12,510 research outputs found
Security Policy Specification Using a Graphical Approach
A security policy states the acceptable actions of an information system, as
the actions bear on security. There is a pressing need for organizations to
declare their security policies, even informal statements would be better than
the current practice. But, formal policy statements are preferable to support
(1) reasoning about policies, e.g., for consistency and completeness, (2)
automated enforcement of the policy, e.g., using wrappers around legacy systems
or after the fact with an intrusion detection system, and (3) other formal
manipulation of policies, e.g., the composition of policies. We present LaSCO,
the Language for Security Constraints on Objects, in which a policy consists of
two parts: the domain (assumptions about the system) and the requirement (what
is allowed assuming the domain is satisfied). Thus policies defined in LaSCO
have the appearance of conditional access control statements. LaSCO policies
are specified as expressions in logic and as directed graphs, giving a visual
view of policy. LaSCO has a simple semantics in first order logic (which we
provide), thus permitting policies we write, even for complex policies, to be
very perspicuous. LaSCO has syntax to express many of the situations we have
found to be useful on policies or, more interesting, the composition of
policies. LaSCO has an object-oriented structure, permitting it to be useful to
describe policies on the objects and methods of an application written in an
object-oriented language, in addition to the traditional policies on operating
system objects. A LaSCO specification can be automatically translated into
executable code that checks an invocation of a program with respect to a
policy. The implementation of LaSCO is in Java, and generates wrappers to check
Java programs with respect to a policy.Comment: 28 pages, 22 figures, in color (but color is not essential for
viewing); UC Davis CS department technical report (July 22, 1998
Engineering Object-Oriented Semantics Using Graph Transformations
In this paper we describe the application of the theory of graph transformations to the practise of language design. We have defined the semantics of a small but realistic object-oriented language (called TAAL) by mapping the language constructs to graphs and their operational semantics to graph transformation rules. In the process we establish a mapping between UML models and graphs.
TAAL was developed for the purpose of this paper, as an extensive case study in engineering object-oriented language semantics using graph transformation. It incorporates the basic aspects of many commonly used object-oriented programming languages: apart from essential imperative programming constructs, it includes inheritance, object creation and method overriding. The language specification is based on a number of meta-models written in UML.
Both the static and dynamic semantics are defined using graph rewriting rules.
In the course of the case study, we have built an Eclipse plug-in that automatically transforms arbitrary TAAL programs into graphs, in a graph format readable by another tool. This second tool is called Groove, and it is able to execute graph transformations. By combining both tools we are able to visually simulate the execution of any TAAL program
Interacting via the Heap in the Presence of Recursion
Almost all modern imperative programming languages include operations for
dynamically manipulating the heap, for example by allocating and deallocating
objects, and by updating reference fields. In the presence of recursive
procedures and local variables the interactions of a program with the heap can
become rather complex, as an unbounded number of objects can be allocated
either on the call stack using local variables, or, anonymously, on the heap
using reference fields. As such a static analysis is, in general, undecidable.
In this paper we study the verification of recursive programs with unbounded
allocation of objects, in a simple imperative language for heap manipulation.
We present an improved semantics for this language, using an abstraction that
is precise. For any program with a bounded visible heap, meaning that the
number of objects reachable from variables at any point of execution is
bounded, this abstraction is a finitary representation of its behaviour, even
though an unbounded number of objects can appear in the state. As a
consequence, for such programs model checking is decidable.
Finally we introduce a specification language for temporal properties of the
heap, and discuss model checking these properties against heap-manipulating
programs.Comment: In Proceedings ICE 2012, arXiv:1212.345
Statically checking confidentiality via dynamic labels
This paper presents a new approach for verifying confidentiality
for programs, based on abstract interpretation. The
framework is formally developed and proved correct in the
theorem prover PVS. We use dynamic labeling functions
to abstractly interpret a simple programming language via
modification of security levels of variables. Our approach
is sound and compositional and results in an algorithm for
statically checking confidentiality
A Type-Safe Model of Adaptive Object Groups
Services are autonomous, self-describing, technology-neutral software units
that can be described, published, discovered, and composed into software
applications at runtime. Designing software services and composing services in
order to form applications or composite services requires abstractions beyond
those found in typical object-oriented programming languages. This paper
explores service-oriented abstractions such as service adaptation, discovery,
and querying in an object-oriented setting. We develop a formal model of
adaptive object-oriented groups which offer services to their environment.
These groups fit directly into the object-oriented paradigm in the sense that
they can be dynamically created, they have an identity, and they can receive
method calls. In contrast to objects, groups are not used for structuring code.
A group exports its services through interfaces and relies on objects to
implement these services. Objects may join or leave different groups. Groups
may dynamically export new interfaces, they support service discovery, and they
can be queried at runtime for the interfaces they support. We define an
operational semantics and a static type system for this model of adaptive
object groups, and show that well-typed programs do not cause
method-not-understood errors at runtime.Comment: In Proceedings FOCLASA 2012, arXiv:1208.432
A formally verified compiler back-end
This article describes the development and formal verification (proof of
semantic preservation) of a compiler back-end from Cminor (a simple imperative
intermediate language) to PowerPC assembly code, using the Coq proof assistant
both for programming the compiler and for proving its correctness. Such a
verified compiler is useful in the context of formal methods applied to the
certification of critical software: the verification of the compiler guarantees
that the safety properties proved on the source code hold for the executable
compiled code as well
An efficient, parametric fixpoint algorithm for analysis of java bytecode
Abstract interpretation has been widely used for the analysis of object-oriented languages and, in particular, Java source and bytecode. However, while most existing work deals with the problem of flnding expressive abstract domains that track accurately the characteristics of a particular concrete property, the underlying flxpoint algorithms have received comparatively less attention. In fact, many existing (abstract interpretation based—) flxpoint algorithms rely on relatively inefHcient techniques for solving inter-procedural caligraphs or are speciflc and tied to particular analyses. We also argüe that the design of an efficient fixpoint algorithm is pivotal to supporting the analysis of large programs. In this paper we introduce a novel algorithm for analysis of Java bytecode which includes a number of optimizations in order to reduce the number of iterations. The algorithm is parametric -in the sense that it is independent of the abstract domain used and it can be applied to different domains as "plug-ins"-, multivariant, and flow-sensitive. Also, is based on a program transformation, prior to the analysis, that results in a highly uniform representation of all the features in the language and therefore simplifies analysis. Detailed descriptions of decompilation solutions are given and discussed with an example. We also provide some performance data from a preliminary implementation of the analysis
- …