
Towards Automatic Verification of Safety Architectures



  1. Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000

  2. Subtitle • Twelf • A Tool to Reason About Formal Systems

  3. Motivation • CERT-advisories [www.cert.org] • Computer Emergency Response Team • January 1999 – February 2000 • 29 Advisories total • 11 Advisories: Buffer overflow (e.g. ftpd) • Others: Viruses, Denial of Service … • > 38% of vulnerabilities due to bugs

  4. Motivation • We need tools to • Increase confidence in software • Engineer trusted bases for computing • Catch programming language design flaws • There is such a tool: • Twelf

  5. Contributions • Design of Twelf • Meta-logic [Schürmann 00] • Algorithms for automated deduction • Implementation of Twelf • Core [Pfenning, Schürmann 99] • Meta theorem prover [Schürmann 00] • Application of Twelf • Experiments

  6. Outline of This Talk • Problem • Safety Architectures • Twelf • Design • Implementation • Experiments • Conclusion • Research Agenda

  7. Trusting the Source? • Example: • WU-ftpd 2.6.0: 17865 lines of code • GCC-core 2.95.2: 433128 lines of code • Related work: • Piton/Micro Gipsy [Moore, Young, Bevier 89] (Diagram: Source → Compiler → Binary; the whole chain lies inside the Trusted Computing Base)

  8. Trusting Binaries? • Example: • WU-ftpd 2.5.0 binary: 150 KB [RedHat 6.1] • Related work: • Software fault isolation [Wahbe, … 93] (Diagram: Source → Compiler → Binary → Verifier; Trusted Computing Base)

  9. Trusting Safety Proofs? • Feasibility study: packet filter [Necula, Lee 96] (Diagram: Source → Compiler → Binary with Safety Proof → Proof Checker; Safety Proof Language; small Trusted Computing Base)

  10. Safety Architectures • Proof Carrying Code • Logic: 129 rules [Necula, Lee 97] • Logic: several 100 rules [Appel, Felty 99] • Proof checker: 206 lines [Schürmann 98] • Uses a logical framework • Typed Assembly Language • Type Theory: 31 rules[Morrisett, Crary … 98] • Proof Checker: approx 4000 lines • Java Bytecode • Type system: 20 pages prose • Bytecode verifier

  11. Logical Framework (Diagram: Binary, Safety Proof and Safety Proof Language are all checked by one Proof Checker built on the Logical Framework) • Logical Frameworks • Uniform representation language • Storing • Shipping • Checking • Logic-independent safety proof checker

  12. Safety Proof Languages • First-order/higher-order logics • [Gentzen 35] • Temporal logics (CTL, CTL*, LTL) • [Pnueli, Manna, … 84] • Modal and linear logics • [Girard 86] • Type theories • Language and system-specific knowledge

  13. Good Safety Proof Languages • Consistency • Falsehood should not be derivable • Expressiveness • Small safety proofs require expressive logics • Extensibility • Possibility to add new admissible rules Is The Safety Proof Language Good?

  14. Meta-Logical Framework (Diagram: Safety Proof, Safety Proof Language, Proof Checker, Logical Framework, Meta-Logical Framework) • Meta-Logical Frameworks • Is The Safety Proof Language Good?

  15. Rest of this Talk • Twelf • A meta-logical framework that supports • the representation of logics and type systems • and automates reasoning about them • Used at CMU, Princeton, Stanford…

  16. Overview • Reasoning: consistency arguments, theorems about logics, inductive proofs • Meta-logical Framework: automated proof search, formulas, direct encoding as proofs • Safety Proof Language: logic, judgments, inference rules • Logical Framework: uniform language, types, direct encoding as objects

  17. Let’s Start • Safety Proof Language: logic, judgments, inference rules

  18. A Simple Logic • Intuitionistic logic: • Sequent calculus: [Gentzen 35] • Judgment: • Rules:

  19. Next: Logical Framework LF • Safety Proof Language: logic, judgments, inference rules • Logical Framework: uniform language, types, direct encoding as objects

  20. Logical Framework Representation • Logical framework LF [Honsell, Harper, Plotkin 93] • Simply typed λ-calculus • Dependent types • Paradigm • Judgments as types • Derivations as objects

  21. Representation (cont’d) • Inference rules as constants:
      axiom : (hyp A -> conc A).
      impr  : (hyp A -> conc B) -> conc (A imp B).
      impl  : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).
      cut   : conc A -> (hyp A -> conc C) -> conc C.

  22. Representation (cont’d) • Reasoning about the real world • is as good as the encoding is • Theorem prover for LF [Schürmann 98] (Diagram: Logic ↔ Logical Framework, 1-to-1)

  23. Notes on the Representation We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it. [Allen Newell] • Elegance • Higher-order representation techniques • Dependent types • Benefit • Variables and substitutions come for free!

  24. Next: Reasoning • Reasoning: consistency arguments, theorems about logics, inductive proofs • Safety Proof Language: logic, judgments, inference rules • Logical Framework: uniform language, types, direct encoding as objects

  25. A (Not So) Simple Argument • Theorem [Admissibility]:[Gentzen 35] • If and then • Proof: by induction on A,D,E. • Case: E= • by induction hyp. on D,E’ • by application of impr

  26. History of This Result • Fundamental theorem in Logic [Gentzen 35] • Consistency of first-order logic • Structural proof [Pfenning 95] • Twelf can prove it automatically [Schürmann 99] • Neither a toy problem nor a trivial problem • 18² = 324 cases for full first-order intuitionistic logic • One of the most basic theorems of logic and automated deduction

  27. Significance of This Result • It is not reasoning in a logic • Derivation in a logic is only an object • Admissibility lemma is not expressible • But reasoning about a logic • Step outside the logic • Analyze properties of the logic • Admissibility lemma is expressible

  28. Next: Meta-logical Framework • Reasoning: consistency arguments, theorems about logics, inductive proofs • Meta-logical Framework: automated proof search, formulas, direct encoding as proofs • Safety Proof Language: logic, judgments, inference rules • Logical Framework: uniform language, types, direct encoding as objects

  29. Problem • Reasoning about derivations is inductive • In general: LF signatures are not inductive • Standard induction techniques do not apply:
      axiom : (hyp A -> conc A).
      impr  : (hyp A -> conc B) -> conc (A imp B).
      impl  : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).
    • Negative occurrence: hyp appears to the left of an arrow in the arguments of impr and impl, so the type family is not an ordinary inductive definition

  30. Closed World Assumption • Standard induction techniques assume • Fixed set of constructors • Existence of induction principles • Example: Natural number induction
      zero : nat.
      succ : nat -> nat.

  31. Open World Assumption • No induction principles • Type definitions are open-ended • New types, new inference rules may be added • Example: Admissibility Theorem • Not stable under extensions of the world • Forms of objects are not predictable

  32. Solution (Diagram: Regular world assumption, shown alongside the Open world assumption and the Closed world assumption)

  33. Regular World Assumption • Extensions to the world are predictable! • Sound induction principles exist • But they are not standard!
      axiom : (hyp A -> conc A).
      impr  : (hyp A -> conc B) -> conc (A imp B).
      impl  : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).
    Regular extension of the world (context of hypotheses):
      h1 : hyp A1.
      h2 : hyp A2.
      ...
      hn : hyp An.

  34. Meta Logic M2+ • Theorem [Admissibility]: If … then … • Regular extensions of the world: • Here

  35. Meta Logic M2+ (cont’d) • Formulas: • Semantics:

  36. Meta Logic M2+ (cont’d) • Proof calculus for M2+ [Schürmann 00] • Judgment: • Rules: see thesis • Theorem [Soundness of M2+] [Schürmann 00] • If … then … • Proof: via realizability interpretation.

  37. Twelf Implementation • Implements a theorem prover for M2+ • Success due to regular world assumption • Automated proof search • No tactics (Diagram: inputs Lemmas, Induction variables and Bound go into Twelf, which returns a Proof in M2+ or Not found)

  38. Twelf Implementation (cont’d) • Splitting: case analysis over LF objects (regular world assumption) • Recursion: induction hypotheses (regular world assumption) • Filling: applies an underlying LF prover, or a theorem prover for the underlying logic

  39. Experiments • Machine: Pentium II, 400 MHz, 192 MB RAM, Linux 2.0

  43. Contributions • Design of Twelf • Design of a theorem prover for LF • Regular world assumption • Design of the sound meta-logic M2+ • Implementation of Twelf • Core (together with Frank Pfenning) • Meta theorem prover • Application of Twelf • Experiments

  44. Research Vision • I believe that the demand for safe and secure software, networks and programming languages will continuously increase. I foresee myself designing, implementing, and applying the necessary tools.

  45. Research Agenda • Towards real-world applications • Network protocol design • Security protocol design • Programming language design • Software engineering

  46. Research Agenda (cont’d) • Design and Implementation • Meta logic + Constraints • Lemma generalization • Natural language explanation

  47. Conclusion • A meta-logical framework • (Twelf) • that supports • the representation of logics and type systems • and automates reasoning about them • http://www.twelf.org