Product programs and relational program logics

Barthe, Gilles; Crespo, Juan Manuel; Kunz, César

doi:10.1016/j.jlamp.2016.05.004

Cited by 36 publications

(40 citation statements)

References 31 publications

(41 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It should be noted that those are not exactly the same rules as presented in the original paper [3] because the (R-Assign-) rule of this paper seems unsound to us and some rules were missing.…”

Section: Minimal Relational Hoare Logic Minimal Relational Hoarementioning

confidence: 78%

See 1 more Smart Citation

Verifiable semantic difference languages

Girka

Mentré

Régis-Gianas

2017

Proceedings of the 19th International Symposium on Principles and Practice of Declarative Programming

View full text Add to dashboard Cite

Program differences are usually represented as textual differences on source code with no regard to its syntax or its semantics. In this paper, we introduce semantic-aware difference languages. A difference denotes a relation between program reduction traces. A difference language for the toy imperative programming language Imp is given as an illustration.To certify software evolutions, we want to mechanically verify that a difference correctly relates two given programs. Product programs and correlating programs are effective proof techniques for relational reasoning. A product program simulates, in the same programming language as the compared programs, a well-chosen interleaving of their executions to highlight a specific relation between their reduction traces. While this approach enables the use of readily-available static analysis tools on the product program, it also has limitations: a product program will crash whenever one of the two programs under consideration crashes, thus making it unsuitable to characterize a patch fixing a safety issue.We replace product programs by correlating oracles which need not be expressed in the same programming language as the compared programs. This allows designing correlating oracle languages specific to certain classes of program changes and capable of relating crashing programs with non-crashing ones. Thanks to oracles, the primitive differences of our difference language on Imp can be assigned a verifiable semantics. Besides, each class of oracles comes with a specific proof scheme which simplifies relational reasoning for a well-specified class of relations. We also prove that our framework is at least as expressive as several Relational Hoare Logic variants by encoding them as correlating oracles, (re)proving soundness of those variants in the process. The entirety of the framework as well as its instantiations have been defined and proved correct using the Coq proof assistant.

show abstract

Section: Minimal Relational Hoare Logic Minimal Relational Hoarementioning

confidence: 78%

“…Extended Relational Hoare Logic is the final variant of RHL presented by Barthe et al [3]. It allows to replace any sub-program by some other extensionally equivalent program.…”

Section: Extended Rhlmentioning

confidence: 99%

Verifiable semantic difference languages

Girka

Mentré

Régis-Gianas

2017

Proceedings of the 19th International Symposium on Principles and Practice of Declarative Programming

View full text Add to dashboard Cite

show abstract

“…Product program constructions Product program constructions and self-composition are techniques aimed at reducing the verification of k-safety properties (Clarkson and Schneider 2010) to the verification of traditional (unary) safety proprieties of a product program that emulates the behavior of multiple input programs. Multiple such constructions have been proposed (Barthe et al 2016) targeted for instance at secure IFC (Barthe et al 2011;Naumann 2006;Terauchi and Aiken 2005;Yasuoka and Terauchi 2014), program equivalence for compiler validation (Zaks and Pnueli 2008), equivalence checking and computing semantic differences (Lahiri et al 2012), program approximation (He et al 2016). Sousa and Dillig's 2016 recent Descartes tool for k-safety properties also creates k copies of the program, but uses lockstep reasoning to improve performance by more tightly coupling the key invariants across the program copies.…”

Section: Related Workmentioning

confidence: 99%

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Grimm

Maillard

Fournet

et al. 2018

Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

Relational properties describe multiple runs of one or more programs. They characterize many useful notions of security, program refinement, and equivalence for programs with diverse computational effects, and they have received much attention in the recent literature. Rather than developing separate tools for special classes of effects and relational properties, we advocate using a general purpose proof assistant as a unifying framework for the relational verification of effectful programs. The essence of our approach is to model effectful computations using monads and to prove relational properties on their monadic representations, making the most of existing support for reasoning about pure programs.We apply this method in F ⋆ and evaluate it by encoding a variety of relational program analyses, including information flow control, semantic declassification, program equivalence and refinement at higher order, correctness of program optimizations and game-based cryptographic security. By relying on SMT-based automation, unary weakest preconditions, user-defined effects, and monadic reification, we show that, compared to unary properties, verifying relational properties requires little additional effort from the F ⋆ programmer.

show abstract

“…Hoare logic [27] is one of the most widely-used logics for proof-based verification of software. Variants of Hoare logic have been proposed for verifying relational, and in particular, k-safety properties [28][29][30]. An advantage of these techniques is that they avoid the state-space explosion problem, because they do not check the whole state space of the program.…”

Section: Case Studymentioning

confidence: 99%

Verifying Weak Probabilistic Noninterference

Noroozi¹,

Karimpour²,

Isazadeh³

et al. 2017

ijacsa

View full text Add to dashboard Cite

Abstract-Weak probabilistic noninterference is a security property for enforcing confidentiality in multi-threaded programs. It aims to guarantee secure flow of information in the program and ensure that sensitive information does not leak to attackers. In this paper, the problem of verifying weak probabilistic noninterference by leveraging formal methods, in particular algorithmic verification, is discussed. Behavior of multi-threaded programs is modeled using probabilistic Kripke structures and formalize weak probabilistic noninterference in terms of these structures. Then, a verification algorithm is proposed to check weak probabilistic noninterference. The algorithm uses an abstraction technique to compute quotient space of the program with respect to an equivalence relation called weak probabilistic bisimulation and does a simple check to decide whether the security property is satisfied or not. The progress made is demonstrated by a real-world case study. It is expected that the proposed approach constitutes a significant step towards more widely applicable secure information flow analysis.

show abstract

Product programs and relational program logics

Cited by 36 publications

References 31 publications

Verifiable semantic difference languages

Verifiable semantic difference languages

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Verifying Weak Probabilistic Noninterference

Contact Info

Product

Resources

About