School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

Similar documents
Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Static Program Analysis Part 1 the TIP language

Q Body of techniques supported by. R precise mathematics. R powerful analysis tools. Q Rigorous, effective mechanisms for system.

Formal Semantics of Programming Languages

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Formal Semantics of Programming Languages

Proof Carrying Code(PCC)

A concrete memory model for CompCert

Type Theory meets Effects. Greg Morrisett

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

CS558 Programming Languages

Formal Methods. CITS5501 Software Testing and Quality Assurance

Static Analysis in Practice

Pierce Ch. 3, 8, 11, 15. Type Systems

Software Security: Vulnerability Analysis

CS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Having a BLAST with SLAM

CS558 Programming Languages

Having a BLAST with SLAM

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Having a BLAST with SLAM

The Boogie Intermediate Language

Lectures 20, 21: Axiomatic Semantics

Lecture 10 Design by Contract

G Programming Languages - Fall 2012

Program Verification. Aarti Gupta

Lecture 11 Lecture 11 Nov 5, 2014

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

Static Program Analysis

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

COMP 181. Agenda. Midterm topics. Today: type checking. Purpose of types. Type errors. Type checking

PROGRAM ANALYSIS & SYNTHESIS

Introduction to Formal Methods

Chapter 1. Introduction

Chapter 3 (part 3) Describing Syntax and Semantics

COS 320. Compiling Techniques

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Lecture 4: MIPS Instruction Set

Program logics for relaxed consistency

Static program checking and verification

Formal Verification. Lecture 10

Critical Analysis of Computer Science Methodology: Theory

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Distributed Systems Programming (F21DS1) Formal Verification

Recap. Advanced static analysis jobs. Secure Programming Lecture 14: Static Analysis II. Program understanding tools

CS 161 Computer Security

CS61C Machine Structures. Lecture 3 Introduction to the C Programming Language. 1/23/2006 John Wawrzynek. www-inst.eecs.berkeley.

Programming Languages Fall 2014

Advances in Programming Languages

Program Static Analysis. Overview

CITS5501 Software Testing and Quality Assurance Formal methods

Program Analysis: Lecture 02 Page 1 of 32

Formal Verification in Industry

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Advances in Programming Languages

Static Analysis in C/C++ code with Polyspace

22c:111 Programming Language Concepts. Fall Types I

Static Analysis of C++ Projects with CodeSonar

Testing. Wouter Swierstra and Alejandro Serrano. Advanced functional programming - Lecture 2. [Faculty of Science Information and Computing Sciences]

The design of a programming language for provably correct programs: success and failure

Type Inference Systems. Type Judgments. Deriving a Type Judgment. Deriving a Judgment. Hypothetical Type Judgments CS412/CS413

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Type checking. Jianguo Lu. November 27, slides adapted from Sean Treichler and Alex Aiken s. Jianguo Lu November 27, / 39

Formal Methods for Java

CS558 Programming Languages

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Types. Type checking. Why Do We Need Type Systems? Types and Operations. What is a type? Consensus

Formal Verification for UML/SysML models

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Lecture 6: Sequential Sorting

Operational Semantics. One-Slide Summary. Lecture Outline

Why. an intermediate language for deductive program verification

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Push-button verification of Files Systems via Crash Refinement

Simply-Typed Lambda Calculus

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

CS 11 Haskell track: lecture 1

Mixing Type Checking and Symbolic Execution. Khoo Yit Phang (UMD College Park) Bor-Yuh Evan Chang (CU Boulder) Jeffrey S. Foster (UMD College Park)

Software Testing CS 408. Lecture 11: Review 2/20/18

Lecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems

Type Systems. Today. 1. Organizational Matters. 1. Organizational Matters. Lecture 1 Oct. 20th, 2004 Sebastian Maneth. 1. Organizational Matters

Program Verification (6EC version only)

TYPES, VALUES AND DECLARATIONS

Two s Complement Review. Two s Complement Review. Agenda. Agenda 6/21/2011

Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Characteristics of! System to be! built must! match required! characteristics!

Having a BLAST with SLAM

CS61C : Machine Structures

Behavioral Equivalence

A Context-Sensitive Memory Model for Verification of C/C++ Programs

The SPIN Model Checker

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Formal methods for software security

Topic Formal Methods. ICS 121 Lecture Notes. What are Formal Methods? What are Formal Methods? Formal Specification in Software Development

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

In Our Last Exciting Episode

0/38. Detecting Invariants. Andreas Zeller + Andreas Gross. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Programming Languages

Transcription:

Principles of Dependable Systems Building Reliable Software School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne Winter 2006-2007

Outline Class Projects: mtgs next week OP2 + OP3: next week Building reliable software Program Analysis Specifications Model Checking Theorem Proving 2

Reliability Definition Recap of last week's lecture Hardware reliability 3

Example: Memory Leaks (1) Proving absence of memory leaks Code Inspection Testing Formally 4

Example: Memory Leaks (2) Build abstract model of system allocate(blk), read(blk), write(blk), free(blk), copy(blk1, blk2),... State property precisely Exec :=... allocate(b)... [ read(b) write(b) ] free(b)...!( read(b), write(b),... )* Prove model has property Extended regular expression generation & match... Prove model is accurate 5

Example: Bell-LaPadula Model for multi-level security (1973) U.S. Air Force was concerned... Formal state transition model: subjects, labeled objects, and access control rules 2 core properties Simple Security Property (no read above) *-Property (no write below) 6

Example: MLS System Honeywell SCOMP (1983) derivative of Multics hardware + software formally verified used for mail guards time-phased force deployment data system Provided basis for Orange Book one of only 3 implementations of A1 level 7

Principle: Refinement Model A e.g., ABS customer spec refines Model B e.g., Design diagram refines Model C e.g., Microcode refines Model D e.g., Hardware implementation 8

Concrete Realizations Program Analysis Static Analysis Model Checking Theorem Proving 9

Static Analysis Useful questions: Does program terminate? Does x stay constant? Can p ever be NULL? Do p and q ever point to the same data structure in the heap? Equally hard: int a=1 ; if ( procedure( gettime() ) ) a=2 ; Sound approximations 10

Type Checking Type = set of constraints Can be static or dynamic Conservative... int a=1 ; float x=2.0 ; if ( array[a+x] > 0 ) printf( "yes" ) ; Memory safety: arbitrary bit patterns? "If program compiles, it is correct" 11

Domain-Specific Rules We know the rules: check length of incoming strings don t use freed memory... Metacompilation: compiler checks rules programmers can write them, or statistically inferred 12

Example: Using Freed Mem... connection->buffer = malloc(... ); if (NULL == connection->buffer) { free( connection ); printf( "Out of memory" ); goto done; } Track state of connection Allocated Freed... /* connection establishment */... done: return connection; Bug! How might we infer this rule? 13

Data Flow Analysis print STDERR "Enter file name:"; $x=<stdin>; # $x is tainted (user input)... more code... $z="/tmp/safe_file.txt"; $y="$sysdir/$x"; system("cat $y"); # $z is clean # $y is tainted # disallowed! system("cat $z"); # OK Why might tainted data be bad? 14

Static Analysis Pros/Cons Benefits done at compile time don t need to execute code (like in testing) don t need to understand intention of the code Drawbacks checked properties are shallow (close to the code) more aggressive more false positives 15

Outline Class Projects: mtgs next week OP2 + OP3: next week Building reliable software Program Analysis Specifications Model Checking Theorem Proving 16

Formal Verification Model Checking Theorem Proving... both require a formal specification of system properties of interest 17

Writing Specifications Use computer-understandable language Concise Unambiguous Complete Say what without saying how "how" is implementation... Spec languages vs. prog languages 18

State Machine Specs 1) Define system states 2) Define all legal state-modifying ops result: TYPE = [output: BRKTYPE, state: BRKTYPE] ABS_apply_brakes( command: CMDTYPE, brk_state: BRKTYPE ) : result = (IF (command == APPLY) THEN return [brk_state,[~brk_state[left], ~brk_state[right]] ELSE return [brk_state, brk_state]) 19

Axiomatic Specs Implicit statements about operations Pre- and post-conditions binary_search( Array, Key ) Index PRE: ordered( Array ) ( Key in Array ) POST: Array[Index]==Key Invariants: pre/post-conditions for all ops INVAR: ordered(array) size(array)<100 20

Model Checking Exhaustively search states of system BRKSTATUS: TYPE = ONEOF( applied, released ) BRKTYPE: TYPE = [ BRKSTATUS, BRKSTATUS ] result: TYPE = [output: BRKTYPE, state: BRKTYPE] ABS_apply_brakes( command: CMDTYPE, brk_state: BRKTYPE ) : result = (IF (command == APPLY) THEN return[ brk_state, [~brk_state[left], ~brk_state[right] ] ELSE return[ brk_state, brk_state ]) INVAR: ( brake_state[left] == brake_state[right] ) Does invariant hold? Finite model guaranteed termination

Model Checking: Pros/Cons Benefits completely automatic (unlike theorem proving) provides counter examples works on partial specs (good for large systems) more interesting properties than static analysis Drawbacks state space explosion (exponential) writing and maintaining abstract model is hard coarse models far from actual implementation 22

Theorem Provers 1) Specify system using logic 2) Provide context (axioms+inference rules) 3) Specify desired properties (theorems) 4) Machine generates proof of theorem Theorem prover = fancy pattern matcher Needs user guidance (lemmas, defs) 23

Example: ABS (1) Modified ABS system RULE: x div by 2 (x+2) div by 2 ABS_apply_brakes( command: CMDTYPE, brk_state: BRKTYPE ) : result =... brk_state[left] += 10 brk_state[right] += 10... INVAR: ( for all i, brake_state[i] div by 2 ) Need helper lemma... 24

Example: ABS (2) LEMMA: x div by 2 (x+10) div by 2 PROOF: x div by 2 x+2 div by 2... (inductive proof)... Using Lemma, prover can do its job... ABS_apply_brakes( command: CMDTYPE, brk_state: BRKTYPE ) : result =... brk_state[left] += 10 brk_state[right] += 10... INVAR: ( for all i, brake_state[i] div by 2 ) Done? 25

Example: ABS (3) Tell prover about associativity AXIOM: (x+y)+z == x+(y+z) Tell prover about transitivity AXIOM: (P1 P2 AND P2 P3) (P1 P3) Now prover can do its job LEMMA: x div by 2 (x+10) div by 2 PROOF: x div by 2 x+2 div by 2 x+2 div by 2 (x+4) div by 2 (associativity)... (inductive proof)... x div by 2 (x+10) div by 2 (transitivity) 26

Theorem Proving: Pros/Cons Benefits handle unbounded # of states solid proofs (if assumptions are correct) Drawbacks Specs are very abstract, far from real sys Prover requires human guidance slow, error-prone process requires human to have an idea about the proof 27

Example of Theorem Prover Java bytecode verifier bytecode = model of the program properties to be proven types are used correctly types are preserved no object access violations no forged pointers 28

Myths (1) 1. Formal Methods guarantee sw is perfect... They help find errors early on; do not eliminate need for testing 2. Formal methods are all about proofs... They work because they make you think hard about your proposed system (adapted from J. Anthony Hall, Seven Myths of Formal Methods, IEEE Software 5(7), Sep. 1990) 29

Myths (2) 3. They require trained mathematicians... Mathematical specs aren't necessarily harder to read/write with than programs. 4. They increase cost of development... Sometimes they actually decrease the cost; no good evidence either way. (adapted from J. Anthony Hall, Seven Myths of Formal Methods, IEEE Software 5(7), Sep. 1990) 30

Myths (3) 5. Formal methods aren't useful to clients Depending on the client, it might actually help them understand what they're buying. 6. They are not used on real, large-scale sw Some large practical projects have used them successfully; more engineering is required (adapted from J. Anthony Hall, Seven Myths of Formal Methods, IEEE Software 5(7), Sep. 1990) 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback