the need for a formal model of java
play

The need for a formal model of Java Safety guarantees of Java - PowerPoint PPT Presentation

Sep 02, 2023 •140 likes •595 views

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

  1. Making the Java Memory Model Safe ∗ Andreas Lochbihler Institute for Information Security ETH Zurich ∗ supported by DFG Sn11/10-1,2

  2. The need for a formal model of Java Safety guarantees of Java ◮ definedness ◮ type safety ◮ security architecture (sandbox) Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  3. The need for a formal model of Java Safety guarantees of Java ◮ definedness ◮ type safety ◮ security architecture (sandbox) rely on KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  4. The need for a formal model of Java Concurrency in Java Safety guarantees of Java ◮ threads ◮ definedness ◮ synchronisation primitives ◮ type safety ◮ memory model ◮ security architecture (sandbox) rely on KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  5. The need for a formal model of Java Concurrency in Java Safety guarantees of Java ◮ threads ◮ definedness ◮ synchronisation primitives ◮ type safety ◮ memory model ◮ security architecture (sandbox) rely on Implications? KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  6. Why do we need a memory model? initially: x = y = 0; y = 2; x = 1; j = y; i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  7. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 y = 2; i == 0 x = 1; j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  8. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 y = 2; i == 0 x = 1; √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  9. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 x = 1; √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  10. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  11. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 X x = 1; √ √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  12. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 X x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  13. Why do we need a memory model? Java memory model initially: x = y = 0; j == 0 j == 2 √ √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  14. Why do we need a memory model? Java memory model data races initially: x = y = 0; j == 0 j == 2 √ √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  15. Semantics in layers Java memory model set of well-formed candidate executions operational semantics shared memory Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  16. Semantics in layers Java memory model set of well-formed candidate executions operational semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  17. Semantics in layers Java memory model set of well-formed candidate executions operational t : α semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  18. Semantics in layers Java memory model set of well-formed candidate executions thread communication operational t : α semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  19. Semantics in layers Java memory model set of well-formed candidate executions transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  20. Semantics in layers Java memory model � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  21. Semantics in layers legality constraints Java memory model pair read and write ops � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , legal candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  22. Semantics in layers need set of legality constraints Java memory model candidate executions pair read and write ops cf. [Batty et al.’15] � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , legal candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  23. Type safety for method calls Dynamic method lookup finds a unique method. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  24. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  25. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  26. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); object accessed before allocated Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  27. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); object accessed before allocated Separate type information of addresses from their allocation! Index addresses by dynamic type! Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  28. Type safety for fields Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  29. Type safety for fields progress Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  30. Type safety for fields progress Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  31. Type safety for fields progress subject reduction Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA JavaPathFinder project and E. Clarkes course material Java PathFinder JPF is an explicit state software model checker for Java bytecode JPF is a Java

888 views • 35 slides
e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

. e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java Environment . . . 3 . . Java Execution . Possible reordering due to Compiler, JVM, or CPU! Plus visibility problems due to CPU caches! .

473 views • 21 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph Kiniry Department of Computer Science University College Dublin Asynchronous VLSI What is AVLSI? delay insensitive circuits power invariant

255 views • 13 slides
The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI Techmedia The Java Memory Model p. 1/30 Overview Part I : Motivation for weak memory models: Compromise between standard optimisations and

813 views • 46 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder?

Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder?

Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder? Java Path Finder is an open-source analysis system that automatically verifies/model check Java programs. Initially developed by NASA. The Java

615 views • 16 slides
Formal Definition of Computation Formal Definition of Computation p.1/28 Computation

Formal Definition of Computation Formal Definition of Computation p.1/28 Computation

Formal Definition of Computation Formal Definition of Computation p.1/28 Computation model The model of computation considered so far is the work performed by a finite automaton Formal Definition of Computation p.2/28

1.27k views • 69 slides
SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

Samiya Hamadouche, Guillaume Bouffard , Jean-Louis Lanet, Bruno Dorsemaine , Bastien Nouhant, Alexandre Magloire, Arnaud Reygnaud guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr SAR-SSI 2012 1 Introduction Java Card security model

227 views • 19 slides
Lecture A Motivation The model, informally The formal model Other thoughts February

Lecture A Motivation The model, informally The formal model Other thoughts February

Lecture A Motivation The model, informally The formal model Other thoughts February 6, 2009 ECS 235B Winter Quarter 2009 Slide #A-1 Matt Bishop, UC Davis Overview What is recordation? Why do it electronically? Models

946 views • 47 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Assessment: and the Social Acceptance of Onshore Windfarms in England IAIA15: contention,

Assessment: and the Social Acceptance of Onshore Windfarms in England IAIA15: contention,

Assessment: and the Social Acceptance of Onshore Windfarms in England IAIA15: contention, social movements and the politics of impact assessment Tara Muthoora: PhD Student, University of Liverpool, UK What if the community is the developer

545 views • 17 slides
The Supreme Courts Countermajoritarianism? What Impact Does Public Opinion Have on the Supreme

The Supreme Courts Countermajoritarianism? What Impact Does Public Opinion Have on the Supreme

The Supreme Courts Countermajoritarianism? What Impact Does Public Opinion Have on the Supreme Court Decisions? Evan Tompkins Bemidji State University What is a Countermajoritarian Institution? A Countermajoritarian Institution is an

480 views • 14 slides
Insurance Fraud in a Digital Age Legal Perspective Kieran Cowhey - 23 November 2018 The

Insurance Fraud in a Digital Age Legal Perspective Kieran Cowhey - 23 November 2018 The

Insurance Fraud in a Digital Age Legal Perspective Kieran Cowhey - 23 November 2018 The power of change is coming, and if we fail to see it, we could be dead too. CEO US Insurance Company Today Technology is changing the insurance

478 views • 24 slides
Please be advised that we are currently in a controlled vendor environment for the One Person One

Please be advised that we are currently in a controlled vendor environment for the One Person One

Please be advised that we are currently in a controlled vendor environment for the One Person One Record project. Please refrain from questions or discussion related to the One Person One Record project. Informatics utilizes health

879 views • 63 slides
Collaboration in the Non-Profit Sector: Legal Issues and the Utilization of Collaboration

Collaboration in the Non-Profit Sector: Legal Issues and the Utilization of Collaboration

Collaboration in the Non-Profit Sector: Legal Issues and the Utilization of Collaboration Agreements Presented by Dana Malkus, St. Louis University School of Law Legal Clinic May 1, 2013 Todays Agenda Collaboration: What, Why, and Why

228 views • 18 slides
Introduction The ICRP publication of TG 94 has two key objectives To clarify the ethical

Introduction The ICRP publication of TG 94 has two key objectives To clarify the ethical

IMPLEMENTING ETHICS IN RADIOLOGICAL PROTECTION DECISION MAKING: APPLICATION TO POST-ACCIDENT SITUATIONS Nicole E. Martinez Assistant Professor Environmental Engineering and Earth Sciences Clemson University In collaboration with Daniel E.

421 views • 27 slides
Pa Patient nt Ri Rights hts an and Ethi hics cs: Re Region ional al cha hallenge

Pa Patient nt Ri Rights hts an and Ethi hics cs: Re Region ional al cha hallenge

Pa Patient nt Ri Rights hts an and Ethi hics cs: Re Region ional al cha hallenge llenges an and way ay forw rward ard Thalia Arawi, PhD, Founding Director, Salim El-Hoss Bioethics & Professionalism Program (SHBPP) Clinical

775 views • 39 slides
P A C E Awareness Session Origin NIPEC Recording Care Project SINCE 2009.. Improve the

P A C E Awareness Session Origin NIPEC Recording Care Project SINCE 2009.. Improve the

Care Planning P A C E Awareness Session Origin NIPEC Recording Care Project SINCE 2009.. Improve the standards of nurse record keeping practice in the region Recording Care ...... Whats the point? Why Keep Records I I Int

527 views • 36 slides

More recommend