Research article (open access)

Modular Product Programs

Published: 21 November 2019

Abstract

Many interesting program properties like determinism or information flow security are hyperproperties, that is, they relate multiple executions of the same program. Hyperproperties can be verified using relational logics, but these logics require dedicated tool support and are difficult to automate. Alternatively, constructions such as self-composition represent multiple executions of a program by one product program, thereby reducing hyperproperties of the original program to trace properties of the product. However, existing constructions do not fully support procedure specifications, for instance, to derive the determinism of a caller from the determinism of a callee, making verification non-modular.
We present modular product programs, a novel kind of product program that permits hyperproperties in procedure specifications and, thus, can reason about calls modularly. We provide a general formalization of our product construction and prove it sound and complete. We demonstrate its expressiveness by applying it to information flow security with advanced features such as declassification and termination-sensitivity. Modular product programs can be verified using off-the-shelf verifiers; we have implemented our approach for both secure information flow and general hyperproperties using the Viper verification infrastructure. Our evaluation demonstrates that modular product programs can be used to prove hyperproperties for challenging examples in reasonable time.
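The following is an added example, written for this page rather than taken from the paper or its Viper implementation. It shows the core idea of the product construction described above on a toy while-language: the 2-product shares the original program's control flow, duplicates only the data, and guards every statement with per-execution activation flags (so a branch or loop is visited once even when the two executions disagree on its condition). Running the product from two low-equal initial states that differ only in high inputs then turns the noninterference hyperproperty into an ordinary check on one final state. The check here is bounded and concrete (it tests sample inputs; the paper proves the property with an off-the-shelf verifier), procedure calls and the modular handling of callee specifications are not modelled, and all names (`build_product`, `check_noninterference`, `LEAKY`, `SAFE`, the sample programs) are assumptions of this example.

```python
"""2-product of a toy while-program with activation flags (added example;
not the paper's formal construction nor its Viper implementation).
Statements:
  ("assign", var, f)      f: env -> value, where env maps var -> value
  ("if", c, then, else)   c: env -> bool; then / else are statement lists
  ("while", c, body)
"""
from itertools import product as cartesian


def _view(env, i):
    """Single-execution view (var -> value) of the product state for run i."""
    return {v: val for (v, k), val in env.items() if k == i}


def build_product(stmts):
    """Return run(env, p1, p2), which executes the 2-product of stmts.

    env maps (var, i) -> value for executions i = 1, 2. p1 and p2 are the
    activation flags: execution i only updates its copy of the state while
    p_i holds. Each if/while is visited once for both executions, so the
    product keeps the original control flow; only the flags carry the
    per-execution branch decisions.
    """
    def run(env, p1, p2):
        for s in stmts:
            kind = s[0]
            if kind == "assign":
                _, var, f = s
                if p1:
                    env[(var, 1)] = f(_view(env, 1))
                if p2:
                    env[(var, 2)] = f(_view(env, 2))
            elif kind == "if":
                _, c, then, els = s
                c1 = p1 and c(_view(env, 1))
                c2 = p2 and c(_view(env, 2))
                build_product(then)(env, c1, c2)
                build_product(els)(env, p1 and not c1, p2 and not c2)
            elif kind == "while":
                _, c, body = s
                # one loop for both executions: a run that has left the loop
                # is deactivated while the other keeps iterating
                while True:
                    c1 = p1 and c(_view(env, 1))
                    c2 = p2 and c(_view(env, 2))
                    if not (c1 or c2):
                        break
                    build_product(body)(env, c1, c2)
            else:
                raise ValueError(f"unknown statement kind: {kind}")
        return env
    return run


def check_noninterference(stmts, high, low, low_inputs, high_inputs):
    """Bounded concrete check of noninterference (a 2-safety hyperproperty).

    For every low initial state and every pair of high initial states, run
    the product from two low-equal initial states and report each low
    variable whose final values differ, as (var, value1, value2). An empty
    result is evidence on these inputs only, not a proof.
    """
    violations = []
    for lo in low_inputs:
        for h1, h2 in cartesian(high_inputs, repeat=2):
            env = {}
            for v, val in lo.items():
                env[(v, 1)] = env[(v, 2)] = val
            for v in high:
                env[(v, 1)], env[(v, 2)] = h1[v], h2[v]
            build_product(stmts)(env, True, True)
            for v in low:
                if env[(v, 1)] != env[(v, 2)]:
                    violations.append((v, env[(v, 1)], env[(v, 2)]))
    return violations


# Constructed sample programs. LEAKY's loop bound is the secret, so the
# iteration count (and hence x) leaks it. SAFE loops on the low input n and
# writes its secret-dependent branch result only to the high variable h.
LEAKY = [
    ("assign", "i", lambda e: 0),
    ("assign", "x", lambda e: 0),
    ("while", lambda e: e["i"] < e["secret"], [
        ("assign", "i", lambda e: e["i"] + 1),
        ("assign", "x", lambda e: e["x"] + 1),
    ]),
]

SAFE = [
    ("assign", "i", lambda e: 0),
    ("assign", "x", lambda e: 0),
    ("while", lambda e: e["i"] < e["n"], [
        ("assign", "i", lambda e: e["i"] + 1),
        ("assign", "x", lambda e: e["x"] + 2 * e["i"]),
    ]),
    ("if", lambda e: e["secret"] > 0,
     [("assign", "h", lambda e: 2 * e["secret"])],
     [("assign", "h", lambda e: 0)]),
]

if __name__ == "__main__":
    lows, highs = [{"n": 2}, {"n": 5}], [{"secret": 0}, {"secret": 3}]
    print("LEAKY:", check_noninterference(LEAKY, ["secret"], ["x"], lows, highs))
    print("SAFE: ", check_noninterference(SAFE, ["secret"], ["x", "i"], lows, highs))
```

The point to notice is in the `while` case: a plain self-composition would run the two copies of the loop one after the other, and a verifier would then need a relational loop invariant connecting two syntactically separate loops. With activation flags both executions step through one loop, and an execution that has exited simply stops updating its state, which is what lets the assertion at the end (low outputs equal when both executions are active) be stated as an ordinary trace property of the product.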



Reviews

Jacques Carette

Some properties of programs are not about a single run of the program; instead, they relate multiple runs. For example, a program is deterministic if, given the same input, two runs will always produce the same answer. Many other properties of interest, such as security properties, are also like this. These are known as k-hyperproperties, which relate the runs of k programs. The authors claim that current approaches to the problem are not modular, which would clearly make them difficult to scale. They instead introduce a translation-based method for verifying such properties that blows up the data dependencies (linearly in k), but does not change the control flow. Quite a bit of care is needed to design a translation that deals with each control structure appropriately. The problem and ideas involved are well motivated through well-chosen examples (sections 2 and 3). Because of this setup, the more technical details of the construction (section 4) make sense. Section 5 is a human proof of soundness and completeness (it's a bit surprising to see a non-mechanized proof in TOPLAS). Section 6 gives applications to various information flow and security properties, showing the wide applicability of the method, while section 7 gives a rather thorough evaluation of the corresponding implementation in Viper. The paper is very well written and quite readable. Anyone wanting a snapshot of an interesting method for proving hyperproperties, or even learning about hyperproperties, could benefit from reading this paper.


Published In

ACM Transactions on Programming Languages and Systems  Volume 42, Issue 1
Special Issue on ESOP 2018
March 2020
215 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/3373084
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 November 2019
Accepted: 01 March 2019
Revised: 01 November 2018
Received: 01 May 2018
Published in TOPLAS Volume 42, Issue 1


Author Tags

  1. Hyperproperties
  2. product programs

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Zurich Information Security and Privacy Center (ZISC)

Article Metrics

  • Downloads (Last 12 months)157
  • Downloads (Last 6 weeks)21
Reflects downloads up to 01 Sep 2024

Cited By
  • (2024)Hyper Hoare Logic: (Dis-)Proving Program HyperpropertiesProceedings of the ACM on Programming Languages10.1145/36564378:PLDI(1485-1509)Online publication date: 20-Jun-2024
  • (2024)Axiomatising an information flow logic based on partial equivalence relationsInternational Journal on Software Tools for Technology Transfer10.1007/s10009-024-00756-z26:4(445-461)Online publication date: 25-Jun-2024
  • (2024)Verification Algorithms for Automated Separation Logic VerifiersComputer Aided Verification10.1007/978-3-031-65627-9_18(362-386)Online publication date: 26-Jul-2024
  • (2024)Automated Software Verification of HyperlivenessTools and Algorithms for the Construction and Analysis of Systems10.1007/978-3-031-57249-4_10(196-216)Online publication date: 6-Apr-2024
  • (2023)A Relational Program Logic with Data Abstraction and Dynamic FramingACM Transactions on Programming Languages and Systems10.1145/355149744:4(1-136)Online publication date: 10-Jan-2023
  • (2023)Patch Specifications via Product Programs2023 IEEE/ACM 11th International Conference on Formal Methods in Software Engineering (FormaliSE)10.1109/FormaliSE58978.2023.00012(39-43)Online publication date: May-2023
  • (2023)Automata-Based Software Model Checking of HyperpropertiesNASA Formal Methods10.1007/978-3-031-33170-1_22(361-379)Online publication date: 16-May-2023
  • (2023)The WhyRel Prototype for Modular Relational Verification of Pointer ProgramsTools and Algorithms for the Construction and Analysis of Systems10.1007/978-3-031-30820-8_11(133-151)Online publication date: 22-Apr-2023
  • (2022)Proving hypersafety compositionallyProceedings of the ACM on Programming Languages10.1145/35632986:OOPSLA2(289-314)Online publication date: 31-Oct-2022
  • (2022)Software Verification of Hyperproperties Beyond k-SafetyComputer Aided Verification10.1007/978-3-031-13185-1_17(341-362)Online publication date: 7-Aug-2022