the need for a formal model of java
play

The need for a formal model of Java Safety guarantees of Java - PowerPoint PPT Presentation

Sep 02, 2023 •140 likes •595 views

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

  1. Making the Java Memory Model Safe ∗ Andreas Lochbihler Institute for Information Security ETH Zurich ∗ supported by DFG Sn11/10-1,2

  2. The need for a formal model of Java Safety guarantees of Java ◮ definedness ◮ type safety ◮ security architecture (sandbox) Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  3. The need for a formal model of Java Safety guarantees of Java ◮ definedness ◮ type safety ◮ security architecture (sandbox) rely on KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  4. The need for a formal model of Java Concurrency in Java Safety guarantees of Java ◮ threads ◮ definedness ◮ synchronisation primitives ◮ type safety ◮ memory model ◮ security architecture (sandbox) rely on KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  5. The need for a formal model of Java Concurrency in Java Safety guarantees of Java ◮ threads ◮ definedness ◮ synchronisation primitives ◮ type safety ◮ memory model ◮ security architecture (sandbox) rely on Implications? KeY-System Krakatoa / Why3 Java Path Finder Joana Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 2 / 9

  6. Why do we need a memory model? initially: x = y = 0; y = 2; x = 1; j = y; i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  7. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 y = 2; i == 0 x = 1; j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  8. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 y = 2; i == 0 x = 1; √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  9. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 x = 1; √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  10. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  11. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 X x = 1; √ √ j = y; i == 1 i = x; Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  12. Why do we need a memory model? interleaving semantics initially: x = y = 0; j == 0 j == 2 √ y = 2; i == 0 X x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  13. Why do we need a memory model? Java memory model initially: x = y = 0; j == 0 j == 2 √ √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  14. Why do we need a memory model? Java memory model data races initially: x = y = 0; j == 0 j == 2 √ √ y = 2; i == 0 x = 1; √ √ j = y; i == 1 i = x; compiler and hardware reorder statements j == 0 j == 2 √ j = y; i = x; i == 0 y = 2; x = 1; i == 1 Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 4 / 9

  15. Semantics in layers Java memory model set of well-formed candidate executions operational semantics shared memory Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  16. Semantics in layers Java memory model set of well-formed candidate executions operational semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  17. Semantics in layers Java memory model set of well-formed candidate executions operational t : α semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  18. Semantics in layers Java memory model set of well-formed candidate executions thread communication operational t : α semantics shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  19. Semantics in layers Java memory model set of well-formed candidate executions transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  20. Semantics in layers Java memory model � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  21. Semantics in layers legality constraints Java memory model pair read and write ops � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , legal candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  22. Semantics in layers need set of legality constraints Java memory model candidate executions pair read and write ops cf. [Batty et al.’15] � [ t 1 : α 1 , t 2 : α 2 , . . . ] , set of well-formed [ t ′ 1 : α ′ 1 , t ′ 2 : α ′ 2 , . . . ] , legal candidate executions [ t ′′ 1 : α ′′ 1 , t ′′ 2 : α ′′ � 2 , . . . ] , . . . paths in the transition system thread communication 1 α . : . . t 1 operational t : α ′ t : 1 . α ′ . semantics . 1 . . . shared allocation & memory type information Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 5 / 9

  23. Type safety for method calls Dynamic method lookup finds a unique method. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  24. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  25. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  26. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); object accessed before allocated Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  27. Type safety for method calls Dynamic method lookup finds a unique method. JMM allows reordering with allocations. class A { void m() {} } initially: x = y = null; r2 = y; r1 = x; reorder if (r1 != null) r1.m(); x = r2; y = new A(); object accessed before allocated Separate type information of addresses from their allocation! Index addresses by dynamic type! Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 6 / 9

  28. Type safety for fields Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  29. Type safety for fields progress Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  30. Type safety for fields progress Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

  31. Type safety for fields progress subject reduction Accessed fields exist and contain only type-conform values. Andreas Lochbihler (ETH Z¨ urich) Making the Java Memory Model Safe 7 / 9

Recommend

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA

Model Checking Java Programs (Java PathFinder) Slides partially compiled from the NASA JavaPathFinder project and E. Clarkes course material Java PathFinder JPF is an explicit state software model checker for Java bytecode JPF is a Java

888 views • 35 slides
e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

. e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java Environment . . . 3 . . Java Execution . Possible reordering due to Compiler, JVM, or CPU! Plus visibility problems due to CPU caches! .

473 views • 21 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph Kiniry Department of Computer Science University College Dublin Asynchronous VLSI What is AVLSI? delay insensitive circuits power invariant

255 views • 13 slides
The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI

The Java Memory Model Jaroslav Sev c k University of Edinburgh Supported by ITI Techmedia The Java Memory Model p. 1/30 Overview Part I : Motivation for weak memory models: Compromise between standard optimisations and

813 views • 46 slides
Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking,

Tutorial Intro. to Modern Formal Methods: Mechanized Formal Analysis Using Model Checking, Theorem Proving SMT Solving, Abstraction, and Static Analysis With SAL, PVS, and Yices, and more John Rushby Computer Science Laboratory SRI

1.89k views • 161 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder?

Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder?

Java Path Finder (JPF) Christian Bergum Bergersen June 1, 2015 What is Java Path Finder? Java Path Finder is an open-source analysis system that automatically verifies/model check Java programs. Initially developed by NASA. The Java

615 views • 16 slides
Formal Definition of Computation Formal Definition of Computation p.1/28 Computation

Formal Definition of Computation Formal Definition of Computation p.1/28 Computation

Formal Definition of Computation Formal Definition of Computation p.1/28 Computation model The model of computation considered so far is the work performed by a finite automaton Formal Definition of Computation p.2/28

1.27k views • 69 slides
SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

SAR-SSI 2012 1 Introduction Java Card security model Off-card security model Java class Byte

Samiya Hamadouche, Guillaume Bouffard , Jean-Louis Lanet, Bruno Dorsemaine , Bastien Nouhant, Alexandre Magloire, Arnaud Reygnaud guillaume.bouffard@xlim.fr bruno.dorsemaine@etu.unilim.fr SAR-SSI 2012 1 Introduction Java Card security model

227 views • 19 slides
Lecture A Motivation The model, informally The formal model Other thoughts February

Lecture A Motivation The model, informally The formal model Other thoughts February

Lecture A Motivation The model, informally The formal model Other thoughts February 6, 2009 ECS 235B Winter Quarter 2009 Slide #A-1 Matt Bishop, UC Davis Overview What is recordation? Why do it electronically? Models

946 views • 47 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian

NuSMV3: a framework for Formal Model Based Safety Assessment Marco Bozzano, Roberto Cavada, Alessandro Cimatti, Cristian Mattarei Fondazione Bruno Kessler, Trento (Italy) Roadmap Formal Model Based Safety Assessment Formal Safety

497 views • 37 slides
Towards a Formal Model for View Maintenance in Data Warehouses D. Agrawal , A. El Abbadi , A.

Towards a Formal Model for View Maintenance in Data Warehouses D. Agrawal , A. El Abbadi , A.

Towards a Formal Model for View Maintenance in Data Warehouses D. Agrawal , A. El Abbadi , A. Most efaoui , M. Raynal and M. Roy Univ. Santa Barbara, California IRISA, Rennes, France Towards a Formal

578 views • 34 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

289 views • 24 slides
Todays topics Java Input More Syntax Upcoming Decision Trees More

Todays topics Java Input More Syntax Upcoming Decision Trees More

Todays topics Java Input More Syntax Upcoming Decision Trees More formal treatment of grammers Reading Great Ideas , Chapter 2 Java Details Variable: an item of data named by an identifier

430 views • 13 slides
Formal Verifjcation Lecture 1: Introduction to Model Checling and Temporal Logic Jacques

Formal Verifjcation Lecture 1: Introduction to Model Checling and Temporal Logic Jacques

Formal Verifjcation Lecture 1: Introduction to Model Checling and Temporal Logic Jacques Fleuriot jdf@inf.ed.ac.uk Acknowledgement: Adapted from original material by Paul Jackson, including some additions by Bob Atkey. Formal Verifjcation

381 views • 35 slides
A Formal Model for Web-Service Composition Simon Foster <S.Foster@dcs.shef.ac.uk>

A Formal Model for Web-Service Composition Simon Foster <S.Foster@dcs.shef.ac.uk>

Outline Background The Cashew Orchestration Model My Work Conclusion and References A Formal Model for Web-Service Composition Simon Foster <S.Foster@dcs.shef.ac.uk> Department of Computer Science University of Sheffield

633 views • 34 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides

More recommend