Relational Symbolic Execution
Symbolic execution is a classical program analysis technique used to show
that programs satisfy or violate given specifications. In this work we
generalize symbolic execution to support program analysis for relational
specifications in the form of relational properties - these are properties
about two runs of two programs on related inputs, or about two executions of a
single program on related inputs. Relational properties are useful to formalize
notions in security and privacy, and to reason about program optimizations. We
design a relational symbolic execution engine, named RelSym, which supports
interactive refutation, as well as proving of relational properties for
programs written in a language with arrays and for-like loops.
Proving Differential Privacy with Shadow Execution
Recent work on formal verification of differential privacy shows a trend
toward usability and expressiveness -- generating a correctness proof of a
sophisticated algorithm while minimizing the annotation burden on programmers.
Sometimes, combining those two requires substantial changes to program logics:
one recent paper is able to verify Report Noisy Max automatically, but it
involves a complex verification system using customized program logics and
verifiers.
In this paper, we propose a new proof technique, called shadow execution, and
embed it into a language called ShadowDP. ShadowDP uses shadow execution to
generate proofs of differential privacy with very few programmer annotations
and without relying on customized logics and verifiers. In addition to
verifying Report Noisy Max, we show that it can verify a new variant of Sparse
Vector that reports the gap between some noisy query answers and the noisy
threshold. Moreover, ShadowDP reduces the complexity of verification: for all
of the algorithms we have evaluated, type checking and verification in total
takes at most 3 seconds, while prior work takes minutes on the same algorithms.
Comment: 23 pages, 12 figures, PLDI'1
Coupled Relational Symbolic Execution for Differential Privacy
Differential privacy is a de facto standard in data privacy with applications
in the private and public sectors. Most of the techniques that achieve
differential privacy are based on a judicious use of randomness. However,
reasoning about randomized programs is difficult and error prone. For this
reason, several techniques have been recently proposed to support designers in
proving programs differentially private or in finding violations of it. In this
work we propose a technique based on symbolic execution for reasoning about
differential privacy. Symbolic execution is a classic technique used for
testing, counterexample generation and to prove absence of bugs. Here we use
symbolic execution to support these tasks specifically for differential
privacy. To achieve this goal, we leverage two ideas that have been already
proven useful in formal reasoning about differential privacy: relational
reasoning and probabilistic coupling. Our technique integrates these two ideas
and shows how such a combination can be used both to verify differential
privacy and to find violations of it.