Fissile type analysis

Coughlin, Devin; Chang, Bor-Yuh Evan

doi:10.1145/2535838.2535855

Cited by 6 publications

(3 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that this procedure temporarily violates the conservation property! The invariant is not required to hold at every program point (which would be overly strict [13]); only at the beginning (precondition) and at the end (postcondition) of every public procedure of the module. And indeed the final line of the procedure restores the invariant by creating and returning a Coin with the corresponding value.…”

Section: B Invariants and Vulnerabilitymentioning

confidence: 99%

Robust Safety for Move

Patrignani,

Blackshear

2023

2023 IEEE 36th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

A program that maintains key safety properties even when interacting with arbitrary untrusted code is said to enjoy robust safety. Proving that a program written in a mainstream language is robustly safe is typically challenging because it requires static verification tools that work precisely even in the presence of language features like dynamic dispatch and shared mutability. The emerging Move programming language was designed to support strong encapsulation and static verification in the service of secure smart contract programming. However, the language design has not been analysed using a theoretical framework like robust safety.In this paper, we define robust safety for the Move language and introduce a generic framework for static tools that wish to enforce it. Our framework consists of two abstract components: a program verifier that can prove an invariant holds in a closedworld setting (e.g., the Move Prover [16, 47]), and a novel encapsulator that checks if the verifier's result generalizes to an open-world setting. We formalise an escape analysis as an instantiation of the encapsulator and prove that it attains the required security properties.Finally, we implement our encapsulator as an extension to the Move Prover and use the combination to analyse a large representative benchmark set of real-world Move programs. This toolchain certifies >99% of the Move modules we analyse, validating that automatic enforcement of strong security properties like robust safety is practical for Move. Additionally, our results tell that security-centric language design can be effective in attaining strong security properties such as robust safety.

show abstract

Section: B Invariants and Vulnerabilitymentioning

confidence: 99%

Robust Safety for Move

Patrignani,

Blackshear

2023

2023 IEEE 36th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

show abstract

“…The subsequent work by Rondon et al [41] propose a flow-sensitive refinement type system to reason about programs with mutation. Similarly, Coughlin et al's work [17] handles mutation via a flow-sensitive approach, allowing type refinements to temporarily break and then get re-established later at some other control locations. It adopts flow-sensitive analysis between control locations who break and reestablish the invariant, respectively.…”

Section: Related Workmentioning

confidence: 99%

Selectively-Amortized Resource Bounding

Chang

Trivedi

2021

Static Analysis

View full text Add to dashboard Cite

Managing resource usage has become a critical concern for software developers as software development continues to grow in complexity. This thesis focuses on the practical aspects of automatically proving resource bounds by investigating how to bound an integer-valued resource variable by a given program expression. The automatic resource bound analysis has become increasingly important in detecting performance bugs, preventing algorithmic-complexity attacks, and identifying side-channel vulnerabilities. This thesis puts forth a novel paradigm of selectively-amortized resource bounding for practical yet sound analysis of resource usage.The most simple and common approach, which we refer to as the worst-case reasoning, involves reducing the problem to the reachability bound problem. This method infers the maximum number of times a location can be visited, multiplies it by the worst-case cost at this location among all visits, and sums up such products for all locations. However, this approach fails to work for non-terminating programs like reactive programs, as the number of times a location can be reached may be unbounded.To address this limitation, we adapt worst-case reasoning to work with non-terminating programs by introducing counters-auxiliary variables that track the number of times a location is reached-and specifying inductive relations that describe the worst-case reasoning using these counters. To handle unboundedness, we infer additional invariants about counters that describe the control flow. This approach is type-directed, and the inductive relations can be viewed as refinement types that can be validated by a type checking system. However, worst-case reasoning, including the aforementioned type-directed approach, can become highly imprecise when the costs at a location vary widely among various iterations. This situation is particularly common in the design and analysis of leading data structures and algorithms iii that take advantage of amortization to achieve better overall performance, such as dynamic arrays and search structures. To address the imprecision that arises due to wide cost variations, one remedy is to use the most precise reasoning, which we dub fully-amortized reasoning. This approach accurately approximates the total resource usage before and after a transition by inferring flow-sensitive invariants. However, the practicality of this approach is limited since the required invariants are often complex polynomials that can be challenging to reliably infer. This thesis introduces and focuses around a novel paradigm called selectively-amortized reasoning, which combines the simplicity of worst-case reasoning with the precision of fullyamortized reasoning. Selectively-amortized reasoning defines a spectrum of analysis by adjusting the analysis precision and simplicity, with worst-case reasoning being the simplest and fullyamortized reasoning being the most precise. To analyze a trace's total resource usage, one decomposes the trace into subtraces, applies fully-amortized reasoning wit...

show abstract

“…Following, for example, Vytiniotis et al [2013] and Coughlin and Chang [2014], we use an overline above mathematical material to indicate an appropriately punctuated sequence of zero or more repetitions of the material, with a subscript added to each metavariable in the material. Thus {α } is equal to {α 1 , α 2 , .…”

Section: Notationmentioning

confidence: 99%

Polymorphic symmetric multiple dispatch with variance

Park

Hong

Steele

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Many object-oriented languages provide method overloading, which allows multiple method declarations with the same name. For a given method invocation, in order to choose what method declaration to invoke, multiple dispatch considers the run-time types of the arguments. While multiple dispatch can support binary methods (such as mathematical operators) intuitively and consistently, it is difficult to guarantee that calls will be neither ambiguous nor undefined at run time, especially in the presence of expressive language features such as multiple inheritance and parametric polymorphism. Previous efforts have formalized languages that include such features by using overloading rules that guarantee a unique and type-sound resolution of each overloaded method call; in many cases, such rules resolve ambiguity by treating the arguments asymmetrically. Here we present the first formal specification of a strongly typed object-oriented language with symmetric multiple dispatch, multiple inheritance, and parametric polymorphism with variance. We define both a static (typechecking) semantics and a dynamic (dispatching) semantics and prove the type soundness of the language, thus demonstrating that our novel dynamic dispatch algorithm is consistent with the static semantics. Details of our dynamic dispatch algorithm address certain technical challenges that arise from structural asymmetries inherent in object-oriented languages (e.g., classes typically declare ancestors explicitly but not descendants). CCS Concepts: • Software and its engineering → General programming languages; • Social and professional topics → History of programming languages;

show abstract

Fissile type analysis

Cited by 6 publications

References 43 publications

Robust Safety for Move

Robust Safety for Move

Selectively-Amortized Resource Bounding

Polymorphic symmetric multiple dispatch with variance

Contact Info

Product

Resources

About