Static Provenance Verification for Message Passing Programs - PowerPoint PPT Presentation


Presentation Transcript
Static Provenance Verification for Message Passing Programs

Rupak Majumdar (MPI-SWS), Roland Meyer (TU Kaiserslautern), Zilong Wang (MPI-SWS)

Motivation: Taint Analysis

“All data from sources must be sanitized before a sink.”

[Diagram: data flowing source → sanitizer → sink, contrasted with an “otherwise” case.]

Provenance

Information about the source and access history of an object

  • Databases: What rows were used to compute a query?
  • Workflows: Which information was used for a result?

Program Analysis: what can we do?

Provenance Verification for Concurrent Programs

Questions:

  • Can we statically track provenance information in a concurrent program model?
  • Can we verify interesting provenance properties?

Main results:

  • A model of asynchronous message passing programs with provenances
  • Static provenance verification is decidable (with finite data domains)

Message Passing Program
  • Principals run in parallel
    • Local variables
    • Operations: control flow, send(ch, x), recv(ch, x)
  • Channels
    • Unbounded but unordered
  • Messages
    • Finite domain

Provenance on Messages
  • Provenance of a message = Principals who have sent the message chronologically
  • Provenance domain = Strings over principal names
Medical Example

  principal patient {
    var p1, p2, p3;
    while(true) {
      choose
      :: p1 = HQ; send(ch0, p1);
      :: p1 = AR; send(ch0, p1);
      :: recv(ch1, p2); if (p2 == HA) p3 = p2;
    }
  }

  principal secretary {
    var s1, s2;
    while(true) {
      recv(ch0, s1);
      if (s1 == HQ) send(ch2, s1);
      else { s2 = AA(s1); send(ch1, s2); }
    }
  }

  principal doctor {
    var d1, d2;
    while(true) {
      recv(ch2, d1);
      d2 = HA(d1);
      choose
      :: send(ch2, d2);
      :: send(ch1, d2);
    }
  }

[Diagram: the three principals connected by channels ch0, ch1 and ch2, with the patient's control locations PC1, PC2 and PC3 marked. Messages are annotated with (value, provenance) pairs such as (HQ, patient), (HQ, patient.secretary), (HA, patient.secretary.doctor) and (HA, patient.secretary.doctor.doctor).]

Medical Example

[The principals patient, secretary and doctor are as on the previous slide; the diagram again shows channels ch0, ch1, ch2, the control locations PC1, PC2, PC3, and messages such as (HQ, ...) and (HA, patient.secretary.doctor.doctor).]

Requirement:

Every health answer received by a patient must be seen by a doctor at least once.

Provenance problem:

Are provenances of messages in p3 always in the regular set

along all executions?

Provenance Verification Problem

Given a message passing program P, a variable x, and a regular set R of provenances, are the provenances of all messages stored in x always in the set R along all executions of P?

Verification Challenge

Infinite state space:

  • Unboundedly many messages in a channel
  • Unboundedly many provenances
Unbounded Messages in a Channel

[Diagram: the program is the medical example above. The patient at PC1 has put the messages HQ, HQ into ch0; the channel can hold unboundedly many such messages.]

Unboundedly Many Provenances

[Diagram: the program is the medical example above. At PC3 the patient receives HA messages whose provenance ….doctor.doctor gains one more doctor each time the doctor forwards the answer to itself on ch2.]

Unbounded Messages: Petri Net
  • Finite set of places
  • Finite set of transitions
  • Places marked with tokens
  • Fire transitions
  • An infinite state system
  • Coverability problem is decidable. Is a given place markable in some execution?
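As an added illustration of the last bullet (example code, not the paper's or its tool's), the following Python block implements the standard backward coverability procedure for Petri nets: starting from the target marking, it computes the minimal markings from which some transition reaches a marking covering the target, and repeats until the set of minimal elements stops growing, which Dickson's lemma guarantees. The three-place net, its transition names and the marking queries are assumptions constructed for the example; the channel place ch is unbounded, in the shape the reduction described on the following slides produces.

```python
# Added example (not the paper's code): backward coverability for Petri nets.
# A marking is a dict place -> token count (absent place = 0 tokens).
#
# Constructed toy net: `produce` puts messages into the unbounded channel place
# `ch`; a single worker token moves idle -> busy by consuming one message
# (`start`) and returns with `finish`.
TRANSITIONS = {                              # name: (pre, post)
    'produce': ({}, {'ch': 1}),
    'start':   ({'ch': 1, 'idle': 1}, {'busy': 1}),
    'finish':  ({'busy': 1}, {'idle': 1}),
}
INITIAL = {'idle': 1}


def covers(big, small):
    """True if marking `big` has at least the tokens of `small` on every place."""
    return all(big.get(p, 0) >= n for p, n in small.items())


def pred(marking, pre, post):
    """Smallest marking from which firing (pre, post) yields a marking covering `marking`."""
    places = set(marking) | set(pre) | set(post)
    need = {p: max(marking.get(p, 0) - post.get(p, 0), 0) + pre.get(p, 0) for p in places}
    return {p: n for p, n in need.items() if n}


def minimal(markings):
    """Keep only the minimal elements: the basis of an upward-closed set."""
    basis = []
    for m in markings:
        if any(covers(m, b) for b in basis):     # m lies above something already kept
            continue
        basis = [b for b in basis if not covers(b, m)] + [m]
    return basis


def coverable(target, initial=INITIAL, transitions=TRANSITIONS):
    """Is some marking >= `target` reachable from `initial`? (Decidable: the
    basis of predecessors stabilises by Dickson's lemma.)"""
    basis = minimal([dict(target)])
    while True:
        preds = [pred(m, pre, post) for m in basis for pre, post in transitions.values()]
        new = minimal(basis + preds)
        if {frozenset(m.items()) for m in new} == {frozenset(m.items()) for m in basis}:
            return any(covers(initial, b) for b in basis)   # fixpoint reached
        basis = new


if __name__ == '__main__':
    print('three messages in ch at once:', coverable({'ch': 3}))
    print('two busy workers at once:   ', coverable({'busy': 2}))
```

The channel place can be covered to any height, while two busy workers are never coverable because the net only ever holds one worker token; the procedure proves the second fact without enumerating the infinite state space, which is exactly what the program-to-Petri-net reduction relies on.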

Program to a Bisimilar Petri Net

[Diagram: a program next to its Petri net (labels A, B).]

A transition for each operation in a program

A place for each control location

A place (x, m) for each variable x and each message value m

A place (ch, m) for each channel ch and each message value m


Consider Provenances

  • Unboundedly many provenances
  • ⇒ unboundedly many places!
Provenance Automata
  • Provenance problem: Are provenances of all messages stored in x always in the regular set R of provenances along all executions of P?
  • A regular set of provenances ⇒ a DFA
  • The answer to the problem depends on the states of the DFA, not on individual provenances. Equivalence classes w.r.t. states: two provenances are equivalent if they let the DFA go to the same state.
Track States, not Provenances

[Diagram: the program is the medical example above. The provenance DFA has states q0, q1, q2, q3 and transitions labelled P, S, D, D and a. Instead of the provenance patient.secretary.doctor, the HA message on ch1 is tagged with the DFA state it reaches: (HA, q3).]

Track States, not Provenances

[Diagram: the program is the medical example above; messages now carry DFA states, e.g. (HQ, q2) on ch2 and (HA, q3) on ch1, and the DFA with states q0, q1, q2, q3 is shown alongside.]

Provenance problem:

Are provenances of messages in p3 always in the regular set

along all executions?

Coverability problem:

Is one of the places (p3, *, q1), (p3, *, q2) and (p3, *, sink) markable along some execution?
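The Python program below is an added example, not the authors' code or tool. It runs the medical example (patient, secretary and doctor over unordered, unbounded channels) under the two semantics of the last slides: once with every message tagged by its provenance, once tagged by the state of a provenance DFA, and it answers a bounded form of the coverability question for the places (p3, *, q). The two-state DFA, the op encoding of the three principals and the exploration depth are constructed for the example; the slides' own DFA (q0..q3, sink) is not reproduced, and each choose-branch is executed atomically rather than per control location.

```python
# Added example (not the paper's code): the slides' medical example as an
# explicit-state model run under two message tags. Concrete: the provenance
# (tuple of principals that sent the message, extended on every send).
# Abstract: the state of a provenance DFA, updated by delta on every send
# ("track states, not provenances"). Channels are unordered and unbounded
# (multisets as sorted tuples); each choose-branch runs atomically, a
# simplification of the per-control-location model of the paper.

DFA_START, DFA_ACCEPT = 'q0', 'qD'     # constructed two-state DFA, not the slides' q0..q3

def delta(state, principal):
    """Requirement 'seen by a doctor at least once': qD once a doctor has sent it."""
    return 'qD' if state == 'qD' or principal == 'doctor' else 'q0'

def dfa_state(provenance):
    """Run the DFA over a concrete provenance (relates the two semantics)."""
    state = DFA_START
    for principal in provenance:
        state = delta(state, principal)
    return state

CONCRETE = {'empty': (), 'send': lambda tag, who: tag + (who,)}   # fresh tag, update on send
ABSTRACT = {'empty': DFA_START, 'send': delta}

# One op list per choose-branch. Values are the finite domain {HQ, AR, AA, HA};
# AA(s1) and HA(d1) build an answer that inherits the request's tag.
PROGRAMS = {
    'patient': [[('set', 'p1', 'HQ'), ('send', 'ch0', 'p1')],
                [('set', 'p1', 'AR'), ('send', 'ch0', 'p1')],
                [('recv', 'ch1', 'p2'), ('if', 'p2', 'HA', [('copy', 'p3', None, 'p2')], [])]],
    'secretary': [[('recv', 'ch0', 's1'), ('if', 's1', 'HQ', [('send', 'ch2', 's1')],
                                           [('copy', 's2', 'AA', 's1'), ('send', 'ch1', 's2')])]],
    'doctor': [[('recv', 'ch2', 'd1'), ('copy', 'd2', 'HA', 'd1'), ('send', 'ch2', 'd2')],
               [('recv', 'ch2', 'd1'), ('copy', 'd2', 'HA', 'd1'), ('send', 'ch1', 'd2')]],
}

def run(ops, env, chans, who, sem):
    """Yield every (env, chans) a branch can end in; only recv is nondeterministic."""
    if not ops:
        yield env, chans
        return
    op, rest = ops[0], ops[1:]
    if op[0] == 'set':                      # x = m: fresh message with empty tag
        yield from run(rest, {**env, op[1]: (op[2], sem['empty'])}, chans, who, sem)
    elif op[0] == 'copy':                   # x = y / x = F(y): value may change, tag inherited
        value, tag = env[op[3]]
        yield from run(rest, {**env, op[1]: (op[2] or value, tag)}, chans, who, sem)
    elif op[0] == 'send':                   # sender extends the tag, message joins the multiset
        value, tag = env[op[2]]
        msgs = tuple(sorted(chans[op[1]] + ((value, sem['send'](tag, who)),)))
        yield from run(rest, env, {**chans, op[1]: msgs}, who, sem)
    elif op[0] == 'recv':                   # any message of the unordered channel may be taken
        for msg in set(chans[op[1]]):
            left = list(chans[op[1]]); left.remove(msg)
            yield from run(rest, {**env, op[2]: msg}, {**chans, op[1]: tuple(left)}, who, sem)
    elif op[0] == 'if':
        taken = op[3] if env[op[1]][0] == op[2] else op[4]
        yield from run(list(taken) + rest, env, chans, who, sem)

def freeze(envs, chans):                    # hashable global state
    return (tuple((n, tuple(sorted(e.items()))) for n, e in sorted(envs.items())),
            tuple(sorted(chans.items())))

def explore(sem, depth):
    """All global states reachable with at most `depth` branch executions (BFS)."""
    init = freeze({n: {} for n in PROGRAMS}, {'ch0': (), 'ch1': (), 'ch2': ()})
    seen, frontier = {init}, [init]
    for _ in range(depth):
        nxt = []
        for frozen_envs, frozen_chans in frontier:
            envs, chans = {n: dict(e) for n, e in frozen_envs}, dict(frozen_chans)
            for who, branches in PROGRAMS.items():
                for branch in branches:
                    for env2, chans2 in run(branch, envs[who], chans, who, sem):
                        state = freeze({**envs, who: env2}, chans2)
                        if state not in seen:
                            seen.add(state)
                            nxt.append(state)
        frontier = nxt
    return seen

def p3_tags(sem, depth):
    """Tags of every message ever stored in p3, i.e. the slides' places (p3, *, q)."""
    tags = set()
    for frozen_envs, _ in explore(sem, depth):
        env = dict(dict(frozen_envs)['patient'])
        if 'p3' in env:
            tags.add(env['p3'][1])
    return tags

def message_kinds(sem, depth):
    """Distinct (value, tag) pairs that ever sit in some channel."""
    return {msg for state in explore(sem, depth) for _, msgs in state[1] for msg in msgs}

def bad_place_markable(depth):
    """Bounded form of the coverability question: does p3 ever hold a message in a
    non-accepting DFA state? A BFS bound can find a violation, not prove absence."""
    return any(q != DFA_ACCEPT for q in p3_tags(ABSTRACT, depth))

if __name__ == '__main__':
    print('concrete provenances in p3 (8 steps):', sorted(p3_tags(CONCRETE, 8)))
    print('abstract message kinds (8 steps):', sorted(message_kinds(ABSTRACT, 8)))
    print('bad place markable within 8 steps:', bad_place_markable(8))
```

Raising the depth makes the concrete run report ever longer provenances patient.secretary.doctor.doctor…, while the abstract run only ever sees four (value, state) kinds, which is the finiteness the Petri net construction needs. The bounded search is an under-approximation of the coverability check: it can exhibit a violation but cannot prove its absence the way a coverability checker on the reduced Petri net does.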

Reduction

Program + Provenance DFA ➔ (poly) Petri net

Provenance verification problem =

Coverability problem of Petri nets


Main Theorem

The provenance verification problem for message passing programs is decidable and is EXPSPACE-complete.

Application: Firefox Extensions
  • Database service: mozIStorageService async APIs
  • Private mode in Firefox
  • No restrictions for extensions in private mode
  • Question: can extensions save user data into databases in the private mode?
Extensions and Channels

[Diagram: extensions PriEx (private mode) and PubEx (public mode) send on channels ch0, ch1 and ch2 to the database DB.]

  • ch0: for temporary files
  • ch1, ch2: for database async API calls
  • Are provenances of all messages received by DB always in the set PubEx* along all executions?

Tool
  • Use the JavaScript analyzer JSure to obtain the control flow of extensions
  • Perform data flow abstraction to obtain Petri net models
  • Run a coverability checker
Experimental Results
  • Nine extensions using mozIStorageService
  • Five extensions save user information to databases in private mode
    • Amazon price history
    • Facebook chat history manager
    • FVD Speed Dial
    • Privad privacy-aware ad server
    • Shopping assistant
Summary
  • Provenance verification problem in concurrent message passing programs
    • Coverability problem of Petri nets
  • Firefox extensions may save user data in private mode (Be careful!)

Questions?

www.mpi-sws.org/~zilong