
    Hyperhierarchy of Semantics - A Formal Framework for Hyperproperties Verification

    Hyperproperties are becoming the de facto standard for reasoning about system executions. They differ from classical trace properties in that they are represented by sets of sets of executions instead of sets of executions. In this paper, we extend and lift the hierarchy of semantics developed in 2002 by P. Cousot in order to cope with the verification of hyperproperties. In the standard hierarchy, semantics at different levels of abstraction are related to each other by abstract interpretation. In the same spirit, we propose a hyperhierarchy of semantics adding a new, more concrete, hyper level. The semantics defined at this hyper level are suitable for hyperproperty verification. Furthermore, all the semantics in the hyperhierarchy (the standard and the hyper ones) are still related by abstract interpretation.

    A Categorical Framework for Program Semantics and Semantic Abstraction

    Categorical semantics of type theories are often characterized as structure-preserving functors. This is because in category theory both the syntax and the domain of interpretation are uniformly treated as structured categories, so that we can express interpretations as structure-preserving functors between them. This mathematical characterization of semantics makes it convenient to manipulate and to reason about relationships between interpretations. Motivated by this success of functorial semantics, we address the question of finding a functorial analogue in abstract interpretation, a general framework for comparing semantics, so that we can bring similar benefits of functorial semantics to semantic abstractions used in abstract interpretation. Major differences concern the notion of interpretation that is being considered. Indeed, conventional semantics are value-based whereas abstract interpretation typically deals with more complex properties. In this paper, we propose a functorial approach to abstract interpretation and study associated fundamental concepts therein. In our approach, interpretations are expressed as oplax functors in the category of posets, and abstraction relations between interpretations are expressed as lax natural transformations representing concretizations. We present examples of these formal concepts from monadic semantics of programming languages and discuss soundness.
    Comment: MFPS 202

    Verifying Bounded Subset-Closed Hyperproperties

    Hyperproperties are quickly becoming very popular in the context of systems security, due to their expressive power. They differ from classic trace properties in that they are represented by sets of sets of executions instead of sets of executions. This allows us, for instance, to capture information-flow security specifications, which cannot be expressed as trace properties, namely as predicates over single executions. In this work, we reason about how standard abstract interpretation-based static analysis methods, designed for trace properties, can be moved towards the verification of hyperproperties. In particular, we focus on the verification of bounded subset-closed hyperproperties, which are easier to verify than generic hyperproperties. It turns out that many interesting specifications (e.g., Non-Interference) lie in this category.

    Statically Analyzing Information Flows - An Abstract Interpretation-based Hyperanalysis for Non-Interference.

    In the context of systems security, information flows play a central role. Unhandled information flows potentially leave the door open to very dangerous types of attacks, such as code injection or sensitive information leakage. Information flow verification is based on the definition of Non-Interference [8], which is known to be a hyperproperty [7], i.e., a property of sets of executions. The sound verification of hyperproperties is not trivial [3, 16]: it is not easy to adapt classic verification methods, used for trace properties, to deal with hyperproperties. In the present work, we design an abstract interpretation-based static analyzer that soundly checks Non-Interference. In particular, we define a hyper abstract domain able to approximate the information flows occurring in the analyzed programs.

    Relational Symbolic Execution

    Symbolic execution is a classical program analysis technique used to show that programs satisfy or violate given specifications. In this work we generalize symbolic execution to support program analysis for relational specifications in the form of relational properties: these are properties about two runs of two programs on related inputs, or about two executions of a single program on related inputs. Relational properties are useful to formalize notions in security and privacy, and to reason about program optimizations. We design a relational symbolic execution engine, named RelSym, which supports both interactive refutation and proving of relational properties for programs written in a language with arrays and for-like loops.

    Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties (extended version)

    Hoare logics are proof systems that allow one to formally establish properties of computer programs. Traditional Hoare logics prove properties of individual program executions (so-called trace properties, such as functional correctness). Hoare logic has been generalized to prove also properties of multiple executions of a program (so-called hyperproperties, such as determinism or non-interference). These program logics prove the absence of (bad combinations of) executions. On the other hand, program logics similar to Hoare logic have been proposed to disprove program properties (e.g., Incorrectness Logic), by proving the existence of (bad combinations of) executions. All of these logics have in common that they specify program properties using assertions over a fixed number of states, for instance, a single pre- and post-state for functional properties or pairs of pre- and post-states for non-interference. In this paper, we present Hyper Hoare Logic, a generalization of Hoare logic that lifts assertions to properties of arbitrary sets of states. The resulting logic is simple yet expressive: its judgments can express arbitrary trace- and hyperproperties over the terminating executions of a program. By allowing assertions to reason about sets of states, Hyper Hoare Logic can reason about both the absence and the existence of (combinations of) executions, and, thereby, supports both proving and disproving program (hyper-)properties within the same logic. In fact, we prove that Hyper Hoare Logic subsumes the properties handled by numerous existing correctness and incorrectness logics, and can express hyperproperties that no existing Hoare logic can. We also prove that Hyper Hoare Logic is sound and complete, and admits powerful compositionality rules. All our technical results have been proved in Isabelle/HOL.
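The three abstracts above (bounded subset-closed hyperproperties, the Non-Interference hyperanalysis, and Hyper Hoare Logic's assertions over sets of states) all rest on the same distinction: a trace property is a predicate on one execution, a hyperproperty is a predicate on a set of executions. The following Python is an added illustration, not code from any of the listed papers. It constructs a two-bit toy state space (a secret variable h and a public variable l), two constructed programs (one leaking a bit of h into l, one not), and shows that no predicate on a single execution can separate them, that Non-Interference does (as a 2-bounded check over pairs of executions), that it is subset-closed, and that the negated, existential form of the same assertion yields a concrete leak witness in the incorrectness style the last abstract mentions. All names and the programs are assumptions of the example.

```python
"""Trace properties vs hyperproperties on a constructed two-variable toy.

Added illustration, not taken from any paper on this page. A state is a
dict {"h": secret bit, "l": public bit}; an execution is the pair
(initial state, final state) of running a program on an initial state.
"""
from itertools import combinations, product


def leaky(s):
    """Constructed program that copies the secret bit into the public one."""
    return {"h": s["h"], "l": (s["l"] + (s["h"] & 1)) % 2}


def secure(s):
    """Constructed program whose public output depends only on l."""
    return {"h": (s["h"] + s["l"]) % 2, "l": (s["l"] + 1) % 2}


def initial_states():
    """Every state of the 2-bit space: h, l in {0, 1}."""
    return [{"h": h, "l": l} for h in (0, 1) for l in (0, 1)]


def executions(prog, inits=None):
    """The set of executions of prog over the given initial states."""
    inits = initial_states() if inits is None else inits
    return [(s, prog(dict(s))) for s in inits]


# --- trace property: a predicate on ONE execution --------------------------

def public_output_is_bit(ex):
    return ex[1]["l"] in (0, 1)


def satisfies_trace_property(pred, execs):
    """A set satisfies a trace property iff every execution in it does."""
    return all(pred(ex) for ex in execs)


# --- hyperproperty: a predicate on a SET of executions ---------------------

def non_interference(execs):
    """2-safety: executions agreeing on the low input agree on the low
    output. It needs two executions at once, so it is not a trace property;
    being 2-bounded, checking all pairs is a complete decision procedure."""
    for (s1, t1), (s2, t2) in product(execs, repeat=2):
        if s1["l"] == s2["l"] and t1["l"] != t2["l"]:
            return False
    return True


def interfering_pairs(execs):
    """Existential counterpart (incorrectness style): the witness pairs that
    violate non_interference. Empty exactly when the hyperproperty holds."""
    return [((s1, t1), (s2, t2))
            for (s1, t1), (s2, t2) in combinations(execs, 2)
            if s1["l"] == s2["l"] and t1["l"] != t2["l"]]


def is_subset_closed_on(hyperprop, execs):
    """Exhaustively check that every subset of a set satisfying hyperprop
    also satisfies it (2**n subsets, fine for the 4 executions used here)."""
    if not hyperprop(execs):
        raise ValueError("the set itself does not satisfy the hyperproperty")
    return all(hyperprop(list(sub))
               for k in range(len(execs) + 1)
               for sub in combinations(execs, k))


if __name__ == "__main__":
    for name, prog in (("leaky", leaky), ("secure", secure)):
        ex = executions(prog)
        print(name,
              "trace-ok:", satisfies_trace_property(public_output_is_bit, ex),
              "each single execution NI:", all(non_interference([e]) for e in ex),
              "set NI:", non_interference(ex),
              "witnesses:", interfering_pairs(ex))
```

Running the script shows both programs passing the trace property and every singleton set passing Non-Interference; only the set of executions of leaky fails, with the two witness pairs listed. This is the reason a classic static analyzer built for trace properties cannot be reused unchanged: the violation is visible only when at least two executions are related, which is exactly what a hyper abstract domain or a set-of-states assertion makes available.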

    Collecting operational abstract interpreters

    The theory of abstract interpretation, introduced by Cousot and Cousot in 1977, is a general theory of the approximation of formal program semantics. It is a useful tool to prove the accuracy of static analysis and makes it possible to express mathematically the link between the output of a practical, approximate analysis and the original uncomputable program semantics. Given a programming language, abstract interpretation consists of giving several semantics linked by a relation of abstraction; a semantics is intended to be the mathematical characterization of a program's possible behavior. There are several approaches to semantics, each one focused on different properties of a given program. For instance, operational semantics focuses on how to execute a program, and in particular, structural operational semantics deals with how a single step of the computation takes place. On the other hand, the denotational approach is interested only in the effect of the program's computation, i.e., in finding a relationship between input and output data passing through mathematical structures. It is clear that, since these two approaches are different, the final results must be coherent with each other, and this leads one to speculate that they may be considered equivalent in a suitable sense. Thanks to its streamlined notions and proofs, the denotational approach to abstract interpretation has already been studied many times, and many properties have been developed and well formalized. Instead, the corresponding operational versions have rarely been rigorously formalized and proved, even if intuitively accepted as true. The main purpose of this work is to fill this gap: to study in detail the operational approach to abstract interpretation and to formalize in this particular setting some of the well-known denotational properties, providing mathematical proofs.