Certificate Translation for Specification Preserving Advices Gilles - - PowerPoint PPT Presentation

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

Certificate Translation for Specification Preserving Advices

FOAL 2008 Gilles Barthe and César Kunz INRIA Sophia Antipolis - Méditerranée

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

3

Local reasoning on:

• Baseline Code (to understand main functionality)

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

4

Local reasoning on:

• Baseline Code (to understand main functionality)
• Advice Code

(to understand the implemented aspect Incremental concerns:

• Contract enforcement
• Logging / Profiling
• Evolving Security Requirements

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

5

Local reasoning on:

• Baseline Code (to understand main functionality)
• Advice Code

(to understand the implemented aspect Global analysis of pointcuts to understand interaction of aspects Incremental concerns:

• Contract enforcement
• Logging / Profiling
• Evolving Security Requirements

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

6

Dantas & Walker [POPL06]:

• characterize Harmless Advices that

allow local reasoning

• information flow analysis to check

advice non-interference.

Producer vs Consumer Perspective

Obliviousness -> Local Reasoning? Syntactic Obliviousness vs. Semantic Obliviousness Syntactic Obliviousness is not enough baseline code Satisfies contract P Advice code baseline code Satisfies contract P

• functional properties (logic formulae)
• Absence of null pointer access
• Type Safety, etc.

PCC setting: contract enforcement Contract preserv. vs semantic preserv weaker requirement

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

7

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

8

Strong specification Harmless

• Spec. preserving

NO NO

Specification Preserving Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

9

Harmless

• Spec. preserving

NO YES

Specification Preserving Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

10

Harmless

• Spec. preserving

YES NO

Specification Preserving Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

11

A specification preserving advice may modify variables in the specification.

• Output value may differ
• is not invalidated.
• is ensured.

Harmless

• Spec. preserving

NO YES

Specification Preserving Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

12

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

13

Proving spec-preservation

f f Verification of spec. preservation: wp-based Vcgen over modified advice code. Baseline Code Verification: wp-based Vcgen

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

14

f f

Proving spec-preservation

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

15

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

16

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

17

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

18

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

19

Does not modify V and res=x Does not modify V

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

20

Does not modify V and res=x Does not modify V

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

21

Does not modify V and res=x Does not modify V Does not modify V and res=x Does not modify V

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

22

Does not modify V and res=x Does not modify V Does not modify V and res=x Does not modify V

Specification Harmless Advices

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

23

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

24

f f

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

25

f f g g

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

26

Drawback Multiple advised procedures = multiple verification invariants. f f g g Or you want to verify the advice locally without considering for the moment in which contexts it will be executed!

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

27

Drawback (specification of proceed improves modularity) Multiple advised procedures = multiple verification invariants. f f g g Or you want to verify the advice locally without considering for the moment in which contexts it will be executed!

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

28

Some advices are be spec-preserving when combined but not when analyzed in isolation ... ... ... Interference is not always a bad thing.

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

29

Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

30

Baseline proc. Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

31

Baseline proc. Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

32

Baseline proc. Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

33

Baseline proc.

. . .

... Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

34

Baseline proc.

. . .

... Baseline proc.

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

35

Specification Refinement instead of Specification Preservation Baseline proc.

. . .

...

IMPROVING THE VERIFICATION POWER

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

36

MOTIVATION SPECIFICATION PRESERVING ADVICES PROVING SPECIFICATION PRESERVING ADVICES REDUCING PROOF OBLIGATIONS IMPROVING THE VERIFICATION POWER CERTIFICATE TRANSLATION

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

37

Certificate Translation

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

38

. . . . . . Execution OK Code Certificate Code Certificate Code Certificate Baseline Code Producer Advice Code Producer Advice Code Producer Producer Side Consumer Side Consider the situation:

• Client verification and execution environment not AOP-oriented
• Code generated by multiple producers is weaved before execution

Proof Checker Weaved Code Code Weaving

Certificate Translation

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

39

. . . Code Certificate Code Certificate Code Certificate . . . Weaved Code Execution Proof Checker OK Baseline Code Producer Advice Code Producer Advice Code Producer Producer Side Consumer Side Code Weaving

Certificate Translation

Certificate Consider the situation:

• Client verification and execution environment not AOP-oriented
• Code generated by multiple producers is weaved before execution

Certificate Translation

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

40

Baseline Source Code

Compiler

Low level Code

Certificate Translation

High level/structured Low level/stack based

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

41

Baseline Source Code

Certificate Translation

Certificate

Compiler

Low level Code Certificate

Certificate Translation

High level/structured Low level/stack based

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

42

Baseline Source Code Advice Source Code Final Weaved Code

Certificate Translation

Certificate

Compiler

Low level Code Certificate

Compiler + Weaving

Certificate Translation

High level/structured Low level/stack based

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

43

Baseline Source Code Advice Source Code Final Weaved Code

Certificate Translation

Certificate

Compiler

Low level Code Certificate

• Cert. Trans.

for adv. weaving Compiler + Weaving

Certificate

• preserv.

Certificate

Certificate Translation

High level/structured Low level/stack based

César Kunz (with Gilles Barthe) Certificate Translation for Specification Preserving Advices FOAL 2008

44

Conclusions

• A more flexible notion of non-interfering advices
• Stronger non-interference analyses reduce proof obligations
• Certificate translation targetting a typical backend