10,760 research outputs found
Memory usage verification using Hip/Sleek.
Embedded systems often come with constrained memory footprints. It is therefore essential to ensure that software running on such platforms fulfils memory usage specifications at compile-time, to prevent memory-related software failure after deployment. Previous proposals on memory usage verification are not satisfactory as they usually can only handle restricted subsets of programs, especially when shared mutable data structures are involved. In this paper, we propose a simple but novel solution. We instrument programs with explicit memory operations so that memory usage verification can be done along with the verification of other properties, using an automated verification system Hip/Sleek developed recently by Chin et al.[10,19]. The instrumentation can be done automatically and is proven sound with respect to an underlying semantics. One immediate benefit is that we do not need to develop from scratch a specific system for memory usage verification. Another benefit is that we can verify more programs, especially those involving shared mutable data structures, which previous systems failed to handle, as evidenced by our experimental results
An Experiment in Ping-Pong Protocol Verification by Nondeterministic Pushdown Automata
An experiment is described that confirms the security of a well-studied class
of cryptographic protocols (Dolev-Yao intruder model) can be verified by
two-way nondeterministic pushdown automata (2NPDA). A nondeterministic pushdown
program checks whether the intersection of a regular language (the protocol to
verify) and a given Dyck language containing all canceling words is empty. If
it is not, an intruder can reveal secret messages sent between trusted users.
The verification is guaranteed to terminate in cubic time at most on a
2NPDA-simulator. The interpretive approach used in this experiment simplifies
the verification, by separating the nondeterministic pushdown logic and program
control, and makes it more predictable. We describe the interpretive approach
and the known transformational solutions, and show they share interesting
features. Also noteworthy is how abstract results from automata theory can
solve practical problems by programming language means.Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866
Non-polynomial Worst-Case Analysis of Recursive Programs
We study the problem of developing efficient approaches for proving
worst-case bounds of non-deterministic recursive programs. Ranking functions
are sound and complete for proving termination and worst-case bounds of
nonrecursive programs. First, we apply ranking functions to recursion,
resulting in measure functions. We show that measure functions provide a sound
and complete approach to prove worst-case bounds of non-deterministic recursive
programs. Our second contribution is the synthesis of measure functions in
nonpolynomial forms. We show that non-polynomial measure functions with
logarithm and exponentiation can be synthesized through abstraction of
logarithmic or exponentiation terms, Farkas' Lemma, and Handelman's Theorem
using linear programming. While previous methods obtain worst-case polynomial
bounds, our approach can synthesize bounds of the form
as well as where is not an integer. We present
experimental results to demonstrate that our approach can obtain efficiently
worst-case bounds of classical recursive algorithms such as (i) Merge-Sort, the
divide-and-conquer algorithm for the Closest-Pair problem, where we obtain
worst-case bound, and (ii) Karatsuba's algorithm for
polynomial multiplication and Strassen's algorithm for matrix multiplication,
where we obtain bound such that is not an integer and
close to the best-known bounds for the respective algorithms.Comment: 54 Pages, Full Version to CAV 201
SMT-based Model Checking for Recursive Programs
We present an SMT-based symbolic model checking algorithm for safety
verification of recursive programs. The algorithm is modular and analyzes
procedures individually. Unlike other SMT-based approaches, it maintains both
"over-" and "under-approximations" of procedure summaries. Under-approximations
are used to analyze procedure calls without inlining. Over-approximations are
used to block infeasible counterexamples and detect convergence to a proof. We
show that for programs and properties over a decidable theory, the algorithm is
guaranteed to find a counterexample, if one exists. However, efficiency depends
on an oracle for quantifier elimination (QE). For Boolean Programs, the
algorithm is a polynomial decision procedure, matching the worst-case bounds of
the best BDD-based algorithms. For Linear Arithmetic (integers and rationals),
we give an efficient instantiation of the algorithm by applying QE "lazily". We
use existing interpolation techniques to over-approximate QE and introduce
"Model Based Projection" to under-approximate QE. Empirical evaluation on
SV-COMP benchmarks shows that our algorithm improves significantly on the
state-of-the-art.Comment: originally published as part of the proceedings of CAV 2014; fixed
typos, better wording at some place
Algorithmic Verification of Asynchronous Programs
Asynchronous programming is a ubiquitous systems programming idiom to manage
concurrent interactions with the environment. In this style, instead of waiting
for time-consuming operations to complete, the programmer makes a non-blocking
call to the operation and posts a callback task to a task buffer that is
executed later when the time-consuming operation completes. A co-operative
scheduler mediates the interaction by picking and executing callback tasks from
the task buffer to completion (and these callbacks can post further callbacks
to be executed later). Writing correct asynchronous programs is hard because
the use of callbacks, while efficient, obscures program control flow.
We provide a formal model underlying asynchronous programs and study
verification problems for this model. We show that the safety verification
problem for finite-data asynchronous programs is expspace-complete. We show
that liveness verification for finite-data asynchronous programs is decidable
and polynomial-time equivalent to Petri Net reachability. Decidability is not
obvious, since even if the data is finite-state, asynchronous programs
constitute infinite-state transition systems: both the program stack and the
task buffer of pending asynchronous calls can be potentially unbounded.
Our main technical construction is a polynomial-time semantics-preserving
reduction from asynchronous programs to Petri Nets and conversely. The
reduction allows the use of algorithmic techniques on Petri Nets to the
verification of asynchronous programs.
We also study several extensions to the basic models of asynchronous programs
that are inspired by additional capabilities provided by implementations of
asynchronous libraries, and classify the decidability and undecidability of
verification questions on these extensions.Comment: 46 pages, 9 figure
Amortised resource analysis with separation logic
Type-based amortised resource analysis following Hofmann and Jost—where resources are associated with individual elements of data structures and doled out to the programmer under a linear typing discipline—have been successful in providing concrete resource bounds for functional programs, with good support for inference. In this work we translate the idea of amortised resource analysis to imperative languages by embedding a logic of resources, based on Bunched Implications, within Separation Logic. The Separation Logic component allows us to assert the presence and shape of mutable data structures on the heap, while the resource component allows us to state the resources associated with each member of the structure. We present the logic on a small imperative language with procedures and mutable heap, based on Java bytecode. We have formalised the logic within the Coq proof assistant and extracted a certified verification condition generator. We demonstrate the logic on some examples, including proving termination of in-place list reversal on lists with cyclic tails
CapablePtrs: Securely Compiling Partial Programs using the Pointers-as-Capabilities Principle
Capability machines such as CHERI provide memory capabilities that can be
used by compilers to provide security benefits for compiled code (e.g., memory
safety). The C to CHERI compiler, for example, achieves memory safety by
following a principle called "pointers as capabilities" (PAC). Informally, PAC
says that a compiler should represent a source language pointer as a machine
code capability. But the security properties of PAC compilers are not yet well
understood. We show that memory safety is only one aspect, and that PAC
compilers can provide significant additional security guarantees for partial
programs: the compiler can provide guarantees for a compilation unit, even if
that compilation unit is later linked to attacker-controlled machine code. This
paper is the first to study the security of PAC compilers for partial programs
formally. We prove for a model of such a compiler that it is fully abstract.
The proof uses a novel proof technique (dubbed TrICL, read trickle), which is
of broad interest because it reuses and extends the compiler correctness
relation in a natural way, as we demonstrate. We implement our compiler on top
of the CHERI platform and show that it can compile legacy C code with minimal
code changes. We provide performance benchmarks that show how performance
overhead is proportional to the number of cross-compilation-unit function
calls
- …