SLIDE 1

Verification and Certification of Java

An experience report

Gilles Barthe

IMDEA Software, Madrid

September 2009

Gilles Barthe Verification and Certification of Java

SLIDE 2

Context: formal methods for small devices

smartcard platform and applications (1999-2004)
• formal verification of JavaCard bytecode verification
• automated construction of certified verifiers
• formal analysis of the GlobalPlatform API

mobile phone applications (2004-2009)
• program verification environments
• carrying evidence across abstraction layers
• formal verification of static analysers and program verifiers
• embedding certified verifiers

Acknowledgements: some of the work reported here is not my own. Many people are involved; I will try to acknowledge authors during the talk.

SLIDE 3

Motivation: security and certification

Security is hard:
• hard to formulate (security is always relative), harder to enforce

High standards forced by application domains:
• banking, phone, mobile code, etc.
• control systems for energy, transportation, health, etc.

Common Criteria:
• an international initiative to provide a common structure and language for expressing security requirements, and unified security evaluation mechanisms
• mandates the use of formal methods at the highest assurance levels

SLIDE 4

The Mobius project (2005-2009)

Integrated Project within the FET pro-active initiative Global Computing II.

Objective: establish a security architecture appropriate for global computers:
1. adopt a computational model that captures faithfully fundamental aspects of global computers
2. identify the trust and security requirements of such a model
3. develop on top of the computational model a security framework that enforces these requirements ⇒ Proof Carrying Code
4. provide the enabling technologies necessary for implementing the framework ⇒ program analysis and program verification
5. validate the architecture

SLIDE 5

Mobius architecture

Figure (Mobius architecture): on the code producer side, the Source program and its Source Specification (types + logics) are verified by Interactive proofs; a Java compiler, a Spec compiler and a Proof compiler produce the Bytecode program, the Bytecode Specification and the Certificate (certificate generation). On the code consumer side, the Runtime environment's Certificate checker takes the Requirements, the Bytecode program with its Bytecode Specification, and the Certificate.

SLIDE 6

Selected issues

• Specification languages
• Verification methods
• Carrying evidence across compilation
• Certified certifiers
• Embedding certifiers

Fundamental hypothesis: the platform behaves correctly (later)

SLIDE 7

Specification languages

• Behavioral languages à la JML
• Domain-specific languages for targeted classes of properties: resource policies, information flow policies, ...

Commonalities
+ Support for modular verification
− Limited support for concurrency

SLIDE 8

JML: Java Modeling Language

Annotation language for Java. Uses Java-like notation.

Annotations are side-effect-free Java expressions + extra keywords (\exists, \forall, \old(−), \result, \throws, ...) + logical operators and quantifiers.

Design-by-Contract: pre- and postconditions define a contract between a class and its clients:
• the client must ensure the precondition and may assume the postcondition
• the method may assume the precondition and must ensure the postcondition

SLIDE 9

Example

  /*@ exceptional_behavior
    @   requires arg == null;
    @   signals (NullPointerException) true;
    @ also
    @ behavior
    @   requires arg != null;
    @   ensures \result == arg[0];
    @   signals (IndexOutOfBoundsException) arg.length == 0;
    @*/
  Object firstElement(Object[] arg) { return arg[0]; }

JML specs can be as weak as one wants!

SLIDE 10

Native specifications

• Complex properties often use advanced specification features of JML (e.g. pure methods, model variables)
• Yet the expressive power of JML is (legitimately) constrained
• Native constructs allow a fallback on more general specification languages (as used in theorem provers): native types, native methods

SLIDE 11

Native types and methods

Native types and methods are declared in JML:

  //@ public native class ObjectSet;
  //@ public native boolean withinBounds(Object[] tab, int i);

and specified in a separate file user extensions.v:

  Definition ObjectSet := set Reference.
  Definition withinBounds := ...

Native types are not standard Java/JML class types:
• do not inherit from Object
• no constructors
• no casts
• no instance creation
• ...

SLIDE 12

Example: set library

We can define a set library to use in annotations.

JML

  /*@ public native class ObjectSet {
    @   public native static ObjectSet create();
    @   public native static ObjectSet add(ObjectSet os, Object o);
    @   public native boolean member(Object o);
    @   public static native ObjectSet toSet(Object[] tab);
    @ }
    @*/

Coq

  Definition ObjectSet := set Reference.
  Definition ObjectSet_create := empty_set.
  Definition ObjectSet_add (os: ObjectSet) (o: Reference) := set_add o os.
  Definition ObjectSet_member (this: ObjectSet) (o: Reference) := set_mem o this.

SLIDE 13

Tools for JML

Varying degrees of precision, efficiency and correctness:
• run-time verification and unit testing
• static checking and interactive verification: a VC generator computes proof obligations from annotated programs; proof obligations are discharged by automatic provers, then unresolved proof obligations are sent to a theorem prover
  – with automatic provers: an effective means of finding common programming errors (null-pointer dereferencing, indexing an array out of bounds) and of proving adherence to policies. Example applications: SSH implementation, design patterns
  – with theorem provers: allows one to deal with full correctness. Example applications: collection libraries, APIs, etc.
• there are also tools that generate JML specifications

Concurrency: limited support for concurrency (RCC, Bogor); the general philosophy is thread-modular verification.

SLIDE 14

Example of verification

  { requires n = N }
  x := 0;
  while (n ≠ 0) do
    { Inv: x + n ∗ (n + 1)/2 = N(N + 1)/2 }
    x := x + n;
    n := n − 1;
  { ensures x = N ∗ (N − 1)/2 }

Verification conditions:
1. n = N ⇒ 0 + n ∗ (n + 1)/2 = N(N + 1)/2
2. x + n ∗ (n + 1)/2 = N(N + 1)/2 ∧ n ≠ 0 ⇒ x + n + (n − 1) ∗ (n − 1 + 1)/2 = N(N − 1)/2
3. x + n ∗ (n + 1)/2 = N(N + 1)/2 ∧ n = 0 ⇒ x = N ∗ (N − 1)/2

SLIDE 15

Example of verification

  { requires n = N }
  //@ 0 + n ∗ (n + 1)/2 = N(N + 1)/2
  x := 0;
  while (n ≠ 0) do
    { Inv: x + n ∗ (n + 1)/2 = N(N + 1)/2 }
    { x + n + (n − 1) ∗ (n − 1 + 1)/2 = N(N + 1)/2 }
    x := x + n;
    { x + (n − 1) ∗ (n − 1 + 1)/2 = N(N + 1)/2 }
    n := n − 1;
  { ensures x = N ∗ (N − 1)/2 }

Verification conditions:
1. n = N ⇒ 0 + n ∗ (n + 1)/2 = N(N + 1)/2
2. x + n ∗ (n + 1)/2 = N(N + 1)/2 ∧ n ≠ 0 ⇒ x + n + (n − 1) ∗ (n − 1 + 1)/2 = N(N − 1)/2
3. x + n ∗ (n + 1)/2 = N(N + 1)/2 ∧ n = 0 ⇒ x = N ∗ (N − 1)/2

SLIDE 19

Specialized verification frameworks

The case of resource policies

Many important policies are concerned with resources:
• memory, execution time, execution steps
• bits sent or received by an application over a socket
• number of SMSs sent or received, money spent
• number of files left open
• number of accesses to a database
• number of calls to a procedure
• data sizes
• energy consumption
• ...

SLIDE 20

User-definable / generic: a cost model describes an upper/lower bound on the cost of each primitive operation (e.g., bytecode instruction).

Such cost models can be:
• provided by the user, via a language of assertions
• predefined in system libraries

For platform-dependent resources such as execution time or energy consumption, the model needs to consider low-level factors.

SLIDE 21

The Assertion Language

Used by programmers to:
• describe resources, and also other inputs to the resource analysis such as argument sizes, size metrics, etc.
• state resource-related specifications, which allows finding bugs, verifying the program, etc.

Used by the system to:
• produce the output of the resource analysis
• improve both accuracy and scalability

  <assrt>          ::= @ requires(<prop>*) | @ ensures(<prop>*) | @ costs(<resource usage>*)
  <resource usage> ::= res usage(<approx>, res name, <arith expr>)
  <approx def>     ::= approx def(<approx>, arith function)
  <prop>           ::= size(var, <approx>, <sz metric>, <arith expr>) | size metric(var, <sz metric>)
  <approx>         ::= ub | lb | o
  <sz metric>      ::= value | length | size
  <arith expr>     ::= <sz val> | ⊖(<sz val>*)
  <sz val>         ::= num | <sz metric>(var)

SLIDE 22

Generic Framework and Application

Figure (animated over slides 22-24, generic resource-analysis pipeline): Java bytecode is translated into an Intermediate Representation. A Data Dependency Analysis feeds a Size Analysis, which produces Size Relation Equations; the Resource Usage Analysis, parameterised by a cost model (here an Energy Consumption Model), produces Energy Consumption Equations. A Recurrence Solver turns the Size Relation Equations into an Upper-bound Size Relation and the Energy Consumption Equations into an Upper-bound Energy Consumption.

SLIDE 25

Resource analysis examples

  Program   | Resource(s)        | t   | Resource Usage Func. | size metric
  BST       | Heap usage         | 367 | O(2^n)               | n ≡ tree depth
  CellPhone | SMS monetary cost  | 386 | O(n^2)               | n ≡ packets length
  Client    | Bytes received     | 527 | O(n)                 | n ≡ stream length
            | Bandwidth required |     | O(1)                 | —
  Dhrystone | Energy consumption | 759 | O(n)                 | n ≡ int value
  Divbytwo  | Stack usage        | 219 | O(log2(n))           | n ≡ int value
  Files     | Files left open    | 649 | O(n)                 | n ≡ number of files
            | Data stored        |     | O(n × m)             | m ≡ stream length
  Join      | DB accesses        | 460 | O(n × m)             | n, m ≡ table records
  Screen    | Screen width       | 536 | O(n)                 | n ≡ stream length

The analysis is able to infer resource information about low-level properties such as:
• stack usage
• energy consumption

SLIDE 26

From specialized methods to deductive proofs

• Compile resource annotations into JML, then perform verification as usual
• Apply specialized methods, e.g. abstract interpretation

A challenge: transform abstract interpretation proofs into deductive proofs. Two main benefits:
• a unifying framework for checking proofs
• independently checkable certificates

SLIDE 27

Reducing Proof Obligations

Consider the code: {ϕ} x := a[i]; {φ}

A sound wp must consider both branches:

  {ϕ} if (0 ≤ i < |a|) then x := a[i]; else halt(); {φ}

then ϕ is defined as ϕ1 ∧ ϕ2 where
  ϕ1 ≡ 0 ≤ i < |a| ⇒ wp(x := a[i], φ), and
  ϕ2 ≡ ¬(0 ≤ i < |a|) ⇒ χ

If the analysis infers the condition 0 ≤ i < |a| before the array access, then one can simply define ϕ as ϕ1.

SLIDE 28

Reducing Specification Effort

  x := 0;
  i := 0;
  while (i < |A|) do
    { Inv: (0 ≤ k < i) ⇒ A[k] = 0 }
    A[i] := x;
    i := i + 1;
  { (0 ≤ k < N) ⇒ A[k] = 0 }

Unprovable verification condition:
  ((0 ≤ k < i) ⇒ A[k] = 0) ∧ i < |A| ⇒ (0 ≤ k < i + 1) ⇒ [A | i → x][k] = 0

SLIDE 30

Reducing Specification Effort

  x := 0;
  (x = 0) −→ i := 0;
  (x = 0) −→ while (i < |A|) do
    { Inv: (0 ≤ k < i) ⇒ A[k] = 0 }
    (x = 0) −→ A[i] := x;
    (x = 0) −→ i := i + 1;
  { (0 ≤ k < N) ⇒ A[k] = 0 }

The unprovable verification condition
  ((0 ≤ k < i) ⇒ A[k] = 0) ∧ i < |A| ⇒ (0 ≤ k < i + 1) ⇒ [A | i → x][k] = 0
becomes valid after strengthening with the result of the analysis:
  ((0 ≤ k < i) ⇒ A[k] = 0) ∧ i < |A| ∧ x = 0 ⇒ (0 ≤ k < i + 1) ⇒ [A | i → x][k] = 0
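
The zero-fill loop above and the sum loop of slides 14-15, as an added example that is not from the talk: a small weakest-precondition VC generator in Python that produces the initiation, preservation and exit conditions of each loop and checks them on a constructed, bounded set of states instead of sending them to a prover. The tuple encoding of statements, the `assume` statement used to inject the analysis result x = 0, and the postcondition used for the sum loop (the invariant's value at n = 0, x = N(N+1)/2) are this example's own assumptions.

```python
# Added example, not from the talk: a weakest-precondition VC generator over a
# tiny imperative language.  Expressions and predicates are Python callables
# over a state dict; statements are tuples.  Instead of a prover, every VC is
# checked on a constructed, bounded state space (a bounded model check).
import itertools


def wp(stmt, post, vcs):
    """Weakest precondition of stmt w.r.t. post; loop VCs are appended to vcs."""
    kind = stmt[0]
    if kind == "assign":                      # x := e   gives   post[x := e]
        _, var, expr = stmt
        return lambda s: post({**s, var: expr(s)})
    if kind == "store":                       # A[i] := e   gives   post[A := A | i -> e]
        _, arr, idx, expr = stmt

        def pre(s):
            a = list(s[arr])
            a[idx(s)] = expr(s)
            return post({**s, arr: a})
        return pre
    if kind == "assume":                      # fact established by a prior analysis
        _, fact = stmt
        return lambda s: (not fact(s)) or post(s)
    if kind == "seq":                         # wp is computed right to left
        pre = post
        for sub in reversed(stmt[1:]):
            pre = wp(sub, pre, vcs)
        return pre
    if kind == "while":                       # while (cond) do { inv } body
        _, name, cond, inv, body = stmt
        body_pre = wp(body, inv, vcs)
        vcs.append((name + " preservation",
                    lambda s: (not (inv(s) and cond(s))) or body_pre(s)))
        vcs.append((name + " exit",
                    lambda s: (not (inv(s) and not cond(s))) or post(s)))
        return inv                            # the invariant is the loop's wp
    raise ValueError("unknown statement " + kind)


def verify(pre, prog, post, states):
    """Return {vc name: holds on every state} for the triple {pre} prog {post}."""
    vcs = []
    entry = wp(prog, post, vcs)
    vcs.insert(0, ("initiation", lambda s: (not pre(s)) or entry(s)))
    return {name: all(vc(s) for s in states) for name, vc in vcs}


def sum_program():
    """Slides 14-15: x := 0; while (n != 0) do x := x + n; n := n - 1."""
    inv = lambda s: s["x"] + s["n"] * (s["n"] + 1) // 2 == s["N"] * (s["N"] + 1) // 2
    prog = ("seq",
            ("assign", "x", lambda s: 0),
            ("while", "loop", lambda s: s["n"] != 0, inv,
             ("seq", ("assign", "x", lambda s: s["x"] + s["n"]),
                     ("assign", "n", lambda s: s["n"] - 1))))
    pre = lambda s: s["n"] == s["N"]
    post = lambda s: s["x"] == s["N"] * (s["N"] + 1) // 2   # value of inv at n = 0
    states = [{"x": x, "n": n, "N": N}                        # constructed state space
              for x in range(-5, 40) for n in range(-3, 9) for N in range(8)]
    return verify(pre, prog, post, states)


def array_program(with_analysis):
    """Slides 28-30: zero-fill loop; with_analysis injects the fact x = 0."""
    inv = lambda s: all(s["A"][k] == 0 for k in range(s["i"]))
    body = ("seq", ("store", "A", lambda s: s["i"], lambda s: s["x"]),
                   ("assign", "i", lambda s: s["i"] + 1))
    if with_analysis:                         # constant propagation: x = 0 at the loop head
        body = ("seq", ("assume", lambda s: s["x"] == 0), body)
    prog = ("seq", ("assign", "x", lambda s: 0), ("assign", "i", lambda s: 0),
            ("while", "fill", lambda s: s["i"] < len(s["A"]), inv, body))
    post = lambda s: all(v == 0 for v in s["A"])
    states = [{"x": x, "i": i, "A": list(a)}                  # constructed state space
              for x in (0, 1) for i in range(4)
              for a in itertools.product((0, 1), repeat=3)]
    return verify(lambda s: True, prog, post, states)


if __name__ == "__main__":
    print("sum loop:", sum_program())
    print("zero-fill, invariant alone:", array_program(False))
    print("zero-fill, with x = 0 from the analysis:", array_program(True))
```

Without the `assume`, the zero-fill loop's preservation condition fails on the states with x = 1; with it, all three conditions hold, which is the strengthening shown above.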

SLIDE 31

Hybrid verification examples

Branching is a major source of imprecision in static analysis, and leads to an explosion of verification conditions. It is very useful to rely on a preliminary analyser that computes information that can be used to reduce the control flow graph and to detect branches that will never be taken. For example:
• null pointers (to predict unthrowable null pointer exceptions)
• classes (to predict the target of throw instructions)
• array accesses (to predict unthrowable out-of-bounds exceptions)
• exceptions (to over-approximate the set of throwable exceptions for each method)

SLIDE 32

Carrying evidence across compilation

• Program verification environments are being used successfully for proving properties of source programs
• Verification of source code does not address mobile code issues
• Our goal is to generate certificates from source code verification

Figure: the Source program with its JML specification (and the API specification) is verified by Interactive proofs, producing a Certificate; the Bytecode program, its Bytecode specification and the Certificate go to the Certificate checker, which runs above the Virtual machine and the Operating system.

SLIDE 33

Certificates

Programs come equipped with a certificate of their correctness. Certificates:
• are condensed and formalized mathematical proofs/hints
• are self-evident and unforgeable
• can be checked efficiently, independently of the difficulty of certificate generation

Certificates = Coq proof scripts, Coq proof terms, etc.

SLIDE 34

Preservation of proof obligations

Non-optimizing compiler

Proof obligations are syntactically equal: PO(P, φ, ψ) = PO(⟦P⟧, φ, ψ)

Figure (producer/consumer): on the producer side, a VCGen computes Verification Conditions from the Source Program and a Prover turns them into a Certificate; a Non-optimizing Compiler produces the Compiled Program. On the consumer side, a VCGen computes Verification Conditions from the Compiled Program; by Preservation of Proof Obligations these are the same conditions, so the Proof Checker validates the shipped Certificate against them (OK) before Execution.

SLIDE 37

Optimizing Compilers

Figure (producer/consumer, optimizing compiler): as before, the producer's VCGen and Prover produce a Certificate from the Source Program, and the (non-optimizing) Compiler produces the Compiled Program; an Optimizer then produces the Optimized Program, and the consumer's VCGen computes its Verification Conditions from the Optimized Program, against which the Proof Checker must validate the Certificate before Execution.

Proof obligations might not be preserved:
• annotations might need to be modified (e.g. constant propagation)
• certificates for analyzers might be needed (certifying analyzer)
• analyses might need to be modified (e.g. dead variable elimination)

SLIDE 38

Optimizing Compilers

Figure (producer/consumer, certificate translation): on the producer side, the VCGen and Prover produce a Certificate for the Source Program, and a Certificate Translator turns it into a Certificate for the Compiled Program produced by the Compiler; on the consumer side, the VCGen computes the Verification Conditions of the Compiled Program and the Proof Checker validates the translated Certificate against them (OK) before Execution.

Certificate translation:
• a general framework to carry evidence across optimizing compilation
• an instantiation for a small source language to RTL
• a prototype implementation

SLIDE 39

Certified certifiers

Static analysers and program verifiers are complex software, and must be verified.

Touchstone: an early PCC infrastructure for C. Includes a VCGen (23,000 lines of C...). Many errors in code.

Simple checkers: not clear they exist...

SLIDE 44

Simple checkers

Proof (as reproduced on the slide: a calculational derivation of the abstract postcondition of a conditional)

    α̈P(Post⟦if B then St else Sf fi⟧)
  = ⟨ def. (110) of α̈P ⟩
    α̈P ∘ Post⟦if B then St else Sf fi⟧ ∘ γ̈P
  = ⟨ def. (103) of Post ⟩
    α̈P ∘ post[τ⋆⟦if B then St else Sf fi⟧] ∘ γ̈P
  = ⟨ big-step operational semantics (93) ⟩
    α̈P ∘ post[(1P ∪ τ⟦B⟧) ∘ τ⋆⟦St⟧ ∘ (1P ∪ τt) ∪ (1P ∪ τ⟦¬B⟧) ∘ τ⋆⟦Sf⟧ ∘ (1P ∪ τf)] ∘ γ̈P
  = ⟨ Galois connection (98), so that post preserves joins ⟩
    α̈P ∘ (post[(1P ∪ τ⟦B⟧) ∘ τ⋆⟦St⟧ ∘ (1P ∪ τt)] ∪̇ post[(1P ∪ τ⟦¬B⟧) ∘ τ⋆⟦Sf⟧ ∘ (1P ∪ τf)]) ∘ γ̈P
  = ⟨ Galois connection (106), so that α̈P preserves joins ⟩
    (α̈P ∘ post[(1P ∪ τ⟦B⟧) ∘ τ⋆⟦St⟧ ∘ (1P ∪ τt)] ∘ γ̈P) ⊔̈ (α̈P ∘ post[(1P ∪ τ⟦¬B⟧) ∘ τ⋆⟦Sf⟧ ∘ (1P ∪ τf)] ∘ γ̈P)
  ⊑̈ ⟨ lemma (5.3) and a similar one for the else branch ⟩
    λJ • let Jt′ = λl ∈ inP⟦P⟧ • (l = atP⟦St⟧ ? JatP⟦St⟧ ⊔̇ Abexp⟦B⟧(Jℓ) ¿ Jl) in
         let Jt′′ = APost⟦St⟧(Jt′) in
         λl ∈ inP⟦P⟧ • (l = ℓ′ ? Jt′′ℓ′ ⊔̇ Jt′′afterP⟦St⟧ ¿ Jt′′l)
    ⊔̈  let Jf′ = λl ∈ inP⟦P⟧ • (l = atP⟦Sf⟧ ? JatP⟦Sf⟧ ⊔̇ Abexp⟦¬B⟧(Jℓ) ¿ Jl) in
         let Jf′′ = APost⟦Sf⟧(Jf′) in
         λl ∈ inP⟦P⟧ • (l = ℓ′ ? Jf′′ℓ′ ⊔̇ Jf′′afterP⟦Sf⟧ ¿ Jf′′l)                            (120)
  = ⟨ by grouping similar terms ⟩
    λJ • let Jt′ = λl ∈ inP⟦P⟧ • (l = atP⟦St⟧ ? JatP⟦St⟧ ⊔̇ Abexp⟦B⟧(Jℓ) ¿ Jl)
         and Jf′ = λl ∈ inP⟦P⟧ • (l = atP⟦Sf⟧ ? JatP⟦Sf⟧ ⊔̇ Abexp⟦¬B⟧(Jℓ) ¿ Jl) in
         let Jt′′ = APost⟦St⟧(Jt′) and Jf′′ = APost⟦Sf⟧(Jf′) in
         λl ∈ inP⟦P⟧ • (l = ℓ′ ? Jt′′ℓ′ ⊔̇ Jt′′afterP⟦St⟧ ⊔̇ Jf′′ℓ′ ⊔̇ Jf′′afterP⟦Sf⟧ ¿ Jt′′l ⊔̇ Jf′′l)
  = ⟨ by locality (113) and the labelling scheme (59), so that in particular
      Jt′′ℓ′ = Jt′ℓ′ = Jtℓ′ = Jfℓ′ = Jf′ℓ′ = Jf′′ℓ′, and APost⟦St⟧ and APost⟦Sf⟧ do not interfere ⟩

Implementation

  /* Excerpt as shown on the slide, re-indented.  The sortedness flag s is
     assigned below but its declaration is not in the excerpt; it is restored
     here as a parameter (assumption).  Return values of malloc are not
     checked in this excerpt. */
  matrix_t* _matrix_alloc_int(const int mr, const int nc, const bool s)
  {
    matrix_t* mat = (matrix_t*)malloc(sizeof(matrix_t));
    mat->nbrows = mat->_maxrows = mr;
    mat->nbcolumns = nc;
    mat->_sorted = s;
    if (mr*nc > 0) {
      int i;
      pkint_t* q;
      mat->_pinit = _vector_alloc_int(mr*nc);          /* one block holding all rows */
      mat->p = (pkint_t**)malloc(mr * sizeof(pkint_t*));
      q = mat->_pinit;
      for (i = 0; i < mr; i++) {                       /* row pointers into that block */
        mat->p[i] = q;
        q = q + nc;
      }
    }
    return mat;
  }

  /* Back-substitution over the pivot columns recorded in pk_cherni_intp:
     every other row is combined with pivot row k to clear column j. */
  void backsubstitute(matrix_t* con, int rank)
  {
    int i, j, k;
    for (k = rank - 1; k >= 0; k--) {
      j = pk_cherni_intp[k];
      for (i = 0; i < k; i++) {
        if (pkint_sgn(con->p[i][j])) matrix_combine_rows(con, i, k, i, j);
      }
      for (i = k + 1; i < con->nbrows; i++) {
        if (pkint_sgn(con->p[i][j])) matrix_combine_rows(con, i, k, i, j);
      }
    }
  }

Do the two parts connect?

SLIDE 45

The way to certified certifiers

1. Model the semantics of the JVM
2. Implement the program analyzer and verifier
3. Prove its correctness
4. Run; extract and run; or extract, compile and run

Instances: out-of-bounds, points-to, data races, information flow, resources

SLIDE 46

Certified verifiers

Bicolano: a Coq model of the JVM
• sequential JVM (nowadays a routine task)
• most limitations arise from the MIDP framework
• concurrency model (experimental)
• instrumented semantics for resources

Bicolano is our basis for certified certifiers. To build a certified certifier one must
1. formalize abstract domains (using a library of lattices)
2. program transfer functions (using efficient implementations of data structures)
3. state the soundness theorem and prove it (generally a tedious proof)

SLIDE 47

Embedding certified analyzers

Figure (animated over slides 47-60): the PCC verifier comes with a Coq correctness proof of the PCC verifier.
• The proof is checked and then extracted to an OCaml implementation.
• The certified verifier is installed on the device.
• The mobile code and its proof are verified by the certified PCC verifier.
• One verifier for several mobile codes.

SLIDE 61

Concluding remarks

• There are robust program verification environments for Java programs
• Verification results can be carried across abstraction layers
• Specialized verifiers are available and effective, esp. for resource policies
• Embedded certified verifiers can be used to provide the highest guarantees to end users
