Reasoning about Trace Properties of Higher-order Programs
1 Reasoning about Trace Properties of Higher-order Programs
Limin Jia. Joint work with Deepak Garg and Anupam Datta. CyLab, Carnegie Mellon University.

2 Goal: compositional security
(Diagram: S1 satisfies ψ1, S2 satisfies ψ2; does the composed system S1 + S2 satisfy ϕ?)
- Does S1 + S2 satisfy a global security property ϕ, based on local properties ψ1 of S1 and ψ2 of S2 that are checkable separately?
3 Case study: an extensible hypervisor
Design principles:
- The core handles basic functionality
- It can be extended with other hypervisor apps ("hyp apps")
- Event handlers are registered with the core
- Event handlers access memory through narrow interfaces
(Diagram: guest mode runs the guest OS; host mode runs the hypervisor core, the event hub and the event handlers on top of hardware virtualization support)

4 Case study: an extensible hypervisor
Memory integrity: the hypervisor's memory (code and data) is only written to by the hypervisor's code (including event handlers).
Adversary model:
- The core is trusted
- The guest OS is untrusted
- Event handlers are not completely trusted: their source code is only available for analysis at link time, and they are confined to a set of interfaces
(Diagram as on slide 3)

5 Compositional security
- How do we reason about a composed system that includes adversary-supplied code?
Our approach:
- Interface-confined adversary
- Use a type system to analyze the programs of trusted components and to provide abstractions of the interface-confined adversary
6 Outline
- Background
- Modeling language: syntax, trace semantics
- Type system: types, semantics of types, typing rules, soundness
- Case study

7 Modeling language
- Effectful computations: side effects that change the machine state, e.g. pointer operations
- Pure expressions (terms)
Expressions      e ::= x | true | false | n | fun f(x) = e | e1(e2) | comp(c)
Action symbols   A ::= read | write
Actions          a ::= A | a e
Computations     c ::= act(a) | ret(e) | fix f(x).c | c e | let x = c1 in c2 | let x = e in c | if e then c1 else c2

8 Operational semantics (configuration)
Configuration  C ::= σ, T1 ... Tn   (shared state σ and a set of threads)
Thread         T ::= (i, K, c)      (thread ID, evaluation context, program being evaluated)
Examples:
- σ is memory; threads are (0, -, Windows 8), (100, -, Adobe Flash), (101, -, Chrome)
- σ is the set of network messages; threads are (0, -, server), (100, -, router), (101, -, firewall)

9 Operational semantics (top-level transition)
- Configuration C ::= σ, T1 ... Tn
- Individual thread transition: (σ, T) steps to (σ', T')
- System transition: C1 steps to C2 at time u (written C1 (u) C2) iff there is an i such that Ti steps to Ti' at time u
- Trace: a trace T is a sequence of transitions (u0) C1 (u1) C2 (u2) ... (un) Cn

10 Operational semantics (expressions)
- (fun f(x) = e)(e') β-reduces to e[e'/x]
- If c β-reduces to c', then comp(c) β-reduces to comp(c')
- If e β-reduces to e', then ret(e) β-reduces to ret(e')

11 Operational semantics (computations)
- Atomic actions: next(σ, a) = (σ', e); e.g., next(σ, read l) = (σ, σ(l))
- Thread transitions:
  - act: if a β-reduces (in zero or more steps) to an a' that reduces no further and next(σ, a') = (σ', e), then (i; x.c::K; act(a)) steps to (i; K; c[e/x]), and the shared state goes from σ to σ'
  - ret: (i; x.c::K; ret(e)) steps to (i; K; c[e/x])
  - let: if e β-reduces (in zero or more steps) to comp(c'), then (i; K; let x = e in c) steps to (i; x.c::K; c')
13 Types
- Assertions specify properties of the trace. E.g., "thread i read R to x at time u1 and thread i read x at time u2 and u1 < u2":
  ϕ = Read i R x u1 and Read i x y u2 and u1 < u2
Base types          b  ::= unit | bool | ptr | time | thread
Expression types    τ  ::= b | Πx:τ1. τ2 | comp(ηc)
Computation types   η  ::= x:τ.ϕ | ϕ
Closed comp types   ηc ::= u1.u2.i.(x:τ.ϕ, ϕ') | Πx:τ1. u1.u2.i.(y:τ.ϕ, ϕ')
Assertions          ϕ  ::= P | e1 = e2 | T | ϕ | ϕ1 ϕ2 | ϕ1 ϕ2 | x.ϕ | x.ϕ | ϕ   (atoms, equality, constants, binary connectives, quantified and negated assertions)
14 Types (cont.)
- Computation types are parameterized over the time points u1, u2 and the thread ID i
  - Partial-correctness (PC) types x:τ.ϕ specify the effect of a computation after it finishes evaluation
  - Invariant types ϕ specify the effect of a computation even when it has not finished
- Closed computation types u1.u2.i.(x:τ.ϕ, ϕ') bind the thread ID and the begin and end times
- Expression types: base types, dependent function types Πx:τ1.τ2, and suspended computations comp(ηc)

17 Types: examples
- ϕ = u, u1 < u < u2, a, v, Write i a u   (thread i performs no write at any time u strictly between u1 and u2)
- e : comp(u1.u2.i.(y:nat.ϕ, T))
- g : Πy:nat. comp(u1.u2.i.(r:unit.ϕ, T))   (call this type τg)
- f : Πg:τg. Πx:nat. comp(u1.u2.i.(r:unit.ϕ, T))
19 Semantics of types (simplified)
[[x:τ.ϕ]] u1.u2.i; Δ = { c | whenever (1) a trace T contains a completed computation of c from time tb to time te by thread I, (2) upon completing, c returns e, and (3) T ⊨ Δ, then T ⊨ ϕ[tb, te, I, e / u1, u2, i, x] and e ∈ [[τ]] }
Compositionality is built into the semantics.
(Diagram: at time tb the configuration is σ, T1 ... (I, x.c'::K, c) ... Tn; at time te it is σ', T1 ... (I, K, c'[e/x]) ... Tn)

20 Semantics of types (cont.)
[[ϕ]] u1.u2.i; Δ = { c | whenever (1) a trace T contains an unfinished computation of c from time tb to time te by thread I and (2) T ⊨ Δ, then T ⊨ ϕ[tb, te, I / u1, u2, i] }
(Diagram: at time tb the configuration is σ, T1 ... (I, K, c) ... Tn; at time te it is σ', T1 ... (I, K, c') ... Tn, with c still being evaluated)
22 Typing judgments
- Γ; ΔG ⊢ e : τ
  Expression typing. Γ is the variable typing context; ΔG are the global logical assumptions (e.g., x > 3).
- u1.u2.i; Γ; ΔG; ΔL ⊢ c : x:τ.ϕ
  Partial correctness. The parameters u1, u2, i are the beginning and ending time points and the thread ID; ΔL are local logical assumptions (e.g., thread i has written 3 to memory address l).
- u1.u2.i; Γ; ΔG; ΔL ⊢ c : ϕ
  Invariant.
- u1.u2.i; Γ; ΔG; ΔL ⊢ idle ϕ
  ϕ is true while thread i is idle (e.g., thread i does not write to memory).
- Γ; ΔG; ΔL ⊢ ϕ
  ϕ is true (e.g., memory integrity).

23 Typing rules: partial correctness
Judgment: u1.u2.i; Γ; ΔG; ΔL ⊢ c : x:τ.ϕ
Sequencing rule:
  u0.u1.i; Γ; ΔG; Δ, u0 ≤ u1 ⊢ idle ϕ0
  u1.u2.i; Γ, u0; ΔG; Δ, u0 < u1 ≤ u2, ϕ0 ⊢ c1 : (x:τ.ϕ1)
  u2.u3.i; Γ, u0, u1; ΔG; Δ, u0 < u1 < u2 ≤ u3, ϕ0, ϕ1 ⊢ c2 : (y:τ.ϕ2)
  ----------------------------------------------------------------------
  u0.u3.i; Γ; ΔG; Δ ⊢ let x = c1 in c2 : y:τ. (u1, u2, x, u0 < u1 < u2 ≤ u3, ϕ0, ϕ1, ϕ2)
(The conclusion says there are intermediate times u1, u2 and a value x such that ϕ0, ϕ1 and ϕ2 all hold. Timeline: the thread is idle between u0 and u1 (ϕ0), runs c1 between u1 and u2 (ϕ1), and runs c2 between u2 and u3 (ϕ2).)

24 Typing rules: partial correctness (example)
let x = read addr in read x : y:exp. (u1, u2, x, u0 < u1 < u2 ≤ u3, (v, Mem(addr, v)@u2, x = v), (v', Mem(x, v')@u3, y = v'))
(The first read returns the value v held at addr at time u2, and the second returns the value v' held at address x at time u3; timeline as on slide 23.)

25 Typing rules: invariant (sequencing)
Judgment: u1.u2.i; Γ; ΔG; ΔL ⊢ c : ϕ
Sequencing: u1.u2.i; Γ; ΔG; ΔL ⊢ let x = c1 in c2 : ϕ
Example: let x = read addr in read x : a, u, u1 < u < u2, Write i a u   (thread i performs no write strictly between u1 and u2)
(Timeline: the thread is idle with ϕ0 until c1 starts; c1 has invariant ϕinv1 and postcondition ϕpc1; c2 has invariant ϕinv2. The invariant ϕ of the whole let must follow from ϕ0 while idle, from ϕ0 and ϕinv1 while c1 runs, and from ϕ0, ϕinv1 and ϕinv2 while c2 runs.)
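The language of slides 7 to 11, the read-read example of slides 24 and 25 and the memory-integrity property of slide 4 can all be exercised on concrete traces. What follows is an added example, not code from the talk or from the hypervisor it describes: a small Python interpreter for the computation language that records a timed trace, with checkers for a partial-correctness postcondition, for the "thread i never writes in (u1, u2)" invariant, and for memory integrity. Pure expressions are modelled as Python callables over the thread's local environment instead of the slides' term language, `fix` and `if` are left out, and the addresses L_core, L_ihub, G0 and G1, the thread names and the memory contents are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable

Expr = Callable[[dict], Any]   # a pure expression, evaluated against the local environment

# Computations  c ::= act(a) | ret(e) | let x = c1 in c2   (fix and if omitted here)
@dataclass
class Act:
    op: str          # 'read' or 'write'
    args: tuple      # (addr,) for read, (addr, value) for write; each an Expr

@dataclass
class Ret:
    e: Expr

@dataclass
class Let:
    x: str
    c1: Any
    c2: Any

@dataclass
class Thread:
    """T ::= (i, K, c): thread ID, evaluation context K (a stack of x.c continuations), program c."""
    tid: str
    cur: Any
    env: dict = field(default_factory=dict)
    ctx: list = field(default_factory=list)
    result: Any = None
    done: bool = False

class Machine:
    """Shared state sigma plus the trace of timed transitions."""
    def __init__(self, mem):
        self.mem = dict(mem)
        self.time = 0
        self.trace = []    # (u, i, 'Read'/'Write', addr, value): thread i acted at time u

    def step(self, t: Thread):
        """One thread transition at a fresh time point (next(sigma, a) for actions)."""
        self.time += 1
        u, c = self.time, t.cur
        if isinstance(c, Let):                 # push continuation x.c2, start evaluating c1
            t.ctx.append((c.x, c.c2))
            t.cur = c.c1
            return
        if isinstance(c, Act):
            addr = c.args[0](t.env)
            if c.op == 'read':
                val = self.mem.get(addr)
            else:
                val = c.args[1](t.env)
                self.mem[addr] = val
            self.trace.append((u, t.tid, c.op.capitalize(), addr, val))
        else:                                  # Ret: the computation yields a value
            val = c.e(t.env)
        if t.ctx:                              # hand the value to the waiting x.c continuation
            x, c2 = t.ctx.pop()
            t.env = {**t.env, x: val}
            t.cur = c2
        else:
            t.result, t.done = val, True

def run(machine: Machine, threads):
    """Round-robin interleaving: each step is one system transition at a new time u."""
    while not all(t.done for t in threads):
        for t in threads:
            if not t.done:
                machine.step(t)
    return machine.trace

# Invariant-style assertion from slide 25: thread i never writes during (u1, u2).
def no_writes_by(trace, i, u1, u2):
    return not any(tid == i and act == 'Write' and u1 < u < u2
                   for (u, tid, act, _, _) in trace)

# Memory integrity (slide 4): hypervisor memory is only written by hypervisor threads.
def memory_integrity(trace, hyp_addrs, hyp_threads):
    return all(tid in hyp_threads for (_, tid, act, addr, _) in trace
               if act == 'Write' and addr in hyp_addrs)

def read(addr): return Act('read', (addr,))
def write(addr, val): return Act('write', (addr, val))
def var(x): return lambda env: env[x]
def const(v): return lambda env: v

# Constructed memory layout: L_core and L_ihub belong to the hypervisor, G0/G1 to the guest.
MEM = {'L_core': 7, 'L_ihub': 'L_core', 'G0': 0, 'G1': 0}
HYP_ADDRS = {'L_core', 'L_ihub'}

# The slides' example  let x = read addr in read x, with addr = L_ihub (pointer chasing).
READ_READ = Let('x', read(const('L_ihub')), read(var('x')))
# A guest that writes only its own memory, and one that overwrites the hub pointer.
GOOD_GUEST = Let('_', write(const('G0'), const(1)), Ret(const(None)))
EVIL_GUEST = Let('_', write(const('L_ihub'), const('G1')), Ret(const(None)))

def demo(guest_program):
    """Run the core's READ_READ next to a guest; return (core result, slide-24
    postcondition holds, core-never-writes invariant holds, memory integrity holds)."""
    m = Machine(MEM)
    core, guest = Thread('core', READ_READ), Thread('guest', guest_program)
    trace = run(m, [core, guest])
    # Postcondition: first read is of addr at u2 returning v with x = v; second read is
    # of x at u3 returning v', which is the final value y.
    reads = [(a, v) for (_, tid, act, a, v) in trace if tid == 'core' and act == 'Read']
    pc_ok = (reads[0][0] == 'L_ihub' and reads[1][0] == reads[0][1]
             and core.result == reads[1][1])
    return (core.result, pc_ok, no_writes_by(trace, 'core', 0, m.time + 1),
            memory_integrity(trace, HYP_ADDRS, {'core'}))
```

Running demo(GOOD_GUEST) returns (7, True, True, True) and demo(EVIL_GUEST) returns (7, True, True, False). The second run shows why memory integrity is stated as a property of the whole trace rather than of the core's code: the core's own postcondition still holds in this interleaving, yet the trace contains a guest write to L_ihub, and in an interleaving where that write lands before the core's first read the core would follow the guest's pointer into guest memory.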
26 Typing rules (expressions)
  u1.u2.i; Γ; ΔG; · ⊢ c : x:τ.ϕ1      u1.u2.i; Γ; ΔG; · ⊢ c : ϕ2
  -------------------------------------------------------------
  Γ; ΔG ⊢ comp(c) : comp(u1.u2.i.(x:τ.ϕ1, ϕ2))

27 Typing rules (Honest)
- The Honest rule moves from reasoning about a trusted program to trace properties of the system
- Example:
  u1.u2.i; ·; ·; · ⊢ let x = read R in read x : u, u1 < u < u2, a, v, Write i a u   (no write by i strictly between u1 and u2)
  ·; start(user, c, u0); · ⊢ start(user, c, u0)
  ·; start(user, c, u0); · ⊢ u', u' > u0, u, u0 < u < u', a, v, Write user a u   (for every later time u', user performs no write strictly between u0 and u')
Rule:
  u1.u2.i; ·; ΔG; ΔL ⊢ c : ϕ      ·; ΔG; ΔL ⊢ start(i, c, u0)
  ------------------------------------------------------------  Honest
  ·; ΔG; ΔL ⊢ u', u' > u0, ϕ[u0, u', i / u1, u2, i]
28 Reasoning about the adversary
- Adversary typing: what is stored in L_ihub is not entirely under the control of the hypervisor
  let x = read L_ihub (x = download url) in let y = x in ret y
- Idea: interface-confined adversary
  - Event handlers can only access the core's memory through narrowly defined interfaces
  - No need to analyze the handler code: analyze the interfaces, and ensure that the code is confined to this set of interfaces

29 Adversary typing: confine
- Ensure that the code is confined to this set of interfaces
- Interface-confined code is type-checked against a simple type system (e.g., booleans cannot be used as functions), in the spirit of the Java bytecode verifier
- Typing for trusted programs: u1.u2.i; Γ; ΔG; ΔL ⊢ c : x:τ.ϕ
- Typing requirement for interface-confined programs: Ξ ⊢ c : π, where c cannot perform any actions beyond the interfaces
Simple types (no effects):  π ::= b | Πx:π1.π2 | O(π)

30 Confine (cont.)
- The predicate stype(e, π) internalizes Ξ ⊢ e : π
- An empty typing context ensures that e cannot perform any effectful actions beyond the interfaces
- Judgment confine τ π u1.u2.i.ϕ: decorating π with the effects u1.u2.i.ϕ results in τ
- Examples, with ϕ = u, u1 < u < u2, a, v, Write i a u (no write by i strictly between u1 and u2):
  - confine (comp(u1.u2.i.(y:nat.ϕ, ϕ))) (O(nat)) (u1.u2.i.ϕ)
  - confine (Πg:(Πy:nat. comp(u1.u2.i.(r:unit.ϕ, ϕ))). Πx:nat. comp(u1.u2.i.(r:unit.ϕ, ϕ))) (Πg:(Πy:nat. O unit). Πx:nat. O unit) (u1.u2.i.ϕ)

31 Confine (cont.)
Rule:
  Γ; ΔG; · ⊢ stype(e, π)      u1.u2.i; Γ; ΔG; · ⊢ idle ϕ      u1.u2.i.ϕ is composable      confine τ π u1.u2.i.ϕ
  ---------------------------------------------------------------------------------------------------------  Confine
  Γ; ΔG ⊢ e : τ
where "u1.u2.i.ϕ is composable" means: if T ⊨ ϕ[ub, um, I / u1, u2, i] and T ⊨ ϕ[um, ue, I / u1, u2, i], then T ⊨ ϕ[ub, ue, I / u1, u2, i].

32 Practical aspects of confine
- The stype(e, π) assertion can be obtained by applying a simple type-checking procedure to e when it is downloaded by (linked to) the trusted component, e.g., the Java bytecode verifier
- Asymmetric typing requirements for trusted and untrusted components
- No properties are derived about the untrusted code during the simple type checking, in contrast to Proof-Carrying Code
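Slides 29 to 32 state the confinement check only as the judgment Ξ ⊢ e : π. The block below is an added example, not the talk's checker: a simple type checker over a tuple-encoded version of the slides' term language, where the context Ξ holds only the interface functions the core exports and there is no typing rule for `act`, so a handler can reach memory only through those interfaces. The interface names hub_read and hub_write, their types and the three sample handlers are constructed for the example, and dependent Π types are approximated by plain arrow types.

```python
# Simple types  π ::= b | π1 -> π2 | O(π)   (O(π) is a computation returning π)
def base(b): return ('base', b)
def arrow(p1, p2): return ('arrow', p1, p2)
def O(p): return ('O', p)

class ConfinementError(TypeError):
    pass

def stype_expr(ctx, e):
    """Ξ ⊢ e : π for pure expressions.  ctx maps names to simple types."""
    tag = e[0]
    if tag == 'var':                           # ('var', x)
        if e[1] not in ctx:
            raise ConfinementError(f"unbound name {e[1]!r}: not part of the interface")
        return ctx[e[1]]
    if tag == 'lit':                           # ('lit', value, base-type-name)
        return base(e[2])
    if tag == 'lam':                           # ('lam', x, π_x, body)
        _, x, px, body = e
        return arrow(px, stype_expr({**ctx, x: px}, body))
    if tag == 'app':                           # ('app', f, a)
        tf, ta = stype_expr(ctx, e[1]), stype_expr(ctx, e[2])
        if tf[0] != 'arrow':                   # e.g. a boolean used as a function
            raise ConfinementError(f"applying a non-function of type {tf}")
        if tf[1] != ta:
            raise ConfinementError(f"argument type {ta} does not match {tf[1]}")
        return tf[2]
    if tag == 'comp':                          # ('comp', c)
        return O(stype_comp(ctx, e[1]))
    raise ConfinementError(f"unknown expression form {tag!r}")

def stype_comp(ctx, c):
    """Ξ ⊢ c : π for computations.  There is deliberately no case for 'act'."""
    tag = c[0]
    if tag == 'ret':                           # ('ret', e)
        return stype_expr(ctx, c[1])
    if tag == 'lete':                          # ('lete', x, e, c): let x = e in c, e a comp
        _, x, e, body = c
        te = stype_expr(ctx, e)
        if te[0] != 'O':
            raise ConfinementError(f"let-binding a non-computation of type {te}")
        return stype_comp({**ctx, x: te[1]}, body)
    if tag == 'letc':                          # ('letc', x, c1, c2): let x = c1 in c2
        _, x, c1, c2 = c
        return stype_comp({**ctx, x: stype_comp(ctx, c1)}, c2)
    if tag == 'if':                            # ('if', e, c1, c2)
        _, cond, c1, c2 = c
        if stype_expr(ctx, cond) != base('bool'):
            raise ConfinementError("if-condition is not a bool")
        t1, t2 = stype_comp(ctx, c1), stype_comp(ctx, c2)
        if t1 != t2:
            raise ConfinementError("if-branches have different types")
        return t1
    # 'act' and anything else: an effect outside the interface, untypable in this context
    raise ConfinementError(f"{tag!r}: effects beyond the interface are not allowed")

def confined(interface, handler):
    """True iff Ξ ⊢ handler : π holds with Ξ = interface, i.e. the handler is interface-confined."""
    try:
        stype_expr(dict(interface), handler)
        return True
    except ConfinementError:
        return False

# The core's narrow interface (constructed): handlers may read the hub slot and
# write the hub slot, never arbitrary addresses.
INTERFACE = {
    'hub_read':  arrow(base('unit'), O(base('nat'))),
    'hub_write': arrow(base('nat'),  O(base('unit'))),
}

# A handler that reads the hub value through the interface and writes it back: accepted.
GOOD_HANDLER = ('comp',
    ('lete', 'x', ('app', ('var', 'hub_read'), ('lit', (), 'unit')),
      ('lete', '_', ('app', ('var', 'hub_write'), ('var', 'x')),
        ('ret', ('var', 'x')))))

# A handler that bypasses the interface with a raw write action: rejected.
RAW_WRITE_HANDLER = ('comp', ('letc', '_', ('act', 'write', 'L_core', 0),
                              ('ret', ('lit', (), 'unit'))))

# A handler that applies a boolean as if it were a function: rejected.
BOOL_AS_FUNCTION = ('comp', ('ret', ('app', ('lit', True, 'bool'), ('lit', 1, 'nat'))))
```

The check yields no trace property about the handler itself, which is the asymmetry slide 32 describes: it only establishes stype(handler, π), and the Confine rule then lets the core's own typing lend the handler an effect type built from the interfaces' invariants.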
33 Beta rule
let x = read L_ihub in let y = x in ret y
(Annotations on the example: stype(ihub, π) holds for the code ihub; the read gives v, mem(L_ihub, v)@u2 with x = v; if memory holds ihub (v = ihub) then x = ihub; ihub : τ, so what type does x get?)
Rule:
  Γ; ΔG ⊢ e : τ      Γ; ΔG; · ⊢ e = e'
  ------------------------------------  Beta
  Γ; ΔG ⊢ e' : τ

34 Semantics of types (revisited)
- Logical relation: [[Πx:τ1. τ2]] = { fun f(x) = e | for all v ∈ [[τ1]], e[v/x] ∈ [[τ2]] }
- Expressions: [[τ]] = { e | e β-reduces (in zero or more steps) to a value v with v ∈ [[τ]] }
- Beta equivalence: the Beta rule above is justified by this relation, since equal expressions reduce to the same value
36 Soundness of the type system
1) If Γ; ΔG ⊢ e : τ, then for every substitution δ for Γ: under ΔG δ, eδ ∈ [[τ]]
2) If u1.u2.i; Γ; ΔG; ΔL ⊢ c : x:τ.ϕ, then for every substitution δ for Γ: under ΔG δ, cδ ∈ [[x:τ.ϕ]] u1.u2.i; ΔL δ
3) If u1.u2.i; Γ; ΔG; ΔL ⊢ c : ϕ, then for every substitution δ for Γ: under ΔG δ, cδ ∈ [[ϕ]] u1.u2.i; ΔL δ
4) If Γ; ΔG; ΔL ⊢ ϕ, then for every substitution δ for Γ and every trace T: if T ⊨ ΔL δ and ΔG δ holds, then T ⊨ ϕδ
38 Case study: an extensible hypervisor
Verified memory integrity on the design:
- The core is trusted: encode its program logic in our language and use the type system to derive its invariant
- The guest OS is untrusted: hardware axioms are used to confine its ability
- Event handlers are not completely trusted: they are confined to a set of interfaces, handled with the Confine rule
- The Beta rule is used to reason about jumping to code locations (the core, and ihub)
- Inductive reasoning over the length of the trace
(Diagram: guest mode runs the guest OS; host mode runs the XMHF core with its memory region L_core, the event hub with its region L_ihub, and the event handlers, on top of hardware virtualization support)

39 Summary
- Designed a type system for reasoning about trace properties of systems that contain adversarial components: a monad for effectful computations, and the Confine and Beta rules
- Defined a trace semantics for types
- Proved soundness
- Verified the program logic of an extensible hypervisor

40 Related work
- PCL [Datta et al.]; LS2 [Garg et al.]
- Hoare Type Theory (Ynot) [Nanevski et al.]
41 Thanks! Apply to CMU ECE
More informationIntroduction to Kleene Algebras
Introduction to Kleene Algebras Riccardo Pucella Basic Notions Seminar December 1, 2005 Introduction to Kleene Algebras p.1 Idempotent Semirings An idempotent semiring is a structure S = (S, +,, 1, 0)
More informationReasoning Under Uncertainty: Introduction to Probability
Reasoning Under Uncertainty: Introduction to Probability CPSC 322 Lecture 23 March 12, 2007 Textbook 9 Reasoning Under Uncertainty: Introduction to Probability CPSC 322 Lecture 23, Slide 1 Lecture Overview
More informationLectures on Separation Logic. Lecture 2: Foundations
Lectures on Separation Logic. Lecture 2: Foundations Peter O Hearn Queen Mary, University of London Marktoberdorf Summer School, 2011 Outline for this lecture Part I : Assertions and Their Semantics Part
More informationCOMP3151/9151 Foundations of Concurrency Lecture 1a
1 COMP3151/9151 Foundations of Concurrency Lecture 1a Concurrency Appreciation Kai Engelhardt CSE, UNSW (and NICTA) Revision: 1.9 of Date: 2017/07/24 00:45:24 UTC (Credits: parts borrowed from M. Ben-Ari)
More informationInformation Flow Inference for ML
POPL 02 INRIA Rocquencourt Projet Cristal Francois.Pottier@inria.fr http://cristal.inria.fr/~fpottier/ Vincent.Simonet@inria.fr http://cristal.inria.fr/~simonet/ Information flow analysis account number
More informationChapter 2. Assertions. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011
Chapter 2 An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011 Assertions In this chapter, we give a more detailed exposition of the assertions of separation logic: their meaning,
More informationPropositional and Predicate Logic - VII
Propositional and Predicate Logic - VII Petr Gregor KTIML MFF UK WS 2015/2016 Petr Gregor (KTIML MFF UK) Propositional and Predicate Logic - VII WS 2015/2016 1 / 11 Theory Validity in a theory A theory
More informationLearning Goals of CS245 Logic and Computation
Learning Goals of CS245 Logic and Computation Alice Gao April 27, 2018 Contents 1 Propositional Logic 2 2 Predicate Logic 4 3 Program Verification 6 4 Undecidability 7 1 1 Propositional Logic Introduction
More informationTowards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs
Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs Roopsha Samanta The University of Texas at Austin July 6, 2012 Roopsha Samanta Algorithmic Synthesis of Synchronization
More informationINF5390 Kunstig intelligens. Logical Agents. Roar Fjellheim
INF5390 Kunstig intelligens Logical Agents Roar Fjellheim Outline Knowledge-based agents The Wumpus world Knowledge representation Logical reasoning Propositional logic Wumpus agent Summary AIMA Chapter
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationSDS developer guide. Develop distributed and parallel applications in Java. Nathanaël Cottin. version
SDS developer guide Develop distributed and parallel applications in Java Nathanaël Cottin sds@ncottin.net http://sds.ncottin.net version 0.0.3 Copyright 2007 - Nathanaël Cottin Permission is granted to
More informationINDUCTIVE DEFINITION
1 INDUCTIVE DEFINITION OUTLINE Judgements Inference Rules Inductive Definition Derivation Rule Induction 2 META-VARIABLES A symbol in a meta-language that is used to describe some element in an object
More informationModel Checking with CTL. Presented by Jason Simas
Model Checking with CTL Presented by Jason Simas Model Checking with CTL Based Upon: Logic in Computer Science. Huth and Ryan. 2000. (148-215) Model Checking. Clarke, Grumberg and Peled. 1999. (1-26) Content
More informationProof Calculus for Partial Correctness
Proof Calculus for Partial Correctness Bow-Yaw Wang Institute of Information Science Academia Sinica, Taiwan September 7, 2016 Bow-Yaw Wang (Academia Sinica) Proof Calculus for Partial Correctness September
More informationFirst-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms
First-Order Logic 1 Syntax Domain of Discourse The domain of discourse for first order logic is FO structures or models. A FO structure contains Relations Functions Constants (functions of arity 0) FO
More informationSoftware Engineering
Software Engineering Lecture 07: Design by Contract Peter Thiemann University of Freiburg, Germany 02.06.2014 Table of Contents Design by Contract Contracts for Procedural Programs Contracts for Object-Oriented
More informationFirst Order Logic (FOL) 1 znj/dm2017
First Order Logic (FOL) 1 http://lcs.ios.ac.cn/ znj/dm2017 Naijun Zhan March 19, 2017 1 Special thanks to Profs Hanpin Wang (PKU) and Lijun Zhang (ISCAS) for their courtesy of the slides on this course.
More informationIris: Higher-Order Concurrent Separation Logic. Lecture 4: Basic Separation Logic: Proving Pointer Programs
1 Iris: Higher-Order Concurrent Separation Logic Lecture 4: Basic Separation Logic: Proving Pointer Programs Lars Birkedal Aarhus University, Denmark November 10, 2017 2 Overview Earlier: Operational Semantics
More informationBeyond First-Order Logic
Beyond First-Order Logic Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) Beyond First-Order Logic MFES 2008/09 1 / 37 FOL
More informationECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University
ECEN 651: Microprogrammed Control of Digital Systems Department of Electrical and Computer Engineering Texas A&M University Prof. Mi Lu TA: Ehsan Rohani Laboratory Exercise #4 MIPS Assembly and Simulation
More informationSubtyping and Intersection Types Revisited
Subtyping and Intersection Types Revisited Frank Pfenning Carnegie Mellon University International Conference on Functional Programming (ICFP 07) Freiburg, Germany, October 1-3, 2007 Joint work with Rowan
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More information