verification and certification of java
play

Verification and Certification of Java An experience report Gilles - PowerPoint PPT Presentation

Sep 12, 2022 •134 likes •753 views

Verification and Certification of Java An experience report Gilles Barthe IMDEA Software, Madrid Septembre 2009 Gilles Barthe Verification and Certification of Java Context: formal methods for small devices smartcard platform and

  1. Verification and Certification of Java An experience report Gilles Barthe IMDEA Software, Madrid Septembre 2009 Gilles Barthe Verification and Certification of Java

  2. Context: formal methods for small devices smartcard platform and applications (1999-2004) formal verification of JavaCard bytecode verification automated construction of certified verifiers formal analysis of GlobalPlatform API mobile phone applications (2004-2009) program verification environments carrying evidence across abstraction layers formal verification of static analysers and program verifiers embedding certified verifiers Acknowledgements Some work reported here is not my own. Many people are involved; I will try to acknowledge authors during the talk. Gilles Barthe Verification and Certification of Java

  3. Motivation: security and certification Security is hard: hard to formulate (security is always relative), harder to enforce High standards forced by application domains: banking, phone, moblie code, etc. control systems for energy, transportation, health etc. Common criteria: An international initiative to provide common structure and language for expressing security requirements, and unified security evaluation mechanisms mandate use of formal methods at highest levels Gilles Barthe Verification and Certification of Java

  4. The Mobius project (2005-2009) Integrated Project within the FET pro-active Global Computing II Objective Establish a security architecture appropriate for global computers: adopt a computational model that captures faithfully 1 fundamental aspects of global computers identify the trust and security requirements of such a model 2 develop on top of the computational model a security framework 3 that enforces these requirements ⇒ Proof Carrying Code provide the enabling technologies necessary for implementing 4 the framework ⇒ Program analysis and program verification validate the architecture 5 Gilles Barthe Verification and Certification of Java

  5. Mobius architecture Certificate Interactive Source program generation proofs Source Specification (types + logics) Certificate Requirements Code consumer Java compiler Spec compiler Bytecode program Proof compiler Bytecode program Bytecode Specification Bytecode Specification Certificate Certificate checker Certificate Runtime environment Code producer Gilles Barthe Verification and Certification of Java

  6. Selected issues Specification languages Verification methods Carrying evidence across compilation Certified certifiers Embedding certifiers Fundamental hypothesis The platform behaves correctly (later) Gilles Barthe Verification and Certification of Java

  7. Specification languages Behavioral languages a la JML Domain-specific languages for targetted classes of properties: resource policies, information flow policies, Commonalities + + Support for modular verification - - Limited support for concurrency Gilles Barthe Verification and Certification of Java

  8. JML: Java Modeling Language Annotation language for Java. Uses Java-like notation. Annotations are side-e ff ect-free Java expressions + extra keywords ( \ exists , \ forall , \ old( − ) , \ result , \ throws . . . ) + logical operators and quantifiers. Design-by-Contract Pre- and postconditions define a contract between a class and its clients: Client must ensure precondition and may assume postcondition Method may assume precondition and must ensure postcondition Gilles Barthe Verification and Certification of Java

  9. Example /*@ exceptional_behavior @ requires arg == null; @ signals (NullPointerException) true; @ also @ behavior @ requires arg != null; @ ensures \result == arg[0]; @ signals (IndexOutOfBoundsException) @ arg.length == 0; @*/ Object firstElement (Object [] arg) { return arg[0]; } JML specs can be as weak as one wants! Gilles Barthe Verification and Certification of Java

  10. Native specifications Complex properties often use advanced specification features of JML (e.g. pure methods, model variables) Yet the expressive power of JML is (legitimately) constrained Native constructs allow fallback on more general specification languages (as used in theorem provers) Native types Native methods Gilles Barthe Verification and Certification of Java

  11. Native types and methods Native types and methods are declared in JML: //@ public native class ObjectSet; //@ public native boolean withinBounds(Object[] tab, int i); and specified in a separate file user extensions.v: Definition ObjectSet := set Reference. Definition withinBounds:= ... Native types are not standard Java / JML class types: Do not inherit from Object No constructors No casts No instance creation . . . Gilles Barthe Verification and Certification of Java

  12. Example: set library We can define a set library to use in annotations. JML /*@ public native class ObjectSet { @ public native static ObjectSet create(); @ public native static ObjectSet add(ObjectSet os, Object o); @ public native boolean member(Object o); @ public static native ObjectSet toSet(Object [] tab); @ } @*/ Coq Definition ObjectSet := set Reference. Definition ObjectSet_create := empty_set. Definition ObjectSet_add (os: ObjectSet) (o: Reference) := set_add o os. Definition ObjectSet_member (this: ObjectSet) (o: Reference) := set_mem o this Gilles Barthe Verification and Certification of Java

  13. Tools for JML Varying degree in precision and e ffi ciency and correctness run-time verification and unit testing static checking and interactive verification: VC generator computes proof obligations from annotated programs. Proof obligations discharged by automatic provers, then unresolved proof obligations are sent to a theorem prover. e ff ective means of finding common programming errors (nullpointer dereferencing, indexing an array out of bounds), proving adherence to policies. Example applications: SSH implementation, design patterns using theorem provers, allows to deal with full correctness. Example application: collection libraries, APIs, etc there are also tools that generate JML specifications Concurrency Limited support for concurrency: RCC, Bogor General philosophy is thread-modular verification Gilles Barthe Verification and Certification of Java

  14. Example of verification { requires n = N } x := 0; while ( n � 0 ) do { Inv : x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 } x := x + n ; n := n − 1; { ensures x = N ∗ ( N − 1 ) / 2 } n = N ⇒ 0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 1 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n � 0 ⇒ 2 x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N − 1 ) / 2 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n = 0 ⇒ x = N ∗ ( N − 1 ) / 2 3 Gilles Barthe Verification and Certification of Java

  15. Example of verification { requires n = N } // @0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 x := 0; while ( n � 0 ) do { Inv : x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 } { x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } x := x + n ; { x + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } n := n − 1; { ensures x = N ∗ ( N − 1 ) / 2 } n = N ⇒ 0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 1 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n � 0 ⇒ 2 x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N − 1 ) / 2 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n = 0 ⇒ x = N ∗ ( N − 1 ) / 2 3 Gilles Barthe Verification and Certification of Java

  16. Example of verification { requires n = N } // @0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 x := 0; while ( n � 0 ) do { Inv : x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 } { x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } x := x + n ; { x + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } n := n − 1; { ensures x = N ∗ ( N − 1 ) / 2 } n = N ⇒ 0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 1 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n � 0 ⇒ 2 x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N − 1 ) / 2 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n = 0 ⇒ x = N ∗ ( N − 1 ) / 2 3 Gilles Barthe Verification and Certification of Java

  17. Example of verification { requires n = N } // @0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 x := 0; while ( n � 0 ) do { Inv : x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 } { x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } x := x + n ; { x + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } n := n − 1; { ensures x = N ∗ ( N − 1 ) / 2 } n = N ⇒ 0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 1 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n � 0 ⇒ 2 x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N − 1 ) / 2 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n = 0 ⇒ x = N ∗ ( N − 1 ) / 2 3 Gilles Barthe Verification and Certification of Java

  18. Example of verification { requires n = N } // @0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 x := 0; while ( n � 0 ) do { Inv : x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 } { x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } x := x + n ; { x + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N + 1 ) / 2 } n := n − 1; { ensures x = N ∗ ( N − 1 ) / 2 } n = N ⇒ 0 + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 1 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n � 0 ⇒ 2 x + n + ( n − 1 ) ∗ ( n − 1 + 1 ) / 2 = N ( N − 1 ) / 2 x + n ∗ ( n + 1 ) / 2 = N ( N + 1 ) / 2 ∧ n = 0 ⇒ x = N ∗ ( N − 1 ) / 2 3 Gilles Barthe Verification and Certification of Java

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values, terms, ... Typing and operational semantics JVM Compiler Definition Proof Techniques Compilation and Bytecode Verification

643 views • 18 slides
Introduction to Soot Automated testing and J.P . Galeotti - Alessandra Gorla verification

Introduction to Soot Automated testing and J.P . Galeotti - Alessandra Gorla verification

Introduction to Soot Automated testing and J.P . Galeotti - Alessandra Gorla verification Thursday, November 22, 12 The Java virtual machine (JVM) The Java compiler translates a Java program into Java bytecode (input language of the JVM)

446 views • 20 slides
FY 2021 ACO Oversight Budget Guidance and Certification Eligibility Verification Alena Berube,

FY 2021 ACO Oversight Budget Guidance and Certification Eligibility Verification Alena Berube,

FY 2021 ACO Oversight Budget Guidance and Certification Eligibility Verification Alena Berube, Director of Value Based Payments & ACO Regulation June 3, 2020 Agenda 1. Background 2. Statutory Authority 3. FY 2021 Certification

652 views • 26 slides
The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische Universit at Darmstadt Department of Computer Science, Software Engineering Group Dagstuhl Seminar 16131: Language Based Verification Tools for

1.01k views • 68 slides
Digital Certificates, Certification Authorities, and Public Key Infrastructure Sections 14.3-14.5

Digital Certificates, Certification Authorities, and Public Key Infrastructure Sections 14.3-14.5

Digital Certificates, Certification Authorities, and Public Key Infrastructure Sections 14.3-14.5 Basic Problem What does a public-key signature verification tell you? Verification parameters include public key, and successful verification

201 views • 17 slides
Software Verification for Java 5 KeY Symposium 2007 Mattias Ulbrich June 14, 2007 KeY + Java 5

Software Verification for Java 5 KeY Symposium 2007 Mattias Ulbrich June 14, 2007 KeY + Java 5

KeY + Java 5 Enums Enhanced loops Generics Software Verification for Java 5 KeY Symposium 2007 Mattias Ulbrich June 14, 2007 KeY + Java 5 Enums Enhanced loops Generics Content KeY + Java 5 Typesafe Enumeration Datatypes Enhanced For

1.14k views • 58 slides
A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor

A Simple Framework for Program Verification and its Mechanical Certification in Theorema Tudor Jebelean M ad alina Era scu Research Institute for Symbolic Computation, Johannes Kepler University, Linz, Austria October 2012 1/25

430 views • 26 slides
Certification and Verification in the Artisan Sector Programs and Proposals for Impact and Scale

Certification and Verification in the Artisan Sector Programs and Proposals for Impact and Scale

Certification and Verification in the Artisan Sector Programs and Proposals for Impact and Scale Panelists Abigail Jacobs and Doug Guiley west elm Indrassen Vencatachellum Formerly of UNESCO Moderated by: Karen Gibbs Alliance for Artisan

553 views • 14 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Foreign Supplier Verification & Third Party Certification Allen Sayler, Vice President,

Foreign Supplier Verification & Third Party Certification Allen Sayler, Vice President,

FSMAs Update: Proposed Preventive Controls, Foreign Supplier Verification & Third Party Certification Allen Sayler, Vice President, Center for Food Safety & Regulatory Solutions, ( CFSRS ) Woodbridge, Virginia asayler@cfsrs.com

470 views • 24 slides
The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische Universit at Darmstadt Department of Computer Science, Software Engineering Group 25 April 2016 Joint Work with. . . Wolfgang Ahrendt, Bernhard

1.06k views • 55 slides
Specification, Verification, and Proofs for Java Erik Poll Digital Security Radboud University

Specification, Verification, and Proofs for Java Erik Poll Digital Security Radboud University

Specification, Verification, and Proofs for Java Erik Poll Digital Security Radboud University Nijmegen presented at FOSAD'2009, Bertinoro, Italy supported by the EU IST project Mobius Overview Context - Proof Carrying Code (PCC)

1.53k views • 142 slides
Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research

Research in the Verification of Flight-Critical Systems Alwyn Goodloe NASA Langley Research Center Overview Background Verification and Certification Aircraft self-separation Runtime verification Formal-Methods for numerical

812 views • 50 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training

1 2 3 KASS Certification Procedure Operation System Certification Certification Training Inspection/Audit Establish MoC Status of Operator/ Maintainer Manual, Function Identify CRB Record and Interfaces Result of Form Ground/

618 views • 24 slides
Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March e Christine Paulin Jean-Christophe

636 views • 31 slides
Bi-inductive Structural Semantics and its Abstraction Patrick Cousot cole normale

Bi-inductive Structural Semantics and its Abstraction Patrick Cousot cole normale

Bi-inductive Structural Semantics and its Abstraction Patrick Cousot cole normale suprieure 1. Motivation 45 rue dUlm, 75230 Paris cedex 05, France Patrick.Cousot@ens.fr www.di.ens.fr/~cousot (joint work with Radhia Cousot)

442 views • 18 slides
Inductive Definitions in Bounded Arithmetic: A New Way to Approach P vs. PSPACE Naohi Eguchi

Inductive Definitions in Bounded Arithmetic: A New Way to Approach P vs. PSPACE Naohi Eguchi

CTFM, Feb 19, 2013, Tokyo Institute of Technology Inductive Definitions in Bounded Arithmetic: A New Way to Approach P vs. PSPACE Naohi Eguchi Mathematical Institute, Tohoku University, Japan Introduction 1/2 Purpose in computational

673 views • 45 slides
Continuous Improvement Toolkit IDEF0 Continuous Improvement Toolkit . www.citoolkit.com Managing

Continuous Improvement Toolkit IDEF0 Continuous Improvement Toolkit . www.citoolkit.com Managing

Continuous Improvement Toolkit IDEF0 Continuous Improvement Toolkit . www.citoolkit.com Managing Deciding & Selecting Planning & Project Management* Pros and Cons Risk PDPC Importance-Urgency Mapping RACI Matrix Stakeholders

327 views • 8 slides
Development of a Programming Environment and Interpreter for LOOP and WHILE Michael Gebhard

Development of a Programming Environment and Interpreter for LOOP and WHILE Michael Gebhard

Development of a Programming Environment and Interpreter for LOOP and WHILE Michael Gebhard 22.01.2019 Goals LOOP and WHILE Interpreter IDE Plugin Michael Gebhard IDE and Interpreter for LOOP and WHILE (22.01.2019) 2 LOOP Syntax

419 views • 22 slides
On locally o-minimal structures Hiroshi Tanaka joint works with Tomohiro Kawakami, Kota Takeuchi

On locally o-minimal structures Hiroshi Tanaka joint works with Tomohiro Kawakami, Kota Takeuchi

On locally o-minimal structures Hiroshi Tanaka joint works with Tomohiro Kawakami, Kota Takeuchi and Akito Tsuboi Anan National College of Technology RIMS Model Theory Meeting December 1, 2010 RIMS Hiroshi Tanaka (Anan National College of

435 views • 41 slides
Q 2 1 1 TDT4250 Modeling of Information Systems Autumn 2006 System development Developer

Q 2 1 1 TDT4250 Modeling of Information Systems Autumn 2006 System development Developer

TDT4250 Modeling of Information Systems Autumn 2006 Meta-modeling in METIS John Krogstie IDI, NTNU and SINTEF Meta.ppt 1 TDT4250 Modeling of Information Systems Autumn 2006 Overview of this week Why meta-modeling? Central

477 views • 15 slides
Book Software Language Engineering g g g g Generic Language Technology (2IS15) g g gy (

Book Software Language Engineering g g g g Generic Language Technology (2IS15) g g gy (

Book Software Language Engineering g g g g Generic Language Technology (2IS15) g g gy ( ) by Anneke Kleppe (Addison Wesley) Syntaxes Prof.dr. Mark van den Brand / Faculteit Wiskunde en Informatica 13-9-2011 PAGE 1 Signatures and

286 views • 10 slides
Boolean Algebra cont The digital abstraction Theorem: Absorption Law For every pair of

Boolean Algebra cont The digital abstraction Theorem: Absorption Law For every pair of

Boolean Algebra cont The digital abstraction Theorem: Absorption Law For every pair of elements a , b

819 views • 35 slides

More recommend