verifying that a compiler preserves concurrent value
play

Verifying that a compiler preserves concurrent value-dependent - PowerPoint PPT Presentation

Nov 29, 2022 •367 likes •1.94k views

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

  1. Motivation Confidentiality for modern software (CSF’16) __________________ 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security 3. Compositionally! 
 Confidentiality 2. Mixed-sensitivity reuse 
 (per-thread effort) (of devices, space, etc.) Beaumont et al. 
 (ACSAC’16) Example (DSTG + Data61 collaboration) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  2. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) PROTECTED Unclassified (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  3. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) PROTECTED Unclassified (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) … 😒 , 💹 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  4. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  5. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  6. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  7. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  8. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  9. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  10. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) SECRET , PROTECTED , or Unclassified? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  11. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _____________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) SECRET , PROTECTED , or Unclassified? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  12. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  13. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) seL4-based software architecture 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  14. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  15. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  16. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  17. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) Can a compiler preserve it? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  18. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Concurrent value-dependent information-flow security 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  19. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  20. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  21. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  22. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  23. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  24. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  25. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + Each thread must prevent (scheduler-relative) timing leaks! Volpano & Smith, CSFW’98 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  26. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Program A Program B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then + skip l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  27. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Program A Program B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 h isn’t assigned to anything h isn’t even here! _ _ Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  28. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  29. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  30. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  31. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  32. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  33. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  34. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  35. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  36. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  37. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  38. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  39. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  40. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ l = 1 + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  41. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ l = 1 + skip || l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  42. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 + skip || fix l := v ____ ____ Each thread must prevent else (scheduler-relative) Storage leak Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  43. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security But: Compiler may eliminate it! Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 Timing 
 + skip skip || fix fix l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  44. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security But: Compiler may eliminate it! Some extra stuff to preserve 
 (not that hard) (or, introduce new “ if (h)”!) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 Timing 
 + skip skip || fix fix l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  45. Background Why is it hard to prove? (CSF’16) Concurrent value-dependent information-flow security -preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  46. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  47. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  48. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  49. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract Relations 
 1 A 1 A 0 (between) R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  50. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract Execution 
 Relations 
 steps 1 A 1 A 0 (between) R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  51. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  52. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  53. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  54. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 Exists of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  55. Background Why is it hard to prove? (CSF’16) From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  56. ⇒ Background Why is it hard to prove? (CSF’16) From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler ? R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R For free ? 2 C 2 C 0 Security proof 
 Concrete “ B C ” “ B C ” (Bisimulation I I B C of B R I ) “ B C ” 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  57. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  58. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  59. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  60. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  61. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  62. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  63. ⇒ Background ( Compare: Barthe et al. CSF’18) Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  64. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Plan: Use confidentiality-preserving refinement 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  65. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle for confidentiality-preserving refinement 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) = stops 2 C 2 C I = stops 1 C 1 C 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  66. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  67. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  68. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly Proof effort 2 A = abs - steps 2 A 2 C B = almost halved ! 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  69. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A 2 A 0 B B 1 A 1 A 0 R R R R 2 C 2 C 0 I I 1 C 1 C 0 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  70. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 2 A 2 A 0 B B ( ⟹ ) implies 1 A 1 A 0 R R R R 2 C 2 C 0 I I 1 C 0 1 C 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  71. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  72. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  73. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 for (refinement) relation R 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  74. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 for (refinement) relation R _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  75. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  76. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  77. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  78. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
The What and Why of What and Why of The preserves the semantics (in some sense) Compilers

The What and Why of What and Why of The preserves the semantics (in some sense) Compilers

What is a Compiler? What is a Compiler? A program that: Compilation 2007 Compilation 2007 translates from one programming language to another The What and Why of What and Why of The preserves the semantics (in some sense)

215 views • 7 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke,

Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke,

Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke, Pierre-variste Dagand, Xavier Leroy, Marc Pouzet, Lionel Rieg SYNCHRON 2016 December 7, 2016 Llio Brun Verifying a Lustre Compiler Part 2 December 7,

907 views • 47 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John Matthews Galois Connections August 15, 2006 1 Presently at Microsoft. Thanks Rockwell Collins Advanced Technology Center, especially David

655 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 1.9/2.15, 2015-07-16 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs

553 views • 24 slides
Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani)

Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani)

Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani) Optical Flow (a.k.a., Video Stabilization, Tracking, Stereo Matching, Registration) Given a pair of images { I t , I t +1 } Estimate the optical flow

293 views • 27 slides
Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and

Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and

Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and a function c(u,v) 0 on each directed edge (u,v) s is called the source t is called the sink c: ER + is called the capacity

1.16k views • 79 slides
Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David

Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David

Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David Duvenaud, Jrn-Henrik Jacobsen Invertible Residual Networks (i-ResNet) It can be shown that residual blocks can be inverted by fixed-point iteration and

442 views • 16 slides
JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99) Presented by Daryl Zuniga Overview Information-flow: what and why JFlow: Intro JFlow: How it works JFlow: Characteristics and limitations

810 views • 53 slides
Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at

Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at

Flow Visualization Flow Visualization CS 176 Spring 2011 1 Fluid Simulation a Looking at vector fields g how? Bolz et al. Laidlaw et al. CS 176 Spring 2011 2 Field Visualization V a a Stalling et al. Cabral et al. Stalling

576 views • 18 slides
Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate

Network Flow Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate problem ? ? ? Design algorithm less work more work more work Prove correctness more work less work less work Analyze running time less work

520 views • 18 slides
Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of

Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of

Dynamic Flow Regulation for IP Integration on Network-on-Chip Zhonghai Lu and Yi Wang Dept. of Electronic Systems KTH Royal Institute of Technology Stockholm, Sweden 6th Symposium on NoCS, Denmark May 9-11, 2012 Agenda The IP integration

824 views • 33 slides
Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks 2 Basic Networking:

604 views • 35 slides

More recommend