Static Provenance Verification for Message Passing Programs

Rupak Majumdar, Roland Meyer, Zilong Wang

MPI-SWS, TU Kaiserslautern, MPI-SWS



Motivation: Taint Analysis

“All data from sources must be sanitized before a sink.”

(Figure: data flowing from a source through a sanitizer to a sink.)



Provenance

Information about the source and access history of an object

  • Databases: What rows were used to compute a query?

  • Workflows: Which information was used for a result?

  • Program Analysis: what can we do?



Provenance Verification for Concurrent Programs

Questions:

  • Can we statically track provenance information in a concurrent program model?

  • Can we verify interesting provenance properties?

Main results:

  • A model of asynchronous message passing programs with provenances

  • Static provenance verification is decidable (with finite data domains)



Message Passing Program

  • Principals run in parallel

    • Local variables

    • Operations: control flow, send(ch, x), recv(ch, x)

  • Channels

    • Unbounded but unordered

  • Messages

    • Finite domain



Provenance on Messages

  • Provenance of a message = Principals who have sent the message chronologically

  • Provenance domain = Strings over principal names


Medical Example

  principal patient {
    var p1, p2, p3;
    while (true) {
      choose
      :: p1 = HQ; send(ch0, p1);
      :: p1 = AR; send(ch0, p1);
      :: recv(ch1, p2); if (p2 == HA) p3 = p2;
    }
  }

  principal secretary {
    var s1, s2;
    while (true) {
      recv(ch0, s1);
      if (s1 == HQ) send(ch2, s1);
      else { s2 = AA(s1); send(ch1, s2); }
    }
  }

  principal doctor {
    var d1, d2;
    while (true) {
      recv(ch2, d1);
      d2 = HA(d1);
      choose
      :: send(ch2, d2);
      :: send(ch1, d2);
    }
  }

(Figure: control locations PC1, PC2, PC3 and channels ch0, ch1, ch2; messages annotated with their provenances, e.g. (HQ, patient), (HQ, patient.secretary), (HA, patient.secretary.doctor) and (HA, patient.secretary.doctor.doctor).)



Medical Example

(The same patient, secretary and doctor principals as above.)

Requirement: Every health answer received by a patient must be seen by a doctor at least once.


Provenance problem: Are the provenances of messages in p3 always in the regular set along all executions?




Provenance Verification Problem

Given a message passing program P, a variable x, and a regular set R of provenances, are the provenances of all messages stored in x always in the set R along all executions of P?



Verification Challenge

Infinite state space:

  • Unboundedly many messages in a channel

  • Unboundedly many provenances



Unbounded Messages in a Channel

(Figure: the same program; the patient at PC1 can send HQ after HQ into ch0, so the channel holds unboundedly many messages.)





Unboundedly Many Provenances

(Figure: the same program; a health answer HA that the doctor at PC3 keeps re-sending on ch2 accumulates the provenance ….doctor.doctor, so provenances grow without bound.)



Unbounded Messages: Petri Net

  • Finite set of places

  • Finite set of transitions

  • Places marked with tokens

  • Fire transitions

  • An infinite state system

  • Coverability problem is decidable: is a given place markable in some execution?



Program to a Bisimilar Petri Net

A transition for each operation in a program

A place for each control location

A place (x, m): for each variable x and each message value m

A place (ch, m): for each channel ch and each message value m



Consider Provenances

  • Unboundedly many provenances

  • ➔ unboundedly many places!



Provenance Automata

  • Provenance problem: Are the provenances of all messages stored in x always in the regular set R of provenances along all executions of P?

  • A regular set of provenances ➔ a DFA

  • The answer to the problem depends on the states of the DFA, not on individual provenances. Equivalence classes w.r.t. states: two provenances are equivalent if they take the DFA to the same state.



Track States, not Provenances

(Figure: the same program, with each message carrying the state of the provenance DFA instead of its provenance string, e.g. (HA, patient.secretary.doctor) becomes (HA, q3); the DFA has states q0, q1, q2, q3 with edges labelled P, S, D.)



Track States, not Provenances

(The same program; messages now carry DFA states, e.g. (HQ, q2) and (HA, q3).)

Provenance problem: Are the provenances of messages in p3 always in the regular set along all executions?

Coverability problem: Is one of the places (p3, *, q1), (p3, *, q2) and (p3, *, sink) markable along some execution?




Reduction

Program + Provenance DFA ➔ Petri net (polynomial reduction)

Provenance verification problem = Coverability problem of Petri nets
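The following Python is an added illustration (not the authors' tool) of the "track states, not provenances" idea and of the finite (message, DFA state) tokens the reduction works with: it explores the medical example from the slides with every message carrying a DFA state instead of a provenance string and reports which states ever reach p3. The DFA table, treating each loop iteration as one atomic step, and the bound on messages in flight are assumptions of this example; the slides' own decision procedure is Petri net coverability, which needs no bound.

```python
from collections import Counter, deque
# Assumed DFA (the slides show states q0..q3 with edges P, S, D): it accepts exactly
# patient.secretary.doctor.doctor*; any other sender moves a provenance to the sink.
DFA = {("q0", "patient"): "q1", ("q1", "secretary"): "q2",
       ("q2", "doctor"): "q3", ("q3", "doctor"): "q3"}
ACCEPT = {"q3"}

def update(chans, ch, msg, n):
    """Channels are unordered multisets of (value, DFA state); add or remove one copy."""
    new = {c: Counter(m) for c, m in chans.items()}
    new[ch][msg] += n
    new[ch] = +new[ch]  # drop zero-count entries
    return new

def send(chans, ch, value, q, sender):
    """A send appends the sender to the provenance, i.e. one DFA step from state q."""
    return update(chans, ch, (value, DFA.get((q, sender), "sink")), +1)

def successors(chans):
    """One loop iteration of one principal as an atomic step (a simplification)."""
    yield send(chans, "ch0", "HQ", "q0", "patient"), None  # fresh message: provenance "patient"
    yield send(chans, "ch0", "AR", "q0", "patient"), None
    for v, q in chans["ch1"]:  # recv(ch1, p2); p3 = p2 only if p2 == HA
        yield update(chans, "ch1", (v, q), -1), (q if v == "HA" else None)
    for v, q in chans["ch0"]:  # secretary
        rest = update(chans, "ch0", (v, q), -1)
        if v == "HQ":
            yield send(rest, "ch2", "HQ", q, "secretary"), None
        else:  # s2 = AA(s1) inherits s1's provenance
            yield send(rest, "ch1", "AA", q, "secretary"), None
    for v, q in chans["ch2"]:  # doctor: d2 = HA(d1) inherits d1's provenance
        rest = update(chans, "ch2", (v, q), -1)
        yield send(rest, "ch2", "HA", q, "doctor"), None
        yield send(rest, "ch1", "HA", q, "doctor"), None

def freeze(chans):
    return tuple((c, tuple(sorted(chans[c].items()))) for c in sorted(chans))

def p3_states(bound):
    """DFA states ever stored into p3, over all runs with at most `bound` messages in flight."""
    start = {c: Counter() for c in ("ch0", "ch1", "ch2")}
    seen, queue, stored = {freeze(start)}, deque([start]), set()
    while queue:
        for nxt, q in successors(queue.popleft()):  # q is the state p3 just received, if any
            stored |= {q} - {None}
            key = freeze(nxt)
            if sum(sum(m.values()) for m in nxt.values()) <= bound and key not in seen:
                seen.add(key)
                queue.append(nxt)
    return stored  # the requirement holds within the bound iff stored <= ACCEPT
```

Because the doctor only ever forwards answers whose DFA state is q2 or q3, every HA that reaches p3 arrives in state q3, which is the finite fact the coverability question asks about.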



Main Theorem

The provenance verification problem for message passing programs is decidable and is EXPSPACE-complete.



Application: Firefox Extensions

  • Database service: mozIStorageService async APIs

  • Private mode in Firefox

  • No restrictions for extensions in private mode

  • Question: can extensions save user data into databases in the private mode?



Extensions and Channels

(Figure: principals PriEx, PubEx and DB connected by channels ch0, ch1, ch2.)

  • ch0: for temporary files

  • ch1, ch2: for database async API calls

  • Are the provenances of all messages received by DB always in the set PubEx* along all executions?



Tool

  • Use the JavaScript analyzer JSure to obtain the control flow of extensions

  • Perform data flow abstraction to obtain Petri net models

  • Run a coverability checker



Experimental Results

  • Nine extensions using mozIStorageService

  • Five extensions save user information to databases in private mode

    • Amazon price history

    • Facebook chat history manager

    • FVD Speed Dial

    • Privad privacy-aware ad server

    • Shopping assistant



Summary

  • Provenance verification problem in concurrent message passing programs

    • Coverability problem of Petri nets

  • Firefox extensions may save user data in private mode (Be careful!)



Questions?

www.mpi-sws.org/~zilong
