500 research outputs found
On Pitts' Relational Properties of Domains
Andrew Pitts' framework of relational properties of domains is a powerful
method for defining predicates or relations on domains, with applications
ranging from reasoning principles for program equivalence to proofs of adequacy
connecting denotational and operational semantics. Its main appeal is handling
recursive definitions that are not obviously well-founded: as long as the
corresponding domain is also defined recursively, and its recursion pattern
lines up appropriately with the definition of the relations, the framework can
guarantee their existence. Pitts' original development used the Knaster-Tarski
fixed-point theorem as a key ingredient. In these notes, I show how his
construction can be seen as an instance of other key fixed-point theorems: the
inverse limit construction, the Banach fixed-point theorem and the Kleene
fixed-point theorem. The connection underscores how Pitts' construction is
intimately tied to the methods for constructing the base recursive domains
themselves, and also to techniques based on guarded recursion, or
step-indexing, that have become popular in the last two decades.
A Methodology For Micro-Policies
This thesis proposes a formal methodology for defining, specifying, and
reasoning about micro-policies — security policies based on fine-grained tagging
that include forms of access control, memory safety, compartmentalization, and
information-flow control. Our methodology is based on a symbolic machine that
extends a conventional RISC-like architecture with tags. Tags express security
properties of parts of the program state (this is an instruction, this is
secret, etc.), and are checked and propagated on every instruction according to
flexible user-supplied rules. We apply this methodology to two widely studied
policies, information-flow control and heap memory safety, implementing them
with the symbolic machine and formally characterizing their security guarantees:
for information-flow control, we prove a classic notion of
termination-insensitive noninterference; for memory safety, a novel property
that protects memory regions that a program cannot validly reach through the
pointers it possesses — which, we believe, provides a useful criterion for
evaluating and comparing different flavors of memory safety. We show how the
symbolic machine can be realized with a more practical processor design, where a
software monitor takes advantage of a hardware cache to speed up its execution
while protecting itself from potentially malicious user-level code. Our
development has been formalized and verified in the Coq proof assistant,
attesting that our methodology can provide rigorous security guarantees.
Really Natural Linear Indexed Type Checking
Recent works have shown the power of linear indexed type systems for
enforcing complex program properties. These systems combine linear types with a
language of type-level indices, allowing more fine-grained analyses. Such
systems have been fruitfully applied in diverse domains, including implicit
complexity and differential privacy. A natural way to enhance the
expressiveness of this approach is by allowing the indices to depend on runtime
information, in the spirit of dependent types. This approach is used in DFuzz,
a language for differential privacy. The DFuzz type system relies on an index
language supporting real and natural number arithmetic over constants and
variables. Moreover, DFuzz uses a subtyping mechanism to make types more
flexible. By themselves, linearity, dependency, and subtyping each require
delicate handling when performing type checking or type inference; their
combination increases this challenge substantially, as the features can
interact in non-trivial ways. In this paper, we study the type-checking problem
for DFuzz. We show how we can reduce type checking for (a simple extension of)
DFuzz to constraint solving over a first-order theory of naturals and real
numbers which, although undecidable, can often be handled in practice by
standard numeric solvers.
Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation
Compartmentalization is good security-engineering practice. By breaking a
large software system into mutually distrustful components that run with
minimal privileges, restricting their interactions to conform to well-defined
interfaces, we can limit the damage caused by low-level attacks such as
control-flow hijacking. When used to defend against such attacks,
compartmentalization is often implemented cooperatively by a compiler and a
low-level compartmentalization mechanism. However, the formal guarantees
provided by such compartmentalizing compilation have seen surprisingly little
investigation.
We propose a new security property, secure compartmentalizing compilation
(SCC), that formally characterizes the guarantees provided by
compartmentalizing compilation and clarifies its attacker model. We reconstruct
our property by starting from the well-established notion of fully abstract
compilation, then identifying and lifting three important limitations that make
standard full abstraction unsuitable for compartmentalization. The connection
to full abstraction allows us to prove SCC by adapting established proof
techniques; we illustrate this with a compiler from a simple unsafe imperative
language with procedures to a compartmentalized abstract machine.
Sectoral innovation systems: the case of Conilon coffee in Espírito Santo
XX National Meeting on Political Economy: Latin American Development, Integration and International Insertion - UNILA, Foz do Iguaçu, 26 to 29 May 2015
Conilon coffee growing in Espírito Santo has shown significant growth in
productivity in recent years. Advances in genetic improvement and in process
improvements, combined with institutional changes, are identified as the factors
that enabled the development of this activity in the state. This work aims to
analyze the technological and institutional innovations of conilon production in
Espírito Santo using the theoretical framework of the Sectoral Innovation System,
for which knowledge, learning and interactions between agents are fundamental
elements in the development of innovations. The methodology consisted of
bibliographic and documentary research and, in particular, interviews with
representatives of some of the main institutions involved. By characterizing the
main actors that make up this system, analyzing the process by which technologies
for the sector are generated and diffused, and characterizing the institutional
arrangement that supports conilon production, the work shows how an agricultural
crop that did not exist on a commercial scale in Espírito Santo until the 1970s
became so important for the state and came to be regarded as a reference in
research and technology development.
Banco Nacional de Desenvolvimento Econômico e Social (BNDES); Usina Hidrelétrica de Itaipu (ITAIPU); Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES) and Universidade Federal da Integração Latino-Americana (UNILA
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators.