Hyperhierarchy of Semantics - A Formal Framework for Hyperproperties Verification
Hyperproperties are becoming the de facto standard for reasoning about system executions. They differ from classical trace properties in that they are sets of sets of executions instead of sets of executions. In this paper, we extend and lift the hierarchy of semantics developed in 2002 by P. Cousot in order to cope with the verification of hyperproperties. In the standard hierarchy, semantics at different levels of abstraction are related to each other by abstract interpretation. In the same spirit, we propose a hyperhierarchy of semantics adding a new, more concrete, hyper level. The semantics defined at this hyper level are suitable for hyperproperties verification. Furthermore, all the semantics in the hyperhierarchy (the standard and the hyper ones) are still related by abstract interpretation.
A Categorical Framework for Program Semantics and Semantic Abstraction
Categorical semantics of type theories are often characterized as structure-preserving functors. This is because in category theory both the syntax and the domain of interpretation are uniformly treated as structured categories, so that we can express interpretations as structure-preserving functors between them. This mathematical characterization of semantics makes it convenient to manipulate and to reason about relationships between interpretations. Motivated by this success of functorial semantics, we address the question of finding a functorial analogue in abstract interpretation, a general framework for comparing semantics, so that we can bring similar benefits of functorial semantics to semantic abstractions used in abstract interpretation. Major differences concern the notion of interpretation that is being considered. Indeed, conventional semantics are value-based whereas abstract interpretation typically deals with more complex properties. In this paper, we propose a functorial approach to abstract interpretation and study associated fundamental concepts therein. In our approach, interpretations are expressed as oplax functors in the category of posets, and abstraction relations between interpretations are expressed as lax natural transformations representing concretizations. We present examples of these formal concepts from monadic semantics of programming languages and discuss soundness.
Comment: MFPS 202
Verifying Bounded Subset-Closed Hyperproperties
Hyperproperties are quickly becoming very popular in the context of systems security, due to their expressive power. They differ from classic trace properties in that they are sets of sets of executions instead of sets of executions. This allows us, for instance, to capture information flow security specifications, which cannot be expressed as trace properties, i.e., as predicates over single executions. In this work, we reason about how standard abstract interpretation-based static analysis methods, designed for trace properties, can be moved towards the verification of hyperproperties. In particular, we focus on the verification of bounded subset-closed hyperproperties, which are easier to verify than generic hyperproperties. It turns out that many interesting specifications (e.g., Non-Interference) lie in this category.
Statically Analyzing Information Flows - An Abstract Interpretation-based Hyperanalysis for Non-Interference.
In the context of systems security, information flows play a central role. Unhandled information flows potentially leave the door open to very dangerous types of attacks, such as code injection or sensitive information leakage. Information flow verification is based on the definition of Non-Interference [8], which is known to be a hyperproperty [7], i.e., a property of sets of executions. The sound verification of hyperproperties is not trivial [3, 16]: it is not easy to adapt classic verification methods, used for trace properties, to deal with hyperproperties. In the present work, we design an abstract interpretation-based static analyzer that soundly checks Non-Interference. In particular, we define a hyper abstract domain, able to approximate the information flows occurring in the analyzed programs.
Relational Symbolic Execution
Symbolic execution is a classical program analysis technique used to show that programs satisfy or violate given specifications. In this work we generalize symbolic execution to support program analysis for relational specifications in the form of relational properties: these are properties about two runs of two programs on related inputs, or about two executions of a single program on related inputs. Relational properties are useful to formalize notions in security and privacy, and to reason about program optimizations. We design a relational symbolic execution engine, named RelSym, which supports interactive refutation, as well as proving of relational properties for programs written in a language with arrays and for-like loops.
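The three non-interference abstracts above and the relational-properties abstract here rest on the same point: non-interference relates pairs of executions, so it cannot be stated as a predicate over a single run, but it can be reduced to one by self-composition (running the program twice over renamed variables in a single state). The following is an added illustration, not code from any of these papers: a constructed toy imperative language, an interpreter, a direct check over pairs of runs, and the self-composition reduction. The variable names `h`/`l`, the `_2` renaming suffix, the three sample programs and the input space are all assumptions made for the example.

```python
# Added illustration (not from any paper on this page): non-interference as a
# 2-safety hyperproperty over a constructed toy imperative language.
import itertools

# Expressions: ('const', v) | ('var', name) | ('bin', op, e1, e2)
# Statements:  ('skip',) | ('assign', name, expr) | ('seq', [stmts])
#              | ('if', cond, then, else) | ('while', cond, body)
OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '==': lambda a, b: int(a == b), '>': lambda a, b: int(a > b)}


def evaluate(expr, state):
    kind = expr[0]
    if kind == 'const':
        return expr[1]
    if kind == 'var':
        return state[expr[1]]
    _, op, e1, e2 = expr
    return OPS[op](evaluate(e1, state), evaluate(e2, state))


def run(stmt, state, fuel=10_000):
    """Big-step interpreter returning a fresh final state; `fuel` bounds loops."""
    state = dict(state)
    kind = stmt[0]
    if kind == 'assign':
        state[stmt[1]] = evaluate(stmt[2], state)
    elif kind == 'seq':
        for s in stmt[1]:
            state = run(s, state, fuel)
    elif kind == 'if':
        state = run(stmt[2] if evaluate(stmt[1], state) else stmt[3], state, fuel)
    elif kind == 'while':
        while evaluate(stmt[1], state):
            fuel -= 1
            if fuel < 0:
                raise RuntimeError('loop bound exceeded')
            state = run(stmt[2], state, fuel)
    return state


def low_equal(s1, s2, low):
    """Low-equivalence: both states agree on every public (low) variable."""
    return all(s1[v] == s2[v] for v in low)


def noninterference_counterexample(prog, low, inputs):
    """Direct hyperproperty check over PAIRS of runs: any two runs that start
    low-equal must end low-equal. Returns the first offending pair of initial
    states, or None. No predicate over a single run can state this."""
    finals = [(init, run(prog, init)) for init in inputs]
    for (i1, f1), (i2, f2) in itertools.combinations(finals, 2):
        if low_equal(i1, i2, low) and not low_equal(f1, f2, low):
            return i1, i2
    return None


def rename(node, suffix):
    """Append `suffix` to every variable name in an expression or statement."""
    kind, rest = node[0], node[1:]
    if kind == 'var':
        return ('var', rest[0] + suffix)
    if kind == 'assign':
        return ('assign', rest[0] + suffix, rename(rest[1], suffix))
    if kind == 'seq':
        return ('seq', [rename(s, suffix) for s in rest[0]])
    if kind == 'bin':
        return ('bin', rest[0]) + tuple(rename(e, suffix) for e in rest[1:])
    if kind in ('if', 'while'):
        return (kind,) + tuple(rename(s, suffix) for s in rest)
    return node  # 'const' and 'skip' carry no variables


def self_composition_counterexample(prog, low, inputs):
    """Reduce the 2-run property to a trace property of ONE program: run prog,
    then a renamed copy of prog, in a single joint state. The post-condition
    'l == l_2 for every low l' is then an ordinary single-execution assertion,
    which a standard trace-property analyzer can check."""
    composed = ('seq', [prog, rename(prog, '_2')])
    for i1, i2 in itertools.combinations(inputs, 2):
        if not low_equal(i1, i2, low):
            continue  # precondition: the two copies start low-equal
        final = run(composed, dict(i1, **{v + '_2': x for v, x in i2.items()}))
        if any(final[v] != final[v + '_2'] for v in low):
            return i1, i2
    return None


H, L = ('var', 'h'), ('var', 'l')
# Implicit flow: the public output reveals whether the secret is positive.
LEAKY = ('if', ('bin', '>', H, ('const', 0)),
         ('assign', 'l', ('const', 1)), ('assign', 'l', ('const', 0)))
# No flow from h to l at all.
SAFE = ('seq', [('assign', 'l', ('bin', '+', L, ('const', 1))),
                ('assign', 'h', ('bin', '*', H, ('const', 2)))])
# Semantically secure although a syntactic taint check would flag it: h flows
# into l and is then cancelled out exactly.
CANCEL = ('seq', [('assign', 'l', ('bin', '+', L, H)),
                  ('assign', 'l', ('bin', '-', L, H))])
# Constructed input space: secret h and public l both range over {0, 1}.
INPUTS = [{'h': h, 'l': l} for h in (0, 1) for l in (0, 1)]
```

Calling `noninterference_counterexample(LEAKY, ['l'], INPUTS)` returns the pair of initial states `{'h': 0, 'l': 0}` and `{'h': 1, 'l': 0}`: they agree on `l`, yet the runs end with different values of `l`, which is exactly the witness a relational engine reports. `SAFE` and `CANCEL` return `None` under both checks; `CANCEL` shows why the property is semantic (a syntactic "h taints l" rule would reject it). `self_composition_counterexample` finds the same witness, but by asserting `l == l_2` on a single execution of the composed program, which is the reduction that lets trace-property tooling be reused. The enumeration over a finite input set is a test, not a proof; the papers above replace it with abstract domains or symbolic execution to cover all inputs.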
Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties (extended version)
Hoare logics are proof systems that allow one to formally establish properties of computer programs. Traditional Hoare logics prove properties of individual program executions (so-called trace properties, such as functional correctness). Hoare logic has also been generalized to prove properties of multiple executions of a program (so-called hyperproperties, such as determinism or non-interference). These program logics prove the absence of (bad combinations of) executions. On the other hand, program logics similar to Hoare logic have been proposed to disprove program properties (e.g., Incorrectness Logic), by proving the existence of (bad combinations of) executions. All of these logics have in common that they specify program properties using assertions over a fixed number of states, for instance, a single pre- and post-state for functional properties or pairs of pre- and post-states for non-interference.

In this paper, we present Hyper Hoare Logic, a generalization of Hoare logic that lifts assertions to properties of arbitrary sets of states. The resulting logic is simple yet expressive: its judgments can express arbitrary trace- and hyperproperties over the terminating executions of a program. By allowing assertions to reason about sets of states, Hyper Hoare Logic can reason about both the absence and the existence of (combinations of) executions, and thereby supports both proving and disproving program (hyper-)properties within the same logic. In fact, we prove that Hyper Hoare Logic subsumes the properties handled by numerous existing correctness and incorrectness logics, and can express hyperproperties that no existing Hoare logic can. We also prove that Hyper Hoare Logic is sound and complete, and admits powerful compositionality rules. All our technical results have been proved in Isabelle/HOL.
Collecting operational abstract interpreters
The theory of abstract interpretation, introduced by Cousot and Cousot in 1977, is a general theory of the approximation of formal program semantics. It is a useful tool to prove the correctness of static analyses, and it makes it possible to express mathematically the link between the output of a practical, approximate analysis and the original uncomputable program semantics.

Given a programming language, abstract interpretation consists of giving several semantics linked by a relation of abstraction; a semantics is intended to be the mathematical characterization of a program's possible behavior. There are several approaches to semantics, each one focused on different properties of a given program. For instance, operational semantics focuses on how to execute a program, and in particular, structural operational semantics deals with how each single step of the computation takes place. On the other hand, the denotational approach is only interested in the effect of the program's computation, i.e., in finding a relationship between input and output data by passing through mathematical structures. Although these two approaches are different, their final results must be consistent with each other, which suggests that they may be considered equivalent in a suitable sense. Thanks to its streamlined notions and proofs, the denotational approach to abstract interpretation has already been studied many times, and many of its properties have been developed and well formalized. The operational counterparts, by contrast, have rarely been rigorously formalized and proved, even if they are intuitively accepted as true. The main purpose of this work is to fill this gap: to study in detail the operational approach to abstract interpretation and to formalize, in this particular setting, some of the well-known denotational properties, providing mathematical proofs.