Unformatted text preview: 10 Emerging Technologies 2011,
In: Technology Review, 2011(6), MIT Press
http://www.technologyreview.com/tr10/ Formal
proofs for
resilience,
extensibility,
security? Need to reason about: human behaviors cosmic rays + natural disasters hardware failure software VIEW #1: bugfree host
impossible. Treat it as a
biological system. Formal
proofs for
resilience,
extensibility,
security? HW & Env
Model Need to reason about: human behaviors cosmic rays + natural disasters hardware failure software VIEW #2: focus on
software since it is a
rigorous mathematical
entity! 0101101010101010111110001100
1110110111111101010101010101
0101010101111111110101010101
0111100011000101010101010101
SOFTWARE
1111100011001001111001111111
1001111111000111100010101010
1111110111001100111010101011
1111100011110001110001110011 Formal
specs &
proofs for
resilience,
extensibility,
security?
HW & Env
Model Find a mathematical proof showing that
if the HW/Env follows its model, the software will run according
to its specification 01011010101010101111100011001110110
Application & other
11111110101010101010101010101011111
11110101010101011110001100010101010
system SW
10101011111100011001001111001111111
Legacy
Java/
NaCl
Legacy
10011111110001111000101010101111110
X86
M SIL
App
O S + App
App
App
11100110011101010101111111000111100
Protected
Executors Native
Executor Typesafe
Executor SF I
Executor Formal
specs &
proofs for
resilience,
extensibility,
security? VM M
Executor Certified Kernel
Resource
M anagers Scheduler Device
Drivers Scheduler FS Net Driver CPU CPU Driver Driver Driver G PU G PU Disk HW & Env
Model NIC Research tasks & key innovations: new OS kernel that can crashproof the entire system & application SW new PLs for writing certified kernel plugins (new OCAP + DSPLs) new formal methods for automating proofs & specs (VeriML) Certified hypervisor kernel
Rogue PC
WinCC
Other & rogue OS &
its kernel Secure PC
w. IFC labels
Other
Apps WinCC
&
Step 7 COTS OS Secure
PLC certified
firmware Step 7 Protecting
against
Stuxnet
attacks! firmware Apps Rogue
PLC certified kernel zeroday kernel vulnerabilities
small mechanized proof checker & fake/stolen driver certificates Problems w. existing platforms Attacks: ZeroDay Kernel Vulnerabilities
(ZDKVs) & rogue driver certificates leads to rogue kernels New CRASH technologies A small certified hypervisor kernel provides a
reliable ZDKVfree core to fall back on, even
under attacks leads to rogue WinCC/Step7 apps InformationFlowControl to enforce security leads to rogue PLC firmeware Mechanized proof certificates are unforgeable Predicate Logic
Predicate logic over integer expressions:
a language of logical assertions, for example
∀x. x + 0 = x
Why discuss predicate logic?
It is an example of a simple language
It has simple denotational semantics
We will use it later in program speciﬁcations Abstract Syntax
Describes the structure of a phrase
ignoring the details of its representation.
An abstract grammar for predicate logic over integer expressions: intexp ::= 0  1  . . .
 var
 −intexp  intexp + intexp  intexp − intexp  . . . assert ::= true  false
 intexp = intexp  intexp < intexp  intexp ≤ intexp  . . .
 ¬assert  assert ∧ assert  assert ∨ assert
 assert ⇒ assert  assert ⇔ assert
 ∀var . assert  ∃var . assert Resolving Notational Ambiguity
Using parentheses: (∀x. ((((x) + (0)) + 0) = (x)))
Using precedence and parentheses: ∀x. (x + 0) + 0 = x
arithmetic operators (∗ / rem . . .) with the usual precedence
relational operators (= = < ≤ . . .)
¬
∧
∨
⇒
⇔
The body of a quantiﬁed term extends to a delimiter. Carriers and Constructors
Carriers:
sets of abstract phrases (e.g. intexp , assert )
Constructors: specify abstract grammar productions intexp ::= 0
intexp ::= intexp + intexp −→
−→ c0 ∈
{} → intexp
c+ ∈intexp × intexp → intexp Note: Independent of the concrete pattern of the production: intexp ::= plus intexp intexp −→ c+ ∈intexp × intexp → intexp Constructors must be injective and have disjoint ranges
Carriers must be either predeﬁned or their elements must be
constructible in ﬁnitely many constructor applications Inductive Structure of Carrier Sets
With these properties of constructors and carriers,
carriers can be deﬁned inductively: intexp (0)
intexp (j +1)
assert (0)
assert (j +1) =
=
=
= intexp =
assert = {}
{c0, . . .} ∪ {c+(x0, x1)  x0, x1 ∈ intexp (j )} ∪ . . .
{}
{ctrue, cfalse}
∪{c=(x0, x1)  x0, x1 ∈ intexp (j )} ∪ . . .
∪{c¬(x0)  x0 ∈ assert (j )} ∪ . . .
∞
j =0
∞
j =0 intexp (j )
assert (j ) Denotational Semantics of Predicate Logic
The meaning of a term e ∈ intexp is [[e]]intexp i.e. the function [[−]]intexp maps intexp objects to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp of the term 5 + 37 could be the integer 42.
(that is, c+(c5, c37)) However the term x + 5 contains the free variable x,
so the meaning of an intexp in general cannot be an integer. . . Mathematical Background Sets
Relations
Functions
Sequences
Products and Sums Sets
membership the empty set
natural numbers inclusion integers ﬁnite subset
set comprehension
intersection and
is a bound variable union or difference and not powerset
integer range and Generalized Set Operations
def def def def def def meaningless
Examples: Relations
A relation is a set of primitive pairs
relates . and is an identity relation
def the identity on
the domain of
the range of
composition of with reﬂection of dom def ran def
def
def and Relations: Properties and Examples dom dom ran Functions
A relation is a function if
and If is a function,
maps
and If and are functions.
are functions, then is a function: is not necessarily a function:
consider
is an injection if both and are functions. to Notation for Functions
def Typed abstraction:
Deﬁned only when is deﬁned for all (consider ) dom
Placeholder: , if ran with a dash dom . standing for the bound variable
if Variation of a function :
dom dom ran ran otherwise Sequences
def
def
def — the empty function
— the empty sequence
— an tuple
— a (nonprimitive) pair
dom =
= when Products
Let be an indexed family of sets (a function with sets in its range). The Cartesian product of
def dom is
dom and dom More Products def def def def “” def times Sets of Sequences Let
def
def
def (ﬁnite)
(ﬁnite)
(inﬁnite) Sums
Let θ be an indexed family of sets (a function with sets in its range).
The disjoint union (sum) of θ is
x∈ T
n
def θ = {i, x  i ∈ dom θ and x ∈ θ i} def S= def S= i=m λx ∈ T. S
i∈(m to n) S n
def S 1 + . . . + Sn = T ×S = i=1
S x∈ T n × S = (0 to (n − 1)) × S = S + .. + S
.
n times
“S i ” B + B = B, B = {0, true, 0, false, 1, true, 1, false}
= 2×B Functions of Multiple Arguments
Use tuples instead of multiple arguments:
−−
f (a0, . . . an−1) − − → f a0, . . . an−1
Syntactic sugar:
λx0 ∈ S0, . . . , xn−1 ∈ Sn−1. E
def = λx ∈ S0 × . . . × Sn−1. (λx0 ∈ S0. . . . λxn−1 ∈ Sn−1. E )
(x 0) . . . (x(n − 1)) Use Currying: −−
f (a0, . . . an−1) − − → f a0 . . . an−1
=(. . . (f a0) . . .) an−1 where f is a Curried function λx0 ∈ S0. . . . λxn−1 ∈ Sn−1. E . Relations Between Sets
ρ is a relation from S to T
→
⇐⇒ ρ ∈ S − T
REL ⇐⇒ dom ρ ⊆ S and ran ρ ⊆ T .
def Relation on S = relation from S to S .
→
IS ∈ S − S
REL
→
→
ρ ∈ S − T ⇒ ρ† ∈ T − S
REL
REL
→
For all S and T , {} ∈ S − T
REL
→
{} ∈! S − {}
REL
→
{} ∈! {} − T
REL Total Relations
→
ρ ∈ S − T is a total relation from S to T
REL
−
→
⇐⇒ ρ ∈ S TREL T ⇐⇒ ∀x S. ∃y ∈ T. x ρ y
⇐⇒ dom ρ = S
⇐⇒ IS ⊆ ρ† · ρ S
◦
ρ ◦
◦ T ◦
◦
◦ ◦ −
→
ρ ∈ (dom ρ) TREL T ⇐⇒ T ⊇ ran ρ Functions Between Sets
f is a partial function from S to T
−
⇐⇒ f ∈ S − → T
PFUN →
⇐⇒ f ∈ S − T and f is a function.
REL →
“Partial”: f ∈ S − T ⇒ dom f ⊆ S
REL
−
f ∈ S − → T is a (total) function from S to T
PFUN
⇐⇒ f ∈ S → T ⇐⇒ dom f = S .
S → T = TS = x∈S T S → T → U = S → (T → U ) Surjections, Injections, Bijections
f is a surjection from S to T ⇐⇒ ran f = T −
f is a injection from S to T ⇐⇒ f † ∈ T − → S
PFUN
f is a bijection from S to T ⇐⇒ f † ∈ T → S ⇐⇒ f is an isomorphism from S to T S
◦ T
◦ ◦ ◦ ◦
◦ ◦ sur S T ◦ ◦
◦ in ◦
◦
S T ◦ ◦
◦
◦ bi ◦
◦
Back to Predicate Logic intexp ::= 0  1  . . .
 var
 −intexp  intexp + intexp  intexp − intexp  . . . assert ::= true  false
 intexp = intexp  intexp < intexp  intexp ≤ intexp  . . .
 ¬assert  assert ∧ assert  assert ∨ assert
 assert ⇒ assert  assert ⇔ assert
 ∀var . assert  ∃var . assert Denotational Semantics of Predicate Logic The meaning of term e ∈ intexp is [[e]]intexp i.e. the function [[−]]intexp maps objects from intexp to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp of the term 5 + 37 could be the integer 42.
But the term x + 5 contains the free variable x. . . Environments
. . . hence we need an environment (variable assignment, state)
def σ ∈ Σ = var → Z
to give meaning to free variables.
The meaning of a term is a function from the states to Z or B.
[[−]]intexp
[[−]]assert ∈
∈ intexp → Σ → Z
assert → Σ → B if σ = [x : 3, y : 4], then [[x+5]]intexp σ = 8
[[∃z. x < z ∧ z < y]] σ = false Direct Semantics Equations for Predicate Logic
v ∈ var e ∈ intexp p ∈ assert [[0]]intexp σ = 0
( really [[c0]]intexp σ = 0)
[[v ]]intexp σ = σ v
[[e0+e1]]intexp σ = [[e0]]intexp σ + [[e1]]intexp σ
[[true]]assert σ = true
[[e0=e1]]assert σ = [[e0]]intexp σ = [[e1]]intexp σ
[[¬p]]assert σ = ¬([[p]]assert σ )
[[p0 ∧ p1]]assert σ = [[p0]]assert σ ∧ [[p1]]assert σ
[[∀v. p]]assert σ = ∀n ∈ Z. [[p]]assert [σ v : n] Example: The Meaning of a Term [[∀x. x+0=x]]assert σ = ∀n ∈ Z. [[x+0=x]]assert [σ x : n] = ∀n ∈ Z. [[x+0]]intexp [σ x : n] = [[x]]intexp [σ x : n] = ∀n ∈ Z. [[x]]intexp [σ x : n]+[[0]]intexp [σ x : n] = [[x]]intexp [σ x : n]
= ∀n ∈ Z. [σ x : n](x) + 0 = [σ x : n](x)
= ∀n ∈ Z. n + 0 = n
= true Properties of the Semantic Equations
They are syntaxdirected (homomorphic):
exactly one equation for each abstract grammar production
(constructor)
result expressed using functions (meanings)
of subterms only (arguments of constructor)
⇒ they have exactly one solution [[−]]intexp , [[−]]assert
(proof by induction on the structure of terms).
They deﬁne compositional semantic functions
(depending only on the meaning of the subterms)
⇒ “equivalent” subterms can be substituted Validity of Assertions
p holds/is true in σ ⇐⇒ σ satisﬁes p ⇐⇒ [[p]]assert σ = true p is valid ⇐⇒ ∀σ ∈ Σ. p holds in σ p is unsatisﬁable ⇐⇒ ∀σ ∈ Σ. [[p]]assert σ = false
⇐⇒ ¬p is valid p is stronger than p ⇐⇒ ∀σ ∈ Σ. (p holds if p holds )
⇐⇒ (p ⇒ p) is valid p and p are equivalent ⇐⇒ p is stronger than p and p is stronger than p Inference Rules Class
p (Axiom)
p (Axiom Schema) p0 . . . pn−1
(Rule)
p Examples
x + 0 = x (xPlusZero)
e1=e0 ⇒ e0=e1 (SymmObjEq) p p ⇒ p
(ModusPonens)
p
p
(Generalization)
∀v. p Formal Proofs
A set of inference rules deﬁnes a logical theory .
A formal proof (in a logical theory):
a sequence of instances of the inference rules, where
the premisses of each rule occur as conclusions earlier in the sequence.
1. x + 0 = x (xPlusZero) 3. x = x + 0 (ModusPonens, 1, 2)
[p : x + 0 = x  p : x = x + 0] 2. x + 0 = x ⇒ x = x + 0 (SymmObjEq)
[e0 : x  e1 : x + 0] 4. ∀x. x = x + 0 (Generalization, 3)
[ v : x  p : x = x + 0] Tree Representation of Formal Proofs (SymmObjEq)
x+0=x x+0=x⇒x=x+0
(MP)
x=x+0
(Gen)
∀x. x = x + 0 Soundness of a Logical Theory An inference rule is sound if in every instance of the rule
the conclusion is valid if all the premisses are.
A logical theory is sound if all inference rules in it are sound.
If is sound and there is a formal proof of p, then p is valid.
Object vs Meta implication:
p
p ⇒ ∀v. p is not a sound rule, although
is.
∀v. p Completeness of a Logical Theory A logical theory is complete if for every valid p there is a formal proof of p. A logical theory is axiomatizable if there exists a ﬁnite set of inference rules
from which can be constructed formal proofs of all assertions in . No ﬁrstorder theory of arithmetic is complete and axiomatizable. Variable Binding
∀x. ∃y. x
< y ∧ x
∃x. x
> ∀
y
∃
∧
< x
y x
∃
> x
y y Variable Binding
∀x. ∃y. x
y < ∃x. x
∧
> ∀
y
∃
<
y ∧
∃
>
y y Bound and Free Variables
In ∀v. p, v is the binding occurrence (binder) and p is its scope.
If a nonbinding occurrence of v is within the scope of a binder for v ,
then it is a bound occurrence; otherwise it’s a free one.
F Vintexp (0) = {} F V (v ) = {v } F V (−e) = F V (e) F Vassert (true) = {} F V (e0=e1) = F V (e0) ∪ F V (e1)
F V (¬p) = F V (p) F V (e0 + e1) = F V (e0) ∪ F V (e1) F V (p0 ∧ p1) = F V (p0) ∪ F V (p1) Example: F V (∀v. p) = F V (p) − {v } F V (∃y. x < y ∧ ∃x. x > y) = {x} Only Assignment of Free Variables Matters
Coincidence Theorem:
If σ v = σ v for all v ∈ F Vθ (p), then [[p]]θ σ = [[p]]θ σ
(where p is a phrase of type θ).
Proof: By structural induction.
Inductive hypothesis:
The statement of the theorem holds
for all
phrases of depth less than that of the phrase p.
Base cases:
p = 0 ⇒ [[0]]intexp σ = 0 = [[0]]intexp σ p = v ⇒ [[v ]]intexp σ = σ v = σ v = [[v ]]intexp σ , since F V (v ) = {v }. Proof of Concidence Theorem, cont’d
Coincidence Theorem:
If σ v = σ v for all v ∈ F Vθ (p), then [[p]]θ σ = [[p]]θ σ .
Inductive cases:
p = e0 + e1: by IH
[[ei]]intexp σ = [[ei]]intexp σ , i ∈ {1, 2}.
[[p]]intexp σ = [[e0]]intexp σ + [[e1]]intexp σ
= [[e0]]intexp σ + [[e1]]intexp σ = [[p]]intexp σ
p = ∀u. q :
Then by IH σ v = σ v,
∀v ∈ F V (p) = F V (q ) − {u}
then [σ u : n]v = [σ u : n]v, ∀v ∈ F V (q ), n ∈ Z
[[q ]]assert [σ u : n] = [[q ]]assert [σ u : n] for all n ∈ Z, hence ∀n ∈ Z. [[q ]]assert [σ u : n] = ∀n ∈ Z. [[q ]]assert [σ u : n]
[[∀u. q ]]assert σ = [[∀u. q ]]assert σ . Substitution
−/δ ∈ intexp →
−/δ ∈ assert →
0/δ = 0 intexp assert (e)/δ = (e/δ )
(e0+e1)/δ = (e0/δ )+(e1/δ )
...
Examples: when δ ∈ var → intexp
v/δ = δ v (p0 ∧ p1)/δ = (p0/δ ) ∧ (p1/δ )
(∀v. p)/δ = ∀v . (p/[δ v : v ]),
where v ∈
/ u∈F V (p)−{v } (x < 0 ∧ ∃x. x ≤ y)/[x : y+1] = y+1 < 0 ∧ ∃x. x ≤ y
(x < 0 ∧ ∃x. x ≤ y)/[y : x+1] = x < 0 ∧ ∃z. z ≤ x+1 F V (δ u ) Preserving Binding Structure (x < 0 ∧ ∃x. x ≤ y)/[ x : y+1]
x
<
∃
0 <
y+1 < 0 ∧ ∃x. x ≤ y −→ ∧
=
y y
∧
<
+
1
0 ∃
<
y
1 Avoiding Variable Capture (x < 0 ∧ ∃x. x ≤ y)/[ y : x+1]
x
<
0 x < 0 ∧ ∃z. z ≤ x+1 −→ ∧
=
∃
x <
y
∧
<
0 ∃
<
x
+
1 Substitution Theorems
Substitution Theorem:
If σ = [[−]]intexp σ · δ on F V (p), then ([[−]]σ )p = ([[−]]σ · (−/δ ))p.
Finite Substitution Theorem:
[[p/v0 → e0, . . . vn−1 → en−1]]σ = [[p]][σ v0 : [[e0]]σ, . . .].
where
def p/v0 → e0, . . . vn−1 → en−1 = p/[cvarv0 : e0 . . . vn−1 : en−1].
Renaming:
If u ∈ F V (q ) − {v }, then [[∀u. (q/v → u)]]boolexp = [[∀v. q ]]boolexp .
/ ...
View
Full
Document
 Fall '09

Click to edit the document details