-splitting Proof obligations guarantee global soundness Specification in JML class T extends Thread { //@ relies_on L==prev(L); //@ guarantees L>=prev(L); } Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 12

80. Summary Concurrency Verification Contributions Adapt rely /guarantee to dynamic logic Soundness proof Easy to extend existing calculus Thread-modular Program transformation on the fly Reusable proof results Implemented in Extension to JML Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 13

89. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

90. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

91. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; secure ! Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

92. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; H = H; secure ! secure ! Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

93. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; y = H; H = y; Σ Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

94. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; y = H; H = y; Σ Σ Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

95. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; y = H; H = y; Σ Σ Σ Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

96. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; y = H; H = y; insecure % Σ Σ Σ Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

97. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

98. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; secure ! if no write to H or L Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

99. Concurrent Noninterference Prove noninterference for thread, with interleaving semantics Security may depend on scheduler Define modular scheduler-independent security Specify interference by other threads with rely / guarantee H = 0; L = H; secure !if ρ = H . = H ∧ L . = L Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 14

100. Example Proof (∗) L@h1 . = L@h1 =⇒ true L@h1 . = L@h1 =⇒ 0 . = 0 L@h1 . = L@h1 =⇒ L@h1[L := 0] . = L@h1[L := 0] L@h1 . = L@h1 =⇒ L@h1[H := 0][L := 0] . = L@h1[H := 0][L := 0] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := 0] . = L@anon(h1[H := 0])[L := 0] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := H@h1[H := 0]] . = L@anon(h1[H := 0])[L := H@h1[H := 0]] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] . = L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), =⇒ L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] . = L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := anon(h1[H := 0])[L := H@anon(heap)]}(heap . = h2) =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}{heap := heap[L := H@heap]} heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )} L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, L@h1 . = L@h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]} L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := anon(h1[H := 0])[L := H@anon(heap)]}(heap . = h2), {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}{heap := heap[L := H@heap]} heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )} L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h2, {heap := h1[H := 0]} L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1} H=0; L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1 ∧ {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 =⇒ L@h1 . = L@h1 ∧ {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 → L@h2 . = L@h2 {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 → (L@h1 . = L@h1 → L@h2 . = L@h2) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 15

101. Example Proof (∗) L@h1 . = L@h1 =⇒ true L@h1 . = L@h1 =⇒ 0 . = 0 L@h1 . = L@h1 =⇒ L@h1[L := 0] . = L@h1[L := 0] L@h1 . = L@h1 =⇒ L@h1[H := 0][L := 0] . = L@h1[H := 0][L := 0] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := 0] . = L@anon(h1[H := 0])[L := 0] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := H@h1[H := 0]] . = L@anon(h1[H := 0])[L := H@h1[H := 0]] L@h1 . = L@h1, L@anon(h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] . = L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), =⇒ L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] . = L@anon(h1[H := 0])[L := H@anon(h1[H := 0])] L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := anon(h1[H := 0])[L := H@anon(heap)]}(heap . = h2) =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}{heap := heap[L := H@heap]} heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )} L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, L@h1 . = L@h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]} L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := anon(h1[H := 0])[L := H@anon(heap)]}(heap . = h2), {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}{heap := heap[L := H@heap]} heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), {heap := h1[H := 0]}{heap := anon(heap )} L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h2, {heap := h1[H := 0]} L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1, {heap := h1} H=0; L=H; heap . = h2, {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 L@h1 . = L@h1 ∧ {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 =⇒ L@h2 . = L@h2 =⇒ L@h1 . = L@h1 ∧ {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 → L@h2 . = L@h2 {heap := h1} H=0; L=H; heap . = h2 ∧ {heap := h1} H=0; L=H; heap . = h2 → (L@h1 . = L@h1 → L@h2 . = L@h2) Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 15

102. Example Proof (∗) L@h1 . = L@h1 =⇒ true L@h1 . = L@h1 =⇒ 0 . = 0 L@h1 . = L@h1 =⇒ L@h1[L := 0] . = L@h1[L := 0] L@h1 . = L@h1 =⇒ L@h1[H := 0][L := 0] . = L@h1[H := 0][L := 0] (h1[H := 0]) . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := 0] . = L@an . = L@h1[H := 0], L@anon(h1[H := 0]) . = L@h1[H := 0] =⇒ L@anon(h1[H := 0])[L := H@h1[H := 0]] . = L@an h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0], H@anon(h1[H := 0]) . = H@h1[H := 0] =⇒ L@anon(h1[H := H@heap ), {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), =⇒ heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = non(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap )[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap ∧ H@heap = on(h1[H := 0])[L := H@anon(heap)] . = h2, {heap := h1[H := 0]}{heap := anon(heap )}(L@heap . = L@heap := anon(heap )}(L@heap . = L@heap ∧ H@heap . = H@heap ), anon(h1[H := 0])[L := H@anon(heap)] . = h2, Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 15

103. Proving Concurrent Noninterference Prove interplay between threads benign Rely / guarantee allows to specify full functional behavior Conservative extension of sequential calculus Reusable modular proofs + Prove noninterference for every thread class Same formalization as for sequential programs Includes absence of probabilistic leaks through scheduler Additional channels in full Java Introduction Concurrent Programs Veriﬁcation Information Flow Analysis Closing Daniel Grahl – Veriﬁcation of Concurrent Programs 29/10/2015 16

106. Thesis Contributions I Verification of concurrent Java Scheduler-parametric semantics of a multi-threaded language Combination of dynamic and temporal logic Adaptation of modular rely / guarantee in dynamic logic Rely / gurantee with dynamic framing [TR 15-3] Implementation in KeY [VSTTE ’14] JML extension for concurrency Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 17

107. Thesis Contributions II Precise information flow analysis for concurrent Java Flexible notion of noninterference with declassification Formalization of concurrent noninterference [FCS ’15] Formalization of trace-based extensions to NI Analysis of timing leaks [TR 14-5] Attacker model refined for Java [LOPSTR ’13] Support RIFL input Case study: e-voting Functional verification [TR 14-11, S&P poster ’15] Hybrid IF analysis [GRSRD ’13, CSF ’15] Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 18

110. Overview concurrency verification methodology semantics concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

111. Overview dynamic trace logic concurrency verification methodology semantics concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

112. Overview trace-based noninterference dynamic trace logic concurrency verification methodology semantics concurrent noninterference noninterference declassification Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

113. Overview trace-based noninterference dynamic trace logic concurrency verification methodology semantics concurrent noninterference noninterference declassification object- sensitivity Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

114. Overview trace-based noninterference dynamic trace logic concurrency verification methodology semantics concurrent noninterference RIFL specification noninterference declassification object- sensitivity Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

115. Overview trace-based noninterference dynamic trace logic concurrency verification methodology semantics concurrent noninterference RIFL specification noninterference declassification e-voting verification object- sensitivity Introduction Concurrent Programs Verification Information Flow Analysis Closing Daniel Grahl – Verification of Concurrent Programs 29/10/2015 19

defense

Recommended

Recommended

More Related Content

Similar to defense

Similar to defense (20)

defense