Program Analysis Probably Counts
|
|
- Allison O’Brien’
- 5 years ago
- Views:
Transcription
1 Probably Counts 1 c.hankin@imperial.ac.uk joint work with Alessandra Di Pierro 2 and Herbert Wiklicky 1 1 Department of Computing, 2 Dipartimento di Informatica, Università di Verona Computer Journal Lecture, November 2008
2 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions
3 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions
4 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions
5 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions
6 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
7 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
8 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
9 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
10 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
11 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
12 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })
13 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations
14 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations
15 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations
16 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations
17 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA
18 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA
19 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA
20 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA Abstract Interpretation: (A, G) form a Galois Connection.
21 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA Probabilistic Abst.Int.: (A, G) Moore-Penrose Pseudo-Inverse.
22 Galois Connections Definition Let C = (C, ) and D = (D, ) be two partially ordered sets. If there are two functions α : C D and γ : D C such that for all c C and all d D: c C γ(d) iff α(c) d, then (C, α, γ, D) form a Galois connection.
23 Moore Penrose Pseudo-Inverse Definition Let C and D be two Hilbert spaces and A : C D a bounded linear map. A bounded linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff (i) A G = P A, (ii) G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. An (orthogonal) projection is an operator P with P = P = PP.
24 Moore Penrose Pseudo-Inverse Definition Let C and D be two Hilbert spaces and A : C D a bounded linear map. A bounded linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff (i) A G = P A, (ii) G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. An (orthogonal) projection is an operator P with P = P = PP.
25 Moore-Penrose Pseudo-Inverse II Definition An operator A B(H) is Moore-Penrose invertible if there exists an element G B(H) such that: (i) AGA = A, (ii) GAG = G, (iii) (AG) = AG, (iv) (GA) = GA. If it exists G = A is called Moore-Penrose pseudo-inverse.
26 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.
27 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.
28 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.
29 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.
30 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n. ( )
31 Example: Geometric Interpretation
32 Example: Geometric Interpretation
33 Example: Geometric Interpretation
34 Example: Geometric Interpretation
35 Example: Geometric Interpretation
36 Example: AI vs PAI
37 Example: AI vs PAI
38 Example: AI vs PAI
39 Example: AI vs PAI
40 Example: AI vs PAI
41 Denning s notion of information flow Following Denning we divide information flows into two classes: direct and indirect. Indirect flows are just the transitive flows (a flow from x to y followed by a flow from y to z implies a flow from x to z). The direct flows are further divided: Explicit flows arise from assignments; for example, x := y + z causes explicit information flows from both y and z to x.
42 Denning s notion of information flow Following Denning we divide information flows into two classes: direct and indirect. Indirect flows are just the transitive flows (a flow from x to y followed by a flow from y to z implies a flow from x to z). The direct flows are further divided: Explicit flows arise from assignments; for example, x := y + z causes explicit information flows from both y and z to x.
43 Denning contd. Implicit flows arise when one variable s value influences the value assigned to another by determining the flow of control. There are two types of implicit flow (though Denning only considered the first type in detail): Local flows arise from guards in conditionals: if x then y := z else y := w. Here there is local implicit information flow from x to y, in addition to the explicit flows from z and w.
44 Denning contd. Implicit flows arise when one variable s value influences the value assigned to another by determining the flow of control. There are two types of implicit flow (though Denning only considered the first type in detail): Global flows arise from guards in while loops x := y; (while w do x := z);. Here there is a global implicit flow from w to all subsequent program points, since reaching those points carries the information that the loop terminated and hence, in this example, that w was false.
45 The Language S Statement C Command l Lab x Ide a Arith-exp b Bool-exp S ::= C l C ::= skip x := a S 1 ; S 2 if b then S 1 else S 2 while b do S new x. S
46 The Analysis We write (Ĝ, D) = S when (Ĝ, D) is an acceptable Information Flow Analysis of the statement S. (Ĝ, D) = skip l iff D(l) Id (Ĝ, D) = (x := a) l iff D(l) Id[x FV(a)] (Ĝ, D) = (C l 1 1 ; Cl 2 2 )l iff (Ĝ, D) = C l 1 1 (Ĝ, D) = C l 2 2 Ĝ(l) Ĝ(l 1) Ĝ(l 2) ; D(l 1 ) D(l) D(l 2 ) ; D(l 1 )
47 The Analysis We write (Ĝ, D) = S when (Ĝ, D) is an acceptable Information Flow Analysis of the statement S. (Ĝ, D) = skip l iff D(l) Id (Ĝ, D) = (x := a) l iff D(l) Id[x FV(a)] (Ĝ, D) = (C l 1 1 ; Cl 2 2 )l iff (Ĝ, D) = C l 1 1 (Ĝ, D) = C l 2 2 Ĝ(l) Ĝ(l 1) Ĝ(l 2) ; D(l 1 ) D(l) D(l 2 ) ; D(l 1 )
48 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]
49 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]
50 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]
51 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel
52 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel
53 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel
54 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel
55 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.
56 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.
57 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.
58 Operational Semantics (Choose) E [choose] p C or D p:t ch E C E [choose] p C or D (1 p):t ch E D (If) E e TRUE E if (e) then C else D 1:t e t br E C E e FALSE E if (e) then C else D 1:t e t br E D
59 Security Types Security levels Base types Security types s ::= L H τ ::= Int Bool τ ::= τ s Sub-typing s 1 s 2 τ s1 τ s2
60 Low Equivalence We associate to every variable x a security level Γ(x) τ {L,H} Identify environments which agree on the low variables: E 1 = L E 2 iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)
61 Low Equivalence We associate to every variable x a security level Γ(x) τ {L,H} Identify environments which agree on the low variables: E 1 = L E 2 iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)
62 Γ-Bisimilarity (Agat) Γ-Bisimilarity Γ is the largest symmetric relation on commands that satisfies: C 1 Γ C 2 if for all E 1, E 2 such that E 1 = L E 2 we have E 1 C 1 as E 1 D 1 implies E 2 C 2 and E 1 = L E 2 and D 1 Γ D 2 E 1 C 1 E 1 = L E 2. ts E 1 implies E 2 C 2 ts as E 2 D 2 E 2 and
63 Lifted Bisimilarity We have to deal for probabilistic programs we need to consider distributions Dist(Conf). An equivalence relation S S on S can be lifted to an (equivalence) relation Dist(S) Dist(S) on distributions on S via µ ν iff [s] S/ : µ([s] ) = ν([s] ).
64 Lifted Bisimilarity We have to deal for probabilistic programs we need to consider distributions Dist(Conf). An equivalence relation S S on S can be lifted to an (equivalence) relation Dist(S) Dist(S) on distributions on S via µ ν iff [s] S/ : µ([s] ) = ν([s] ).
65 Probabilistic Time Bisimilarity A probabilistic time bisimilarity PT = is the largest symmetric relation on configurations such that whenever c 1 c 2, then c 1 = χ 1 implies χ 2 such that c 2 = χ 2 and χ 1 L χ 2 with E 1 C L E 2 C iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)
66 Note: L = ( L) ( ) L s : :2 4 :1 4 :2 s 1 1 s 1 2 s 1 3 s 1 4 s : :2 4 1 :1 4 :1 s 2 1 s 2 2 s 2 3 s 2 4 χ 1 (t, l) χ 2 (t, l)
67 Note: L = ( L) ( ) L s : :2 4 :1 4 :2 s 1 1 s 1 2 s 1 3 s 1 4 s : :2 4 1 :1 4 :1 s 2 1 s 2 2 s 2 3 s 2 4 χ 1 (t, l) χ 2 (t, l)
68 Security Typing I (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e : skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e : x := e (Seq) Γ C : C L Γ D : D L Γ C; D : C L ; D L
69 Security Typing II (If H ) Γ e : Bool H Γ C : C L Γ D : D L Γ if (e) then C else D : skipif e C L C L D L (If L ) Γ e : Bool L Γ C : C L Γ D : D L Γ if (e) then C else D : if (e) then C L else D L (While) Γ e : Bool L Γ C : C L Γ while (e) do C : while (e) do C L
70 Security Typing III (Choose) Γ C : C L Γ D : D L Γ [choose] p C or D : [choose] p C L or D L (SkipAsn) Γ skipasn x e : skipasn x e (SkipIf) Γ C : C L Γ skipif e C : skipif e C L
71 Transformation I Γ C D D L (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e x := e skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e x := e x := e (Seq) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ C 1 ; C 2 D 1 ; D 2 D 1L ; D 2L
72 Transformation I Γ C D D L (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e x := e skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e x := e x := e (Seq) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ C 1 ; C 2 D 1 ; D 2 D 1L ; D 2L
73 Transformation II (Deterministic) (If H ) Γ e : Bool H ge(d 1L ) = ge(d 2L ) = Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 ; D 2L else D 1L ; D 2 skipif e (D 1L ; D 2L ) (If L ) Γ e : Bool L Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 else D 2 if (e) then D 1L else D 2L
74 Transformation II (Probabilistic) (If H ) Γ e : Bool H ge(d 1L ) = ge(d 2L ) = Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then ([choose] p D 1 or D 1 ; D 2L ) else ([choose] p D 2 or D 1L ; D 2 ) skipif e (D 1L ; D 2L ) (If L ) Γ e : Bool L Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 else D 2 if (e) then D 1L else D 2L
75 Transformation III (While) Γ e : Bool L Γ C D D L Γ while (e) do C while (e) do D while (e) do D L (Choose) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ [choose] p C 1 or C 2 [choose] p D 1 or D 2 [choose] p D 1L or D 2L
76 Transformation IV (SkipAsn) Γ skipasn x e skipasn x e skipasn x e (SkipIf) Γ C D D L Γ skipif e C skipif e D skipif e D L
77 Global Effects ge(x := e) = {x} ge(c 1 ; C 2 ) = ge(c 1 ) ge(c 2 ) ge(if (e) then C 1 else C 2 ) = ge(c 1 ) ge(c 2 ) ge(while (e) do C) = ge(c) ge([choose] p C 1 or C 2 ) = ge(c 1 ) ge(c 2 ) ge(skipasn x e) = ge(skipif e C) = ge(c)
78 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then s := s; else skip; fi; i := i+1; od;
79 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then s := s; else skip; fi; i := i+1; od; i := 1; while i<=3 do if k[i]==1 then s := s; [skip] else [s := s]; skip fi; i := i+1; od;
80 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then choose p: s := s; [skip] or 1-p: ro else choose p: or 1-p: ro fi; i := i+1; od; s := s skip [s := s]; skip
81 Application: Security Tradeoffs c(p) δ (p) t(p)
82 Commercial Applications AbsInt tools used by major car and electronic goods manufacturers such as BMW, Daimler and Bosch. Another example is the work of Polyspace (recently taken over by The MathWorks) work with Airbus on the verification of fly-by-wire software.
83 Embedded Systems Henzinger and Sifakis make an eloquent case for the reappraisal of the foundations of computing. They call for a new scientific foundation which... will systematically and even-handedly integrate computation and physicality... ". They identify the a list of issues that must be dealt with which include: computation and physical constraints nondeterminism and probabilities functional and performance requirements qualitative and quantitative analysis, and Boolean and real values
84 Concluding Remarks Clark, Hunt and Malacaria use information theoretic ideas as a basis for studying information flow. General theme of incorporating quantitative and probabilistic techniques into program analysis and reasoning is certain to expand. It remains to be seen which approach will eventually prevail but, whichever does, there is no doubt that the arsenal of techniques will be enrichened and program analysis probably will count! Thank you
85 Concluding Remarks Clark, Hunt and Malacaria use information theoretic ideas as a basis for studying information flow. General theme of incorporating quantitative and probabilistic techniques into program analysis and reasoning is certain to expand. It remains to be seen which approach will eventually prevail but, whichever does, there is no doubt that the arsenal of techniques will be enrichened and program analysis probably will count! Thank you
Probabilistic Program Analysis
Probabilistic Program Analysis Data Flow Analysis and Regression Alessandra Di Pierro University of Verona, Italy alessandra.dipierro@univr.it Herbert Wiklicky Imperial College London, UK herbert@doc.ic.ac.uk
More informationDynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This
More informationSpring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University
Spring 2015 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University Agenda Basic concepts of correctness Axiomatic semantics (pages 175-183) Hoare Logic
More informationDERIVING AND PROVING ABSTRACT NON-INTERFERENCE
DERIVING AND PROVING ABSTRACT NON-INTERFERENCE Roberto Giacobazzi and Isabella Mastroeni Dipartimento di Informatica Università di Verona Italy Paris, February 20th, 2004 Deriving and Proving Abstract
More informationSpring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University
Spring 2016 Program Analysis and Verification Lecture 3: Axiomatic Semantics I Roman Manevich Ben-Gurion University Warm-up exercises 1. Define program state: 2. Define structural semantics configurations:
More informationHoare Logic (I): Axiomatic Semantics and Program Correctness
Hoare Logic (I): Axiomatic Semantics and Program Correctness (Based on [Apt and Olderog 1991; Gries 1981; Hoare 1969; Kleymann 1999; Sethi 199]) Yih-Kuen Tsay Dept. of Information Management National Taiwan
More informationProbabilistic Semantics and Program Analysis
Probabilistic Semantics and Program Analysis Alessandra Di Pierro 1, Chris Hankin 2, and Herbert Wiklicky 2 1 University of Verona, Ca Vignal 2 - Strada le Grazie 15, 714 Verona, Italy dipierro@sci.univr.it
More informationStatic Program Analysis
Static Program Analysis Lecture 13: Abstract Interpretation III (Abstract Interpretation of WHILE Programs) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de
More informationEDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach
EDA045F: Program Analysis LECTURE 10: TYPES 1 Christoph Reichenbach In the last lecture... Performance Counters Challenges in Dynamic Performance Analysis Taint Analysis Binary Instrumentation 2 / 44 Types
More informationDynamic Dependency Monitoring to Secure Information Flow
Dynamic Dependency Monitoring to Secure Information Flow Paritosh Shroff Scott F. Smith Mark Thober Department of Computer Science Johns Hopkins University {pari,scott,mthober}@cs.jhu.edu Abstract Although
More informationStatic Program Analysis using Abstract Interpretation
Static Program Analysis using Abstract Interpretation Introduction Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible
More informationIntroduction to Turing Machines
Introduction to Turing Machines Deepak D Souza Department of Computer Science and Automation Indian Institute of Science, Bangalore. 12 November 2015 Outline 1 Turing Machines 2 Formal definitions 3 Computability
More informationChapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013
Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem SAT 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of
More informationPrinciples of Program Analysis: A Sampler of Approaches
Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis Springer Verlag
More informationStatic Program Analysis
Static Program Analysis Lecture 16: Abstract Interpretation VI (Counterexample-Guided Abstraction Refinement) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de
More informationProgram verification using Hoare Logic¹
Program verification using Hoare Logic¹ Automated Reasoning - Guest Lecture Petros Papapanagiotou Part 2 of 2 ¹Contains material from Mike Gordon s slides: Previously on Hoare Logic A simple while language
More informationVerifying Safety Properties of Hybrid Systems.
Verifying Safety Properties of Hybrid Systems. Sriram Sankaranarayanan University of Colorado, Boulder, CO. October 22, 2010. Talk Outline 1. Formal Verification 2. Hybrid Systems 3. Invariant Synthesis
More informationDecision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17
Decision Procedures Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg Winter Term 2016/17 Jochen Hoenicke (Software Engineering) Decision Procedures Winter Term 2016/17 1 / 436 Program
More informationFast Probabilistic Simulation, Nontermination, and Secure Information Flow
Fast Probabilistic Simulation, Nontermination, and Secure Information Flow Geoffrey Smith Rafael Alpízar Florida International University {smithg,ralpi00}@cis.fiu.edu Abstract In secure information flow
More informationG54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV
G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV Henrik Nilsson University of Nottingham, UK G54FOP: Lecture 17 & 18 p.1/33 These Two Lectures Revisit attempt to define denotational
More informationA Cryptographic Decentralized Label Model
A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information
More informationAlgorithmic verification
Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification
More informationProbabilistic data flow analysis: a linear equational approach
Probabilistic data flow analysis: a linear equational approach Alessandra Di Pierro University of Verona Verona, Italy alessandra.dipierro@univr.it Herbert Wiklicky Imperial College London London, UK herbert@doc.ic.ac.uk
More informationDenotational Semantics of Programs. : SimpleExp N.
Models of Computation, 2010 1 Denotational Semantics of Programs Denotational Semantics of SimpleExp We will define the denotational semantics of simple expressions using a function : SimpleExp N. Denotational
More informationAxiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs
Review Operational semantics relatively l simple many flavors (small vs. big) not compositional (rule for while) Good for describing language implementation reasoning about properties of the language eg.
More informationReasoning About Imperative Programs. COS 441 Slides 10b
Reasoning About Imperative Programs COS 441 Slides 10b Last time Hoare Logic: { P } C { Q } Agenda If P is true in the initial state s. And C in state s evaluates to s. Then Q must be true in s. Program
More informationComputability and Complexity
Computability and Complexity Lecture 5 Reductions Undecidable problems from language theory Linear bounded automata given by Jiri Srba Lecture 5 Computability and Complexity 1/14 Reduction Informal Definition
More informationAngelo Troina. Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa)
Angelo Troina Dipartimento di Informatica, Università di Pisa, Italy Probabilistic Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa) 1/23
More informationSection 14.1 Computability then else
Section 14.1 Computability Some problems cannot be solved by any machine/algorithm. To prove such statements we need to effectively describe all possible algorithms. Example (Turing machines). Associate
More informationProbabilistic Applicative Bisimulation and Call-by-Value Lam
Probabilistic Applicative and Call-by-Value Lambda Calculi Joint work with Ugo Dal Lago ENS Lyon February 9, 2014 Probabilistic Applicative and Call-by-Value Lam Introduction Fundamental question: when
More informationFormal Methods for Probabilistic Systems
Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level program logic Meta-theorems for loops Examples Relational operational model Standard, deterministic, terminating...
More informationCSE 505, Fall 2005, Midterm Examination 8 November Please do not turn the page until everyone is ready.
CSE 505, Fall 2005, Midterm Examination 8 November 2005 Please do not turn the page until everyone is ready. Rules: The exam is closed-book, closed-note, except for one side of one 8.5x11in piece of paper.
More informationClassical Program Logics: Hoare Logic, Weakest Liberal Preconditions
Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will
More informationThe Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security
The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent
More informationQuantitative analysis of secure information flow via Probabilistic Semantics
Quantitative analysis of secure information flow via Probabilistic Semantics Chunyan Mu Department of Computer Science King s College London The Strand, London WCR LS Email: Chunyan.Mu@kcl.ac.uk David
More informationSemantics and Verification of Software
Semantics and Verification of Software Thomas Noll Software Modeling and Verification Group RWTH Aachen University http://moves.rwth-aachen.de/teaching/ss-15/sv-sw/ The Denotational Approach Denotational
More informationDecidability: Church-Turing Thesis
Decidability: Church-Turing Thesis While there are a countably infinite number of languages that are described by TMs over some alphabet Σ, there are an uncountably infinite number that are not Are there
More informationSAT, NP, NP-Completeness
CS 473: Algorithms, Spring 2018 SAT, NP, NP-Completeness Lecture 22 April 13, 2018 Most slides are courtesy Prof. Chekuri Ruta (UIUC) CS473 1 Spring 2018 1 / 57 Part I Reductions Continued Ruta (UIUC)
More informationProbabilistic Model Checking and [Program] Analysis (CO469)
Probabilistic Model Checking and [Program] Analysis (CO469) Program Analysis Herbert Wiklicky herbert@doc.ic.ac.uk Spring 208 / 64 Overview Topics we will cover in this part will include:. Language WHILE
More informationOperational Semantics
Operational Semantics Semantics and applications to verification Xavier Rival École Normale Supérieure Xavier Rival Operational Semantics 1 / 50 Program of this first lecture Operational semantics Mathematical
More informationAbstraction in Program Analysis & Model Checking. Abstraction in Model Checking. Motivations & Results
On Completeness in Abstract Model Checking from the Viewpoint of Abstract Interpretation Abstraction in Program Analysis & Model Checking Abstract interpretation has been successfully applied in: static
More informationCMSC 631 Program Analysis and Understanding Fall Abstract Interpretation
Program Analysis and Understanding Fall 2017 Abstract Interpretation Based on lectures by David Schmidt, Alex Aiken, Tom Ball, and Cousot & Cousot What is an Abstraction? A property from some domain Blue
More informationTimed Automata VINO 2011
Timed Automata VINO 2011 VeriDis Group - LORIA July 18, 2011 Content 1 Introduction 2 Timed Automata 3 Networks of timed automata Motivation Formalism for modeling and verification of real-time systems.
More informationExam Computability and Complexity
Total number of points:... Number of extra sheets of paper:... Exam Computability and Complexity by Jiri Srba, January 2009 Student s full name CPR number Study number Before you start, fill in the three
More informationCalculating axiomatic semantics from program equations by means of functional predicate calculus
Calculating axiomatic semantics from program equations by means of functional predicate calculus (Some initial results of recent work not for dissemination) Raymond Boute INTEC Ghent University 2004/02
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Nachum Dershowitz & Yishay Mansour. Tel Aviv University. May 17 22, 2017 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationNotes for Lecture Notes 2
Stanford University CS254: Computational Complexity Notes 2 Luca Trevisan January 11, 2012 Notes for Lecture Notes 2 In this lecture we define NP, we state the P versus NP problem, we prove that its formulation
More information1 Introduction. 2 Recap The Typed λ-calculus λ. 3 Simple Data Structures
CS 6110 S18 Lecture 21 Products, Sums, and Other Datatypes 1 Introduction In this lecture, we add constructs to the typed λ-calculus that allow working with more complicated data structures, such as pairs,
More informationSoftware Verification
Software Verification Grégoire Sutre LaBRI, University of Bordeaux, CNRS, France Summer School on Verification Technology, Systems & Applications September 2008 Grégoire Sutre Software Verification VTSA
More informationNICTA Advanced Course. Theorem Proving Principles, Techniques, Applications
NICTA Advanced Course Theorem Proving Principles, Techniques, Applications λ 1 CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic, natural
More informationAlan Bundy. Automated Reasoning LTL Model Checking
Automated Reasoning LTL Model Checking Alan Bundy Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures have
More information«ATutorialon Abstract Interpretation»
«ATutorialon Abstract Interpretation» Patrick Cousot École normale supérieure 45 rue d Ulm 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/~cousot VMCAI 05 Industrial Day VMCAI 05 Industrial
More informationDecidability: Reduction Proofs
Decidability: Reduction Proofs Basic technique for proving a language is (semi)decidable is reduction Based on the following principle: Have problem A that needs to be solved If there exists a problem
More informationRoy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK
Midlands Graduate School, University of Birmingham, April 2008 1 Operational Semantics Abstract Machines and Correctness Roy L. Crole University of Leicester, UK Midlands Graduate School, University of
More informationPrinciples of Program Analysis: Abstract Interpretation
Principles of Program Analysis: Abstract Interpretation Transparencies based on Chapter 4 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag
More informationT Reactive Systems: Temporal Logic LTL
Tik-79.186 Reactive Systems 1 T-79.186 Reactive Systems: Temporal Logic LTL Spring 2005, Lecture 4 January 31, 2005 Tik-79.186 Reactive Systems 2 Temporal Logics Temporal logics are currently the most
More informationPartial model checking via abstract interpretation
Partial model checking via abstract interpretation N. De Francesco, G. Lettieri, L. Martini, G. Vaglini Università di Pisa, Dipartimento di Ingegneria dell Informazione, sez. Informatica, Via Diotisalvi
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Recap: Interprocedural Dataflow Analysis Outline of
More informationDecidability and Undecidability
Decidability and Undecidability Major Ideas from Last Time Every TM can be converted into a string representation of itself. The encoding of M is denoted M. The universal Turing machine U TM accepts an
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationPropositional Dynamic Logic
Propositional Dynamic Logic Contents 1 Introduction 1 2 Syntax and Semantics 2 2.1 Syntax................................. 2 2.2 Semantics............................... 2 3 Hilbert-style axiom system
More informationA Multi-Periodic Synchronous Data-Flow Language
Julien Forget 1 Frédéric Boniol 1 David Lesens 2 Claire Pagetti 1 firstname.lastname@onera.fr 1 ONERA - Toulouse, FRANCE 2 EADS Astrium Space Transportation - Les Mureaux, FRANCE November 19, 2008 1 /
More informationLanguage-based Information Security. CS252r Spring 2012
Language-based Information Security CS252r Spring 2012 This course Survey of key concepts and hot topics in language-based information security The use of programming language abstractions and techniques
More informationDesign of Distributed Systems Melinda Tóth, Zoltán Horváth
Design of Distributed Systems Melinda Tóth, Zoltán Horváth Design of Distributed Systems Melinda Tóth, Zoltán Horváth Publication date 2014 Copyright 2014 Melinda Tóth, Zoltán Horváth Supported by TÁMOP-412A/1-11/1-2011-0052
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. April 18/ May 2, 2016 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationTime and Timed Petri Nets
Time and Timed Petri Nets Serge Haddad LSV ENS Cachan & CNRS & INRIA haddad@lsv.ens-cachan.fr DISC 11, June 9th 2011 1 Time and Petri Nets 2 Timed Models 3 Expressiveness 4 Analysis 1/36 Outline 1 Time
More informationFORMAL LANGUAGES, AUTOMATA AND COMPUTATION
FORMAL LANGUAGES, AUTOMATA AND COMPUTATION DECIDABILITY ( LECTURE 15) SLIDES FOR 15-453 SPRING 2011 1 / 34 TURING MACHINES-SYNOPSIS The most general model of computation Computations of a TM are described
More informationLogic in Computer Science. Frank Wolter
Logic in Computer Science Frank Wolter Meta Information Slides, exercises, and other relevant information are available at: http://www.liv.ac.uk/~frank/teaching/comp118/comp118.html The module has 18 lectures.
More informationESE601: Hybrid Systems. Introduction to verification
ESE601: Hybrid Systems Introduction to verification Spring 2006 Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled. What is verification?
More informationSeptember 14. Fall Software Foundations CIS 500
CIS 500 Software Foundations Fall 2005 September 14 CIS 500, September 14 1 Announcements I will be away September 19-October 5. I will be reachable by email. Fastest response cis500@cis.upenn.edu No office
More informationDenotational semantics
Denotational semantics The method define syntax (syntactic domains) define semantic domains define semantic functions use compositional definitions Andrzej Tarlecki: Semantics & Verification - 63 - Syntactic
More informationHomework Assignment 6 Answers
Homework Assignment 6 Answers CSCI 2670 Introduction to Theory of Computing, Fall 2016 December 2, 2016 This homework assignment is about Turing machines, decidable languages, Turing recognizable languages,
More informationComputational Models Lecture 8 1
Computational Models Lecture 8 1 Handout Mode Ronitt Rubinfeld and Iftach Haitner. Tel Aviv University. May 11/13, 2015 1 Based on frames by Benny Chor, Tel Aviv University, modifying frames by Maurice
More informationLecture 12: Core State Machines II
Software Design, Modelling and Analysis in UML Lecture 12: Core State Machines II 2015-12-15 12 2015-12-15 main Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany
More informationPrinciples of Program Analysis: Control Flow Analysis
Principles of Program Analysis: Control Flow Analysis Transparencies based on Chapter 3 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis. Springer Verlag
More informationMarie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group
EXAMINING REFINEMENT: THEORY, TOOLS AND MATHEMATICS Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group PROBLEM Different formalisms do not integrate
More informationCS154, Lecture 10: Rice s Theorem, Oracle Machines
CS154, Lecture 10: Rice s Theorem, Oracle Machines Moral: Analyzing Programs is Really, Really Hard But can we more easily tell when some program analysis problem is undecidable? Problem 1 Undecidable
More informationLogic Model Checking
Logic Model Checking Lecture Notes 10:18 Caltech 101b.2 January-March 2004 Course Text: The Spin Model Checker: Primer and Reference Manual Addison-Wesley 2003, ISBN 0-321-22862-6, 608 pgs. the assignment
More informationClassical First-Order Logic
Classical First-Order Logic Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) First-Order Logic (Classical) MFES 2008/09
More informationA Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING
A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING Do-Hyung Kim School of Computer Science and Engineering Sungshin Women s s University CONTENTS Bibliographic Information and Organization
More information1 Computational Problems
Stanford University CS254: Computational Complexity Handout 2 Luca Trevisan March 31, 2010 Last revised 4/29/2010 In this lecture we define NP, we state the P versus NP problem, we prove that its formulation
More informationthat shows the semi-decidability of the problem (i.e. a semi-decision procedure for EXISTS-HALTING) and argue that it is correct.
Exercise 1 (15) Consider the following problem: EXISTS-HALTING INSTANCE: A program Π, which takes as input a string over the alphabet {a, b, c,..., z}. QUESTION: Does there exist an input I, such that
More informationPROOFS IN PREDICATE LOGIC AND COMPLETENESS; WHAT DECIDABILITY MEANS HUTH AND RYAN 2.3, SUPPLEMENTARY NOTES 2
PROOFS IN PREDICATE LOGIC AND COMPLETENESS; WHAT DECIDABILITY MEANS HUTH AND RYAN 2.3, SUPPLEMENTARY NOTES 2 Neil D. Jones DIKU 2005 12 September, 2005 Some slides today new, some based on logic 2004 (Nils
More informationCOP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen Assertions and Preconditions Assertions are used by programmers to verify run-time execution An assertion is a
More informationLecture 12: Mapping Reductions
Lecture 12: Mapping Reductions October 18, 2016 CS 1010 Theory of Computation Topics Covered 1. The Language EQ T M 2. Mapping Reducibility 3. The Post Correspondence Problem 1 The Language EQ T M The
More information(2) (15pts) Using Prolog, implement a type-checker for the following small subset of System F:
CS 6371 Advanced Programming Languages Sample Spring 2018 Final Exam This sample final exam is LONGER than a real final exam (to give you more practice problems) and has a medium difficulty level. You
More informationComputability, Undeciability and the Halting Problem
Computability, Undeciability and the Halting Problem 12/01/16 http://www.michael-hogg.co.uk/game_of_life.php Discrete Structures (CS 173) Lecture B Gul Agha 1 Based on slides by Derek Hoiem, University
More informationAbstract Non-Interference - An Abstract Interpretation-based approach to Secure Information Flow
Isabella Mastroeni Abstract Non-Interference - An Abstract Interpretation-based approach to Secure Information Flow Ph.D. Thesis 31 Marzo 2005 Università degli Studi di Verona Dipartimento di Informatica
More informationProgram Verification Using Separation Logic
Program Verification Using Separation Logic Cristiano Calcagno Adapted from material by Dino Distefano Lecture 1 Goal of the course Study Separation Logic having automatic verification in mind Learn how
More informationA Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs
A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs Torben Amtoft and Anindya Banerjee a,1,2 a Department of Computing and Information Sciences Kansas
More informationProcess Algebras and Concurrent Systems
Process Algebras and Concurrent Systems Rocco De Nicola Dipartimento di Sistemi ed Informatica Università di Firenze Process Algebras and Concurrent Systems August 2006 R. De Nicola (DSI-UNIFI) Process
More informationOn the satisfiability problem for a 4-level quantified syllogistic and some applications to modal logic
On the satisfiability problem for a 4-level quantified syllogistic and some applications to modal logic Domenico Cantone and Marianna Nicolosi Asmundo Dipartimento di Matematica e Informatica Università
More informationEqualities and Uninterpreted Functions. Chapter 3. Decision Procedures. An Algorithmic Point of View. Revision 1.0
Equalities and Uninterpreted Functions Chapter 3 Decision Procedures An Algorithmic Point of View D.Kroening O.Strichman Revision 1.0 Outline Decision Procedures Equalities and Uninterpreted Functions
More informationCOMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.
COMP2111 Glossary Kai Engelhardt Revision: 1.3, May 18, 2018 Contents 1 Symbols 1 2 Hoare Logic 3 3 Refinement Calculus 5 1 Symbols Booleans B = {false, true}, natural numbers N = {0, 1, 2,...}, integers
More informationInduction; Operational Semantics. Fall Software Foundations CIS 500
CIS 500 Software Foundations Fall 2005 Induction; Operational Semantics CIS 500, Induction; Operational Semantics 1 Announcements Review recitations start this week. You may go to any recitation section
More informationA logical framework to deal with variability
A logical framework to deal with variability (research in progress) M.H. ter Beek joint work with P. Asirelli, A. Fantechi and S. Gnesi ISTI CNR Università di Firenze XXL project meeting Pisa, 21 June
More informationRelative Hilbert-Post completeness for exceptions
Relative Hilbert-Post completeness for exceptions Dominique Duval with J.-G. Dumas, B. Ekici, D. Pous, J.-C. Reynaud LJK University of Grenoble-Alpes and ENS Lyon November 12., 2015 MACIS 2015, Berlin
More informationUndecidable Problems and Reducibility
University of Georgia Fall 2014 Reducibility We show a problem decidable/undecidable by reducing it to another problem. One type of reduction: mapping reduction. Definition Let A, B be languages over Σ.
More informationTableau-based decision procedures for the logics of subinterval structures over dense orderings
Tableau-based decision procedures for the logics of subinterval structures over dense orderings Davide Bresolin 1, Valentin Goranko 2, Angelo Montanari 3, and Pietro Sala 3 1 Department of Computer Science,
More informationSmoothing a Program Soundly and Robustly
Smoothing a Program Soundly and Robustly Swarat Chaudhuri 1 and Armando Solar-Lezama 2 1 Rice University 2 MIT Abstract. We study the foundations of smooth interpretation, a recentlyproposed program approximation
More information