{"title":"Verification challenges of pervasive information flow","authors":"B. Pierce","doi":"10.1145/2103776.2103778","DOIUrl":"https://doi.org/10.1145/2103776.2103778","url":null,"abstract":"The CRASH/SAFE project aims to design a new computer system that is highly resistant to cyber-attack. 'It offers a rare opportunity to rethink the hardware / OS / software stack from a completely clean slate, unhampered by legacy constraints.' We are building novel hardware, a new high-level programming language, and a suite of modern operating system services, all embodying fundamental security principles -- separation of privilege, least privilege, mutual suspicion, etc. -- down to their very bones. Achieving these goals demands a co-design methodology in which all system layers are designed together, with a ruthless insistence on simplicity, security, and verifiability at every level.\u0000 I will describe the current state of the CRASH/SAFE design and discuss some of the most interesting verification challenges that it raises.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"43 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121058816","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
A. Amighi, S. Blom, M. Huisman, Marina Zaharieva-Stojanovski
{"title":"The VerCors project: setting up basecamp","authors":"A. Amighi, S. Blom, M. Huisman, Marina Zaharieva-Stojanovski","doi":"10.1145/2103776.2103785","DOIUrl":"https://doi.org/10.1145/2103776.2103785","url":null,"abstract":"This paper describes the first results and on-going work in the VerCors project. The VerCors project is about Verification of Concurrent Data Structures. Its goal is to develop a specification language and program logic for concurrent programs, and in particular for concurrent data structures, as these are the essential building blocks of many different concurrent programs. The program logic is based on our earlier work on permission-based separation logic for Java. This is an extension of Hoare logic that is particularly convenient to reason about concurrent programs.\u0000 The paper first describes the tool set that is currently being built to support reasoning with this logic. It supports a specification language that combines features of separation logic with JML. For the verification, the program and its annotations are encoded into Chalice, and then we reuse the Chalice translation to Boogie to generate the proof obligations.\u0000 Next, the paper describes our first results on data structure specifications. We use histories to keep track of the changes to the data structures, and we show how these histories allow us to derive other conclusions about the data structure implementations. We also discuss how we plan to reason about volatile variables, and how we will use this to verify lock-free data structures.\u0000 Throughout the paper, we discuss our plans for future work within the VerCors project.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126387036","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Peter-Michael Osera, Vilhelm Sjöberg, S. Zdancewic
{"title":"Dependent interoperability","authors":"Peter-Michael Osera, Vilhelm Sjöberg, S. Zdancewic","doi":"10.1145/2103776.2103779","DOIUrl":"https://doi.org/10.1145/2103776.2103779","url":null,"abstract":"In this paper we study the problem of interoperability --- combining constructs from two separate programming languages within one program --- in the case where one of the two languages is dependently typed and the other is simply typed.We present a core calculus called SD, which combines dependently- and simply-typed sub-languages and supports user-defined (dependent) datatypes, among other standard features. SD has \"boundary terms\" that mediate the interaction between the two sub-languages. The operational semantics of SD demonstrates how the necessary dynamic checks, which must be done when passing a value from the simply-typed world to the dependently typed world, can be extracted from the dependent type constructors themselves, modulo user-defined functions for marshaling values across the boundary.We establish type-safety and other meta-theoretic properties of SD, and contrast this approach to others in the literature.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"36 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125062390","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A hoare calculus for the verification of synchronous languages","authors":"Manuel Gesell, K. Schneider","doi":"10.1145/2103776.2103782","DOIUrl":"https://doi.org/10.1145/2103776.2103782","url":null,"abstract":"The synchronous model of computation divides the execution of a program into macro steps that consist of finitely many atomic micro steps (like assignments). The micro steps of a macro step are executed within the same variable environment (i.e. in parallel) but all updates to the variables are synchronously performed at the level of macro steps. The availability of a formally defined semantics allows one to use formal methods for the verification of synchronous programs. To this end, model checking is already widely used for synchronous programs, but the use of interactive verification e.g. by using a Hoare calculus, is only in its infancies. One reason for this situation is that the assignment rule of the classic Hoare calculus implicitly defines a sequential programming model which is only a special case of the synchronous model of computation.\u0000 In this paper, we therefore suggest a generalization of the classic Hoare calculus to deal with synchronous programs. The main idea is thereby that the assignment rule refers to all assignments made in a macro step so that the synchronous model of computation is axiomatized. It is possible to rewrite all synchronous programs so that the assignments of every macro step are collected in a single tuple assignment. This way, our generalization of the assignment rule is applicable to arbitrary synchronous programs. We present non-trivial case studies that show the feasibility of our approach.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"426 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122921802","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Formal network packet processing with minimal fuss: invertible syntax descriptions at work","authors":"Reynald Affeldt, David Nowak, Y. Oiwa","doi":"10.1145/2103776.2103781","DOIUrl":"https://doi.org/10.1145/2103776.2103781","url":null,"abstract":"An error in an Internet protocol or its implementation is rarely benign: at best, it leads to malfunctions, at worst, to security holes. These errors are all the more likely that the official documentation for Internet protocols (the RFCs) is written in natural language. To prevent ambiguities and pave the way to formal verification of Internet protocols and their implementations, we advocate formalization of RFCs in a proof-assistant. As a first step towards this goal, we propose in this paper to use invertible syntax descriptions to formalize network packet processing. Invertible syntax descriptions consist in a library of combinators that can be used interchangeably as parsers or pretty-printers: network packet processing specified this way is not only unambiguous, it can also be turned into a trustful reference implementation, all the more trustful that there is no risk for inconsistencies between the parser and the pretty-printer. Concretely, we formalize invertible syntax descriptions in the Coq proof-assistant and extend them to deal with data-dependent constraints, an essential feature when it comes to parsing network packets. The usefulness of our formalization is demonstrated with an application to TLS, the protocol on which e-commerce relies.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-01-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133363382","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Robust, generic, modularly-verified map: a software verification challenge problem","authors":"Derek Bronish, Hampton Smith","doi":"10.1145/1929529.1929533","DOIUrl":"https://doi.org/10.1145/1929529.1929533","url":null,"abstract":"Maps are a fundamental component in the development of modern software. The ability to associate keys with values in the manner of a partial mathematical function is important for a wide range of applications, and also accommodates a broad variety of implementations with diverse performance profiles. The foundational-yet-sophisticated nature of this problem makes it an ideal benchmark for software verification efforts. A tension between modular reasoning and the usefulness of the component can be observed particularly in systems where the keys may be reference types. Criteria for modular verification of a robust map component are elaborated, and existing attempts to verify a map component are surveyed.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"60 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126162166","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reasoning about digital artifacts with ACL2","authors":"J. S. Moore","doi":"10.1145/1929529.1929538","DOIUrl":"https://doi.org/10.1145/1929529.1929538","url":null,"abstract":"ACL2 is both a programming language in which computing systems can be modeled and a tool to help a designer prove properties of such models. ACL2 stands for A Computational Logic for Applicative Common Lisp'' and provides mechanized reasoning support for a first-order axiomatization of an extended subset of functional Common Lisp. Most often, ACL2 is used to produce operational semantic models of artifacts. Such models can be executed as functional Lisp programs and so have dual use as both pre-fabrication simulation engines and as analyzable mathematical models of intended (or at least designed) behavior.\u0000 This project had its start 40 years ago in Edinburgh with the first Boyer-Moore Pure Lisp theorem prover and has evolved proofs about list concatenation and reverse to proofs about industrial models.\u0000 Industrial use of theorem provers to answer design questions of critical importance is so surprising to people outside of the theorem proving community that it bears emphasis. In the 1980s, the earlier Boyer-Moore theorem prover, Nqthm, was used to verify the ``Computational Logic stack'' -- a hardware/software stack starting with the NDL description of the netlist for a microprocessor and ascending through a machine code ISA, an assembler, linker, and loader, two compilers (for subsets of Pascal and Lisp), an operating system, and some simple applications. The system components were proved to compose so that properties proved of high-level software were guaranteed by the binary image produced by the composition. At around the same time, Nqthm was used to verify 21 of the 22 subroutines in the MC68020 binary machine code produced from the Berkeley C String Library by gcc -o, identifying bugs in the library as a result.\u0000 Applications like these convinced us that (a) industrial scale formal methods was practical and (b) Nqthm's Pure Lisp produced uncompetitive results compared to C when used for simulation engines. We therefore designed ACL2, which initially was Nqthm recoded to support applicative Common Lisp.\u0000 The 1990s saw the first industrial application of ACL2, to verify the correspondence between a gate-level description of the Motorola CAP DSP and its microcode engine. The Lisp model of the microcode engine was proved to be bit- and cycle-accurate but operated several times faster than the gate-level simulator in C because of the competitive execution speed of Lisp and the higher level of trusted abstraction. Furthermore, it was used to discover previously unknown microcode hazards. An executable Lisp predicate was verified to detect all hazards and subsequently used by microcode programmers to check code. This project and a subsequent one at AMD to verify the floating point division operation on the AMD K5 microprocessor demonstrated the practicality of ACL2 but also highlighted the need to develop better Lisp system programming tools wedded to formal methods, formal modeling, proof development, and ``proof maintenance'' in the face of evo","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"19 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132166746","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Local actions for a curry-style operational semantics","authors":"Gordon Stewart, A. Appel","doi":"10.1145/1929529.1929535","DOIUrl":"https://doi.org/10.1145/1929529.1929535","url":null,"abstract":"Soundness proofs of program logics such as Hoare logics and type systems are often made easier by decorating the operational semantics with information that is useful in the proof. However, modifying the operational semantics to carry around such information can make it more difficult to show that the operational semantics corresponds to what actually occurs on a real machine.\u0000 In this work we present a program logic framework targeting operational semantics in Curry-style---that is, operational semantics without proof decorations such as separation algebras, share models, and step indexes. Although we target Curry-style operational semantics, our framework permits local reasoning via the frame rule and retains expressive assertions in the program logic. Soundness of the program logic is derived mechanically from simple properties of primitive commands and expressions.\u0000 We demonstrate our framework by deriving a separation logic for the model of a core imperative programming language with external function calls. We also apply our framework in a more realistic setting in the soundness proof of a separation logic for CompCert's Cminor. Our proofs are machine-checked in Coq.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"97 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124452124","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"IDRIS ---: systems programming meets full dependent types","authors":"Edwin C. Brady","doi":"10.1145/1929529.1929536","DOIUrl":"https://doi.org/10.1145/1929529.1929536","url":null,"abstract":"Dependent types have emerged in recent years as a promising approach to ensuring program correctness. However, existing dependently typed languages such as Agda and Coq work at a very high level of abstraction, making it difficult to map verified programs to suitably efficient executable code. This is particularly problematic for programs which work with bit level data, e.g. network packet processing, binary file formats or operating system services. Such programs, being fundamental to the operation of computers in general, may stand to benefit significantly from program verification techniques. This paper describes the use of a dependently typed programming language, Idris, for specifying and verifying properties of low-level systems programs, taking network packet processing as an extended example. We give an overview of the distinctive features of Idris which allow it to interact with external systems code, with precise types. Furthermore, we show how to integrate tactic scripts and plugin decision procedures to reduce the burden of proof on application developers. The ideas we present are readily adaptable to languages with related type systems.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125416170","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Flexible in-lined reference monitor certification: challenges and future directions","authors":"Meera Sridhar, Kevin W. Hamlen","doi":"10.1145/1929529.1929537","DOIUrl":"https://doi.org/10.1145/1929529.1929537","url":null,"abstract":"Over the last few years, in-lined reference monitors (IRM's) have gained much popularity as successful security enforcement mechanisms. Aspect-oriented programming (AOP) provides one elegant paradigm for implementing IRM frameworks. There is a foreseen need to enhance both AOP-style and non-AOP IRM's with static certification due to two main concerns. Firstly, the Trusted Computing Base (TCB) can grow large quickly in an AOP-style IRM framework. Secondly, in many practical settings, such as in the domain of web-security, aspectually encoded policy implementations and the rewriters that apply them to untrusted code are subject to frequent change. Replacing the rewriter with a small, light-weight, yet powerful certifier that is policy-independent and less subject to change addresses both these concerns.\u0000 The goal of this paper is two-fold. First, interesting issues encountered in the process of building certification systems for IRM frameworks, such as policy specification, certifier soundness, and certifier completeness, are explored in the light of related work. In the second half of the paper, three prominent unsolved problems in the domain of IRM certification are examined: runtime code-generation via eval, IRM certification in the presence of concurrency, and formal verification of transparency. Promising directions suggested by recent work related to these problems are highlighted.","PeriodicalId":153056,"journal":{"name":"Programming Languages meets Program Verification","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-01-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127438300","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
