Calculational Design of a Static Dependency Analysis

2019 Mooly Fest April 6th, 2019 — ETAPS, Prague, Czech Republic

Calculational design of a static dependency analysis

Patrick Cousot New York University, Courant Institute of Mathematics, Computer Science [email protected] cs.nyu.edu/~pcousot

“Calculational design of, a static dependency analysis” – 1/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019

...... Motivation

...... “Calculational design of, a static dependency analysis” – 2/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency Dependency is prevalent in computer science: • Non-interference (confidentiality, integrity) • Security, privacy • Slicing • Temporal dependencies in synchronous languages (Lustre, Signal, etc.) • etc. The existing definitions • are postulated a priori (par exemple Cheney, Ahmed, and Acar, 2011; D. E. Denning and P. J. Denning, 1977), • without semantics justifications (except Assaf, Naumann, Signoles, Totel, and Tronel, 2017 (“hyper-collecting semantics”), Urban and Müller, 2018 on program exit uniquely) We are interested in principles, in soundness proofs, not so much in a new more powerful dependency analysis...... “Calculational design of, a static dependency analysis” – 3/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Structural fixpoint trace semantics

...... “Calculational design of, a static dependency analysis” – 4/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Program syntax

• C statements limited to integers, assignments, statement lits, conditionals, iterations • Programs are labelled to designate program points • atJSK: entry program point of S starts; • afterJSK: normal exit program point of S; • inJSK: reachable program points of S (excluding afterJSK); • break-toJSK: breaking point when S contains a break; to exit a loop (then escapeJSK = tt);

...... “Calculational design of, a static dependency analysis” – 5/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Execution traces

• Program:

ℓ1 x = 0 ; while ℓ2 (tt) { ℓ3 x = x+1 ;} ℓ4

x = 0 = 0 tt x = x + 1 = 1 tt • Infinite execution trace: ℓ1 −−−−−−−−−−−−−−−→ ℓ2 −−−−→ ℓ3 −−−−−−−−−−−−−−−−−−−−−→ ℓ2 −−−−→ ℓ3 x = x + 1 = 2 tt x = x + 1 = 푛 tt x = x + 1 = 푛 + 1 −−−−−−−−−−−−−−−−−−−−−→ ℓ2 …ℓ2 −−−−→ ℓ3 −−−−−−−−−−−−−−−−−−−−−→ ℓ2 −−−−→ ℓ3 −−−−−−−−−−−−−−−−−−−−−−−−−−→ ℓ2 …

• Trace: finite or infinite sequence of program points separated by action (x = A = value, B, ¬B, et break ;)

...... “Calculational design of, a static dependency analysis” – 6/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Value of a variable (and an expression)

• The value of a variable x along a trace 휋 is the last assigned value (or 0 at initialization).

x = E = 푣 흔(휋ℓ −−−−−−−−−−−−−−−→ ℓ′)x ≜ 푣 … 흔(휋ℓ −−−−−−→ ℓ′)x ≜ 흔(휋ℓ) otherwise 흔(ℓ)x ≜ 0

• Value of an arithmetic expression

퓐J1K휌 ≜ 1 퓐JxK휌 ≜ 휌(x) J K J K J K 퓐 A1 - A2 휌 ≜ 퓐 A1 휌 − 퓐 A2 휌

• Same for boolean expressions...... “Calculational design of, a static dependency analysis” – 7/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Structural fixpoint prefix/maximal trace semantics 퓢̂ ∗JSK

• The prefix trace semantics 퓢̂ ∗JSK is a relation between J K J K • an initialization trace 휋0at S arriving at S , and • the prefix execution traces atJSK휋 continuing this initialization by zero or more execution steps • The maximal trace semantics 퓢̂ +∞JSK collects the maximal finite traces and the infinite traces obtained as limits of their prefixes.

...... “Calculational design of, a static dependency analysis” – 8/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Structural fixpoint definition of the prefix trace semantics (I)

• Assignment S ∶∶= ℓ x = A ; (where atJSK = ℓ)

퓢∗JSK ≜ {⟨휋ℓ, ℓ⟩ ∣ 휋ℓ ∈ 핋+} ∪ x = A = 휈 {⟨휋ℓ, ℓ −−−−−−−−−−−−−−−−→ afterJSK⟩ ∣ 휋ℓ ∈ 핋+ ∧ 휈 = 퓐JAK흔(휋ℓ)}

...... “Calculational design of, a static dependency analysis” – 9/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Structural fixpoint definition of the prefix trace semantics (II)

ℓ J K ℓ • Iteration S ∶∶= while (B) S푏 (where at S = ):

퓢∗JSK = lfp⊆ 퓕∗JSK

∗J ℓ K ℓ′ ℓ′ ℓ′ + ℓ′ ℓ 퓕 while (B) S푏 (푋) ≜ {⟨휋1 , ⟩ | 휋1 ∈ 핋 ∧ = } (a) ¬(B) ℓ′ ℓ′ ℓ′ J K ℓ′ ℓ′ ℓ′ ∪ {⟨휋1 , 휋2 −−−−−−−−−→ after S ⟩ | ⟨휋1 , 휋2 ⟩ ∈ 푋 ∧ J K ℓ′ ℓ′ ℓ′ ℓ 퓑 B 흔(휋1 휋2 ) = ff ∧ = } (b) B ℓ′ ℓ′ ℓ′ J K ⌢ ℓ′ ℓ′ ℓ′ ∪ {⟨휋1 , 휋2 −−−−→ at S푏 ⋅ 휋3⟩ | ⟨휋1 , 휋2 ⟩ ∈ 푋 ∧ B J K ℓ′ ℓ′ ℓ′ ℓ′ J K ∗J K ℓ′ ℓ 퓑 B 흔(휋1 휋2 ) = tt ∧ ⟨휋1 휋2 −−−−→at S푏 , 휋3⟩ ∈ 퓢 S푏 ∧ = } (c)

A definition of the form 푑(푥)⃗ ≜ {푓(푥′)⃗ ∣ 푃(푥′,⃗ 푥)}⃗ has the variables 푥′⃗ in 푃(푥′,⃗ 푥)⃗ bound to those of 푓(푥′)⃗ whereas 푥⃗ is free in 푃(푥′,⃗ 푥)⃗ since it appears neither in 푓(푥′)⃗ nor (by assumption) under quantifiers in 푃(푥′,⃗ 푥)⃗ . The 푥⃗ of 푃(푥′,⃗ 푥)⃗ is therefore bound to the 푥⃗ of 푑(푥)⃗ .

...... “Calculational design of, a static dependency analysis” – 10/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Properties

...... “Calculational design of, a static dependency analysis” – 11/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Property

• A property is represented by a set of elements (those elements which have the property) • Even intergers: 2Z ≜ {2푘 ∣ 푘 ∈ Z} • 푥 has property 푃 is 푥 ∈ 푃

• Implication is 푃1 ⊆ 푃2

...... “Calculational design of, a static dependency analysis” – 12/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Semantic property

• The prefix trace semantics belongs to ℘(핋+ × 핋+∞) • A semantics property belongs to ℘(℘(핋+ × 핋+∞)) • The abstraction

휆 푄 . ℘(푄) + +∞ + +∞ ⟨℘(℘(핋 × 핋 )), ⊆⟩ −−−−−−−−−−−−→⟶←−−−−−−−−−−−−−− ⟨℘(핋 × 핋 ), ⊆⟩ 휆 푃 . ∪푃 provides trace properties (e.g.safety, liveness, etc.)

...... “Calculational design of, a static dependency analysis” – 13/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency, informally

...... “Calculational design of, a static dependency analysis” – 14/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency, informally

ℓ • At program point , the variable y depends upon the initial value 푥0 of variable x iff

changing only 푥0 will change the non-empty sequences of values 푦0, 푦1,… of y observed at ℓ whenever control reaches ℓ

• Example: ℓ0 if (x=0) { y=x; ℓ1} ℓ2

• y does not depend on x neither at ℓ0 nor at ℓ1

• y depends on x at ℓ2 • No need to distinguish between explicit and implicit dependencies • Absence of observation is not an observation • No timing channels

...... “Calculational design of, a static dependency analysis” – 15/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency, formally

...... “Calculational design of, a static dependency analysis” – 16/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Observation of the sequence of values of a variable at a program point

+ • non-empty initialization trace 휋0 ∈ 핋 • non-empty continuation trace 휋 ∈ 핋+∞ J Kℓ ℓ • seqval y (휋0, 휋) is the sequence of values of the variable y at program point along the trace 휋 continuing 휋0

J Kℓ ℓ seqval y (휋0, ) ≜ 흔(휋0)y J Kℓ ℓ′ seqval y (휋0, ) ≜ ϶ 푎 푎 J Kℓ ℓ ℓ″ J Kℓ ⌢ ℓ ℓ″ ℓ″ seqval y (휋0, −−−−→ 휋) ≜ 흔(휋0)y ⋅ seqval y (휋0 ⋅ −−−−→ , 휋) 푎 푎 J Kℓ ℓ′ ℓ″ J Kℓ ⌢ ℓ′ ℓ″ ℓ″ seqval y (휋0, −−−−→ 휋) ≜ seqval y (휋0 ⋅ −−−−→ , 휋)

J Kℓ ℓ • seqval y (휋0, 휋) is the empty sequence ϶ if never appears in 휋

(co-inductive definition for infinite traces).

...... “Calculational design of, a static dependency analysis” – 17/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Difference between sequences of values 휔 and 휔′

• Sequences that differ may have a common prefix but must eventually havea different value at some position in the sequences.

diff(휔, 휔′) ≜ ∃휔0, 휔1, 휔′1, 휈, 휈′ . 휔 = 휔0 ⋅ 휈 ⋅ 휔1 ∧ 휔′ = 휔0 ⋅ 휈′ ⋅ 휔′1 ∧ 휈 ≠ 휈′

...... “Calculational design of, a static dependency analysis” – 18/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency, formally

• Dependency property:

ℓ + +∞ 풟diff ⟨x, y⟩ ≜ {Π ∈ ℘(핋 × 핋 ) ∣ ∃⟨휋0, 휋1⟩, ⟨휋′0, 휋′1⟩ ∈ Π . (∀z ∈ V ⧵ {x}. 흔(휋0)z = 흔(휋′0)z) ∧ J Kℓ J Kℓ diff(seqval y (휋0, 휋1), seqval y (휋′0, 휋′1))}

• y depends on the initial value of x at program point ℓ in program P is:

̂ +∞J K 퓢 P ∈ 풟diff ℓ⟨x, y⟩

• Lemma

̂ +∞J K ̂ ∗J K 퓢 P ∈ 풟diff ℓ⟨x, y⟩ ⇔ 퓢 P ∈ 풟diff ℓ⟨x, y⟩

...... “Calculational design of, a static dependency analysis” – 19/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Value dependency abstraction

...... “Calculational design of, a static dependency analysis” – 20/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Abstraction en dépendance de données

• The abstraction of a semantic property S ∈ ℘(℘(핋+ × 핋+∞)) into a value dependency property 훼ᶁ(S) ∈ L → ℘(V × V ) is:

ᶁ 훼 (S)ℓ ≜ {⟨x, y⟩ ∣ S ∈ 풟diff ℓ⟨x, y⟩}

• This is a Galois connection: 훾ᶁ + +∞ ᶁ Lemma 1 ⟨℘(℘(핋 × 핋 )), ⊆⟩ −−−−−→←−−−−− ⟨L → ℘(V × V ), ⊇ ⟩ where the concretization 훼ᶁ of a dependency property 퐃 ∈ L → ℘(V × V ) is:

ᶁ 훾 (퐃) ≜ ⋂ ⋂ 풟diff ℓ⟨x, y⟩ ℓ∈L ⟨x, y⟩∈퐃(ℓ)

(the more semantics, the less common dependencies) ...... “Calculational design of, a static dependency analysis” – 21/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Static dependency analysis

...... “Calculational design of, a static dependency analysis” – 22/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Potential dependency

• 훼ᶁ({퓢∗JSK}) is not computable (Rice theorem) • We design an over-approximation:

̂ diff Abstract potential dependency semantics 퓢 ∃ :

ᶁ +∞J K ̂ diffJ K 훼 ({퓢 S }) ⊆̇ 퓢 ∃ S

• The abstraction in D. E. Denning and P. J. Denning, 1977 is purely syntactic; • We do a little better by taking the semantics is a simple way.

...... “Calculational design of, a static dependency analysis” – 23/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Calculation design

̂ diffJ K • 퓢 ∃ S is designed by calculus (in principle can be checked in Coq as Jourdan, Laporte, Blazy, Leroy, and Pichardie, 2015); • By structural induction on the program syntax; • By fixpoint approximation for iteration:

Theorem (fixpoint over-approximation) If ⟨C, ⊑, ⊥, ⊤, ⊔, ⊓⟩ and ⟨A, ≼, 0, 1, ⋎, 훾 ⋏⟩ are complete lattices, ⟨C, ⊑⟩ ←−−−− ⟨A, ≼⟩ is a Galois connection, 푓 ∈ C ⟶↗ C and −−−−→훼 푓 ∈ A ⟶↗ A are monotonally increasing and 훼 ∘ 푓 ≼̇ 푓 ∘ 훼 (semi-commutation) then lfp⊑ 푓 ⊑ 훾(lfp≼ 푓). • Finite domain, no need for widening

...... “Calculational design of, a static dependency analysis” – 24/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Abstract potential dependency semantics of assignment S ∶∶= x = A ;

̂ diffJ K ℓ ℓ J K 퓢 ∃ S = ( = at S ? {⟨y, y⟩ ∣ y ∈ V } ℓ J K ̂ diffJ K | = after S ? {⟨y, x⟩ ∣ y ∈ 퓢 ∃ A } ∪ {⟨y, y⟩ ∣ y ≠ x} : ∅ ) ̂ diffJ K J K J K 퓢 ∃ A ≜ {y ∣ ∃휌 ∈ Ev . ∃휈 ∈ 핍 . 퓔 A 휌 ≠ 퓔 A 휌[y ← 휈]}

̂ diffJ K ̂ diffJ K ̂ diffJ K J K J K 퓢 ∃ 1 ≜ ∅ 퓢 ∃ x ≜ {x} 퓢 ∃ A1 -A2 ≜ {y ∈ 핧핒핣핤 A1 ∪ 핧핒핣핤 A2 ∣ A1 ≠ A2} ̂ diffJ K J K 퓢 ∃ A ⊆ 핧핒핣핤 A Examples: • after x = y - y ;, x does not depends on y. • after x = y ; x = y - x ;, x depends on the initial value of x and y (to be more precise information of values of variables must be kept such as y - x = 0 by symbolic constant analysis) ...... “Calculational design of, a static dependency analysis” – 25/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Proof I The case ℓ = atJSK was handled in (44.39). Assume ℓ = afterJSK. 훼ᶁ({퓢+∞JSK}) afterJSK = 훼ᶁ({퓢+JSK}) afterJSK Hdef. (7.6) of 퓢+∞JSK since the assignment S has only finite prefix tracesI +J K J K H ᶁ I = {⟨x′, y⟩ ∣ 퓢 S ∈ 풟diff (after S )⟨x′, y⟩} def. (44.23) of 훼 and def. ⊆ +J K = {⟨x′, y⟩ ∣ ∃⟨휋0, 휋1⟩, ⟨휋′0, 휋′1⟩ ∈ 퓢 S . (∀z ∈ V ⧵ {x′} . 흔(휋0)z = 흔(휋′0)z) ∧ J K J K J K J K H ℓ I diff(seqval y (at S )(휋0, 휋1), seqval y (at S )(휋′0, 휋′1))} def. (44.18) of 풟diff ⟨x′, y⟩ x=퓔JAK흔(휋atJSK) J K J K J K J K + = {⟨x′, y⟩ ∣ ∃⟨휋0, 휋1⟩, ⟨휋′0, 휋′1⟩ ∈ {⟨휋at S , at S −−−−−−−−−−−−−−−−−−−−−→ after S ⟩ ∣ 휋at S ∈ 핋 } . (∀z ∈ V ⧵ {x′} . 흔(휋0)z = J K J K J K J K 흔(휋′0)z) ∧ diff(seqval y (at S )(휋0, 휋1), seqval y (at S )(휋′0, 휋′1))} Hdef. maximal finite trace semantics in Section 6.4 and (6.13)I x=퓔JAK흔(휋 atJSK) x=퓔JAK흔(휋′ atJSK) J K J K 0 J K J K J K 0 J K = {⟨x′, y⟩ ∣ ∃⟨휋0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩, ⟨휋′0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩ . (∀z ∈ x=퓔JAK흔(휋 atJSK) J K J K J K J K J K 0 J K J K V ⧵ {x′} . 흔(휋0at S )z = 흔(휋′0at S )z) ∧ diff(seqval y after S (휋0at S −−−−−−−−−−−−−−−−−−−−−−→ after S , after S ), x=퓔JAK흔(휋′ atJSK) J K J K J K 0 J K J K H I seqval y after S (휋′0at S −−−−−−−−−−−−−−−−−−−−−−→ after S , after S ))} def. ∈

x=퓔JAK흔(휋 atJSK) x=퓔JAK흔(휋′ atJSK) J K J K 0 J K J K J K 0 J K = {⟨x′, y⟩ ∣ ∃⟨휋0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩, ⟨휋′0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩ . (∀z ∈ V ⧵ x=퓔JAK흔(휋 atJSK) J K J K J K J K 0 J K J K {x′} . 흔(휋0at S )z = 흔(휋′0at S )z) ∧ diff(흔(휋0at S )y ⋅ 흔(휋0at S −−−−−−−−−−−−−−−−−−−−−−→ after S )y, 흔(휋′0at S )y ⋅ x=퓔JAK흔(휋′ atJSK) J K 0 J K H J KI 흔(휋′0at S −−−−−−−−−−−−−−−−−−−−−−→ after S )y)} def. (44.15) of seqval y

...... “Calculational design of, a static dependency analysis” – 26/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Proof II

x=퓔JAK흔(휋 atJSK) x=퓔JAK흔(휋′ atJSK) J K J K 0 J K J K J K 0 J K ⊆ {⟨x′, y⟩ ∣ ∃⟨휋0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩, ⟨휋′0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩ . (∀z ∈ J K J K J K J K J K J K V ⧵ {x′} . 흔(휋0at S )z = 흔(휋′0at S )z) ∧ ((흔(휋0at S )y ≠ 흔(휋′0at S )y⋅) ∨ (흔(휋0at S )y = 흔(휋′0at S )y⋅) ∧ x=퓔JAK흔(휋 atJSK) x=퓔JAK흔(휋′ atJSK) J K 0 J K J K 0 J K H 흔(휋0at S −−−−−−−−−−−−−−−−−−−−−−→ after S )y ≠ 흔(휋′0at S −−−−−−−−−−−−−−−−−−−−−−→ after S )y))} (44.17) so that diff(푎 ⋅ 푏, 푐 ⋅ 푑) if and only if (1) 푎 ≠ 푐 or (2) 푎 = 푐 ∧ 푏 ≠ 푑.I

x=퓔JAK흔(휋 atJSK) x=퓔JAK흔(휋′ atJSK) J K J K 0 J K J K J K 0 J K ⊆ {⟨x′, y⟩ ∣ ∃⟨휋0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩, ⟨휋′0at S , at S −−−−−−−−−−−−−−−−−−−−−−→ after S ⟩ . (∀z ∈ V ⧵ {x′} . J K J K J K J K J K J K H I 흔(휋0at S )z = 흔(휋′0at S )z) ∧ ((y = x′) ∨ (y = x ∧ 퓔 A 흔(휋0at S ) ≠ 퓔 A 흔(휋′0at S )))} def. (6.3) of 흔

⊆ {⟨x′, y⟩ ∣ ((y = x′) ∨ (y = x ∧ ∃휌, 휈 . 퓔JAK휌 ≠ 퓔JAK휌[x′ ← 휈]))} H J K J K J K J K letting 휌 = 흔(휋0at S ) and 휈 = 흔(휋′0at S )(x′) so that ∀z ∈ V ⧵ {x′} . 흔(휋0at S )z = 흔(휋′0at S )z implies J K I that 흔(휋′0at S ) = 휌[x′ ← 휈]

⊆ {⟨x′, x′⟩ ∣ x′ ≠ x} ∪ {⟨x′, x⟩ ∣ ∃휌, 휈 . 퓔JAK휌 ≠ 퓔JAK휌[x′ ← 휈]} Hcase analysisI ̂ diffJ K = {⟨x′, x′⟩ ∣ x′ ≠ x} ∪ {⟨x′, x⟩ ∣ x′ ∈ 퓢 ∃ A } H ̂ diffJ K J K J K by defining the functional dependency of an expression A as 퓢 ∃ A ≜ {x′ ∣ ∃휌, 휈 . 퓔 A 휌 ≠ 퓔 A 휌[x′ ← 휈]}I

...... “Calculational design of, a static dependency analysis” – 27/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Abstract potential dependency semantics of the iteration ℓ S ∶∶= while (B) S푏

̂ diffJ K ℓ′ ⊆̇ ᶁJ ℓ K ℓ′ 퓢 ∃ S = (lfp 퓕 while (B) S푏 ) ᶁJ ℓ K ℓ′ 퓕 while (B) S푏 푋 = ℓ′ ℓ ℓ ℓ # ̂ diffJ K ℓ ( = ? 1V ∪ 푋( ) ∪ (푋( ) 퓢 ∃ S푏 ) ℓ′ J K J K J K ℓ′ ℓ # ̂ diffJ K ℓ′ | ∈ in S ∪ ( escape S ? {break-to S } : ∅ )? 푋( ) ∪ (푋( ) 퓢 ∃ S푏 ) ℓ′ J K ℓ J K J K | = after S ? 푋( ) ∪ {⟨x′, y⟩ ∣ x′ ∈ 핧핒핣핤 B ∧ y ∈ mod S푏 } : ∅ )

• Can be refined by taking test determinacy into account (e.g. after test x == 1, x can only have value 1 so nothing can depend on x afterwards).

...... “Calculational design of, a static dependency analysis” – 28/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 No structural compositionality

In the following statement, x and y at ℓ1 depend on x at ℓ0. /* 푥 = 푥0, 푦 = 푦0 */ ℓ0 y = x ; ℓ 1 /* 푥 = 푥0, 푦 = 푥0 */

In the following statement, x and y at ℓ2 depend on x at ℓ1. /* 푥 = 푥0, 푦 = 푦0 */ ℓ1 y = y-x ; ℓ 2 /* 푥 = 푥0, 푦 = 푦0 − 푥0 */ In the sequential composition of the two statements /* 푥 = 푥0, 푦 = 푦0 */ ℓ 0 y = x ; /* 푥 = 푥0, 푦 = 푥0 */ ℓ 1 y = y-x ; /* 푥 = 푥0, 푦 = 0 */ ℓ2

y at ℓ2 depends on x at ℓ1 which depends on x at ℓ0 so, by composition, y at ℓ2 depends

on x at ℓ0.

However, y = 0 at ℓ2 so y at ℓ2 does not depend on x at ℓ0...... “Calculational design of, a static dependency analysis” – 29/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Improving precision

• To improve prcision one must take values of variables into account; • Reduced product with a reachability analsyis (e.g. Cortesi, Ferrara, Halder, and Zanioli, 2018; Zanioli and Cortesi, 2011)

...... “Calculational design of, a static dependency analysis” – 30/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Conclusion

...... “Calculational design of, a static dependency analysis” – 31/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Dependency analysis is an abstract interrpetation

• No need for a generalized theory (as proposed by Assaf, Naumann, Signoles, Totel, and Tronel, 2017; Urban and Müller, 2018) • This includes further abstractions, dye analysis, taint analysis, etc. • Many possible variants (e.g. by changing diff to = we get timing channel dependency). • Data dependency analysis to detect parallelism in sequential codes Padua and Wolfe, 1986 is also an abstract interpretation Tzolovski, 1997, Tzolovski, 2002, Ch. 5.

...... “Calculational design of, a static dependency analysis” – 32/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 Bibliographie

...... “Calculational design of, a static dependency analysis” – 33/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 References I

Assaf, Mounir, David A. Naumann, Julien Signoles, Eric Totel, and Frédéric Tronel (2017). “Hypercollecting semantics and its application to static analysis of information flow”. In: POPL. ACM, pp. 874–887 (53, 3). Barthe, Gilles, Benjamin Grégoire, and Vincent Laporte (2017). “Provably secure compilation of side-channel countermeasures”. IACR Cryptology ePrint Archive 2017, p. 1233 (53, 33). Cheney, James, Amal Ahmed, and Umut A. Acar (2011). “Provenance as dependency analysis”. Mathematical Structures in Computer Science 21.6, pp. 1301–1337 (3, 51). Cortesi, Agostino, Pietro Ferrara, Raju Halder, and Matteo Zanioli (2018). “Combining Symbolic and Numerical Domains for Information Leakage Analysis”. Trans. Computational Science 31, pp. 98–135 (53, 30). Cousot, Patrick and Radhia Cousot (2009). “Bi-inductive structural semantics”. Inf. Comput. 207.2, pp. 258–283 (5, 11, 3, 8).

...... “Calculational design of, a static dependency analysis” – 34/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 References II Denning, Dorothy E. and Peter J. Denning (1977). “Certification of Programs for Secure Information Flow”. Commun. ACM 20.7, pp. 504–513 (1, 3–5, 7, 11, 13, 52, 23). Giacobazzi, Roberto and Isabella Mastroeni (2018). “Abstract Non-Interference: A Unifying Framework for Weakening Information-flow”. ACM Trans. Priv. Secur. 21.2, 9:1–9:31 (53, 33). Goguen, Joseph A. and José Meseguer (1982). “Security Policies and Security Models”. In: IEEE Symposium on Security and Privacy. IEEE Computer Society, pp. 11–20 (1, 3, 51, 52). – (1984). “Unwinding and Inference Control”. In: IEEE Symposium on Security and Privacy. IEEE Computer Society, pp. 75–87 (1, 3, 51, 52). Jourdan, Jacques-Henri, Vincent Laporte, Sandrine Blazy, Xavier Leroy, and David Pichardie (2015). “A Formally-Verified C Static Analyzer”. In: POPL. ACM, pp. 247–259 (18, 17, 13, 16, 5, 24).

...... “Calculational design of, a static dependency analysis” – 35/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 References III Lampson, Butler W. (1973). “A Note on the Confinement Problem”. Commun. ACM 16.10, pp. 613–615 (5). Mulder, Elke De, Thomas Eisenbarth, and Patrick Schaumont (2018). “Identifying and Eliminating Side-Channel Leaks in Programmable Systems”. IEEE Design & Test 35.1, pp. 74–89 (5). Padua, David A. and Michael Wolfe (1986). “Advanced Compiler Optimizations for Supercomputers”. Commun. ACM 29.12, pp. 1184–1201 (53, 32). Russo, Alejandro, John Hughes, David A. Naumann, and Andrei Sabelfeld (2006). “Closing Internal Timing Channels by Transformation”. In: ASIAN. Vol. 4435. Lecture Notes in Computer Science. Springer, pp. 120–135 (5). Sabelfeld, Andrei and Andrew C. Myers (2003). “Language-based information-flow security”. IEEE Journal on Selected Areas in Communications 21.1, pp. 5–19 (5). Tzolovski, Stanislav (1997). “Data Dependence as Abstract Interpretations”. In: SAS. Vol. 1302. Lecture Notes in Computer Science. Springer, p. 366 (53, 32).

...... “Calculational design of, a static dependency analysis” – 36/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 References IV Tzolovski, Stanislav (15 June 2002). “Raffinement d’analyses par interprétation abstraite”. Thèse de doctorat. Palaiseau, France: École polytechnique (53, 32). Urban, Caterina and Peter Müller (2018). “An Abstract Interpretation Framework for Input Data Usage”. In: ESOP. Vol. 10801. Lecture Notes in Computer Science. Springer, pp. 683–710 (21, 3, 53). Zanioli, Matteo and Agostino Cortesi (2011). “Information Leakage Analysis by Abstract Interpretation”. In: SOFSEM. Vol. 6543. Lecture Notes in Computer Science. Springer, pp. 545–557 (53, 30).

...... “Calculational design of, a static dependency analysis” – 37/39 – © P. Cousot, NYU, CIMS, CS, April 6th, 2019 The End, Thank you Happy sixties Mooly!