| 1. |
- Aktug, Irem, 1980-
(author)
-
Algorithmic Verification Techniques for Mobile Code
- 2008
-
Doctoral thesis (other academic/artistic)abstract
- Modern computing platforms strive to support mobile code without putting system security at stake. These platforms can be viewed as open systems, as the mobile code adds new components to the running system. Establishing that such platforms function correctly can be divided into two steps. First, it is shown that the system functions correctly regardless of the mobile components that join it, provided that they satisfy certain assumptions. These assumptions can, for instance, restrict the behavior of the component to ensure that the security policy of the platform is not violated. Second, the mobile component is checked to satisfy its assumptions, before it is allowed to join the system. This thesis presents algorithmic verification techniques to support this methodology. In the first two parts, we present techniques for the verification of open systems relative to the given component assumptions. In the third part, a technique for the quick certification of mobile code is presented for the case where a particular type of program rewriting is used as a means of enforcing the component assumptions.In the first part of this study, we present a framework for the verification of open systems based on explicit state space representation. We propose Extended Modal Transition Systems (EMTS) as a suitable structure for representing the state space of open systems when assumptions on components are written in the modal μ-calculus. EMTSs are based on the Modal Transition Systems (MTS) of Larsen and provide a formalism for graphical specification and facilitate a thorough understanding of the system by visualization. In interactive verification, this state space representation enables proof reuse and aids the user guiding the verification process. We present a construction of state space representations from process algebraic open system descriptions based on a maximal model construction for the modal μ-calculus. The construction is sound and complete for systems with a single unknown component and sound for those without dynamic process reation. We also suggest a tableau-based proof system for establishing temporal properties of open systems represented as EMTS. The proof system is sound in general and complete for prime formulae.The problem of open system correctness also arises in compositional verification, where the problem of showing a global property of a system is reduced to showing local properties of components. In the second part, we extend an existing compositional verification framework for Java bytecode programs. The framework employs control flow graphs with procedures to model component implementations and open systems for the purpose of checking control-flow properties. We generalize these models to capture exceptional and multi-threaded behavior. The resulting control flow graphs are specifically tailored to support the compositional verification principle; however, they are sufficiently intuitive and standard to be useful on their own. We describe how the models can be extracted from program code and give preliminary experimental results for our implementation of the extraction of control flow graphs with exceptions. We also discuss further tool support and practical applications of the method.In the third part of the thesis, we develop a technique for the certification of safe mobile code, by adapting the proof-carrying code scheme of Necula to the case of security policies expressed as security automata. In particular, we describe how proofs of policy compliance can be automatically generated for programs that include a monitor for the desired policy. A monitor is an entity that observes the execution of a program and terminates the program if a violation to the property is about to occur. One way to implement such a monitor is by rewriting the program to make it self-monitoring. Given a property, we characterize self-monitoring of Java bytecode programs for this property by an annotation scheme with annotations in the style of Floyd-Hoare logics. The annotations generated by this scheme can be extended in a straightforward way to form a correctness proof in the sense of axiomatic semantics of programs. The proof generated in this manner essentially establishes that the program satisfies the property because it contains a monitor for it. The annotations that comprise the proofs are simple and efficiently checkable, thus facilitate certification of mobile code on devices with restricted computing power such as mobile phones.
|
|
| 2. |
- Aktug, Irem, et al.
(author)
-
Provably Correct Runtime Monitoring
- 2009
-
In: Journal of Logic and Algebraic Programming. - : Elsevier BV. - 1567-8326 .- 1873-5940. ; 78:5, s. 304-339
-
Journal article (peer-reviewed)abstract
- Runtime monitoring is an established technique to enforce a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has a copy of the given monitor embedded into it. As the main application of these results we sketch a simple inlining algorithm and show how the two-level annotations can be completed to produce a fully annotated program which is valid in the standard sense of Floyd/Hoare logic. This establishes the mediation property that inlined programs are guaranteed to adhere to the intended policy. Furthermore, validity can be checked efficiently using a weakest precondition based annotation checker, thus preparing the ground for on-device checking of policy adherence in a proof-carrying code setting.
|
|
| 3. |
- Aktug, Irem, et al.
(author)
-
Provably correct runtime monitoring (extended abstract)
- 2008
-
In: Fm 2008: Formal Methods, Proceedings. - Berlin, Heidelberg : Springer Berlin Heidelberg. - 9783540682356 ; , s. 262-277
-
Conference paper (peer-reviewed)abstract
- Runtime monitoring is an established technique for enforcing a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has an instance of the given monitor embedded into it, which yields state changes at prescribed points according to the monitor's transition function. As our main application of these results we describe a concrete inliner, and use the annotation scheme to characterize its correctness. For this inliner, correctness of the level II annotations can be decided efficiently by a weakest precondition annotation checker, thus allowing on-device checking of inlining correctness in a proof-carrying code setting.
|
|
| 4. |
- Aktug, Irem
(author)
-
State space representation for verification of open systems
- 2006
-
Licentiate thesis (other academic/artistic)abstract
- When designing an open system, there might be no implementation available for cer- tain components at verification time. For such systems, verification has to be based on assumptions on the underspecified components. In this thesis, we present a framework for the verification of open systems through explicit state space representation. We propose Extended Modal Transition Systems (EMTS) as a suitable structure for representing the state space of open systems when assumptions on components are writ- ten in the modal μ-calculus. EMTSs are based on the Modal Transition Systems (MTS) of Larsen. This representation supports state space exploration based verification tech- niques, and provides an alternative formalism for graphical specification. In interactive verification, it enables proof reuse and facilitates visualization for the user guiding the verification process. We present a two-phase construction from process algebraic open system descriptions to such state space representations. The first phase deals with component assumptions, and is essentially a maximal model construction for the modal μ-calculus that makes use of a powerset construction for the fixed point cases. In the second phase, the models obtained are combined according to the structure of the open system to form the complete state space. The construction is sound and complete for systems with a single unknown component and sound for those without dynamic process creation. We suggest a tableau-based proof system for establishing open system properties of the state space representation. The proof system is sound and it is complete for modal μ-calculus formulae with only prime subformulae. A complete framework based on the state space representation is offered for the auto- matic verification of open systems. The process begins with specifying the open system by a process algebraic term with assumptions. Then, the state space representation is ex- tracted from this description using the construction described above. Finally, open system properties can be checked on this representation using the proof system.
|
|
| 5. |
- Alshnakat, Anoud, et al.
(author)
-
HOL4P4 : Semantics for a Verified Data Plane
- 2022
-
In: EuroP4 2022. - New York, NY, USA : Association for Computing Machinery (ACM). ; , s. 39-45
-
Conference paper (peer-reviewed)abstract
- We introduce a formal semantics of P4 for the HOL4 interactive theorem prover. We exploit properties of the language, like the absence of call by reference and the copy-in/copy-out mechanism, to define a heapless small-step semantics that is abstract enough to simplify verification, but that covers the main aspects of the language: interaction with the architecture via externs, table match, and parsers. Our formalization is written in the Ott metalanguage, which allows us to export definitions to multiple interactive theorem provers. The exported HOL4 semantics allows us to establish machine-checkable proofs regarding the semantics, properties of P4 programs, and soundness of analysis tools.
|
|
| 6. |
- Alshnakat, Anoud, et al.
(author)
-
HOL4P4: Mechanized Small-Step Semantics for P4
- 2024
-
In: Proceedings of the ACM on Programming Languages. - : Association for Computing Machinery (ACM). - 2475-1421. ; 8:OOPSLA1
-
Journal article (peer-reviewed)abstract
- We present the first semantics of the network data plane programming language P4 able to adequately capture all key features of P416, the most recent version of P4, including external functions (externs) and concurrency. These features are intimately related since, in P4, extern invocations are the only points at which one execution thread can affect another. Reflecting P4's lack of a general-purpose memory and the presence of multithreading the semantics is given in small-step style and eschews the use of a heap. In addition to the P4 language itself, we provide an architectural level semantics, which allows the composition of P4-programmed blocks, models end-to-end packet processing, and can take into account features such as arbitration and packet recirculation. A corresponding type system is provided with attendant progress, preservation, and type-soundness theorems. Semantics, type system, and meta-theory are formalized in the HOL4 theorem prover. From this formalization, we derive a HOL4 executable semantics that supports verified execution of programs with partially symbolic packets able to validate simple end-to-end program properties.
|
|
| 7. |
- Amadio, Roberto, et al.
(author)
-
A Proof System for the pi-calculus
- 1996. - 9
-
Reports (other academic/artistic)abstract
- We study the problem of specifying and verifying properties of pi-calculus processes while relying on a bisimulation semantics. As our property specification language we use a version of the modal mu-calculus adapted to the pi-calculus. We show that the logical language is sufficiently expressive to characterize by means of a finite formula a process up to any approximation of the bisimulation relation. We consider the problem of checking that a process of the pi-calculus satisfies a specification expressed in this modal mu-calculus. We develop an algorithm which is sound in general, and complete for processes having a finite reachability property. Finally, we present a proof system which can be applied to prove non-recursive properties of arbitrary processes. We show that the system is complete on the non-recursive fragment of the logical language.
|
|
| 8. |
- Amadio, Roberto, et al.
(author)
-
Reasoning about Higher-Order Processes
- 1994. - 1
-
Reports (other academic/artistic)abstract
- We address the specification and verification problem for process calculi such as Chocs, CML and Facile where processes or functions are transmissible values. Our work takes place in the context of a static treatment of restriction and of a bisimulation-based semantics. As a paradigmatic and simple case we concentrate on (Plain) Chocs. We show that Chocs bisimulation can be characterized by an extension of Hennessy-Milner logic including a constructive implication, or function space constructor. This result is a non-trivial extension of the classical characterization result for labelled transition systems. In the second part of the paper we address the problem of developing a proof system for the verification of process specifications. Building on previous work for CCS we present an infinitary sound and complete proof system for the fragment of the calculus not handling restriction.
|
|
| 9. |
|
|
| 10. |
|
|
