resource guarantees and pcc
play

Resource Guarantees and PCC 50 ways* to say it with a proof Ian - PowerPoint PPT Presentation

Nov 14, 2023 •96 likes •469 views

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations of Computer Science School of Informatics The University of Edinburgh Proof Carrying Code workshop Friday 11 August 2006

  1. Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations of Computer Science School of Informatics The University of Edinburgh Proof Carrying Code workshop Friday 11 August 2006 http://www.inf.ed.ac.uk/~stark *Note: Contents may vary

  2. Typed Java We know that: ● Well-typed programs don’t go wrong ● All Java programs are strictly typed So we deduce that: ● No Java program will go wrong Even better, Java is typed both at source and bytecode level, so we can conclude this twice over. Sadly, life is not so simple. Typing in Java and Java bytecode is a good thing, but not the end of the story; and PCC is one means to add to its effectiveness. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 1/35

  3. Talk Overview Mobile Resource Guarantees ● PCC for guaranteed bounds on time and heap space ● Certified code runs on standard Java virtual machine ● Certifying compiler infers resource types for a high-level ML- like source language ● Guarantees are proofs in resource-aware bytecode logic Varieties of Proof-Carrying Code ● Configurations for code producers and consumers ● Resource policy language ● Validation of compiler optimisations ● Probabilistically checkable proofs ● e-Science and the Grid Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 2/35

  4. Mobile Resource Guarantees (MRG) MRG: 3-year research collaboration between Edinburgh and Munich, funded by the European Commission as a “Future and Emerging Technology” in global computing. The aim was to implement a proof-carrying code framework for Java bytecode providing guarantees of resource usage. Java bytecode: Standardised and portable virtual machine. Resource guarantees: Practically useful and more tractable than verifying full correctness. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 3/35

  5. MRG Framework Network Code producer Code consumer Source Resource Resource program types policy Certifying Proof compiler checker Guarantee Guarantee certificate certificate Java Java JVM classfile classfile OK? Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 4/35

  6. Camelot [Mackenzie/Wolverson ‘04] type intlist = !Nil | Cons of int * intlist type intlist = !Nil | Cons of int * intlist let rev l acc = match l with let rev l acc = match l with Nil => acc Nil => acc | Cons(h,t)@d => rev t (Cons(h,acc)@d) | Cons(h,t)@d => rev t (Cons(h,acc)@d) let reverse l = rev l Nil let reverse l = rev l Nil ML-like source language with: ● Explicit heap cell manipulation Cons(h,t)@d ● Freelist annotations (x,xs)@_ ● Hooks to Java objects and libraries obj#meth x y Compiles to Java bytecode, executes on standard JVM. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 5/35

  7. Space Types [Hofmann/Jost POPL ‘03] let insert e l = let insert e l = match l with [] -> e::[] match l with [] -> e::[] | (h::t)@_ -> if h >= e then e::(h::t) | (h::t)@_ -> if h >= e then e::(h::t) else h::(insert e t) else h::(insert e t) let sort l = let sort l = match l with [] -> [] | h::t -> insert h (sort t) match l with [] -> [] | h::t -> insert h (sort t) Type system to describe heap cell usage: insert: 1, list(0) -> list(0), 0 insert: 1, list(0) -> list(0), 0 sort : 0, list(1) -> list(0), 0 sort : 0, list(1) -> list(0), 0 ● Input and output heap sizes related to argument and result data sizes respectively: gives composability. ● Includes user-defined datatypes. ● Types inferred via a separate linear constraint solver. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 6/35

  8. Grail [Beringer/Mackenzie/S. ‘03] fun loop(int n, int a) = fun loop(int n, int a) = let val a = mul a n // Multiply into let val a = mul a n // Multiply into val n = sub n 1 // accumulator, val n = sub n 1 // accumulator, in // decrement and in // decrement and test(n,a) // test again. test(n,a) // test again. end end Highly structured form of Java bytecode. ● Functional view, target for Camelot compiler. ● Imperative view as static single assigment. ● Views are equivalent, including resource usage. ● Binary format is executable .class files, with tools to interconvert with functional presentation. Tight constraints on control flow and stack use greatly simplify reasoning about bytecode. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 7/35

  9. [Aspinall/Beringer/Hofmann Bytecode Logic /Loidl/Momigliano ’04] G ⊳ e : P Assertions: P : Env ✕ Heap ✕ Heap ✕ Value ✕ Resource ➙ Bool Predicates: ⊨ e : P iff ∀ E , h , h' , v , e . E ⊢ h , e ⇓ h' , v , r ⇒ P ( E , h , h' , v , r ) Validity: Logic of assertions about Grail code fragments ● Syntax-directed derivation rules for G ⊳ e : P ● Sound and complete for Grail operational semantics ● Isabelle implementation (shallow embedding) ● Resource aware: heap size, stack depth, instructions,… ● Applies to complete recursive object-oriented programs ● Partial correctness — separate logic for termination Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 8/35

  10. [Aspinall/Beringer/ Resource Algebras Momigliano ’06] Grail operational semantics and bytecode logic refer to an element r ∈ Resource from an arbitrary resource algebra: E ⊢ h , e ⇓ h' , v , r G ⊳ e : P : … ✕ Resource ➙ Bool E ⊢ h , e ⇓ h' , v , r G ⊳ e : P : … ✕ Resource ➙ Bool Resource algebra = Partially ordered monoid ( R , 0, +, ≤ ) with constants R int , R getf , R if , … for all Grail operations Current implementation measures heap space, instructions, jumps, method invocations and maximum call depth. Other possibilities: stack size, specific method invocation, safety flags, system calls, even a complete instruction trace. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 9/35

  11. [Momigliano/Shkaravska/ Automated Certification Beringer/Hofmann ’04] Encode Camelot resource typing n , Γ ⊢ e : A , m as a bytecode logic expression (U is a set of variables G ⊳ e : 〚 U , n , Γ ▶ A , m 〛 for checking linearity) Form〚 U , n , Γ ▶ A , m 〛 expands to a predicate describing a freelist on the heap of the necessary size. These predicates form a derived logic: all typing rules give valid deductions in the derived logic. So resource typings compile to resource logic proofs – in fact, to tactics that execute these proofs in Isabelle. It is these tactics that are parcelled up with bytecode. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 10/35

  12. MRG Framework Network Code producer Code consumer Camelot Space Resource source types policy Certifying Proof compiler checker Bytecode Bytecode logic proof logic proof Java Java JVM classfile classfile OK? Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 11/35

  13. Demonstration Departmental phonebook application Buzzword profile: ● J2ME – Java 2 Micro Edition ● CLDC – Connected Limited Device Configuration ● MIDP – Mobile Interactive Device Profile i.e. it runs on a cellphone, smartphone or PDA Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 12/35

  14. PCC configurations The simplest arrangement for proof-carrying code is this: Code Code producer consumer Code + proof Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 13/35

  15. PCC configurations In the MRG demonstration, there was a third party controlling the interaction: Code Code producer consumer Code + proof User Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 14/35

  16. PCC configurations Once code has been independently checked, it might be signed and sent on to the user: Code Code producer checker Code + proof Signed code User Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 15/35

  17. PCC configurations Mobius – Mobility, Ubiquity and Security: EC project on PCC for Java on small devices, such as mobile phone midlets . Application Network provider operator Code Signed code Mobile devices, cellphones, … Resource use (memory, cpu, network) is a significant issue. Network operators currently test and sign code variations for each different kind of handset. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 16/35

  18. PCC configurations Application providers and network operators already have a trust relationship, which PCC can strengthen: Application Network provider operator Code + proof Signed code Mobile devices, cellphones, … Private source code: PCC supports validation without source release, which is essential in practice. Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 17/35

  19. PCC configurations The chain may be longer, with developers who in turn use libraries, and all parties seeking guarantees of safety: Application Network provider operator Code Code + proof Signed code Application developer Mobile devices, cellphones, … Certified libraries Resource Guarantees Ian Stark (LFCS Edinburgh) PCC workshop 2006-08-11 18/35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mobile Resource Guarantees Ian Stark Laboratory for Foundations of Computer Science School of

Mobile Resource Guarantees Ian Stark Laboratory for Foundations of Computer Science School of

Mobile Resource Guarantees Ian Stark Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh David Aspinall, Stephen Gilmore, Don Sannella, *Kenneth MacKenzie, *Lennart Beringer, Michal Kone n LMU

146 views • 14 slides
Resource Allocation for stor - serv : Netw ork Storage Service w ith QoS Guarantees John Chuang

Resource Allocation for stor - serv : Netw ork Storage Service w ith QoS Guarantees John Chuang

Resource Allocation for stor - serv : Netw ork Storage Service w ith QoS Guarantees John Chuang chuang@ sims.berkeley.edu NetStore99 October 14 1999 Outline Introduction: what is stor - serv ? Resource allocation: model &

480 views • 27 slides
Resource-bounded functional programming on the JVM and .NET Stephen Gilmore Mobile Resource

Resource-bounded functional programming on the JVM and .NET Stephen Gilmore Mobile Resource

I V N E U R S E I H T Y T O H F G R E U D B I N Resource-bounded functional programming on the JVM and .NET Stephen Gilmore Mobile Resource Guarantees Project Laboratory for Foundations of Computer Science The University

425 views • 17 slides
Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation

Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation

RSVP 1 Resource Control and Reservation October 30, 2001 RSVP 2 Resource Control and Reservation policing: hold sources to committed resources scheduling: isolate flows, guarantees resource reservation: establish flows October 30,

389 views • 35 slides
Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks

Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks

Improving QOS in IP Networks Principles for QOS Guarantees Improving QOS in IP Networks Principles for QOS Guarantees Thus far: making the best of best effort Example: 1MbpsI P phone, FTP share 1.5 Mbps link. Future: next generation

426 views • 6 slides
Implicit Guarantees and Risk Taking: Implicit Guarantees and Risk Taking: Implicit Guarantees and

Implicit Guarantees and Risk Taking: Implicit Guarantees and Risk Taking: Implicit Guarantees and

Implicit Guarantees and Risk Taking: Implicit Guarantees and Risk Taking: Implicit Guarantees and Risk Taking: Implicit Guarantees and Risk Taking: Evidence from Money Market Funds Evidence from Money Market Funds Money and Payments Workshop

742 views • 45 slides
Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a

Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a

Moreno Baricevic Stefano Cozzini CNR-IOM DEMOCRITOS Trieste, ITALY Resource Resource Management Management RESOURCE MANAGEMENT RESOURCE MANAGEMENT We have a pool of users and a pool of resources, then what? some software that controls

538 views • 22 slides
Incremental Consistency Guarantees For Replicated Objects Rachid Guerraoui, Matej Pavlovic,

Incremental Consistency Guarantees For Replicated Objects Rachid Guerraoui, Matej Pavlovic,

Incremental Consistency Guarantees For Replicated Objects Rachid Guerraoui, Matej Pavlovic, Dragos-Adrian Seredinschi SOCIAL MEDIA APPLICATION replicate Incremental Consistency Guarantees Incremental Consistency Guarantees 2 Dragos-Adrian

749 views • 50 slides
IRMA Initiative for Risk Mitigation in Africa PARTIAL RISK GUARANTEES AND INSURANCE PRODUCTS

IRMA Initiative for Risk Mitigation in Africa PARTIAL RISK GUARANTEES AND INSURANCE PRODUCTS

IRMA Initiative for Risk Mitigation in Africa PARTIAL RISK GUARANTEES AND INSURANCE PRODUCTS PANEL 24 April 2102 PARTIAL RISK GUARANTEES AND INSURANCE PRODUCTS PANEL Product initiatives Stewart Kinloch Partial Risk Guarantees

481 views • 9 slides
Consistency in key- value stores Monika Moser Consistency guarantees explain a system's

Consistency in key- value stores Monika Moser Consistency guarantees explain a system's

Consistency in key- value stores Monika Moser Consistency guarantees explain a system's behavior Where is my data I just updated? The consistency guarantees of a system influence the behavior perceived by a client. An ideal world The result

591 views • 31 slides
Reserving for Investment Guarantees The Stochastic Modelling Approach Wai-Sum Chan, Ph.D.,

Reserving for Investment Guarantees The Stochastic Modelling Approach Wai-Sum Chan, Ph.D.,

Reserving for Investment Guarantees The Stochastic Modelling Approach Wai-Sum Chan, Ph.D., F.S.A., C.Stat. ASHK 6th Appointed Actuaries Symposium November 15, 2006 Reserving for Investment Guarantees p. 1/47 What is Stochastic Modelling?

1.25k views • 98 slides
Recovery Guarantees for One-hidden-layer Neural Networks Kai Zhong Joint work with Zhao Song

Recovery Guarantees for One-hidden-layer Neural Networks Kai Zhong Joint work with Zhao Song

Recovery Guarantees for One-hidden-layer Neural Networks Kai Zhong Joint work with Zhao Song , Prateek Jain , Peter L. Bartlett , Inderjit S. Dhillon UT-Austin, MSR India, UC Berkeley Kai Zhong Recovery Guarantees

355 views • 32 slides
GUARANTEES IN DEBT COLLECTION Presented by : Chloe Jolliffe 12 February 2019 Agenda Who takes

GUARANTEES IN DEBT COLLECTION Presented by : Chloe Jolliffe 12 February 2019 Agenda Who takes

GUARANTEES IN DEBT COLLECTION Presented by : Chloe Jolliffe 12 February 2019 Agenda Who takes guarantees? Why have a guarantee? What do we need to include in a guarantee to make it enforceable? What are the applicable terms?

241 views • 20 slides
Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and

Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and

Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and Edmund Yeh A Caching Network Nodes in the network store content items (e.g., files, file chunks) 1 Adaptive Caching Networks w. Optimality Guarantees

734 views • 57 slides
Equity Based Insurance Guarantees Inforce Management Stephen Gruber SOA Antitrust Compliance

Equity Based Insurance Guarantees Inforce Management Stephen Gruber SOA Antitrust Compliance

Equity-Based Insurance Guarantees Conference Nov. 5-6, 2018 Chicago, IL Equity Based Insurance Guarantees Inforce Management Stephen Gruber SOA Antitrust Compliance Guidelines SOA Presentation Disclaimer Sponsored by EQUITY BASED INSURANCE

509 views • 28 slides
The Defensora del Pueblo wants to strengthen consumers guarantees before their electricity is

The Defensora del Pueblo wants to strengthen consumers guarantees before their electricity is

Presentation of the Annual Report 2013 The Defensora del Pueblo wants to strengthen consumers guarantees before their electricity is cut off for non-payment or fraud The Ombudsman Office has recommended the Government that consumers

308 views • 4 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Numerics and Theory for Stochastic Evolution Equations University of Bielefeld, 2224 November 2006 Barbara Gentz, University of Bielefeld http://www.math.uni-bielefeld.de/ gentz Desynchronisation of coupled bistable oscillators perturbed

698 views • 49 slides
Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e

Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e

Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e identification TOF dE/dx hadron identification RICH 10 3 10 4 10 0 10 -1 10 1 10 2 p [GeV/c] TOF & dE/dx cover the lowest momentum

557 views • 40 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and Abdessamad Imine CASSIS Team CASSIS Team INRIA-LORIA Grand-Est, Nancy, France INRIA-LORIA Grand-Est, Nancy, France 5TH INTERNATIONAL SYMPOSIUM ON

905 views • 30 slides
Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research leonardo@microsoft.com nbjorner@microsoft.com Abstract This tutorial introduces the use of the state-of-the-art Satisfiability Modulo Theories Solver

1k views • 61 slides
Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis

Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis

Terms Intruder Decidability Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis project, Universit e de Lorraine 1/13 Terms Intruder Decidability Messages Messages are abstracted by terms. Agents

295 views • 27 slides

More recommend