Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Review of Constraint Database Approximation Theory
Related Work
Conclusions and Future Work
References
All Topics
Psychology
Social Psychology

Verifying the Incorrectness of Programs and Automata

Profile image of Scot AndersonScot AndersonProfile image of Peter ReveszPeter Revesz

2005, Abstraction, Reformulation and Approximation

https://doi.org/10.1007/11527862_1
visibility

description

12 pages

link

1 file

Abstract

Verification of the incorrectness of programs and automata needs to be taken as seriously as the verification of correctness. However, there are no good general methods that always terminate and prove incorrectness. We propose one general method based on a lower bound approximation of the semantics of programs and automata. Based on the lower-bound approximation, it becomes easy to check whether certain error states are reached. This is in contrast to various abstract interpretation techniques that make an upper bound approximation of the semantics and test that the error states are not reached. The precision of our lower bound approximation is controlled by a single parameter that can be adjusted by the user of the MLPQ system in which the approximation method is implemented. As the value of the parameter decreases the implementation results in a finer program semantics approximation but requires a longer evaluation time. However, for all input parameter values the program is guaranteed to terminate. We use the lower bound approximation to verify the incorrectness of a subway train control automaton. We also use the lower bound approximation for a problem regarding computer security via trust management programs. We propose a trust management policy language extending earlier work by Li and Mitchell. Although, our trust management programming language is Turing-complete, programs in this language have semantics that lend themselves naturally to a lower-bound approximation. Namely, the lower bound approximation is such that no unwarranted authorization is given at any time, although some legitimate access may be denied.

Related papers

Foundations of Logic-Based Trust Management
Alessandra Russo

2012 IEEE Symposium on Security and Privacy, 2012

Over the last 15 years, many policy languages have been developed for specifying policies and credentials under the trust management paradigm. What has been missing is a formal semantics-in particular, one that would capture the inherently dynamic nature of trust management, where access decisions are based on the local policy in conjunction with varying sets of dynamically submitted credentials. The goal of this paper is to rest trust management on a solid formal foundation. To this end, we present a model theory that is based on Kripke structures for counterfactual logic. The semantics enjoys compositionality and full abstraction with respect to a natural notion of observational equivalence between trust management policies. Furthermore, we present a corresponding Hilbert-style axiomatization that is expressive enough for reasoning about a system's observables on the object level. We describe an implementation of a mechanization of the proof theory, which can be used to prove non-trivial metatheorems about trust management systems, as well as analyze probing attacks on such systems. Our benchmark results show that this logic-based approach performs significantly better than the only previously available, ad-hoc analysis method for probing attacks.

View PDFchevron_right
Gate automata-driven run-time enforcement
Gabriele Costa

Computers & Mathematics with Applications, 2012

Security and trust represent two different perspectives on the problem of guaranteeing the correct interaction among software components. Gate automata have been proposed as a formalism for the specification of both security and trust policies in the scope of the Security-by-Contract-with-Trust (S×C×T) framework. Indeed, they watch the execution of a target program, possibly modifying its behaviour, and produce a feedback for the trust management system. The level of trust changes the environment settings by dynamically activating/deactivating some of the defined gate automata. The goal of this paper is to present gate automata and to show a gate automatadriven strategy for the run-time enforcement in the S×C×T.

View PDFchevron_right
Verification and Validation for Trustworthy Software Systems
James Michael

IEEE Software, 2011

View PDFchevron_right
Model and synthesize security automata
Ilaria Matteucci

2006

We define a set of process algebra operators (controllers) that mimic the security automata introduced by Schneider in and by Ligatti and al. in [4], respectively. We also show how to automatically build these controllers for given security policies. Recently, several papers tackled the formal definition of mechanisms for enforcing security policies (e.g., see ). The focus of this paper is the study of the enforcement mechanisms introduced by Schneider in and security automata developed by Ligatti and al. in [4,. In , Schneider deals with the problem of enforcing security properties in a systematic way. He discusses whether a given security property is enforceable and at what cost. To study those issues, Schneider uses the class of enforcement mechanisms (EM) that work by monitoring execution steps of a target system, herein and terminating its execution if it is about to violate the security property being enforced. A security automaton defined in [18] is a triple (Q, q 0 , δ) where Q is a set of states, q 0 is the initial one and δ : Act × Q → Q, where Act is a set of security-relevant actions, is the transition function. A security automata processes a sequence a 1 a 2 . . . of actions. At each step only one action is considered and for each action we calculate the global state Q that is the set of the possible states for the current action, i.e. if the automaton is checking the action a i then Q = q∈Q δ(a i , q). If the automaton can make a transition on a given action, i.e. Q is not empty, then the target is allowed to perform that step. The state of the automaton changes according to the transition rules. Otherwise the target execution is terminated. A security property that can be enforced in this way corresponds to a safety property (according to [18], a property is a safety * Work partially supported by CNR project "Trusted e-services for dynamic coalitions" and by EU-funded project "Software Engineering for Service-Oriented Overlay Computers"(SENSORIA) and by EU-funded project "Secure Software and Services for Mobile Systems "(S3MS).

View PDFchevron_right
Verification of automata-based programs
Anatoly Shalyto

2011

View PDFchevron_right
The road to trustworthy systems
Gernot Heiser

Proceedings of the fifth ACM workshop on Scalable trusted computing - STC '10, 2010

Computer systems are routinely deployed in life-and missioncritical situations, yet in most cases their security, safety or dependability cannot be assured to the degree warranted by the application. In other words, trusted computer systems are rarely really trustworthy.

View PDFchevron_right
Verifying Security Protocols Modelled by Networks of Automata
Mirosław Kurkowski

Fundamenta Informaticae, 2007

The paper presents a method of abstraction for timed systems. To extract an abstract model of a timed system we propose to use static analysis, namely a technique called path compression. The idea behind the path compression consists in identifying a path (or a set of paths) on which a process executes a sequence of transitions that do not influence a property being verified, and replacing this path with a single transition. The method is property driven since it depends on a formula in question. The abstraction is exact with respect to all the properties expressible in the temporal logic CTL * −X .

View PDFchevron_right
Automatic Veri cation of Security Protocols Using Approximations
Olga Kouchnarenko

Security protocols are widely used in open modern networks to ensure safe communications. It is now recognized that formal analysis can provide the level of assurance required by both developers and users of the protocols. Unfortunately it is generally undecidable to certify whether a protocol is safe or not. However the automatic verification of security protocols can be attempted using abstraction-based approximation. For this purpose, tree automata approximations were introduced by Genet and Klay in 2000. In this paper, we propose an extension of their techniques making the approach efficiently automatic. Our contribution has been implementing in the TA4SP tool with a high level specification language as input format, providing positive practical results on industrial security protocols.

View PDFchevron_right
Security policies enforcement using finite and pushdown edit automata
Daniele Beauquier

International Journal of Information Security, 2013

Edit automata have been introduced by J.Ligatti et al. as a model for security enforcement mechanisms which work at run time. In a distributed interacting system, they play a role of a monitor that runs in parallel with a target program and transforms its execution sequence into a sequence that obeys the security property. In this paper, we characterize security properties which are enforceable by finite edit automata (i.e. edit automata with a finite set of states) and deterministic context-free edit automata (i.e. finite edit automata extended with a stack). We prove that the properties enforceable by finite edit automata are a sub-class of regular sets. Moreover, given a regular set P, one can decide in time O(n 2), whether P is enforceable by a finite edit automaton (where n is the number of states of the finite automaton recognizing P) and we give an algorithm to synthesize the controller. Moreover, we prove that safety policies are always enforced by a deterministic context-free edit automaton. We also prove that it is possible to check if a policy is a safety policy in O(n 4). Finally, we give a topological condition on the deterministic automaton expressing a regular policy enforceable by a deterministic context-free edit automaton. Keywords Edit automata • Security policies • Enforcement mechanisms Preliminary results were presented in [1].

View PDFchevron_right
Specification and automatic verification of trust-based multi-agent systems
Nagat Drawel

Future Generation Computer Systems, 2018

We present a new logic-based framework for modeling and automatically verifying trust in Multi-Agent Systems (MASs). We start by refining TCTL, a temporal logic of trust that extends the Computation Tree Logic (CTL) to enable reasoning about trust with preconditions. A new vector-based version of interpreted systems is defined to capture the trust relationship between the interacting parties. We introduce a set of reasoning postulates along with formal proofs to support our logic. Moreover, we present new symbolic model checking algorithms to formally and automatically verify the system under consideration against some desirable properties expressed using the proposed logic. We fully implemented our proposed algorithms as a model checker tool called MCMAS-T on top of the MCMAS model checker for MASs along with its new input language VISPL (Vector-extended ISPL). We evaluated the tool and reported experimental results using a real-life scenario in the healthcare field.

View PDFchevron_right

References (39)

  1. Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T., Ho, P.-H., Nicollin, X., Olivero, A., Sifakis, J., and Yovine, S. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138, 1 (1995), 3-34.
  2. Blaze, M., Feigenbaum, J., and Lacy, J. Decentralized trust management. Tech. Rep. 96-17, AT and T Research, 1996.
  3. Boigelot, B., Rassart, S., and Wolper, P. On the expressiveness of real and integer arithmetic automata. In International Colloquium on Automata, Languages and Programming (1998), vol. 1443 of Lecture Notes in Computer Science, Springer-Verlag, pp. 152-63.
  4. Boigelot, B., and Wolper, P. Symbolic verification with periodic sets. In Proc. Conference on Computer-Aided Verification (1994), pp. 55-67.
  5. Clarke, E. M., Grumberg, O., and Peled, D. A. Model Checking. MIT Press, 1999.
  6. Cobham, A. On the base-dependence of sets of numbers recognizable by finite automata. Mathematical Systems Theory 3 (1969), 186-92.
  7. Colmerauer, A. Note sur Prolog III. In Proc. Séminaire Programmation en Logique (1986), pp. 159- 174.
  8. Cousot, P. Proving program invariance and termination by parametric abstraction, lagrangian relax- ation and semidefinite programming. In Sixth International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI'05) (Paris, France, LNCS 3385, Jan. 17-19 2005), Springer, Berlin, pp. 1-24.
  9. Delzanno, G., and Podelski, A. Model checking in CLP. In 2nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (1999), vol. 1579 of Lecture Notes in Computer Science, Springer-Verlag, pp. 74-88.
  10. Dincbas, M., Van Hentenryck, P., Simonis, H., Aggoun, A., Graf, T., and Berthier, F. The constraint logic programming language chip. In Proc. Fifth Generation Computer Systems (Tokyo, Japan, 1988), pp. 693-702.
  11. Floyd, R. B., and Beigel, R. The Language of Machines: An Introduction to Computability and Formal Languages. Computer Science Press, 1994.
  12. Fribourg, L., and Olsén, H. A decompositional approach for computing least fixed-points of datalog programs with Z-counters. Constraints 2, 3-4 (1997), 305-36.
  13. Fribourg, L., and Richardson, J. D. C. Symbolic verification with gap-order constraints. In Proc. Logic Program Synthesis and Transformation (1996), vol. 1207 of Lecture Notes in Computer Science, pp. 20-37.
  14. Godefroid, P., Huth, M., and Jagadeesan, R. Abstraction-based model checking using modal transition systems. In 12th International Conference on Concurrency Theory (2001), pp. 426-440.
  15. Grandison, T., and Sloman, M. A survey of trust in internet application. IEEE Communications Surveys and Tutorials 3, Fourth Quarter (2000).
  16. Halbwachs, N. Delay analysis in synchronous programs. In Proc. Conference on Computer-Aided Verification (1993), pp. 333-46.
  17. Jaffar, J., and Lassez, J. L. Constraint logic programming. In Proc. 14th ACM Symposium on Principles of Programming Languages (1987), pp. 111-9.
  18. Jaffar, J., and Maher, M. Constraint logic programming: A survey. J. Logic Programming 19/20 (1994), 503-581.
  19. Jaffar, J., Michaylov, S., Stuckey, P. J., and Yap, R. H. The CLP(R) language and system. ACM Transactions on Programming Languages and Systems 14, 3 (1992), 339-95.
  20. Kanellakis, P. C., Kuper, G. M., and Revesz, P. Constraint query languages. In Proc. ACM Symposium on Principles of Database Systems (1990), pp. 299-313.
  21. Kanellakis, P. C., Kuper, G. M., and Revesz, P. Constraint query languages. Journal of Computer and System Sciences 51, 1 (1995), 26-52.
  22. Kerbrat, A. Reachable state space analysis of lotos specifications. In Proc. 7th International Confer- ence on Formal Description Techniques (1994), pp. 161-76.
  23. Kuper, G. M., Libkin, L., and Paredaens, J., Eds. Constraint Databases. Springer-Verlag, 2000.
  24. Li, N., and Mitchell, J. Understanding SPKI/SDSI using first-order logic. In Proc. IEEE Computer Security Foundations Workshop (2003), pp. 89-108.
  25. Li, N., and Mitchell, J. C. Datalog with constraints: A foundation for trust management languages. In Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages (Jan. 2003), pp. 58-73.
  26. Li, N., and Mitchell, J. C. RT: A role-based trust-management framework, April 2003.
  27. Li, N., Mitchell, J. C., and Winsborough, W. H. Design of a role-based trust management framework. In Proc. IEEE Symposium on Security and Privacy, Oakland (May 2002).
  28. Marriott, K., and Stuckey, P. J. Programming with Constraints: An Introduction. MIT Press, 1998.
  29. Matiyasevich, Y. Enumerable sets are diophantine. Doklady Akademii Nauk SSR 191 (1970), 279-82.
  30. McMillan, K. Symbolic Model Checking. Kluwer, 1993.
  31. Minsky, M. L. Recursive unsolvability of Post's problem of "tag" and other topics in the theory of Turing machines. Annals of Mathematics 74, 3 (1961), 437-55.
  32. Minsky, M. L. Computation: Finite and Infinite Machines. Prentice Hall, 1967.
  33. Revesz, P. A closed-form evaluation for Datalog queries with integer (gap)-order constraints. Theo- retical Computer Science 116, 1 (1993), 117-49.
  34. Revesz, P. Constraint databases: A survey. In Semantics in Databases, L. Libkin and B. Thalheim, Eds., vol. 1358 of Lecture Notes in Computer Science. Springer-Verlag, 1998, pp. 209-46.
  35. Revesz, P. Datalog programs with difference constraints. In Proc. 12th International Conference on Applications of Prolog (1999), pp. 69-76.
  36. Revesz, P. Reformulation and approximation in model checking. In Proc. 4th International Symposium on Abstraction, Reformulation, and Approximation (2000), B. Choueiry and T. Walsh, Eds., vol. 1864 of Lecture Notes in Computer Science, Springer-Verlag, pp. 124-43.
  37. Revesz, P. Introduction to Constraint Databases. Springer-Verlag, 2002.
  38. Revesz, P., Chen, R., Kanjamala, P., Li, Y., Liu, Y., and Wang, Y. The MLPQ/GIS constraint database system. In ACM SIGMOD International Conference on Management of Data (2000).
  39. Wolper, P., and Boigelot, B. An automata-theoretic approach to Presburger arithmetic constraints. In Proc. Static Analysis Symposium (1995), vol. 983 of Lecture Notes in Computer Science, Springer- Verlag, pp. 21-32.

Related papers

Trust-Driven Policy Enforcement through Gate Automata
Gabriele Costa

2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 2011

In this paper we introduce the notion of gate automata for describing security policies. This new kind of automata aim at defining a model for the specification of both security and trust policies. The main novelty of our proposal is a unified framework for the integration of security enforcement and trust monitoring. Indeed, gate automata watch the execution of a target program, possibly modifying its behaviour, and produce a feedback for the trust management system. The level of trust changes the environment settings by dynamically activating/deactivating some of the defined gate automata.

View PDFchevron_right
TPL: A Trust Policy Language
Stefan More

IFIP Advances in Information and Communication Technology, 2019

We present TPL, a Trust Policy Language and Trust Management System. It is built around the qualities of modularity, declarativity, expressive power, formal precision, and accountability. The modularity means that TPL is built in a way that makes it easily adaptable to different types of transactions and signatures. From the aspect of declarativity and expressive power, the language is built such that policies are always formulated in a positive form and the language is Turing complete. The formal precision and accountability of the language eliminates ambiguity and allows us to achieve verified evaluations. The idea is that for any decision, the system can generate a proof that can then be checked by a prover that is formally verified, in Isabelle/HOL, to be sound with respect to a first-order logic semantics.

View PDFchevron_right
A Logic of Secure Systems and its Application to Trusted Computing (CMU-CyLab-09-001)
Dilsun Kaynar

2009

We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication, and dynamically loading and executing unknown (and potentially untrusted) code. The adversary's capabilities are constrained by the system interface as defined in the programming model (leading to the name CSI-ADVERSARY). We develop a sound proof system for reasoning about programs without explicitly reasoning about adversary actions. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise assumptions needed for the security of these protocols and reveal an insecure interaction between the two protocols.

View PDFchevron_right
A Logic of Secure Systems and its Application to Trusted Computing
Deepak Garg

2009

We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication, and dynamically loading and executing unknown (and potentially untrusted) code. The adversary's capabilities are constrained by the system interface as defined in the programming model (leading to the name CSI-ADVERSARY). We develop a sound proof system for reasoning about programs without explicitly reasoning about adversary actions. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise assumptions needed for the security of these protocols and reveal an insecure interaction between the two protocols.

View PDFchevron_right
A verification approach to applied system security
Burkhart Wolff

International Journal on Software Tools for Technology Transfer, 2005

We present a method for the security analysis of realistic models over off-the-shelf systems and their configuration by formal, machine-checked proofs. The presentation follows a large case study based on a formal security analysis of a CVS-Server architecture. The analysis is based on an abstract architecture (enforcing a role-based access control), which is refined to an implementation architecture (based on the usual discretionary access control provided by the POSIX environment). Both architectures serve as a skeleton to formulate access control and confidentiality properties. Both the abstract and the implementation architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for security properties.

View PDFchevron_right

Related topics

  • Social Psychology
  • Abstract Interpretation
  • Semantics
  • Trust Management
  • Computer Security
  • Language Policy
  • Approximation Method
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved