(12) United States Patent (10) Patent No.: US 8,341,602 B2 Hawblitzel Et Al

Total Page:16

File Type:pdf, Size:1020Kb

(12) United States Patent (10) Patent No.: US 8,341,602 B2 Hawblitzel Et Al USOO83416O2B2 (12) United States Patent (10) Patent No.: US 8,341,602 B2 Hawblitzel et al. (45) Date of Patent: Dec. 25, 2012 (54) AUTOMATED VERIFICATION OF A 7.65 E: $39. St. 727 TYPE-SAFE OPERATING SYSTEM 7,818,729- W - B1 * 10/2010 PlumOTley, et al.JT. .......... T17,140. 8, 104,021 B2* 1/2012 Erli tal. T17,126 (75) Inventors: Chris Hawblitzel, Redmond, WA (US); 8,127,280 B2 * 2/2012 E. al T17.136 Jean Yang, Cambridge, MA (US) 8,132,002 B2 * 3/2012 Lo et al. ......... ... 713, 164 8, 181,021 B2 * 5/2012 Ginter et al. .................. T13, 164 (73) Assignee: Microsoft Corporation, Redmond, WA 2004/0172638 A1 9, 2004 Larus (US) 2005, OO65973 A1 3/2005 Steensgaard et al. 2005, 0071387 A1 3, 2005 Mitchell (*) Notice: Subject to any disclaimer, the term of this (Continued) patent is extended or adjusted under 35 U.S.C. 154(b) by 442 days. OTHER PUBLICATIONS Klein et al., seL4: formal verification of an OS kernel, Oct. 2009, 14 (21) Appl. No.: 12/714,468 pages, <http://delivery.acm.org/10.1145/1630000/1629596.p207 klein.pdf>.* (22) Filed: Feb. 27, 2010 (Continued) (65) Prior Publication Data US 2010/O192130 A1 Jul 29, 2010 Primary Examiner — Thuy Dao ul. Z9, (74) Attorney, Agent, or Firm — Lyon & Harr, LLP; Mark A. Related U.S. Application Data Watson (63) Continuation-in-part of application No. 12/362.444, (57) ABSTRACT filed on Jan. 29, 2009. An Automated, Static Safety Verifier uses typed assembly 51) Int. C language (TAL) and Hoare logic to achieve highly automated, (51) o,F o/44 2006.O1 static verification of type and memory safety of an operating ( .01) system (OS). Various techniques and tools mechanically G06F 9/45 (2006.01) Verify the safety of every assembly language instruction in the HD4L 29/06 (2006.01) OS, run-time system, drivers, and applications, except the (52) U.S. Cl. ........ 717/126,717/136; 717/140; 717/168; boot loader (which can be separately verified). The OS 713/164 includes a "Nucleus' for accessing hardware and memory, a (58) Field of Classification Search ............... ... ... None kernel that builds services running on the Nucleus, and appli See application file for complete search history. cations that run on top of the kernel. The Nucleus, written in Verified assembly language, implements allocation, garbage (56) References Cited collection, multiple stacks, interrupt handling, and device access. The kernel, written in C# and compiled to TAL, builds U.S. PATENT DOCUMENTS higher-level services, such as preemptive threads, on top of 5,485,613 A 1/1996 Engelstad the Nucleus. A Hoare-style verifier with automated theorem 6,219,7876,128,774. AB1 * 10/20004/2001 NeculaBrewer ......................... 713/167 prover verifies safety and correctness of the Nucleus. ATAL 6,925,637 B2 8/2005 Thomas checker verifies safety of the kernel and applications. 7,139,784 B2 11/2006 Knobe 7,233,733 B2 6/2007 Derby 20 Claims, 5 Drawing Sheets KERNE (TAL) APPLICATION 24 (TAL) GarbageCollect NUCLEUS GetStackState AllocObject (BoogiepL) Allacy actor e Rese:Stack hrow g g YieldTo s s A. 2 4 s s s adfield wgaTextwrite FaultHandlar riteField Tryreadkeyboard ErrorHandlar O readStack Startimer Interrupthandler writeStack SendEoi Fatalandler 225 v. v.2 s x86 HARDWARE 220 "SafeoS"STRUCTURE SHOWINGXEMPLARY FUNCTIONSEXPORTED BY NUCLEUS US 8,341.602 B2 Page 2 U.S. PATENT DOCUMENTS 10th ACM SIGPLAN Int’l Conf. on Functional Programming, ICFP 2005/0114842 A1* 5/2005 Fleehart et al. ............... 717/126 2005, pp. 116-128, Sep. 26-28, 2005, Tallinn, Estonia. 2006/0085433 A1 4/2006 Bacon Klein, G. K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. 2006/0265438 Al 11/2006 Shankar Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. 2006/0277539 A1* 12/2006 Amarasinghe et al. ....... 717/168 Sewell. H. Tuch, S. Winwood, seA: Formal verification of an OS 2007/0174370 A1 7/2007 Detlefs kernel, Proc. of the 22nd ACM Symposium on Operating Systems 2007/0285271 A1 12/2007 Erlingsson Principles 2009, SOSP 2009, Oct. 11-14, 2009, pp. 207-220, Big Sky, 2008/0010327 A1 1/2008 Steensgaard Montana, USA. 2008/0148244 A1* 6/2008 Tannenbaum et al. ........ 717/136 2012/0084759 A1* 4/2012 Candlea et al. ........... 717/126 Lin, C., A. McCreight, Z. Shao, Y. Chen, Y. Guo, Foundational typed assembly language with certified collecton, First Joint IEEE/IFIP OTHER PUBLICATIONS Symposium on Theoretical Aspects of Software Engg. TASE 2007, Jun. 5-8, 2007, pp. 326-338, Shanghai, China. Heiser et al., Towards trustworthy computing systems: taking Maeda, T., Safe execution of user programs in Kernel mode using microkernels to the next level, Jul. 2007, 9 pages, <http://delivery. typed assembly language, Master Thesis, Feb. 5, 2002, pp. 1-36, The acm.org/10.1145/1280000/1278904/p3-heiser.pdf>.* University of Tokyo, Tokyo, Japan. Yang et al., Safe to the last instruction: automated verification of a type-safe operating system, Dec. 2011.9 pages, <http://deliveryacm. Makholm, H., A region-based memory manager for prolog, Proc. of org/10.1145/2050000/2043 197p123-yang.pdf>.* the 2nd Int'l Symposium on Memory Management, ISMM2000, Jan. Barnett, M., B.-Y. E. Chang, R. DeLine, B. Jacobs, K. Rustan, M. 2001, pp. 25-34, vol. 36, No. 1, ACM New York, NY, USA. Leino, Boogie: A modular reusable verifier for object-oriented pro Maus, S., M. Moskal, W. Schulte, Vx86: x86 Assembler simulated in grams, 4th Int'l Symposium on Formal Methods for Components and C powered by automated theorem proving, Proc. of teh 12th Int’l Objects, FMCO 2005, Nov. 1-4, 2005, pp. 364-387, Springer, Conf. on Algebraic Methodology and Software Tech., AMAST 2008, Amsterdam, The Netherlands , Jul. 28-31, 2008, pp. 284-298, Springer, Urbana, IL, USA. Baumann, A. P. Barham, P.-E. Dagand, T. L. Harris, R. Isaacs, S. McCreight, A. Z. Shao, C. Lin, L. Li. A general framework for Peter, T. Roscoe, A. Schipbach, A. Singhania, The Multikernel: A certifying garbage collectors and their mutators, Proc. of the ACM new OS architecture for scalable multicore systems, Proc. of the 22nd SIGPLAN 2007 Conf. on Programming Language Design and ACM Symposium on Operating Sys’s Principles, SOSP 2009, Oct. Implementation, PLDI 2007, Jun. 11-13, 2007, pp. 468-479, San 11-14, 2009, pp. 29-44. Big Sky, Montana, USA. Diego, California, USA. Bevier, W. R. W. A. Hunt Jr., J. S. Moore, W. D. Young. An approach Miller, J. S., G. J. Rozas, Garbage collection is fast, but a stack is to systems verification, Technical Report 41, Computational Logic, faster, Al Memo No. 1462, Massachusetts Institute of Technology Inc., Apr. 1989, 19 page. Artificial Intelligence Laboratory, Mar. 1994, pp. 1-36, Cambridge, Bevier, W. R. Kit: A study in operating system verification, Technical MA, USA. Report 28, Computational Logic, Inc., Aug. 1988, 28 pages. Morrisett, J. G. D. Walker, K. Crary, N. Glew, From system F to Chen, J. C. Hawblitzel, F. Perry, M. Emmi, J. Condit, D. Coetzee, P. typed assembly language, ACM Trans. Program. Lang. Syst., May Pratikaki. Type-preserving compilation for large-scale optimizing 1999, pp. 527-568, vol. 21, No. 3. object-oriented compilers, Proc. of the ACM SIGPLAN 2008 Conf. de Moura, L. M. N. Bjorner, Z3: An efficient SMT solver, Proc. of the on Programming Language Design and Implementation. PLDI 14th Int’l Conf. on Tools and Algorithms for the Construction and 2008, Jun. 7-13, 2008, pp. 183-192, Tucson, AZ, USA. Analysis of Sys's, TACAS 2008, Held as Part of the Joint European Edelman, J. R. Machine code verification using the bogor frame Conf. on Theory and Practice of Software, ETAPS 2008, Mar. work, Master of Science thesis, Brigham Young University, Aug. 29-Apr. 6, 2008, pp. 337-340, Budapest, Hungary. 2008, 39 pages. Ni, Z., D. Yu, Z. Shao. Using XCAP to certify realistic systems code: Fahndrich, M., M. Aiken, C. Hawblitzel, O. Hodson, G. C. Hunt, J. R. Machine context management, Proc. 20th Int’l Conf. Theorem Prov Larus, S. Levi, Language support for fast and reliable message-based ing in Higher Order Logics, TPHOLS 2007, Sep. 10-13, 2007, pp. communication in singularity OS, Proc. of the 2006 EuroSys Conf. 189-206, vol. 4732, Springer, Kaiserslautern, Germany. Apr. 18-21, 2006, pp. 177-190, Leuven, Belgium. Petersen, L., R. Harper, K. Crary, F. Pfenning. A type theory for Feng, X. Z. Shao, Y. Guo, Y. Dong, Certifying low-level programs memory allocation and data layout, The 30th SIGPLAN-SIGACT with hardware interrupts and preemptive threads, J. Autom. Reason Symposium on Principles of Programming Languages, Jan. 15-17, ing, Apr. 2009, vol. 42, No. 2-4, pp. 301-347. 2003, pp. 172-184, New Orleans, Louisisana, USA. Feng, X. Z. Shao, Y. Dong, Y. Guo, Certifying low-level programs Tillman, N., Pex now a DevLabs project, Nikolai Tillman's Blog, with hardware interrupts and preemptive threads, Proc. of the ACM retrieved from http://blogs.msdn.com/nikolait, May 21, 2008, pp. SIGPLAN 2008 Conf. on Programming Language Design and 1-14. Implementation, PLDI 2008, Jun. 7-13, 2008, pp. 170-182, Tucson, Vechev, M. T. E. Yahav, D. F. Bacon, N. Rinetzky, CGCExplorer: A AZ, USA. semi-automated search procedure for provably correct concurrent Feng, X. Z. Shao, Modular verification of concurrent assembly code collectors, Proc. pf the ACM SIGPLAN 2007 Conf. on Programming with dynamic thread creation and termination, Proc. of the 10th ACM Language Design and Implementation, PLDI2007, Jun. 11-13, 2007, SIGPLAN Int’l Conf. on Functional Programming, ICFP2005, Sep. pp. 456-467, San Diego, California, USA.
Recommended publications
  • Autogr: Automated Geo-Replication with Fast System Performance and Preserved Application Semantics
    AutoGR: Automated Geo-Replication with Fast System Performance and Preserved Application Semantics Jiawei Wang1, Cheng Li1,4, Kai Ma1, Jingze Huo1, Feng Yan2, Xinyu Feng3, Yinlong Xu1,4 1University of Science and Technology of China 2University of Nevada, Reno 3State Key Laboratory for Novel Software Technology, Nanjing University 4Anhui Province Key Laboratory of High Performance Computing [email protected],{chengli7,ylxu}@ustc.edu.cn,{ksqsf,jzfire}@mail.ustc.edu.cn,[email protected],[email protected] ABSTRACT static runtime Geo-replication is essential for providing low latency response AP AP and quality Internet services. However, designing fast and correct Analyzer Code App ( Rigi ) geo-replicated services is challenging due to the complex trade-off US EU US EU between performance and consistency semantics in optimizing the expensive cross-site coordination. State-of-the-art solutions rely Restrictions on programmers to derive sufficient application-specific invariants Cross-site Causally Consistent Schema Coordination and code specifications, which is both time-consuming and error- Database Service Geo-Replicated Store prone. In this paper, we propose an end-to-end geo-replication APP Servers deployment framework AutoGR (AUTOmated Geo-Replication) to free programmers from such label-intensive tasks. AutoGR en- Figure 1: An overview of the proposed end-to-end AutoGR ables the geo-replication features for non-replicated, serializable solution. AP, US, and EU stand for data centers in Singapore, applications in an automated way with optimized performance and Oregon, and Frankfurt, respectively. The runtime library is correct application semantics. Driven by a novel static analyzer Rigi, co-located with Server, omitted from the graph.
    [Show full text]
  • Functional SMT Solving: a New Interface for Programmers
    Functional SMT solving: A new interface for programmers A thesis submitted in Partial Fulfillment of the Requirements for the Degree of Master of Technology by Siddharth Agarwal to the DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING INDIAN INSTITUTE OF TECHNOLOGY KANPUR June, 2012 v ABSTRACT Name of student: Siddharth Agarwal Roll no: Y7027429 Degree for which submitted: Master of Technology Department: Computer Science & Engineering Thesis title: Functional SMT solving: A new interface for programmers Name of Thesis Supervisor: Prof Amey Karkare Month and year of thesis submission: June, 2012 Satisfiability Modulo Theories (SMT) solvers are powerful tools that can quickly solve complex constraints involving booleans, integers, first-order logic predicates, lists, and other data types. They have a vast number of potential applications, from constraint solving to program analysis and verification. However, they are so complex to use that their power is inaccessible to all but experts in the field. We present an attempt to make using SMT solvers simpler by integrating the Z3 solver into a host language, Racket. Our system defines a programmer’s interface in Racket that makes it easy to harness the power of Z3 to discover solutions to logical constraints. The interface, although in Racket, retains the structure and brevity of the SMT-LIB format. We demonstrate this using a range of examples, from simple constraint solving to verifying recursive functions, all in a few lines of code. To my grandfather Acknowledgements This project would have never have even been started had it not been for my thesis advisor Dr Amey Karkare’s help and guidance. Right from the time we were looking for ideas to when we finally had a concrete proposal in hand, his support has been invaluable.
    [Show full text]
  • Approximations and Abstractions for Reasoning About Machine Arithmetic
    IT Licentiate theses 2016-010 Approximations and Abstractions for Reasoning about Machine Arithmetic ALEKSANDAR ZELJIC´ UPPSALA UNIVERSITY Department of Information Technology Approximations and Abstractions for Reasoning about Machine Arithmetic Aleksandar Zeljic´ [email protected] October 2016 Division of Computer Systems Department of Information Technology Uppsala University Box 337 SE-751 05 Uppsala Sweden http://www.it.uu.se/ Dissertation for the degree of Licentiate of Philosophy in Computer Science c Aleksandar Zeljic´ 2016 ISSN 1404-5117 Printed by the Department of Information Technology, Uppsala University, Sweden Abstract Safety-critical systems rely on various forms of machine arithmetic to perform their tasks: integer arithmetic, fixed-point arithmetic or floating-point arithmetic. Machine arithmetic can exhibit subtle dif- ferences in behavior compared to the ideal mathematical arithmetic, due to fixed-size of representation in memory. Failure of safety-critical systems is unacceptable, because it can cost lives or huge amounts of money, time and e↵ort. To prevent such incidents, we want to form- ally prove that systems satisfy certain safety properties, or otherwise discover cases when the properties are violated. However, for this we need to be able to formally reason about machine arithmetic. The main problem with existing approaches is their inability to scale well with the increasing complexity of systems and their properties. In this thesis, we explore two alternatives to bit-blasting, the core procedure lying behind many common approaches to reasoning about machine arithmetic. In the first approach, we present a general approximation framework which we apply to solve constraints over floating-point arithmetic. It is built on top of an existing decision procedure, e.g., bit-blasting.
    [Show full text]
  • Automated Theorem Proving
    CS 520 Theory and Practice of Software Engineering Spring 2021 Automated theorem proving April 22, 2020 Upcoming assignments • Week 12 Par4cipaon Ques4onnaire will be about Automated Theorem Proving • Final project deliverables are due Tuesday May 11, 11:59 PM (just before midnight) Programs are known to be error-prone • Capture complex aspects such as: • Threads and synchronizaon (e.g., Java locks) • Dynamically heap allocated structured data types (e.g., Java classes) • Dynamically stack allocated procedures (e.g., Java methods) • Non-determinism (e.g., Java HashSet) • Many input/output pairs • Challenging to reason about all possible behaviors of these programs Programs are known to be error-prone • Capture complex aspects such as: • Threads and synchronizaon (e.g., Java locks) • Dynamically heap allocated structured data types (e.g., Java classes) • Dynamically stack allocated procedures (e.g., Java methods) • Non-determinism (e.g., Java HashSet) • Many input/output pairs • Challenging to reason about all possible behaviors of these programs Overview of theorem provers Key idea: Constraint sa4sfac4on problem Take as input: • a program modeled in first-order logic (i.e. a set of boolean formulae) • a queson about that program also modeled in first-order logic (i.e. addi4onal boolean formulae) Overview of theorem provers Use formal reasoning (e.g., decision procedures) to produce as output one of the following: • sasfiable: For some input/output pairs (i.e. variable assignments), the program does sasfy the queson • unsasfiable: For all
    [Show full text]
  • Learning-Aided Program Synthesis and Verification
    LEARNING-AIDED PROGRAM SYNTHESIS AND VERIFICATION Xujie Si A DISSERTATION in Computer and Information Science Presented to the Faculties of the University of Pennsylvania in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy 2020 Supervisor of Dissertation Mayur Naik, Professor, Computer and Information Science Graduate Group Chairperson Mayur Naik, Professor, Computer and Information Science Dissertation Committee: Rajeev Alur, Zisman Family Professor of Computer and Information Science Osbert Bastani, Research Assistant Professor of Computer and Information Science Steve Zdancewic, Professor of Computer and Information Science Le Song, Associate Professor in College of Computing, Georgia Institute of Technology LEARNING-AIDED PROGRAM SYNTHESIS AND VERIFICATION COPYRIGHT 2020 Xujie Si Licensed under a Creative Commons Attribution 4.0 License. To view a copy of this license, visit: http://creativecommons.org/licenses/by/4.0/ Dedicated to my parents and brothers. iii ACKNOWLEDGEMENTS First and foremost, I would like to thank my advisor, Mayur Naik, for providing a constant source of wisdom, guidance, and support over the six years of my Ph.D. journey. Were it not for his mentorship, I would not be here today. My thesis committee consisted of Rajeev Alur, Osbert Bastani, Steve Zdancewic, and Le Song: I thank them for the careful reading of this document and suggestions for improvement. In addition to providing valuable feedback on this dissertation, they have also provided extremely helpful advice over the years on research, com- munication, networking, and career planning. I would like to thank all my collaborators, particularly Hanjun Dai, Mukund Raghothaman, and Xin Zhang, with whom I have had numerous fruitful discus- sions, which finally lead to this thesis.
    [Show full text]
  • Faster and Better Simple Temporal Problems
    PRELIMINARY VERSION: DO NOT CITE The AAAI Digital Library will contain the published version some time after the conference Faster and Better Simple Temporal Problems Dario Ostuni1, Alice Raffaele2, Romeo Rizzi1, Matteo Zavatteri1* 1University of Verona, Department of Computer Science, Strada Le Grazie 15, 37134 Verona (Italy) 2University of Trento, Department of Mathematics, Via Sommarive 14, 38123 Povo (Italy) fdario.ostuni, romeo.rizzi, [email protected], [email protected] Abstract satisfied? TCSP is NP-complete (Dechter, Meiri, and Pearl 1991). In this paper we give a structural characterization and ex- tend the tractability frontier of the Simple Temporal Problem The Simple Temporal Problem (STP) is the fragment of (STP) by defining the class of the Extended Simple Temporal TCSP whose set of constraints consists of atoms of the form Problem (ESTP), which augments STP with strict inequal- y − x 2 [`; u] only. Historically, STP allows for two rep- ities and monotone Boolean formulae on inequations (i.e., resentations: the interval based one (as we just discussed formulae involving the operations of conjunction, disjunction above) or a set of inequalities y − x ≤ k where x; y are and parenthesization). A polynomial-time algorithm is pro- variables and k 2 R. While these are equivalent (y − x ≤ k vided to solve ESTP, faster than previous state-of-the-art al- can be written as y − x 2 [−∞; k]), the second represen- gorithms for other extensions of STP that had been consid- tation is more elementary as y − x 2 [`; u] amounts to ered in the literature, all encompassed by ESTP.
    [Show full text]
  • Principles of Security and Trust
    Flemming Nielson David Sands (Eds.) Principles of Security LNCS 11426 ARCoSS and Trust 8th International Conference, POST 2019 Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019 Prague, Czech Republic, April 6–11, 2019, Proceedings Lecture Notes in Computer Science 11426 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board Members David Hutchison, UK Takeo Kanade, USA Josef Kittler, UK Jon M. Kleinberg, USA Friedemann Mattern, Switzerland John C. Mitchell, USA Moni Naor, Israel C. Pandu Rangan, India Bernhard Steffen, Germany Demetri Terzopoulos, USA Doug Tygar, USA Advanced Research in Computing and Software Science Subline of Lecture Notes in Computer Science Subline Series Editors Giorgio Ausiello, University of Rome ‘La Sapienza’, Italy Vladimiro Sassone, University of Southampton, UK Subline Advisory Board Susanne Albers, TU Munich, Germany Benjamin C. Pierce, University of Pennsylvania, USA Bernhard Steffen, University of Dortmund, Germany Deng Xiaotie, Peking University, Beijing, China Jeannette M. Wing, Microsoft Research, Redmond, WA, USA More information about this series at http://www.springer.com/series/7410 Flemming Nielson • David Sands (Eds.) Principles of Security and Trust 8th International Conference, POST 2019 Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019 Prague, Czech Republic, April 6–11, 2019 Proceedings Editors Flemming Nielson David Sands Technical University of Denmark Chalmers University of Technology Kongens Lyngby, Denmark Gothenburg, Sweden ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-030-17137-7 ISBN 978-3-030-17138-4 (eBook) https://doi.org/10.1007/978-3-030-17138-4 Library of Congress Control Number: 2019936300 LNCS Sublibrary: SL4 – Security and Cryptology © The Editor(s) (if applicable) and The Author(s) 2019.
    [Show full text]
  • LNCS 8141 Molecular Programming 19Th International Conference, DNA 19 Tempe, AZ, USA, September 2013 Proceedings
    David Soloveichik Bernard Yurke (Eds.) DNA Computing and LNCS 8141 Molecular Programming 19th International Conference, DNA 19 Tempe, AZ, USA, September 2013 Proceedings 123 Lecture Notes in Computer Science 8141 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbruecken, Germany David Soloveichik Bernard Yurke (Eds.) DNA Computing and Molecular Programming 19th International Conference, DNA 19 Tempe, AZ, USA, September 22-27, 2013 Proceedings 13 Volume Editors David Soloveichik University of California, San Francisco Center for Systems and Synthetic Biology 1700 4th Street San Francisco, CA 94158, USA E-mail: [email protected] Bernard Yurke Boise State University
    [Show full text]
  • Applied Type System: an Approach to Practical Programming with Theorem-Proving
    ZU064-05-FPR main 15 January 2016 12:51 Under consideration for publication in J. Functional Programming 1 Applied Type System: An Approach to Practical Programming with Theorem-Proving Hongwei Xi∗ Boston University, Boston, MA 02215, USA (e-mail: [email protected]) Abstract The framework Pure Type System (PTS) offers a simple and general approach to designing and formalizing type systems. However, in the presence of dependent types, there often exist certain acute problems that make it difficult for PTS to directly accommodate many common realistic programming features such as general recursion, recursive types, effects (e.g., exceptions, refer- ences, input/output), etc. In this paper, Applied Type System (ATS) is presented as a framework for designing and formalizing type systems in support of practical programming with advanced types (including dependent types). In particular, it is demonstrated that ATS can readily accommodate a paradigm referred to as programming with theorem-proving (PwTP) in which programs and proofs are constructed in a syntactically intertwined manner, yielding a practical approach to internalizing constraint-solving needed during type-checking. The key salient feature of ATS lies in a complete separation between statics, where types are formed and reasoned about, and dynamics, where pro- grams are constructed and evaluated. With this separation, it is no longer possible for a program to occur in a type as is otherwise allowed in PTS. The paper contains not only a formal development of ATS but also some examples taken from ATS, a programming language with a type system rooted in ATS, in support of using ATS as a framework to form type systems for practical programming.
    [Show full text]
  • Homework: Verification
    Homework: Verification The goal of this assignment is to build a simple program verifier. The support code includes a parser and abstract syntax for a simple language of imperative commands, which should be the input language of your verifier. You will write a function to calculate weakest preconditions and verify that user-written assertions and loop invariants are correct using the Z3 Theorem Prover. 1 Restrictions None. 2 Setup To do this assignment, you will need a copy of the Z3 Theorem Prover: https://github.com/Z3Prover/z3/releases The packages on the website include Z3 bindings for several languages. However, you will only need the z3 executable. (In particular, you do not need the OCaml bindings for Z3.) We’ve written an OCaml library that let’s you interface with Z3 that you can install using OPAM: opam install ocaml-z3 3 Requirements Write a program that takes one argument: verif.d.byte program The argument program should be the name of a file that contains a program written using the grammer in fig. 23.1. Your verifier should verify that the pre- and post- conditions of the program (i.e., the predicates prefixed by requires and ensures) are valid and terminate with exit code 0. If the are invalid, your verifier should terminate with a non-zero exit code. Feel free to output whatever you need on standard in / standard error to help you debug and understand your verifier. 4 Support Code The module Imp defines the abstract syntax of the language shown in fig. 23.1 and includes functions to parse programs in the language.
    [Show full text]
  • COIN Attacks: on Insecurity of Enclave Untrusted Interfaces In
    Session 11A: Enclaves and memory security — Who will guard the guards? COIN Attacks: On Insecurity of Enclave Untrusted Interfaces in SGX Mustakimur Rahman Khandaker Yueqiang Cheng [email protected] [email protected] Florida State University Baidu Security Zhi Wang Tao Wei [email protected] [email protected] Florida State University Baidu Security Abstract Keywords. Intel SGX; enclave; vulnerability detection Intel SGX is a hardware-based trusted execution environ- ACM Reference Format: ment (TEE), which enables an application to compute on Mustakimur Rahman Khandaker, Yueqiang Cheng , Zhi Wang, confidential data in a secure enclave. SGX assumes apow- and Tao Wei. 2020. COIN Attacks: On Insecurity of Enclave Un- erful threat model, in which only the CPU itself is trusted; trusted Interfaces in SGX. In Proceedings of the Twenty-Fifth In- anything else is untrusted, including the memory, firmware, ternational Conference on Architectural Support for Programming system software, etc. An enclave interacts with its host ap- Languages and Operating Systems (ASPLOS ’20), March 16–20, 2020, Lausanne, Switzerland. ACM, New York, NY, USA, 15 pages. https: plication through an exposed, enclave-specific, (usually) bi- //doi.org/10.1145/3373376.3378486 directional interface. This interface is the main attack surface of the enclave. The attacker can invoke the interface in any 1 Introduction order and inputs. It is thus imperative to secure it through careful design and defensive programming. Intel Software Guard Extensions (SGX) introduces a set of In this work, we systematically analyze the attack models ISA extensions to enable a trusted execution environment, against the enclave untrusted interfaces and summarized called enclave, for security-sensitive computations in user- them into the COIN attacks – Concurrent, Order, Inputs, and space processes.
    [Show full text]
  • Gray-Box Monitoring of Hyperproperties?
    Gray-box Monitoring of Hyperproperties? Sandro Stucki1[0000−0001−5608−8273], César Sánchez2[0000−0003−3927−4773], Gerardo Schneider1[0000−0003−0629−6853], and Borzoo Bonakdarpour3[0000−0003−1800−5419] 1 University of Gothenburg, Sweden, [email protected],[email protected] 2 IMDEA Software Institute, Spain, [email protected] 3 Iowa State University, USA, [email protected] Abstract. Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as Hyper- LTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general unfeasible, and suggest a gray-box approach. Gray-box monitoring implies performing analysis of the system at run-time, which brings new limitations to monitorabiliy (the feasibility of solving the monitoring problem). Thus, as another contribution of this paper, we refine the classic notions of monitorability, both for trace prop- erties and hyperproperties, taking into account the computability of the monitor. We then apply our approach to monitor a privacy hyperproperty called distributed data minimality, expressed as a HyperLTL property, by using an SMT-based static verifier at runtime. 1 Introduction Consider a confidentiality policy ' that requires that every pair of separate executions of a system agree on the position of occurrences of some proposition a. Otherwise, an external observer may learn some sensitive information about the system. We are interested in studying how to build runtime monitors for properties like ', where the monitor receives independent executions of the system under scrutiny and intend to determine whether or not the system satisfies the property.
    [Show full text]