Verification and Certification of Java: an experience report
Gilles Barthe, IMDEA Software, Madrid
September 2009
Context: formal methods for small devices

Smartcard platform and applications (1999-2004):
- formal verification of JavaCard bytecode verification
- automated construction of certified verifiers
- formal analysis of the GlobalPlatform API

Mobile phone applications (2004-2009):
- program verification environments
- carrying evidence across abstraction layers
- formal verification of static analysers and program verifiers
- embedding certified verifiers

Acknowledgements

Some work reported here is not my own. Many people are involved; I will try to acknowledge authors during the talk.
Motivation: security and certification

Security is hard: hard to formulate (security is always relative), and harder to enforce.

High standards are forced by the application domains:
- banking, phone, mobile code, etc.
- control systems for energy, transportation, health, etc.

Common Criteria: an international initiative to provide a common structure and language for expressing security requirements, together with unified security evaluation mechanisms. The Common Criteria mandate the use of formal methods at the highest evaluation levels.
The Mobius project (2005-2009)

Integrated Project within the FET pro-active Global Computing II.

Objective: establish a security architecture appropriate for global computers:
1. adopt a computational model that captures faithfully the fundamental aspects of global computers
2. identify the trust and security requirements of such a model
3. develop on top of the computational model a security framework that enforces these requirements ⇒ Proof Carrying Code
4. provide the enabling technologies necessary for implementing the framework ⇒ program analysis and program verification
5. validate the architecture
Mobius architecture (figure; only the component labels are recoverable here)

Code producer: source program, source specification (types + logics), interactive proofs, certificate generation; Java compiler, spec compiler and proof compiler, producing the bytecode program, the bytecode specification and the certificate.

Code consumer: requirements; bytecode program, bytecode specification and certificate; certificate checker; runtime environment.
Selected issues
- Specification languages
- Verification methods
- Carrying evidence across compilation
- Certified certifiers
- Embedding certifiers

Fundamental hypothesis: the platform behaves correctly (discussed later).
Specification languages
- Behavioral languages à la JML
- Domain-specific languages for targeted classes of properties: resource policies, information flow policies, ...

Commonalities:
+ support for modular verification
- limited support for concurrency
JML: Java Modeling Language

Annotation language for Java, using Java-like notation. Annotations are side-effect-free Java expressions, plus extra keywords (\exists, \forall, \old(-), \result, \throws, ...) and logical operators and quantifiers.

Design-by-Contract: pre- and postconditions define a contract between a class and its clients:
- the client must ensure the precondition and may assume the postcondition
- the method may assume the precondition and must ensure the postcondition
Example

    /*@ exceptional_behavior
      @   requires arg == null;
      @   signals (NullPointerException) true;
      @ also
      @ behavior
      @   requires arg != null;
      @   ensures \result == arg[0];
      @   signals (IndexOutOfBoundsException) arg.length == 0;
      @*/
    Object firstElement(Object[] arg) { return arg[0]; }

JML specs can be as weak as one wants!
Native specifications

Complex properties often use advanced specification features of JML (e.g. pure methods, model variables). Yet the expressive power of JML is (legitimately) constrained. Native constructs allow a fallback on more general specification languages (as used in theorem provers):
- native types
- native methods
Native types and methods

Native types and methods are declared in JML:

    //@ public native class ObjectSet;
    //@ public native boolean withinBounds(Object[] tab, int i);

and specified in a separate file user extensions.v:

    Definition ObjectSet := set Reference.
    Definition withinBounds := ...

Native types are not standard Java / JML class types:
- they do not inherit from Object
- no constructors
- no casts
- no instance creation
- ...
Example: set library

We can define a set library to use in annotations.

JML:

    /*@ public native class ObjectSet {
      @   public native static ObjectSet create();
      @   public native static ObjectSet add(ObjectSet os, Object o);
      @   public native boolean member(Object o);
      @   public static native ObjectSet toSet(Object[] tab);
      @ }
      @*/

Coq:

    Definition ObjectSet := set Reference.
    Definition ObjectSet_create := empty_set.
    Definition ObjectSet_add (os: ObjectSet) (o: Reference) := set_add o os.
    Definition ObjectSet_member (this: ObjectSet) (o: Reference) := set_mem o this.
Tools for JML

Tools vary in precision, efficiency and correctness:
- run-time verification and unit testing
- static checking and interactive verification: a VC generator computes proof obligations from the annotated program; proof obligations are discharged by automatic provers, and the unresolved ones are then sent to a theorem prover.
  - static checking is an effective means of finding common programming errors (null-pointer dereferencing, indexing an array out of bounds) and of proving adherence to policies. Example applications: SSH implementation, design patterns.
  - interactive verification using theorem provers allows one to deal with full correctness. Example applications: collection libraries, APIs, etc.
- there are also tools that generate JML specifications

Concurrency: limited support (RCC, Bogor). The general philosophy is thread-modular verification.
Example of verification

    { requires n = N }
    x := 0;
    while (n ≠ 0) do
      { Inv: x + n(n+1)/2 = N(N+1)/2 }
      x := x + n;
      n := n − 1;
    { ensures x = N(N−1)/2 }

The same program annotated with the intermediate assertions obtained by computing weakest preconditions backwards through each assignment:

    { requires n = N }
    // 0 + n(n+1)/2 = N(N+1)/2
    x := 0;
    while (n ≠ 0) do
      { Inv: x + n(n+1)/2 = N(N+1)/2 }
      { x + n + (n−1)(n−1+1)/2 = N(N+1)/2 }
      x := x + n;
      { x + (n−1)(n−1+1)/2 = N(N+1)/2 }
      n := n − 1;
    { ensures x = N(N−1)/2 }

Proof obligations (initialisation, preservation of the invariant, exit):

1. $n = N \;\Rightarrow\; 0 + n(n+1)/2 = N(N+1)/2$
2. $x + n(n+1)/2 = N(N+1)/2 \;\wedge\; n \neq 0 \;\Rightarrow\; x + n + (n-1)(n-1+1)/2 = N(N+1)/2$
3. $x + n(n+1)/2 = N(N+1)/2 \;\wedge\; n = 0 \;\Rightarrow\; x = N(N-1)/2$
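As an added example (not code from the talk), here is a tiny weakest-precondition VC generator for exactly this loop: it builds the three obligations of the while rule by syntactic substitution and checks each one exhaustively over a box of integer states. Running it shows that obligations 1 and 2 hold, while obligation 3 holds only for the postcondition x = N(N+1)/2 that the invariant actually establishes at n = 0, not for the x = N(N−1)/2 printed on the slide (N = 1 gives x = 1).

```python
import re
from itertools import product

# Constructed example, not from the talk: a wp-based VC generator for the
# summation loop on the slide, with obligations checked by exhaustive evaluation.

def subst(pred: str, var: str, expr: str) -> str:
    """Syntactic substitution pred[var := expr], matching whole identifiers only."""
    return re.sub(rf"\b{var}\b", f"({expr})", pred)

def wp_assign(var: str, expr: str, post: str) -> str:
    """wp(var := expr, post) = post[var := expr]."""
    return subst(post, var, expr)

def implies(a: str, b: str) -> str:
    return f"(not ({a})) or ({b})"

def holds_everywhere(vc: str, bound: int = 4) -> bool:
    """Check a VC over all states with x, n, N in [-bound, bound].
    eval is acceptable here only because the formulas are fixed literals in this file."""
    for x, n, N in product(range(-bound, bound + 1), repeat=3):
        if not eval(vc, {"__builtins__": {}}, {"x": x, "n": n, "N": N}):
            return False
    return True

# The program from the slide: x := 0; while (n != 0) do x := x + n; n := n - 1
PRE = "n == N"
INV = "x + n*(n+1)//2 == N*(N+1)//2"   # n(n+1) is always even, so // is exact
GUARD = "n != 0"
POST_SLIDE = "x == N*(N-1)//2"          # postcondition as printed on the slide
POST_FIXED = "x == N*(N+1)//2"          # postcondition the invariant establishes

def loop_vcs(post: str) -> dict:
    """The three obligations of the while rule: initialisation, preservation, exit."""
    init_wp = wp_assign("x", "0", INV)
    # body is x := x + n; n := n - 1, so wp applies the substitutions back to front
    body_wp = wp_assign("x", "x + n", wp_assign("n", "n - 1", INV))
    return {
        1: implies(PRE, init_wp),
        2: implies(f"({INV}) and ({GUARD})", body_wp),
        3: implies(f"({INV}) and (not ({GUARD}))", post),
    }

def check_loop(post: str) -> dict:
    """Map each obligation number to whether it held on every sampled state."""
    return {k: holds_everywhere(vc) for k, vc in loop_vcs(post).items()}

if __name__ == "__main__":
    for post in (POST_SLIDE, POST_FIXED):
        print(post, check_loop(post))
```

The bounded check is a sanity test of the obligations, not a proof; a real VC generator would hand these formulas to an automatic prover or Coq as the slide describes.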