Advances in Programming Languages

Similar documents
Cloud Computing. Up until now

CSCI E 98: Managed Environments for the Execution of Programs

Trustworthy Software Systems

An Easier Way for Cross-Platform Data Acquisition Application Development

sel4: from Security to Safety Gernot Heiser, Anna Lyons NICTA and UNSW Australia

Automated Program Behavior Analysis

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Antonio Kung, Trialog. HIJA technical coordinator. Scott Hansen, The Open Group. HIJA coordinator

White Paper. Java Security. What You Need to Know, and How to Protect Yourself

Automated Theorem Proving - summary of lecture 1

Code Generation for High-Assurance Java Card Applets

The Course.

Fachbereich Informatik und Elektrotechnik SunSPOT. Ubiquitous Computing. Ubiquitous Computing, Helmut Dispert

PROGRAM LOGICS FOR CERTIFIED COMPILERS

Chapter 3: Operating-System Structures. Common System Components

Applications of formal verification for secure Cloud environments at CEA LIST

Introduction to Static Analysis for Assurance

Restraining Execution Environments

IoT Security Platform

Outline. 1 Denitions. 2 Principles. 4 Implementation and Evaluation. 5 Debugging. 6 References

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

Outline. hardware components programming environments. installing Python executing Python code. decimal and binary notations running Sage

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

The CompCert verified C compiler

General Introduction

Kernel Types System Calls. Operating Systems. Autumn 2013 CS4023

Monitoring Java enviroment / applications

VDM vs. Programming Language Extensions or their Integration

Secure Software Programming and Vulnerability Analysis

Jonathan Worthington Scarborough Linux User Group

Rigorous Software Development CSCI-GA

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

An Introduction to CODE SIGNING

Example of Standard API

Basic Unix/Linux 1. Software Testing Interview Prep

1/20/2016 INTRODUCTION

Real Time Programming: Concepts

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Design by Contract beyond class modelling

language 1 (source) compiler language 2 (target) Figure 1: Compiling a program

C# and Other Languages

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005

Lecture 12: Software protection techniques. Software piracy protection Protection against reverse engineering of software

System Structures. Services Interface Structure

Towards practical reactive security audit using extended static checkers 1

Lecture 1 Introduction to Android

Instrumentation Software Profiling

Rigorous Software Engineering Hoare Logic and Design by Contracts

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

How To Write A Program Verification And Programming Book

Rigorous Software Development CSCI-GA

The Eighth International Conference INCOSE_IL Formal Methods Security Tools in the Service of Cyber Security

Mobile Application Languages XML, Java, J2ME and JavaCard Lesson 04 Java

CS3600 SYSTEMS AND NETWORKS

Software Engineering Techniques

Bypassing Memory Protections: The Future of Exploitation

Experimental Evaluation of Distributed Middleware with a Virtualized Java Environment

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Best Practices for Verification, Validation, and Test in Model- Based Design

ONLINE EXERCISE SYSTEM A Web-Based Tool for Administration and Automatic Correction of Exercises

Monitoring, Tracing, Debugging (Under Construction)

WESTMORELAND COUNTY PUBLIC SCHOOLS Integrated Instructional Pacing Guide and Checklist Computer Math

1. Overview of the Java Language

CS 40 Computing for the Web

evm Virtualization Platform for Windows

Characteristics of Java (Optional) Y. Daniel Liang Supplement for Introduction to Java Programming

Software testing. Objectives

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

MPI-Checker Static Analysis for MPI

Chapter 1 Fundamentals of Java Programming

CS 51 Intro to CS. Art Lee. September 2, 2014

Java Programming. Binnur Kurt Istanbul Technical University Computer Engineering Department. Java Programming. Version 0.0.

Operating Systems 4 th Class

APPLETS AND NETWORK SECURITY: A MANAGEMENT OVERVIEW

Digital signature Solution for the Secure Electronic invoicing application

Course Title: Software Development

Lesson 06: Basics of Software Development (W02D2

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

Source Code Security Analysis Tool Functional Specification Version 1.0

Introduction to Virtual Machines

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Driving force. What future software needs. Potential research topics

Smart Cards a(s) Safety Critical Systems

Operating Systems. Notice that, before you can run programs that you write in JavaScript, you need to jump through a few hoops first

Formal Verification and Linear-time Model Checking

Microcontrollers Deserve Protection Too

Software Engineering Reference Framework

Information and Communications Technology Courses at a Glance

02 B The Java Virtual Machine

CS420: Operating Systems OS Services & System Calls

Transcription:

Advances in Programming Languages Lecture 13: Certifying Correctness Ian Stark School of Informatics The University of Edinburgh Tuesday 4 November 2014 Semester 1 Week 8 http://www.inf.ed.ac.uk/teaching/courses/apl

Topic: Programming for Correctness The following lectures cover some language techniques and tools for improving program correctness: Specification and Verification Practical Java tools for Correctness Certifying Correctness The focus here is not necessarily on changing what a program does, or making it do that thing faster, or using less memory, or less power. Instead we want to make sure that what it does is the right thing to do. Following previous lectures on Hoare logic and the Java Modeling Language, this looks at how these can be taken beyond local checking of individual programs.

Previous Homework! JML is just one of many frameworks for specifying and verifying code in various programming languages. Examples include Java annotations, FindBugs TM, QuickCheck, the C specification language ACSL and Frama-C platform, Spec#; and others taking a wide range of approaches. Your homework is to find out about one particular such system. Post this Find some information online about Microsoft s Code Contracts. Post about it to the mailing list, the blog, or the Facebook group.

Outline 1 Proving Programs Correct 2 Certifying Code 3 Verifying Complete Systems 4 Conclusion

Outline 1 Proving Programs Correct 2 Certifying Code 3 Verifying Complete Systems 4 Conclusion

Specification and Verification Specification Stating what properties a program ought to have, either before it is written at all, or by annotating existing code. For example, we might do this with Hoare preconditions and postconditions; object invariants; code contracts; or annotations about non-null pointers, lack of side-effects, control of exceptions, etc. Verification Checking that a program does indeed have these desired properties. This is static checking, which might be straightforwardly automatic, or require additional user annotations such as loop invariants or library specifications. Some static checkers turn the problem into verification conditions in formal logic and pass these to an external automated theorem prover perhaps one able to reason about arithmetic, arrays, bitvectors, or other relevant theories.

Lightweight Verification Proving arbitrary assertions can be arbitrarily difficult. In lightweight verification we simplify things by focusing on standard properties of common interest, rather than full functional correctness. For example: Exception freedom no uncaught exception is raised. Pointer validity no null pointer is ever dereferenced. Arithmetic safety no arithmetic expression divides by zero or overflows. Race freedom access to shared state does not conflict in different threads. Standard properties are easy for the programmer to indicate, providing shorthand for possibly complex logical expressions. Standard properties may be easier for tools to handle, using ad hoc static analyses or decidable fragments of logic. If a tool cannot establish a property, the programmer may be able to add additional annotations, or may have to rewrite the code.

Many Different Things to Check The list below presents some of the many things that ESC/Java2 checks in source code. Other tools provide similar checks, often specialising in a particular area and possibly relying on user interaction or additional programmer annotations. Null pointer dereference Negative array index Array index too large Invalid type casts Array storage type mismatch Divide by zero Negative array size Unreachable code Deadlock in concurrent code Race condition Unchecked exception Object invariant broken Loop invariant broken Precondition not satisfied Postcondition not satisfied Assertion not satisfied

Outline 1 Proving Programs Correct 2 Certifying Code 3 Verifying Complete Systems 4 Conclusion

Once We Have Verified Code, What Then? Oxford English Dictionary Certify v. trans. To make (a thing) certain; to guarantee as certain, attest in an authoritative manner; to give certain information of. Once we have verified code, or shown it satisfies some key property, how do we communicate this to others? How do we decide whether code from other sources is trustworthy? Informal argument written in English Check-list of manually measured/assessed criteria Set of executable tests that are checked automatically A signature of an authority, analogue or digital Transcript of input and output to a verification system Digital evidence checked electronically

Once We Have Verified Code, What Then? Oxford English Dictionary Certify v. trans. To make (a thing) certain; to guarantee as certain, attest in an authoritative manner; to give certain information of. Once we have verified code, or shown it satisfies some key property, how do we communicate this to others? How do we decide whether code from other sources is trustworthy? Informal argument written in English Check-list of manually measured/assessed criteria Set of executable tests that are checked automatically A signature of an authority, analogue or digital Transcript of input and output to a verification system Digital evidence checked electronically

Code Signing Digital signatures are a very widely-used mechanism for certifying code: mobile device apps; Microsoft updates; Windows Driver Signing; Debian Linux package archives; browser plugins;... This code signing is better than trusting unauthenticated code; a digital version of shrink-wrapping products with holographic stamps. However, this is authenticating the supplier of the product, and doesn t directly say anything about the product itself.

What Does Code Signing Ensure? Code signing has two particular fallibilities.

What Does Code Signing Ensure? Code signing has two particular fallibilities. The signature chain may be compromised.

What Does Code Signing Ensure? Code signing has two particular fallibilities. The signature chain may be compromised. Microsoft Security Bulletin MS01-017 - Critical In mid-march 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".

What Does Code Signing Ensure? Code signing has two particular fallibilities. The signature chain may be compromised. Microsoft Security Bulletin MS01-017 - Critical In mid-march 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The code being signed may not in fact be trustworthy. This might be because the signer failed to check properly, procedures weren t adequate, or that they weren t followed.

What Does Code Signing Ensure? Code signing has two particular fallibilities. The signature chain may be compromised. Microsoft Security Bulletin MS01-017 - Critical In mid-march 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The code being signed may not in fact be trustworthy. This might be because the signer failed to check properly, procedures weren t adequate, or that they weren t followed.

What are we Missing Here? Aside from errors in implementation or procedure, there is a deeper issue that code signing delegates trust to somebody else rather than examining the code for ourselves. Digital signatures authenticate the supplier of code, not the code itself. What if we could check the code ourselves, directly? One challenge here is that correctness proofs are hard; and even harder if we don t have the source code, its annotations, or any insight from the programmer. Often, however, checking a proof is much simpler than finding a proof. This lies behind research into Proof-Carrying Code (PCC) and, more generally evidence-based security.

Proof-Carrying Code PCC was originally proposed by George Necula and Peter Lee in 1996 with the example of network packet filters. It has since been applied in a variety of contexts to provide assurances about code safety. The general mechanism is as follows. A code producer bundles together: Executable code; A formal statement about the code s behaviour the guarantee; A proof that the code satisfies the guarantee. The code consumer receives the bundle and checks: That the guarantee ensures the desired security or safety properties; That the proof does show the code satisfies the guarantee.

Code producer Network Code consumer Source program Resource types Resource policy Certifying compiler Proof checker Guarantee certificate Guarantee certificate Java classfile Java classfile OK? JVM

Digital Evidence The PCC framework can extend beyond proofs to all kinds of digital evidence. Machine-checked proofs; fixpoints for abstract interpretation; loop invariants for bytecode logics; constraint solutions;... These may show different kinds of properties: Type safety, memory safety, stack and array bounds; Secure information flow, noninterference, declassification; Resource usage, access policies; Invocation protocols, method contracts;... Some existing examples: Stackmaps in the Java bytecode verifier; similarly for.net; Typed Assembly Language (TAL) in the Verve OS from Microsoft Research.

Wholesale Using Digital Evidence Evidence Software Developers App Store Users Flows for Digital Evidence Flows for Digital Evidence From store to user, evidence to satisfy security/resource policy store to user, evidence to satisfy security/resource policy From store From to store developer, to developer, stating objective stating acceptance objective acceptance policies policies From developer From developer to store, providing to store, evidence providing toevidence meet these to meet these Ian Stark Ian Stark Mobius Advances Digital in Programming Evidence to Languages Guarantee / Trustworthy Lecture 13: Certifying Mobile Code Correctness fet09 Prague 2009-04-23 2014-11-04

Summary on PCC and Digital Evidence Trust in mobile code can strengthened by supplementing digital signatures with digital evidence. Digital Signatures Cryptographic, confirming that software has been approved Checked against external trust hierarchy of public keys Digital Evidence Certificate presenting data about the software itself Confirms key aspects of software behaviour Can be independently checked, without external authority Both rely on mathematical foundations to ensure that no certificate can be forged, and that code cannot be tampered with. Both can work without revealing any original source code.

Some Edinburgh Projects on Digital Evidence Mobile Resource Guarantees Edinburgh/Munich 2002 2005 Mobius: Mobility, Ubiquity and Security Enabling proof-carrying code for Java on mobile devices European integrated project 2004 2009 App Guarden: Resilient Application Stores Edinburgh 2013 2016 UK national cybersecurity programme GCHQ/EPSRC/BIS Mobility and Security http://www.lfcs.ed.ac.uk/m+s

Outline 1 Proving Programs Correct 2 Certifying Code 3 Verifying Complete Systems 4 Conclusion

There s More to Check than Code Static checkers make it possible to verify properties of source code. Proof-carrying code and digital evidence lets users check properties of executable binaries. But how do we get from proofs about source code to proofs about binaries? And there is more what must we do to trust all the other components? Compiler Bytecode engine / JIT compiler Hardware execution of machine code Libraries Host operating system

Compiler Correctness Compiler correctness has been a concern ever since there were compilers. Different people take different views on this; two of these we can stereotype as follows.

Compiler Correctness Compiler correctness has been a concern ever since there were compilers. Different people take different views on this; two of these we can stereotype as follows. Programming-Language Researchers Compilers are complicated pieces of code. We rely on them, but they are buggy.

Compiler Correctness Compiler correctness has been a concern ever since there were compilers. Different people take different views on this; two of these we can stereotype as follows. Programming-Language Researchers Compilers are complicated pieces of code. We rely on them, but they are buggy. Like other complicated pieces of code we ought to verify that they do what is intended, and fix them if they don t.

Compiler Correctness Compiler correctness has been a concern ever since there were compilers. Different people take different views on this; two of these we can stereotype as follows. Programming-Language Researchers Compilers are complicated pieces of code. We rely on them, but they are buggy. Like other complicated pieces of code we ought to verify that they do what is intended, and fix them if they don t. Compiler Researchers Compilers are very complicated pieces of code. We rely on them and they are buggy. But that s life.

Compiler Correctness Compiler correctness has been a concern ever since there were compilers. Different people take different views on this; two of these we can stereotype as follows. Programming-Language Researchers Compilers are complicated pieces of code. We rely on them, but they are buggy. Like other complicated pieces of code we ought to verify that they do what is intended, and fix them if they don t. Compiler Researchers Compilers are very complicated pieces of code. We rely on them and they are buggy. But that s life. The underlying hardware also has bugs. There haven t been any verified CPU cores since the 1980s. We just hope the bugs are rare, and for controlling nuclear power stations it s probably best to only use old CPU architectures.

Translation Validation The idea of translation validation is that rather than verifying a whole compiler, we check that individual compilations actually performed are correct. This can be even be refined to individual optimisation steps, or specific code transformations. Translation validation relaxes the requirement that the compiler be globally correct. Instead, the compiler checks that it has produced the right result each time. Some input programs may produce errors or trigger compiler bugs; validations cannot be produced for these programs. Amir Pnueli, Michael Siegel and Eli Singerman. Translation Validation, TACAS 98. http://portal.acm.org/citation.cfm?id=691453 George C. Necula. Translation Validation for an Optimizing Compiler, SIGPLAN Notices, 35/5, 2000. http://doi.acm.org/10.1145/358438.349314.

Complete Compiler Verification The CompCert project, led by Xavier Leroy, maintains a C compiler for PowerPC, ARM and x86 that has been formally verified using the Coq theorem-prover. This verification shows that the compiler is semantics-preserving. As a result any safety property proved on the source code is sure to hold also for the compiled executable binary. http://compcert.inria.fr

Further Compiler Verification Following Leroy s lead, other projects have built further verified compilers. For example: CerCo: Certified Complexity A verified C compiler that provides cycle-precise execution costs for an embedded microcontroller. Edinburgh / Bologna / Paris CompCertTSO: A Verified Compiler for Relaxed-Memory Concurrency http://cerco.cs.unibo.it Enhances CompCert with concurrency primitives for thread management and synchronisation, and checks their semantics against the Total Store Order (TSO) weak memory model. Cambridge CakeML: A Verified Implementation of ML http://www.cl.cam.ac.uk/~pes20/compcerttso Verified compiler from ML to x86-64; the compiler is self-hosting (can compile itself) Cambridge / NICTA Canberra / Kent https://cakeml.org

Platform Verification Other projects aim to verify yet more of the tower between source and execution. For example: SAFE: A Secure Computing Platform Built on a tagged hardware architecture that allows per-instruction checking of safety and security policies. http://www.crash-safe.org DARPA Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) sel4: Secure OS Kernel Verified implementation of the L4 operating system microkernel. National ICT Australia (NICTA) http://sel4.systems REMS: Rigorous Engineering for Mainstream Systems Programming-language and verification support for processor architectures, systems programming, and concurrent software. Cambridge / London / Edinburgh http://rems.io HACMS: High-Assurance Cyber-Military Systems Formal verification for embedded control systems and autonomous vehicles US DARPA http://is.gd/darpa_hacms

Outline 1 Proving Programs Correct 2 Certifying Code 3 Verifying Complete Systems 4 Conclusion

Summary Proving Programs Correct Specification states what properties are expected of a program. Verification checks that the code given does have those properties Lightweight specification and verification focus on simple safety properties rather than detailed functional correctness. Certifying Code Digital Signatures authenticate the supplier of code. Proof-Carrying Code certifies the code itself and can be independently checked. Verifying Complete Systems Translation Validation checks compilation of individual programs, or even individual compilation steps. Compiler Verification checks the compiler itself, as in the CompCert C compiler. Platform Verification looks at other components between source and runtime behaviour.

Coursework Assignment! The assignment instructions are now available as a single PDF. This contains all the material from the previous web page. http://blog.inf.ed.ac.uk/apl14/coursework Your final report is due at the end of this week. When: By 3pm Friday 7 November 2014 What: A PDF file containing an 8 10 page report on your chosen topic How: Command submit apl 2 report.pdf on any DICE machine

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information