Relational abstract interpretation for the verification of 2-hypersafety properties

Kovács, Máté; Seidl, Helmut; Finkbeiner, Bernd

doi:10.1145/2508859.2516721

Cited by 30 publications

(36 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As our case studies show, machine code verification requires flow and path sensitive techniques due to register reuse and complex data/control flow. Hence, compared to [30,38], our techniques is more precise. Third, our approach addresses additional complications due to the lack of support for data structures.…”

Section: Discussion and Related Workmentioning

confidence: 93%

“…Relational program verification has been used to prove non-functional properties such as compiler optimization correctness [10], program equivalence [39,38] and information flow security [11,8,30]. Neither addresses verification at the machine level.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…A related paper [10] presents product programs as a mean for reducing relational verification to classical functional verification. Several authors have studied algorithms for constructing and verifying over/under approximations of product programs automatically using typing [47], abstract interpretation [30,38] and symbolic execution [8,39,44]. This work differs in several aspects.…”

Section: Discussion and Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Automating Information Flow Analysis of Low Level Code

Balliu

Dam

Guanciale

2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Low level code is challenging: It lacks structure, it uses jumps and symbolic addresses, the control ow is often highly optimized, and registers and memory locations may be reused in ways that make typing extremely challenging. Information ow properties create additional complications: They are hyperproperties relating multiple executions, and the possibility of interrupts and concurrency, and use of devices and features like memory-mapped I/O requires a departure from the usual initial-state nal-state account of noninterference. In this work we propose a novel approach to relational verication for machine code. Verication goals are expressed as equivalence of traces decorated with observation points. Relational verication conditions are propagated between observation points using symbolic execution, and discharged using rst-order reasoning. We have implemented an automated tool that integrates with SMT solvers to automate the verication task. The tool transforms ARMv7 binaries into an intermediate, architecture-independent format using the BAP toolset by means of a veried translator. We demonstrate the capabilities of the tool on a separation kernel system call handler, which mixes hand-written assembly with gcc-optimized output, a UART device driver and a crypto service modular exponentiation routine.

QC 20140905

show abstract

Section: Discussion and Related Workmentioning

confidence: 93%

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Discussion and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Automating Information Flow Analysis of Low Level Code

Balliu

Dam

Guanciale

2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

QC 20140905

show abstract

“…In a nutshell, the type-directed transformation of programs does not self-compose branching statements depending on public variables, but rather uses synchronous programs, and performs copy propagation on self-composed assignments with low expressions to variables. Kovacs, Seidl and Finkbeiner [28] further refine this approach, again by providing a product program that is easier to verify.…”

Section: Related Workmentioning

confidence: 99%

Product programs and relational program logics

Barthe

Crespo²,

Kunz³

2016

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

A common theme in program verification is to relate two programs, for instance to show that they are equivalent, or that one refines the other. Such relationships can be formally established using relational program logics, which are tailored to reason about relations between two programs, or product constructions which allow to build from two programs a product program that emulates the behavior of both input programs. Similarly, product programs and relational program logics can be used to reason about 2-safety properties, an important class of properties that reason about two executions of the same program, and includes as instances non-interference, continuity, and determinism. In this paper, we consider several notions of product programs and explore their relationship with different relational program logics. Moreover, we present applications of product programs to program robustness, non-interference, translation validation, and differential privacy.

show abstract

“…Several works have used abstract interpretation in some way. One approach to 2-safety is by forming a product program that encodes execution pairs (Barthe et al 2004;Terauchi and Aiken 2005;Darvas et al 2005), thereby reducing the problem to ordinary safety which can be checked by abstract interpretation (Kovács et al 2013) or other means. Alternatively, a 2-safety property can be checked by dedicated analyses which may rely in part on ordinary abstract interpretations for trace properties (Amtoft et al 2006).…”

mentioning

confidence: 99%

Hypercollecting semantics and its application to static analysis of information flow

Assaf

Naumann

Signoles

et al. 2017

Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages

View full text Add to dashboard Cite

We show how static analysis for secure information flow can be expressed and proved correct entirely within the framework of abstract interpretation. The key idea is to define a Galois connection that directly approximates the hyperproperty of interest. To enable use of such Galois connections, we introduce a fixpoint characterisation of hypercollecting semantics, i.e. a "set of sets" transformer. This makes it possible to systematically derive static analyses for hyperproperties entirely within the calculational framework of abstract interpretation. We evaluate this technique by deriving example static analyses. For qualitative information flow, we derive a dependence analysis similar to the logic of Amtoft and Banerjee (SAS'04) and the type system of Hunt and Sands (POPL'06). For quantitative information flow, we derive a novel cardinality analysis that bounds the leakage conveyed by a program instead of simply deciding whether it exists. This encompasses problems that are hypersafety but not k-safety. We put the framework to use and introduce variations that achieve precision rivalling the most recent and precise static analyses for information flow.

show abstract

Relational abstract interpretation for the verification of 2-hypersafety properties

Cited by 30 publications

References 38 publications

Automating Information Flow Analysis of Low Level Code

Automating Information Flow Analysis of Low Level Code

Product programs and relational program logics

Hypercollecting semantics and its application to static analysis of information flow

Contact Info

Product

Resources

About