
    Relational Symbolic Execution

    Symbolic execution is a classical program analysis technique used to show that programs satisfy or violate given specifications. In this work we generalize symbolic execution to support program analysis for relational specifications in the form of relational properties: properties about two runs of two programs on related inputs, or about two executions of a single program on related inputs. Relational properties are useful to formalize notions in security and privacy, and to reason about program optimizations. We design a relational symbolic execution engine, named RelSym, which supports interactive refutation, as well as proving, of relational properties for programs written in a language with arrays and for-like loops.

    Securing the Foundations of Practical Information Flow Control

    Language-based information flow control (IFC) promises to secure computer programs against malicious or incompetent programmers by addressing key shortcomings of modern programming languages. In spite of showing great promise, the field remains under-utilised in practice. This thesis makes contributions to the theoretical foundations of IFC aimed at making the techniques practically applicable. It addresses two primary topics, IFC as a library and IFC without false alarms. The contributions range from foundational observations about soundness and completeness to practical considerations of efficiency and expressiveness.
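    To make the "IFC as a library" idea concrete, the following is an added example and not code from the thesis or from any library it describes. It is a small floating-label monitor written as a plain Python module: every value carries a label from a two-point lattice, observing a value raises the computation's current label, and a write to an output channel is permitted only if the current label flows to the channel's label. The labels, the channel abstraction and the password-check scenario are constructed for the example.

```python
"""Information flow control as a library: a floating-label monitor.

Added example, not the thesis's own code. It follows the general shape of
floating-label IFC libraries: each value is wrapped with a label, observing a
value raises the current label of the computation, and an output is allowed
only if the current label flows to the output channel's label. Because the
current label covers control flow, implicit flows are caught as well as
explicit ones.
"""
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple

# Two-point lattice LOW <= HIGH (assumption: a richer lattice works the same way).
LOW, HIGH = "low", "high"


def flows_to(a: str, b: str) -> bool:
    return a == LOW or b == HIGH


def join(a: str, b: str) -> str:
    return HIGH if HIGH in (a, b) else LOW


class IFCViolation(Exception):
    """Raised when a write would move information against the lattice order."""


@dataclass(frozen=True)
class Labeled:
    label: str
    value: Any  # only ever read through IFCContext.unlabel


class Channel:
    """An output sink with a fixed label (e.g. a public log vs. a secure store)."""

    def __init__(self, name: str, label: str) -> None:
        self.name, self.label = name, label
        self.log: List[Any] = []


class IFCContext:
    """Tracks the current label: the join of everything observed so far."""

    def __init__(self) -> None:
        self.current = LOW

    def unlabel(self, lv: Labeled) -> Any:
        # Observing data taints all subsequent control flow and outputs.
        self.current = join(self.current, lv.label)
        return lv.value

    def write(self, ch: Channel, value: Any) -> None:
        if not flows_to(self.current, ch.label):
            raise IFCViolation(f"current label {self.current} cannot flow to {ch.name} ({ch.label})")
        ch.log.append(value)

    def to_labeled(self, f: Callable[[], Any]) -> Labeled:
        # Run f as a sub-computation, package its result with the label it
        # reached, then restore the outer current label.
        saved = self.current
        try:
            result = f()
            return Labeled(self.current, result)
        finally:
            self.current = saved


def password_check(ctx: IFCContext, secret: Labeled, guess: Labeled) -> bool:
    # Even a branch-free comparison is a flow: the result depends on the secret.
    return ctx.unlabel(secret) == ctx.unlabel(guess)


def attempt_public_leak() -> str:
    """Writing the comparison result to a public channel must be refused."""
    ctx, public = IFCContext(), Channel("public-log", LOW)
    ok = password_check(ctx, Labeled(HIGH, "hunter2"), Labeled(LOW, "hunter2"))
    try:
        ctx.write(public, ok)
        return "leaked"
    except IFCViolation:
        return "blocked"


def audit_to_secure_store() -> str:
    """The same result may flow to a HIGH-labelled sink."""
    ctx, secure = IFCContext(), Channel("secure-audit", HIGH)
    ok = password_check(ctx, Labeled(HIGH, "hunter2"), Labeled(LOW, "hunter2"))
    ctx.write(secure, ok)
    return "allowed" if secure.log == [True] else "unexpected"


def scoped_secret_use() -> Tuple[str, str, bool]:
    """to_labeled confines the taint: the outer computation stays LOW and can
    still log public data, while the secret-dependent verdict stays HIGH."""
    ctx, public = IFCContext(), Channel("public-log", LOW)
    secret, guess = Labeled(HIGH, "hunter2"), Labeled(LOW, "letmein")
    verdict = ctx.to_labeled(lambda: password_check(ctx, secret, guess))
    outer_label = ctx.current
    ctx.write(public, "login attempt recorded")  # fine: current label is LOW
    try:
        ctx.write(public, ctx.unlabel(verdict))   # raises: verdict is HIGH
        leaked = True
    except IFCViolation:
        leaked = False
    return outer_label, verdict.label, leaked
```

    The monitor also shows where the thesis's second topic, false alarms, comes from: after `ctx.unlabel(secret)` the current label is HIGH, so a subsequent `ctx.write(public, 42)` is rejected even though the constant carries no information about the secret. A purely dynamic monitor must reject it to stay sound for the implicit-flow case; removing such false alarms without losing soundness is exactly the hard part.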

    A Hybrid Approach for Proving Noninterference of Java Programs

    Several tools and approaches for proving noninterference properties for Java and other languages exist. Some of them have a high degree of automation or are even fully automatic, but overapproximate the actual information flow and hence may produce false positives. Other tools, such as those based on theorem proving, are precise, but may need interaction, and hence analysis is time-consuming. In this paper, we propose a hybrid approach that aims at obtaining the best of both: we want to use fully automatic analysis as much as possible, and only at places in a program where, due to overapproximation, the automatic approaches fail do we resort to more precise but interactive analysis, where the latter involves only the verification of specific functional properties in certain parts of the program, rather than checking more intricate noninterference properties for the whole program. To illustrate the hybrid approach, in a case study we use it, along with the fully automatic tool Joana for checking noninterference properties for Java programs and the theorem prover KeY for the verification of Java programs, together with the CVJ framework proposed by Küsters, Truderung, and Graf to establish cryptographic privacy properties for a non-trivial Java program, namely an e-voting system. The CVJ framework allows one to establish cryptographic indistinguishability properties for Java programs by checking (standard) noninterference properties for such programs.
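    Both this abstract and the RelSym abstract above treat noninterference as a property of two runs. As an added example (not code from RelSym, Joana, KeY or the CVJ framework), here is that two-run formulation written out directly in Python: a generic relational checker that takes two programs, a relation on their inputs and a relation on their outputs, and reports the first violating pair. Noninterference is the instance "equal low inputs, different high inputs, must give equal low outputs"; equivalence of a program and its optimised version is the instance "equal inputs must give equal outputs". The checker enumerates a small finite input space rather than executing symbolically, so a `None` result only covers the enumerated inputs; the programs and input ranges are constructed for the example.

```python
"""Noninterference as a relational (two-run) property, checked by bounded enumeration.

Added example, not code from RelSym, Joana, KeY or CVJ. A relational property
relates two executions on related inputs. Noninterference relates runs that
agree on the low (public) input and differ on the high (secret) input, and
requires that they agree on the low output. The check below composes the
program with itself over a small finite input space; unlike a symbolic
engine it covers only the enumerated inputs, so None is evidence, not proof.
"""
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

Inputs = Tuple[int, int]             # (low, high)
Program = Callable[[int, int], int]  # returns the low-observable output
Pair = Tuple[Inputs, Inputs]


def safe_program(low: int, high: int) -> int:
    # Loop bound and body depend only on the public input.
    total = 0
    for i in range(low):
        total += 2 * i
    return total


def optimised_safe_program(low: int, high: int) -> int:
    # Closed form of safe_program: sum of 2*i for i < low.
    return low * (low - 1)


def wrong_optimisation(low: int, high: int) -> int:
    # Off by one: not equivalent to safe_program.
    return low * low


def leaky_program(low: int, high: int) -> int:
    # Implicit flow: the branch inside the loop depends on the secret.
    total = 0
    for i in range(low):
        if high > 5:
            total += i
        else:
            total += 2 * i
    return total


def leaky_array_program(low: int, high: int) -> int:
    # Explicit flow through an array index computed from the secret.
    table = [3, 1, 4, 1, 5, 9, 2, 6]
    return table[(low + high) % len(table)]


def check_relational(p1: Program, p2: Program, inputs: List[Inputs],
                     in_rel: Callable[[Inputs, Inputs], bool],
                     out_rel: Callable[[int, int], bool]) -> Optional[Pair]:
    """Generic two-run check. For every pair (a, b) of inputs related by
    in_rel, the outputs p1(a) and p2(b) must be related by out_rel. Returns
    the first violating pair of inputs, or None if none was found."""
    for a, b in product(inputs, repeat=2):
        if in_rel(a, b) and not out_rel(p1(*a), p2(*b)):
            return (a, b)
    return None


def noninterference_counterexample(prog: Program, lows: Iterable[int],
                                   highs: Iterable[int]) -> Optional[Pair]:
    """Two runs of one program: low-equivalent inputs must give equal outputs."""
    inputs = [(l, h) for l in lows for h in highs]
    return check_relational(
        prog, prog, inputs,
        in_rel=lambda a, b: a[0] == b[0] and a[1] != b[1],  # same low, different high
        out_rel=lambda x, y: x == y,                          # equal low outputs
    )


def equivalence_counterexample(p1: Program, p2: Program, lows: Iterable[int],
                               highs: Iterable[int]) -> Optional[Pair]:
    """Two programs, one input: used to validate an optimisation."""
    inputs = [(l, h) for l in lows for h in highs]
    return check_relational(p1, p2, inputs,
                            in_rel=lambda a, b: a == b,
                            out_rel=lambda x, y: x == y)
```

    The returned pair is a concrete refutation in the sense of the RelSym abstract: two inputs that agree on everything public and still produce different observations. Running it over the leaky programs gives the pair `((2, 0), (2, 6))` for the implicit flow and `((0, 0), (0, 1))` for the array index, while the safe program and its correct optimisation produce no counterexample over the same ranges.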

    Relational Cost Analysis for Functional-Imperative Programs

    Relational cost analysis aims at formally establishing bounds on the difference in the evaluation costs of two programs. As a particular case, one can also use relational cost analysis to establish bounds on the difference in the evaluation cost of the same program on two different inputs. One way to perform relational cost analysis is to use a relational type-and-effect system that supports reasoning about relations between two executions of two programs. Building on this basic idea, we present a type-and-effect system, called ARel, for reasoning about the relative cost of array-manipulating, higher-order functional-imperative programs. The key ingredient of our approach is a new lightweight type refinement discipline that we use to track relations (differences) between two arrays. This discipline, combined with Hoare-style triples built into the types, allows us to express and establish precise relative costs of several interesting programs which imperatively update their data.
    14 pages.

    Executable Refinement Types

    This dissertation introduces executable refinement types, which refine structural types by semi-decidable predicates, and establishes their metatheory and accompanying implementation techniques. These results are useful for undecidable type systems in general. Particular contributions include: (1) type soundness and a logical relation for extensional equivalence for executable refinement types (though type checking is undecidable); (2) hybrid type checking for executable refinement types, which blends static and dynamic checks in a novel way, in some sense performing better statically than any decidable approximation; (3) a type reconstruction algorithm: reconstruction is decidable even though type checking is not, when suitably redefined to apply to undecidable type systems; (4) a novel use of existential types with dependent types to ensure that the language of logical formulae is closed under type checking; (5) a prototype implementation, Sage, of executable refinement types such that all dynamic errors are communicated back to the compiler and are thenceforth static errors.
    Ph.D. dissertation, accepted by the University of California, Santa Cruz, in March 2014. 278 pages (295 including frontmatter).

    Dependent Type Theory for Verification of Information Flow and Access Control Policies

    We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.