HSF(C): A Software Verifier Based on Horn Clauses

Abstract. HSF(C) is a tool that automates verification of safety and liveness properties for C programs. This paper describes the verification approach taken by HSF(C) and provides instructions on how to install and use the tool. 1 Verification Approach HSF(C) is a tool for verification of C programs based on predicate abstraction and refinement following the counterexample-guided abstraction refinement (CE-GAR) paradigm [4]. There are a number of successful tools [1, 7, 5, 10, 2] based on abstraction refinement. We give here a brief description of our verification algorithm; interested readers can find more details about the underlying theory behind our implementation in [10, 6]. The algorithm used in HSF(C) is a generalization of the CEGAR scheme that deals with Horn-like clauses instead of transition systems/programs with procedures. We use Horn clauses to represent both the program to be verified and the proof rule used for verification, i.e., safety checking for programs wit

ValueGuard: Protection of Native Applications against Data-Only Buffer Overflows

Code injection attacks that target the control-data of an application have been prevalent amongst exploit writers for over 20 years. Today however, these attacks are getting increasingly harder for attackers to successfully exploit due to numerous countermeasures that are deployed by modern operating systems. We believe that this fact will drive exploit writers away from classic control-data attacks and towards data-only attacks. In data-only attacks, the attacker changes key data structures that are used by the program’s logic and thus forces the control flow into existing parts of the program that would be otherwise unreachable, e.g. overflowing into a boolean variable that states whether the current user is an administrator or not and setting it to “true” thereby gaining access to the administrative functions of the program. In this paper we present ValueGuard, a canary-based defense mechanism to protect applications against data-only buffer overflow attacks. ValueGuard inserts canary values in front of all variables and verifies their integrity whenever these variables are used. In this way, if a buffer overflow has occurred that changed the contents of a variable, ValueGuard will detect it since the variable’s canary will have also been changed. The countermeasure itself can be used either as a testing tool for applications before their final deployment or it can be applied selectively to legacy or high-risk parts of programs that we want to protect at run-time, without incurring extra time-penalties to the rest of the applications.status: publishe

On the expressiveness of forwarding in higher-order communication

Abstract. In higher-order process calculi the values exchanged in communications may contain processes. There are only two capabilities for received processes: execution and forwarding. Here we propose a limited form of forwarding: output actions can only communicate the parallel composition of statically known closed processes and processes received through previously executed input actions. We study the expressiveness of a higher-order process calculus featuring this style of communication. Our main result shows that in this calculus termination is decidable while convergence is undecidable.

Efficient Generation of Correctness Certificates for the Abstract Domain of Polyhedra

Polyhedra form an established abstract domain for inferring runtime properties of programs using abstract interpretation. Computations on them need to be certified for the whole static analysis results to be trusted. In this work, we look at how far we can get down the road of a posteriori verification to lower the overhead of certification of the abstract domain of polyhedra. We demonstrate methods for making the cost of inclusion certificate generation negligible. From a performance point of view, our single-representation, constraints-based implementation compares with state-of-the-art implementations

Partial derivative automata formalized in Coq

In this paper we present a computer assisted proof of the correctness of a partial derivative automata construction from a regular expression within the Coq proof assistant. This proof is part of a for- malization of Kleene algebra and regular languages in Coq towards their usage in program certification.Fundação para a Ciência e Tecnologia (FCT) Program POSI, RESCUE (PTDC/EIA/65862/2006), SFRH/BD/33233/2007

An overview of the ciao multiparadigm language and program development environment and its design philosophy

We describe some of the novel aspects and motivations behind the design and implementation of the Ciao multiparadigm programming system. An important aspect of Ciao is that it provides the programmer with a large number of useful features from different programming paradigms and styles, and that the use of each of these features can be turned on and off at will for each program module. Thus, a given module may be using e.g. higher order functions and constraints, while another module may be using objects, predicates, and concurrency. Furthermore, the language is designed to be extensible in a simple and modular way. Another important aspect of Ciao is its programming environment, which provides a powerful preprocessor (with an associated assertion language) capable of statically finding non-trivial bugs, verifying that programs comply with specifications, and performing many types of program optimizations. Such optimizations produce code that is highly competitive with other dynamic languages or, when the highest levéis of optimization are used, even that of static languages, all while retaining the interactive development environment of a dynamic language. The environment also includes a powerful auto-documenter. The paper provides an informal overview of the language and program development environment. It aims at illustrating the design philosophy rather than at being exhaustive, which would be impossible in the format of a paper, pointing instead to the existing literature on the system

satin: A Component Model for Mobile Self Organisation

We have recently witnessed a growing interest in self organising systems, both in research and in practice. These systems re-organise in response to new or changing conditions in the environment. The need for self organisation is often found in mobile applications; these applications are typically hosted in resource-constrained environments and may have to dynamically reorganise in response to changes of user needs, to heterogeneity and connectivity challenges, as well as to changes in the execution context and physical environment. We argue that physically mobile applications benefit from the use of self organisation primitives. We show that a component model that incorporates code mobility primitives assists in building self organising mobile systems. We present satin, a lightweight component model, which represents a mobile system as a set of interoperable local components. The model supports reconfiguration, by offering code migration services. We discuss an implementation of the satin middleware, based on the component model and evaluate our work by adapting existing open source software as satin components and by building and testing a system that manages the dynamic update of components on mobile hosts

Run Time Models in Adaptive Service Infrastructure

Software in the near ubiquitous future will need to cope with vari- ability, as software systems get deployed on an increasingly large diversity of computing platforms and operates in different execution environments. Heterogeneity of the underlying communication and computing infrastruc- ture, mobility inducing changes to the execution environments and therefore changes to the availability of resources and continuously evolving requirements require software systems to be adaptable according to the context changes. Software systems should also be reliable and meet the user's requirements and needs. Moreover, due to its pervasiveness, software systems must be de- pendable. Supporting the validation of these self-adaptive systems to ensure dependability requires a complete rethinking of the software life cycle. The traditional division among static analysis and dynamic analysis is blurred by the need to validate dynamic systems adaptation. Models play a key role in the validation of dependable systems, dynamic adaptation calls for the use of such models at run time. In this paper we describe the approach we have un- dertaken in recent projects to address the challenge of assessing dependability for adaptive software systems