Compositional Non-Interference for Fine-Grained Concurrent Programs

Frumin, Dan; Krebbers, Robbert; Birkedal, Lars

doi:10.1109/sp40001.2021.00003

Cited by 15 publications

(3 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Separation logic: Relational separation logics have been developed on top of Iris for a range of properties, such as contextual refinement [38], [43], [50], [51], simulation [52]- [54], and security [55]- [57]. The representation of the righthand side program as a resource is a recurring idea, but our technical construction with run ahead is novel.…”

Section: Related Workmentioning

confidence: 99%

Asynchronous Probabilistic Couplings in Higher-Order Separation Logic

Gregersen¹,

Aguirre²,

Haselwarter³

et al. 2023

Preprint

View full text Add to dashboard Cite

Probabilistic couplings are the foundation for many probabilistic relational program logics and arise when relating random sampling statements across two programs. In relational program logics, this manifests as dedicated coupling rules that, e.g., say we may reason as if two sampling statements return the same value. However, this approach fundamentally requires aligning or "synchronizing" the sampling statements of the two programs which is not always possible.In this paper we develop Clutch, a higher-order probabilistic relational separation logic that addresses this issue by supporting asynchronous probabilistic couplings. We use Clutch to develop a logical step-indexed logical relational to reason about contextual refinement and equivalence of higher-order programs written in a rich language with higher-order local state and impredicative polymorphism. Finally, we demonstrate the usefulness of our approach on a number of case studies.All the results that appear in the paper have been formalized in the Coq proof assistant using the Coquelicot library and the Iris separation logic framework.

show abstract

Section: Related Workmentioning

confidence: 99%

Asynchronous Probabilistic Couplings in Higher-Order Separation Logic

Gregersen¹,

Aguirre²,

Haselwarter³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…[Murray et al 2018;Smith 2007] or work for programs using locks to protect shared memory like our logic (e.g. [Eilers et al 2021;Ernst and Murray 2019]), but some recent logics target more complex settings, like fine-grained concurrency [Frumin et al 2021] or relaxed memory models [Yan and Murray 2021]. We believe that our approach also extends to fine-grained concurrency, since the general idea of making sure that concurrent changes commute also applies in this setting.…”

Section: Related Workmentioning

confidence: 99%

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

Eilers¹,

Dardinier²,

Müller³

2022

Preprint

View full text Add to dashboard Cite

Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent execution time, and other common features that affect execution time).In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable.We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We have implemented Comm-CSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.

show abstract

“…Unary logical relations models in Iris have been used for proving type safety and data-race freedom of the Rust type system [JJKD18, DJKD20, JJKD20], type safety of session types [HLKB20], type safety of Scala's core calculus DOT [GST + 20], and robust safety [SGD17,SGDL20]. Logical relations in Iris have also been used for showing other relational properties such as terminationpreserving refinement [TJH17], non-interference of concurrent programs [FKB21], and recovery refinements (refinements in the presence of potential crashes) [CTKZ19]. Nearly all of the aforementioned developments have accompanying mechanizations in Coq, and in some of those mechanizations the authors define their own tactics.…”

Section: Related Workmentioning

confidence: 99%

ReLoC Reloaded: A Mechanized Relational Logic for Fine-Grained Concurrency and Logical Atomicity

Frumin,

Krebbers,

Birkedal

2020

Preprint

Self Cite

View full text Add to dashboard Cite

We present a new version of ReLoC: a relational logic for proving refinements of programs in a language with higher-order state, fine-grained concurrency, polymorphism and recursive types. The core of ReLoC is the refinement judgment |= e e ′ : τ , which expresses that a program e refines a program e ′ at type τ . In contrast to earlier work on refinements for languages with higher-order state and concurrency, ReLoC provides type-directed structural rules and symbolic execution rules for manipulating this judgment, whereas previously, such proofs were carried out by unfolding the judgment into its definition in the model. These more abstract proof rules make it simpler to carry out refinement proofs, and enable us to generalize the notion of logically atomic specifications to the relational case, which we call logically atomic relational specifications.We build ReLoC on top of the Iris framework for separation logic in Coq, allowing us to leverage features of Iris to prove soundness of ReLoC, and to carry out refinement proofs in ReLoC. We implement tactics for interactive refinements proofs, allowing us to mechanize several case studies, and thereby demonstrate the practicality of ReLoC.ReLoC Reloaded extends our ReLoC logic (LICS'18) with various technical improvements, a new Coq mechanization, and support for Iris's prophecy variables. The latter allows us to carry out refinement proofs that involve reasoning about the program's future. We also expand ReLoC's notion of logically atomic relational specifications with a new flavor based on the HOCAP pattern by Svendsen et al .

show abstract

Compositional Non-Interference for Fine-Grained Concurrent Programs

Cited by 15 publications

References 40 publications

Asynchronous Probabilistic Couplings in Higher-Order Separation Logic

Asynchronous Probabilistic Couplings in Higher-Order Separation Logic

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

ReLoC Reloaded: A Mechanized Relational Logic for Fine-Grained Concurrency and Logical Atomicity

Contact Info

Product

Resources

About