173,990 research outputs found
Hybrid Monitors for Concurrent Noninterference
Controlling confidential information in concurrent systems is difficult, due to covert channels resulting from interaction between threads. This problem is exacerbated if threads share resources at fine granularity. In this work, we propose a novel monitoring framework to enforce strong information security in concurrent programs. Our monitors are hybrid, combining dynamic and static program analysis to enforce security in a sound and rather precise fashion. In our framework, each thread is guarded by its own local monitor, and there is a single global monitor. We instantiate our monitoring framework to support rely-guarantee style reasoning about the use of shared resources, at the granularity of individual memory locations, and then specialize local monitors further to enforce flow-sensitive progress-sensitive information-flow control. Our local monitors exploit rely-guarantee-style reasoning about shared memory to achieve high precision. Soundness of rely-guarantee-style reasoning is guaranteed by all monitors cooperatively. The global monitor is invoked only when threads synchronize, and so does not needlessly restrict concurrency. We prove that our hybrid monitoring approach enforces a knowledge-based progress-sensitive non-interference security condition.Engineering and Applied Science
Recommended from our members
Global and Local Monitors to Enforce Noninterference in Concurrent Programs
Controlling confidential information in concurrent systems is difficult, due to covert channels resulting from interaction between threads. This problem is exacerbated if threads share resources at fine granularity. In this work, we propose a novel monitoring framework to enforce strong information security in concurrent programs. Our monitors are hybrid, combining dynamic and static program analysis to enforce security in a sound and rather precise fashion. In our framework, each thread is guarded by its own local monitor, and there is a single global monitor. We instantiate our monitoring framework to support rely-guarantee style reasoning about the use of shared resources, at the granularity of individual memory locations, and then specialize local monitors further to enforce flow-sensitive progress-sensitive information-flow control. Our local monitors exploit rely-guarantee-style reasoning about shared memory to achieve high precision. Soundness of rely-guarantee-style reasoning is guaranteed by all monitors cooperatively. The global monitor is invoked only when threads synchronize, and so does not needlessly restrict concurrency. We prove that our hybrid monitoring approach enforces a knowledge-based progress-sensitive noninterference security condition.Engineering and Applied Science
Rely-Guarantee Based Reasoning for Message-Passing Programs
The difficulties of verifying concurrent programs lie in their inherent non-determinism and interferences. Rely-Guarantee reasoning is one useful approach to solve this problem for its capability in formally specifying inter- thread interferences. However, modern verification requires better locality and modularity. It is still a great challenge to verify a message-passing program in a modular and composable way. In this paper, we propose a new reasoning system for message-passing programs. It is a novel logic that supports Hoare style triples to specify and verify distributed programs modularly. We concretize the concept of event traces to represent interactions among distributed agents, and specify behav- iors of agents by their local traces with regard to environmental assumptions — an idea inspired by Rely-Guarantee reasoning. Based on trace semantics, the verification is compositional in both temporal and spatial dimensions. To show validity, we apply our logic to modularly prove several examples
Rely-guarantee protocols for safe interference over shared memory
Mutable state can be useful in certain algorithms, to structure programs, or for
efficiency purposes. However, when shared mutable state is used in non-local or nonobvious
ways, the interactions that can occur via aliases to that shared memory can be
a source of program errors. Undisciplined uses of shared state may unsafely interfere
with local reasoning as other aliases may interleave their changes to the shared state
in unexpected ways. We propose a novel technique, rely-guarantee protocols, that
structures the interactions between aliases and ensures that only safe interference is
possible.
We present a linear type system outfitted with our novel sharing mechanism that
enables controlled interference over shared mutable resources. Each alias is assigned
separate, local roles encoded in a protocol abstraction that constrains how an alias can
legally use that shared state. By following the spirit of rely-guarantee reasoning, our
rely-guarantee protocols ensure that only safe interference can occur but still allow
many interesting uses of shared state, such as going beyond invariant and monotonic
usages.
This thesis describes the three core mechanisms that enable our type-based technique
to work: 1) we show how a protocol models an alias’s perspective on how the
shared state evolves and constrains that alias’s interactions with the shared state; 2) we
show how protocols can be used while enforcing the agreed interference contract; and
finally, 3) we show how to check that all local protocols to some shared state can be
safely composed to ensure globally safe interference over that shared memory. The
interference caused by shared state is rooted at how the uses of di↵erent aliases to that
state may be interleaved (perhaps even in non-deterministic ways) at run-time. Therefore,
our technique is mostly agnostic as to whether this interference was the result
of alias interleaving caused by sequential or concurrent semantics. We show implementations
of our technique in both settings, and highlight their di↵erences. Because
sharing is “first-class” (and not tied to a module), we show a polymorphic procedure
that enables abstract compositions of protocols. Thus, protocols can be specialized or
extended without requiring specific knowledge of the interference produce by other
protocols to that state. We show that protocol composition can ensure safety even
when considering abstracted protocols. We show that this core composition mechanism
is sound, decidable (without the need for manual intervention), and provide an
algorithm implementation
Steps in modular specifications for concurrent modules
© 2015 Published by Elsevier B.V.The specification of a concurrent program module is a difficult problem. The specifications must be strong enough to enable reasoning about the intended clients without reference to the underlying module implementation. We survey a range of verification techniques for specifying concurrent modules, in particular highlighting four key concepts: auxiliary state, interference abstraction, resource ownership and atomicity. We show how these concepts combine to provide powerful approaches to specifying concurrent modules
Trace models of concurrent valuation algebras
This paper introduces Concurrent Valuation Algebras (CVAs), extending ordered
valuation algebras (OVAs) by incorporating two combine operators representing
parallel and sequential products that adhere to a weak exchange law. CVAs
present significant theoretical and practical advantages for specifying and
modelling concurrent and distributed systems. As a presheaf on a space of
domains, a CVA facilitates localised specifications, promoting modularity,
compositionality, and the capability to represent large and complex systems.
Moreover, CVAs facilitate lattice-based refinement reasoning, and are
compatible with standard methodologies such as Hoare and Rely-Guarantee logics.
We demonstrate the flexibility of CVAs through three trace models that
represent distinct paradigms of concurrent/distributed computing, and
interrelate them via morphisms. We also discuss the potential for importing a
powerful local computation framework from valuation algebras for the model
checking of concurrent and distributed systems.Comment: 25 page
Algebraic Principles for Rely-Guarantee Style Concurrency Verification Tools
We provide simple equational principles for deriving rely-guarantee-style
inference rules and refinement laws based on idempotent semirings. We link the
algebraic layer with concrete models of programs based on languages and
execution traces. We have implemented the approach in Isabelle/HOL as a
lightweight concurrency verification tool that supports reasoning about the
control and data flow of concurrent programs with shared variables at different
levels of abstraction. This is illustrated on two simple verification examples
- …