verifying that a compiler preserves concurrent value
play

Verifying that a compiler preserves concurrent value-dependent - PowerPoint PPT Presentation

Nov 29, 2022 •367 likes •1.94k views

Verifying that a compiler preserves concurrent value-dependent information-flow security Robert Sison (UNSW Sydney, Data61) and Toby Murray (University of Melbourne) September 2019 THE UNIVERSITY OF NEW SOUTH WALES www.data61.csiro.au So

  1. Motivation Confidentiality for modern software (CSF’16) __________________ 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security 3. Compositionally! 
 Confidentiality 2. Mixed-sensitivity reuse 
 (per-thread effort) (of devices, space, etc.) Beaumont et al. 
 (ACSAC’16) Example (DSTG + Data61 collaboration) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  2. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) PROTECTED Unclassified (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  3. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) PROTECTED Unclassified (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) … 😒 , 💹 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  4. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  5. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  6. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  7. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  8. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  9. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 Doesn't leak secrets (well-synchronised) (storage channels) Concurrent value-dependent information-flow security Confidentiality 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  10. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) SECRET , PROTECTED , or Unclassified? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  11. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _____________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) SECRET , PROTECTED , or Unclassified? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  12. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  13. Motivation Cross Domain 
 Desktop Compositor 
 Confidentiality for modern software (CSF’16) (CDDC) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) seL4-based software architecture 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  14. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  15. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  16. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security _________ 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) seL4-based software architecture (Case study: simplified model) 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  17. Motivation Confidentiality for modern software (CSF’16) 1. Multiple moving parts 
 1. Multiple moving parts 
 Doesn't leak secrets Doesn't leak secrets (well-synchronised) (well-synchronised) (storage channels) (storage channels) Concurrent value-dependent information-flow security Concurrent value-dependent information-flow security 3. Compositionally! 
 Confidentiality Confidentiality 2. Mixed-sensitivity reuse 
 2. Mixed-sensitivity reuse 
 (of devices, space, etc.) (per-thread effort) (of devices, space, etc.) Can a compiler preserve it? 5 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  18. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Concurrent value-dependent information-flow security 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  19. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  20. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  21. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 control variable contents 
 ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  22. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  23. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  24. Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  25. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 makes it harder! Interference-resilience (tricky) + Each thread must prevent (scheduler-relative) timing leaks! Volpano & Smith, CSFW’98 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  26. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Program A Program B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then + skip l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  27. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Program A Program B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 h isn’t assigned to anything h isn’t even here! _ _ Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  28. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Volpano & Smith, CSFW’98 v := 1 Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  29. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B makes it harder! // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  30. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  31. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  32. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  33. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  34. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  35. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  36. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  37. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  38. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 0 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  39. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  40. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ l = 1 + skip || l := v Each thread must prevent else (scheduler-relative) skip ; skip timing leaks! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  41. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 h = 0 makes it harder! / / / / A, A, A, B, … h = 1 // Initially, v = 0 l = 0 Interference-resilience (tricky) if (h) then _ l = 1 + skip || l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! v = 1 fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  42. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 + skip || fix l := v ____ ____ Each thread must prevent else (scheduler-relative) Storage leak Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  43. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security But: Compiler may eliminate it! Some extra stuff to preserve 
 (not that hard) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 Timing 
 + skip skip || fix fix l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  44. 
 Motivation Why wouldn’t a compiler preserve it? (CSF’16) Murray et al. CSF’16 Mantel et al. CSF’11 No storage leaks relies/guarantees 
 control variable contents 
 ( synchronisation) ( sensitivity-switching) Concurrent value-dependent information-flow security But: Compiler may eliminate it! Some extra stuff to preserve 
 (not that hard) (or, introduce new “ if (h)”!) This particularly 
 Thread A Thread B Schedule 
 makes it harder! A, A, A, B, … // Initially, v = 0 Interference-resilience (tricky) if (h) then _ ; skip Timing 
 Timing 
 + skip skip || fix fix l := v ____ Each thread must prevent else (scheduler-relative) Storage leak 
 skip ; skip timing leaks! of h! fi Timing leak 
 Volpano & Smith, CSFW’98 v := 1 ____ of h Minimal example: 6 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  45. Background Why is it hard to prove? (CSF’16) Concurrent value-dependent information-flow security -preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  46. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  47. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  48. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  49. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract Relations 
 1 A 1 A 0 (between) R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  50. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement 2 A 2 A 0 B B Abstract Execution 
 Relations 
 steps 1 A 1 A 0 (between) R R Direction 
 of 
 Program compilation configurations R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  51. Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  52. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  53. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  54. 
 Background Why is it hard to prove? (CSF’16) Confidentiality-preserving refinement “Usual” refinement: A simulates C ⇒ C refines A 2 A 2 A 0 B B Abstract 1 A 1 A 0 R R Direction 
 Exists of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  55. Background Why is it hard to prove? (CSF’16) From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 R R Direction 
 of 
 compilation R R 2 C 2 C 0 Concrete I I 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  56. ⇒ Background Why is it hard to prove? (CSF’16) From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler ? R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R For free ? 2 C 2 C 0 Security proof 
 Concrete “ B C ” “ B C ” (Bisimulation I I B C of B R I ) “ B C ” 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  57. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  58. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 correctness proof of 
 (Refinement R ) compilation R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  59. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  60. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  61. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  62. ⇒ Background Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  63. ⇒ Background ( Compare: Barthe et al. CSF’18) Why is it hard to prove? (CSF’16) * From compiler 
 Confidentiality-preserving refinement front-end (Two-sided!) 2 A 2 A 0 Security proof 
 For-all B B Abstract (Bisimulation B ) 1 A 1 A 0 + 2 Compiler R R Direction 
 Exists correctness proof of 
 (Refinement R ) compilation 1 Exists R R “For free”* 2 C 2 C 0 Security proof 
 Concrete (Bisimulation I I B C of B R I ) 1 C 1 C 0 AFP entry: For-all Dependent_SIFUM_Refinement 7 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  64. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Plan: Use confidentiality-preserving refinement 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  65. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle for confidentiality-preserving refinement 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) = stops 2 C 2 C I = stops 1 C 1 C 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  66. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  67. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly 2 A = abs - steps 2 A 2 C B = 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  68. Our contributions Goal Prove a compiler preserves proofs of concurrent 
 value-dependent information-flow security Results 1. Decomposition principle 2. Verified compiler for confidentiality-preserving While-language to RISC-style refinement assembly Proof effort 2 A = abs - steps 2 A 2 C B = almost halved ! 1 A abs - steps 1 A 1 C R R (Technique) (Proof-of-concept 
 = stops 2 C 2 C I = for technique) stops 1 C 1 C Impact 1st such proofs carried to assembly-level model by compiler 8 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  69. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A 2 A 0 B B 1 A 1 A 0 R R R R 2 C 2 C 0 I I 1 C 1 C 0 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  70. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 2 A 2 A 0 B B ( ⟹ ) implies 1 A 1 A 0 R R R R 2 C 2 C 0 I I 1 C 0 1 C 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  71. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  72. The “cube”, decomposed Simpler confidentiality-preserving refinement 2 A abs - steps 2 A 2 C 2 A B B = A A 0 abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  73. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 for (refinement) relation R 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  74. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 for (refinement) relation R _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  75. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  76. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  77. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

  78. The “cube”, decomposed Simpler confidentiality-preserving refinement “Pacing function” abs-steps 
 Security witness 
 for (refinement) relation R (bisimulation) relation B _____ 2 A abs - steps 2 A 2 C 2 A B B = A A 0 _____ _____ abs - steps A C 1 A abs - steps 1 A 1 C 1 A R R R R R R 2 C 2 C 0 stops 2 C 2 C I I I = C C 0 1 C 0 1 C stops 1 C 1 C 1 1. “Usual” proof 2. Consistent pacing 
 of refinement Standard compiler 
 correctness! (+ “extra stuff” for conc, val-dep) 9 Verifying that a compiler preserves concurrent value-dependent infoflow security | Robert Sison and Toby Murray

Recommend

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
The What and Why of What and Why of The preserves the semantics (in some sense) Compilers

The What and Why of What and Why of The preserves the semantics (in some sense) Compilers

What is a Compiler? What is a Compiler? A program that: Compilation 2007 Compilation 2007 translates from one programming language to another The What and Why of What and Why of The preserves the semantics (in some sense)

215 views • 7 slides
Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC

Parallel Analysis of Parallelism Verifying Concurrent Software System Designs Using GPUs GTC 2015 Anton Wijs Correctness of Concurrent Systems Distributed, concurrent systems common-place, but very

633 views • 52 slides
Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group

Verifying Concurrent Programs (Tutorial) Aarti Gupta Systems Analysis & Verification Group NEC Labs America, Princeton, USA www.nec-labs.com Tutorial: Verifying Concurrent Programs Oct 2011 Acknowledgements Malay Ganai, Vineet

982 views • 72 slides
Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke,

Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke,

Verifying a Lustre Compiler Part 2 Llio Brun PARKAS (Inria - ENS) Timothy Bourke, Pierre-variste Dagand, Xavier Leroy, Marc Pouzet, Lionel Rieg SYNCHRON 2016 December 7, 2016 Llio Brun Verifying a Lustre Compiler Part 2 December 7,

907 views • 47 slides
Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*,

Verifying concurrent software using movers in CSPEC Tej Chajed , Frans Kaashoek, Butler Lampson*, Nickolai Zeldovich MIT CSAIL and *Microsoft Concurrent software is difficult to get right Programmer cannot reason about code in sequence 2

1.2k views • 72 slides
VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1 , Markus Dahlweid 2 , Mark Hillebrand 3 , Dirk Leinenbach 3 , Michal Moskal 2 , Thomas Santen 2 , Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft Corporation, Redmond, WA, USA 2

553 views • 27 slides
The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed

The Benefits of Duality in Verifying Concurrent Programs under TSO Parosh Aziz Abdulla 1 Ahmed Bouajjani 2 Mohamed Faouzi Atig 1 Tuan Phong Ngo 1 1 Uppsala University 2 IRIF, Universit Paris Diderot & IUF CONCUR 2016 1 Motivation

1.66k views • 118 slides
Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo

Verifying Concurrent Programs using Contracts Ricardo J. Dias, Carla Ferreira, Jan Fiedor, Jo ao M. Lourenc o, Ale s Smr cka, Diogo G. Sousa, Tom a s Vojnar Brno University of Technology (BUT) Universidade Nova de Lisboa (UNL)

1.54k views • 125 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John

A Verifying Core for a Cryptographic Language Compiler Lee Pike (presenting) Mark Shields 1 John Matthews Galois Connections August 15, 2006 1 Presently at Microsoft. Thanks Rockwell Collins Advanced Technology Center, especially David

655 views • 27 slides
Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable

Verifying Concurrent Programs Daniel Kroening 28 May 1 June 2012 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs with Unbounded Replication D.

774 views • 50 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek,

Verifying concurrent Go code in Coq with Goose Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Systems verification, broadly impl proof specification 2 Systems verification requires connecting

859 views • 48 slides
Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly

Verifying Concurrent ML programs a research proposal Gergely Buday Eszterhzy Kroly University Gyngys, Hungary Synchron 2016 Bamberg December 2016 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

486 views • 25 slides
Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi

Towards a formally verified obfuscating compiler Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 1.9/2.15, 2015-07-16 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs

553 views • 24 slides
Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans

Verifying concurrent, crash-safe systems with Perennial Tej Chajed , Joseph Tassarotti*, Frans Kaashoek, Nickolai Zeldovich MIT and *Boston College Many systems need concurrency and crash safety Examples: file systems, databases, and key-value

852 views • 46 slides
Verifying a Lustre Compiler (Part 1) Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste Dagand

Verifying a Lustre Compiler (Part 1) Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste Dagand

Verifying a Lustre Compiler (Part 1) Timothy Bourke 1 , 2 Llio Brun 1 , 2 Pierre-variste Dagand 3 Xavier Leroy 1 Marc Pouzet 4 , 2 , 1 Lionel Rieg 5 1. INRIA Paris 2. DI, cole normale suprieure 3. CNRS 4. Univ. Pierre et Marie Curie 5.

1.06k views • 79 slides
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv

Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University Mooly Sagiv Tel Aviv University Martin Vechev ETH Eran Yahav Technion

458 views • 35 slides
GNATprove a Spark 2014 verifying compiler Florian Schanda, Altran UK 1 Tool architecture

GNATprove a Spark 2014 verifying compiler Florian Schanda, Altran UK 1 Tool architecture

GNATprove a Spark 2014 verifying compiler Florian Schanda, Altran UK 1 Tool architecture User view gnatprove Source Verdict 2 Tool architecture More detailed view... Encoding Source CVC4 gnat2why gnatwhy3 SMTLIB Z3 AltErgo

622 views • 24 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI & Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides

More recommend