abstract read permissions
play

Abstract Read Permissions Fractional Permissions without the - PowerPoint PPT Presentation

Nov 19, 2023 •16 likes •436 views

Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with : Stefan Heule, Rustan Leino, Peter Mller ETH Zurich Microsoft Research ETH Zurich Overview Verification of

  1. Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with : Stefan Heule, Rustan Leino, Peter Müller ETH Zurich Microsoft Research ETH Zurich

  2. Overview • Verification of (race-free) concurrent programs using fractional permissions • Background • Identify the problem • Abstract read permissions • Handling calls, fork/join • Permission expressions • Conclusions

  3. Fractional Permissions Boyland , SAS’03 • Provide a way of describing disciplined (race-free) use of shared memory locations • Many readers ✓ one writer ✓ never both • Heap locations are managed using permissions • Permission amounts are fractions p from [0,1] ▫ p=0 (no permission) ▫ 0<p<1 (read permission) ▫ p=1 (read/write permission) • Permissions are passed between methods/threads ▫ can be split and recombined, never duplicated

  4. Notation • Examples shown using Implicit Dynamic Frames assertions [Smans’09]. • Permissions represented in assertions by “accessibility predicates”: acc(x.f, p) ▫ means we have permission p to location x.f • Permissions treated multiplicatively; i.e., ▫ acc(x.f, p) && acc(x.f, p) ≡ acc(x.f, 2p) • Related to Sep. Logic [Parkinson/Summers’12] p ▫ Roughly: read acc(x.f,p) as x.f | _ • This work applies to any such program logic • We use Chalice language syntax [Leino/Müller]

  5. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  6. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  7. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  8. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  9. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  10. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  11. Inhale and Exhale • “ inhale P ” and “ exhale P ” are used to encode transfers between threads/calls • “ inhale P ” means: void m() ▫ assume heap properties in p requires P ▫ gain permissions in p ensures Q { • “ exhale P ” means: // inhale P ▫ assert heap properties in p ... // exhale P ▫ check and give up permissions call m() ▫ havoc heap locations to which // inhale Q ... no permission is now held // exhale Q }

  12. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee method evaluate(Cell c) requires acc (c.f , ? ) ensures acc (c.f , ? ) { /* ... calculations ... */ }

  13. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee method evaluate(Cell c) method main(Cell c) requires acc (c.f , 2/3 ) requires acc (c.f, 1/2 ) ensures acc (c.f , 2/3 ) { { call evaluate(c) ✘ /* ... calculations ... */ } }

  14. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen method equals(Cell c) requires acc (this.f , ? ) && acc (c.f , ? ) ensures acc (this.f , ? ) && acc (c.f , ? ) { /* ... comparisons ... */ }

  15. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen What if method equals(Cell c) this = c ? requires acc (this.f , 2/3 ) && acc (c.f , 2/3 ) ensures acc (this.f , 2/3 ) && acc (c.f , 2/3 ) { /* ... comparisons ... */ }

  16. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen method equals(Cell c) requires acc (this.f , 1/3 ) && acc (c.f , 1/3 ) && (this != c ==> acc (this.f , 1/3 ) && acc (c.f , 1/3 )) ensures acc (this.f , 1/3 ) && acc (c.f , 1/3 ) && (this != c ==> acc (this.f , 1/3 ) && acc (c.f , 1/3 )) { /* ... comparisons ... */ }

  17. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen • Recursive methods require parameterisation method m(Cell c) requires acc (c.f , ? ) ensures acc (c.f, ? ) { // do stuff call m(c) // do more stuff }

  18. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen • Recursive methods require parameterisation method m(Cell c, Perm p ) requires acc (c.f , ? ) ensures acc (c.f, ? ) { // do stuff call m(c) // do more stuff }

  19. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen • Recursive methods require parameterisation method m(Cell c, Perm p ) requires acc (c.f , p ) ensures acc (c.f, p ) { // do stuff call m(c) // do more stuff }

  20. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen • Recursive methods require parameterisation method m(Cell c, Perm p ) requires acc (c.f , p ) ensures acc (c.f, p ) { // do stuff call m(c, p/2 ) // do more stuff }

  21. Difficulties with Fractional Permissions • Concrete fractions cause tension: caller vs callee ▫ Reuse can be made difficult ▫ Framing may be compromised • Aliasing information is relevant to values chosen • Recursive methods require parameterisation • Manual book-keeping is tedious ▫ Creates “noise” in specifications and new mistakes ▫ Programmers ideally only need care about:  when does a thread have full (write) permission?  when does a thread have some (read) permission?  … and differences in amounts of permission (…later)

  22. Example: Workers Tree Worker 1 class Node { Worker 2 Worker 3 Node l, r Outcome method work(Data data) Worker 4 Worker 5 Worker 6 Worker 8 requires «permission to data.f» ensures «permission to data.f» { Outcome out := new Outcome() How much permission? if (l != null ) left := fork l.work(data) if (r != null ) right := fork r.work(data) /* perform work on this node, using data.f */ if (l != null ) out.combine( join left) if (r != null ) out.combine( join right) return out } }

  23. Abstract Read Permissions • Introduce abstract read permissions: acc(o.f,rd) ▫ corresponds to a fixed, positive, and unknown fraction ▫ positive amount: allows reading the location o.f • Specifications are written using ▫ acc(o.f,1) to represent the full permission (read/write) ▫ acc(o.f,rd) for read permissions • In general, different read permissions can correspond to different fractions

Recommend

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions Owners, Group Members, and Everyone Else Read, Writing, and Executing Digression: Number Systems chmod - Change

280 views • 14 slides
COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions: Part 2 umask - Set Default Permissions Special Permissions Changing Identities su - Run a New Shell as Another

288 views • 11 slides
Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language Arts to Several of the slides used in this presentation All Students were originally created by one or more of the following individuals and are

526 views • 26 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines,

AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines,

AMERICAN ACADEMY of ANESTHESIOLOGIST ASSISTANTS Student Poster Presentation Descriptions and Guidelines AAAA2020 Abstract Submission Deadline : March 13 th , 2020 Please read all submission guidelines, utilize the AAAA abstract submission

221 views • 4 slides
pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78 NFSv4 WG Meeting, July 28, 2010 Sorin Faibish sfaibish@emc.com David Black - EMC Mike Eisler - NetApp Jason Glasgow - Google Problem Statement

376 views • 6 slides
Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Linux Filesystem Hierarchy inodes Permissions Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017 Common/Reports/linux-file-permissions.tex, r1417 1/15 Linux Multiuser and Server Operating System

195 views • 15 slides
Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Consumer Credit Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA will write to firms giving them a 3mth window for full applications Firms will be able to apply to vary their permissions and use

274 views • 8 slides
The Internet 192.168.178.1/24 DHCP 192.168.178.42/24 GW: 192.168.178.1 The

The Internet 192.168.178.1/24 DHCP 192.168.178.42/24 GW: 192.168.178.1 The

iNNOVO Cloud Can You Read this? Red Blue Magenta White Yellow Green -All colors visible? Can You Read this? -All circles round? Can You Read this? -All edges Can You Read this? visible? Can You Read this? Beamer Testpicture 16:9 1

1.3k views • 43 slides
Paper Reading and Presentation CMPS 7010 Research Seminar A Three-Phase Approach How to read

Paper Reading and Presentation CMPS 7010 Research Seminar A Three-Phase Approach How to read

Paper Reading and Presentation CMPS 7010 Research Seminar A Three-Phase Approach How to read a paper by Srinivasan Keshav, University of Waterloo Phase 1 (5-10 min) Carefully read the title, abstract, and intro Read the section and

496 views • 22 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance

644 views • 51 slides
Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009 Regions and Permissions for Data Invariants 1 / 1 Motivation preservation of data invariants in pointer programs ownership system of Spec#

301 views • 29 slides
ABSTRACT P e o p l e l i k e a b s t r a c t a r t b e c a u s e i t m a k e s t h e m f

ABSTRACT P e o p l e l i k e a b s t r a c t a r t b e c a u s e i t m a k e s t h e m f

ABSTRACT P e o p l e l i k e a b s t r a c t a r t b e c a u s e i t m a k e s t h e m f e e l c l e v e r WHAT IS ABSTRACT OF RESEARCH PAPER? An abstract summarizes, usually in one paragraph of 300 words or less, the major aspects

263 views • 10 slides
Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner Advanced Operating Systems 9 January, 2013 SOA/OS Lecture No, Android Permissions Demystified 1/41 Introduction Android

422 views • 41 slides
Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner Operating Systems Practical 20 November, 2013 OSP Lecture 08, Android Permissions Demystified 1/42 Introduction Android

894 views • 42 slides
V erification de programmes avec pointeurs ` a laide de r egions et de permissions

V erification de programmes avec pointeurs ` a laide de r egions et de permissions

INRIA Saclay Universit e de Paris-Sud 11 Ile-de-France Centre dOrsay Equipe ProVal V erification de programmes avec pointeurs ` a laide de r egions et de permissions Romain Bardou pr esent ee le 14 octobre 2011

944 views • 51 slides
Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us

Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us

Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us Keri M. Stevenson ksteve40@uncc.edu 1 Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions

1.1k views • 99 slides
Meltdown or &quot;Holy Crap: How did we do this to ourselves&quot; Abstract Meltdown

Meltdown or &quot;Holy Crap: How did we do this to ourselves&quot; Abstract Meltdown

Meltdown or &quot;Holy Crap: How did we do this to ourselves&quot; Abstract Meltdown exploits side effects of out-of-order execution to read arbitrary kernel- memory locations Breaks all security assumptions given by address space

159 views • 13 slides
Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of /etc/shadow File: How would normal users change their password? Two-Tier Approach Implementing fine-grained access control in operating

576 views • 31 slides
Read Write Inc. Phonics MISS CASBAN About Read Write Inc Phonics

Read Write Inc. Phonics MISS CASBAN About Read Write Inc Phonics

Read Write Inc. Phonics MISS CASBAN About Read Write Inc Phonics http://www.ruthmiskin.com/en/resources/parent-tutorial-1-understanding- read-write-inc-phonics/ The core purpose of Read Write Inc is to teach every child to read and to

478 views • 18 slides
Directories &amp; Continuation This Week: How to program with directories more Reading:

Directories &amp; Continuation This Week: How to program with directories more Reading:

Overview Last Week: Efficiency read/write The File File pointer Unix System Programming File control/access Permissions, Meta Data, Ownership, umask, holes Directories &amp; Continuation This Week: How to program with

518 views • 9 slides
Modification 0668S Enabling permissions for the provision of information to Alt Han Company to

Modification 0668S Enabling permissions for the provision of information to Alt Han Company to

Modification 0668S Enabling permissions for the provision of information to Alt Han Company to support smart metering roll-out Background Certain properties e.g. flats, where the meter and the in-home display are too far apart for the Home

282 views • 9 slides

More recommend