© andrew irelanddependable systems group on the scalability of proof carrying code for software...
TRANSCRIPT
© Andrew IrelandDependable Systems Group
On the Scalability of Proof Carrying Code for Software Certification
Andrew IrelandSchool of Mathematical & Computer Sciences
Heriot-Watt UniversityEdinburgh
© Andrew IrelandDependable Systems Group
Outline
• High integrity software development• Evidence based software certificates• Scalability problems• A planning approach• Issues for discussion
© Andrew IrelandDependable Systems Group
The SPARK ApproachSPARK
ExaminerSPADE Simplifier
SPADEProof Checker
• SPARK is a subset of Ada with annotations
(Praxis High Integrity Systems Ltd)• Supports data & information flow analysis and
formal verification - in particular, exception freedom proofs• EuroFighter and Hawk projects, advocated by NSA, …
VCs
UnprovenVCs
SPARK
codeProofs
XRevisions Tactics
© Andrew IrelandDependable Systems Group
NuSPADE
NuSPADESPARK
ExaminerSPADE Simplifier
SPADEProof Checker
• NuSPADE = proof planning + program analysis• Annotation generation motivated by proof-failure analysis
VCs
UnprovenVCs
SPARK
codeProofs
AnnotationsX
Tactics
© Andrew IrelandDependable Systems Group
NuSPADEUnproven
VCs
AbstractPredicatesAnnotations
Co-operative style of integration, i.e. “productive use of failure”
ProofPlanner
ProgramAnalyzer
Tactics
© Andrew IrelandDependable Systems Group
Conjecture
Proof Plans
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
© Andrew IrelandDependable Systems Group
SPARK and Certification• Z specifications + rigorous proofs• Data flow & information analysis• Code level proofs:
– Exception freedom proofs: automatic + interactive proofs
– Functional proofs: significant level of interactive proofs
– Proof review files• Resource analysis
Note: various levels of formal & rigorous evidence
© Andrew IrelandDependable Systems Group
Evidence Based Certification• Proof-Carrying Code (PCC) – a example of an
evidence based approach to certification• Code is delivered with a certificate containing a
condensed mathematical proof, i.e. a proof that the code satisfies desired safety properties
• Responsibility for proof construction lies with the code producer, consumer performs proof checking
• Trusted Computing Base (TCB) for PCC is small, i.e. safety properties, verification condition generator and proof checker
© Andrew IrelandDependable Systems Group
Properties, Proofs & Certificates• Properties typically simple, e.g. memory safety • Proof construction involves advanced type
checking, i.e. no theorem proving• Certificates:
– LF proofs quadratic with respect to program size– LFi proofs 2.5 to 5 times program size– Oracles strings on average 12% program size– Proof tactics have also been used
© Andrew IrelandDependable Systems Group
Scalability Problems• Need for comprehensive properties, e.g.
functional properties• MOBIUS: combining type-based and logic-
based approaches• Need to exploit automated theorem proving
techniques• Will current PCC architecture scale-up, e.g.
oracles strings?
© Andrew IrelandDependable Systems Group
Conjecture
Proof Plans
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
© Andrew IrelandDependable Systems Group
Conjecture
Proof Plans
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
© Andrew IrelandDependable Systems Group
Conjecture
Proof Plans
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
Oracle
© Andrew IrelandDependable Systems Group
Conjecture
Planning Oracles as Certificates
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
Oracle
© Andrew IrelandDependable Systems Group
Conjecture
Planning Oracles as Certificates
Plan Theory
ProofPlanner
ProofChecker
Tactic
Proof
Failure
Oracle
Oracle identifies:• Proof plans and where they should be used• Relevant theories• Search control hints, e.g. auxiliary lemmas and generalization steps
© Andrew IrelandDependable Systems Group
Certificate GenerationCode +Spec
Certificate Generation(VCGen + Planner +Checker)
Certificate(Oracle)
? ProofFailure
Repositories(plans + theories)
© Andrew IrelandDependable Systems Group
Certificate ValidationCode +Spec
Certificate Validation(VCGen + Planner +Checker)
Certificate(Oracle)
Repositories(plans + theories)
?ProofFailure
CPU
Note: Certificate transforming compiler
© Andrew IrelandDependable Systems Group
Discussion Issues • The proposed proof planning approach will add theory
repositories (and specifications) to the TCB – is this acceptable?
• For memory limited devices, proof planning oracles are not an option for on-device certificate validation – how important is on-device validation to certification management in general?
• More comprehensive properties will require off-device validation – could a dedicated certificate validation device have a role to play?
• Certificate transforming compiler or trusted compiler?
© Andrew IrelandDependable Systems Group
Conclusion • The SPARK Approach and proof automation via
proof planning• The success of PCC as well and the limits of
current architectures• Proposal for proof planning and proof planning
oracles as a technique for addressing limitations