(Un)Decidability Results for Word Equations with Length and Regular Expression Constraints
We prove several decidability and undecidability results for the
satisfiability and validity problems for languages that can express solutions
to word equations with length constraints. The atomic formulas over this
language are equality over string terms (word equations), linear inequality
over the length function (length constraints), and membership in regular sets.
These questions are important in logic, program analysis, and formal
verification. Variants of these questions have been studied for many decades by
mathematicians. More recently, practical satisfiability procedures (aka SMT
solvers) for these formulas have become increasingly important in the context
of security analysis for string-manipulating programs such as web applications.
We prove three main theorems. First, we give a new proof of undecidability
for the validity problem for the set of sentences written as a forall-exists
quantifier alternation applied to positive word equations. A corollary of this
undecidability result is that this set is undecidable even with sentences with
at most two occurrences of a string variable. Second, we consider Boolean
combinations of quantifier-free formulas constructed out of word equations and
length constraints. We show that if word equations can be converted to a solved
form, a form relevant in practice, then the satisfiability problem for Boolean
combinations of word equations and length constraints is decidable. Third, we
show that the satisfiability problem for quantifier-free formulas over word
equations in regular solved form, length constraints, and the membership
predicate over regular expressions is also decidable.
Comment: Invited Paper at ADDCT Workshop 2013 (co-located with CADE 2013
Pengines: Web Logic Programming Made Easy
When developing a (web) interface for a deductive database, functionality
required by the client is provided by means of HTTP handlers that wrap the
logical data access predicates. These handlers are responsible for converting
between client and server data representations and typically include options
for paginating results. Designing the web accessible API is difficult because
it is hard to predict the exact requirements of clients. Pengines changes this
picture. The client provides a Prolog program that selects the required data by
accessing the logical API of the server. The pengine infrastructure provides
general mechanisms for converting Prolog data and handling Prolog
non-determinism. The Pengines library is small (2000 lines of Prolog, 150 lines
of JavaScript). It greatly simplifies defining an AJAX-based client for a Prolog
program and provides non-deterministic RPC between Prolog processes as well as
interaction with Prolog engines similar to Paul Tarau's engines. Pengines are
available as a standard package for SWI-Prolog 7.
Comment: To appear in Theory and Practice of Logic Programming
Data-flow Analysis of Programs with Associative Arrays
Dynamic programming languages, such as PHP, JavaScript, and Python, provide
built-in data structures including associative arrays and objects with similar
semantics: object properties can be created at run-time and accessed via
arbitrary expressions. While a high level of security and safety of
applications written in these languages can be of a particular importance
(consider a web application storing sensitive data and providing its
functionality worldwide), dynamic data structures pose significant challenges
for data-flow analysis making traditional static verification methods both
unsound and imprecise. In this paper, we propose a sound and precise approach
for value and points-to analysis of programs with associative-array-like data
structures, upon which data-flow analyses can be built. We implemented our
approach in the web-application domain, in an analyzer of PHP code.
Comment: In Proceedings ESSS 2014, arXiv:1405.055
Type-based Dependency Analysis for JavaScript
Dependency analysis is a program analysis that determines potential data flow
between program points. While it is not a security analysis per se, it is a
viable basis for investigating data integrity, for ensuring confidentiality,
and for guaranteeing sanitization. A noninterference property can be stated and
proved for the dependency analysis. We have designed and implemented a
dependency analysis for JavaScript. We formalize this analysis as an
abstraction of a tainting semantics. We prove the correctness of the tainting
semantics, the soundness of the abstraction, a noninterference property, and
the termination of the analysis.
Comment: Technical Report