On the Scalability of Proof Carrying Code for Software Certification
Andrew Ireland
School of Mathematical & Computer Sciences, Heriot-Watt University, Edinburgh
Dependable Systems Group © Andrew Ireland

Outline
• High integrity software development
• Evidence based software certificates
• Scalability problems
• A planning approach
• Issues for discussion

The SPARK Approach
[Diagram: SPARK code → SPARK Examiner → VCs → SPADE Simplifier → unproven VCs → SPADE Proof Checker (driven by tactics) → proofs; revisions are fed back into the SPARK code]
• SPARK is a subset of Ada with annotations (Praxis High Integrity Systems Ltd)
• Supports data & information flow analysis and formal verification, in particular exception freedom proofs
• EuroFighter and Hawk projects, advocated by NSA, …

NuSPADE
[Diagram: as above, with NuSPADE placed between the unproven VCs and the SPADE Proof Checker; it supplies tactics to the checker and annotations back to the SPARK code]
• NuSPADE = proof planning + program analysis
• Annotation generation motivated by proof-failure analysis

NuSPADE
[Diagram: unproven VCs → Proof Planner → tactics; the Proof Planner and the Program Analyzer exchange abstract predicates and annotations]
Co-operative style of integration, i.e. "productive use of failure"

Proof Plans
[Diagram: a conjecture and a theory are input to the Proof Planner, which produces a plan; the plan yields a tactic that drives the Proof Checker; proof failure is fed back to the planner]

SPARK and Certification
• Z specifications + rigorous proofs
• Data flow & information flow analysis
• Code level proofs:
  – Exception freedom proofs: automatic + interactive proofs
  – Functional proofs: significant level of interactive proofs
  – Proof review files
• Resource analysis
Note: various levels of formal & rigorous evidence

Evidence Based Certification
• Proof-Carrying Code (PCC): an example of an evidence based approach to certification
• Code is delivered with a certificate containing a condensed mathematical proof, i.e. a proof that the code satisfies the desired safety properties
• Responsibility for proof construction lies with the code producer; the consumer only performs proof checking
• Trusted Computing Base (TCB) for PCC is small, i.e. the safety properties, the verification condition generator and the proof checker

Properties, Proofs & Certificates
• Properties typically simple, e.g. memory safety
• Proof construction involves advanced type checking, i.e. no theorem proving
• Certificates:
  – LF proofs: quadratic with respect to program size
  – LFi proofs: 2.5 to 5 times program size
  – Oracle strings: on average 12% of program size
  – Proof tactics have also been used

Scalability Problems
• Need for comprehensive properties, e.g. functional properties
• MOBIUS: combining type-based and logic-based approaches
• Need to exploit automated theorem proving techniques
• Will the current PCC architecture scale up, e.g. oracle strings?

Proof Plans
[Diagram, built up over several slides: conjecture and theory → Proof Planner → plan → tactic → Proof Checker, with proof failure fed back; in the final build the Proof Planner also emits an oracle alongside the tactic]

Planning Oracles as Certificates
[Diagram: the oracle produced by the Proof Planner is passed together with the tactic to the Proof Checker]

Planning Oracles as Certificates
Oracle identifies:
• Proof plans and where they should be used
• Relevant theories
• Search control hints, e.g. auxiliary lemmas and generalization steps

Certificate Generation
[Diagram: code + spec and repositories (plans + theories) feed Certificate Generation (VCGen + Planner + Checker), which yields a certificate (oracle) and proof, or failure]

Certificate Validation
[Diagram: code + spec, the certificate (oracle) and repositories (plans + theories) feed Certificate Validation (VCGen + Planner + Checker) on the CPU, which yields a proof, or failure]
Note: Certificate transforming compiler

Discussion Issues
• The proposed proof planning approach will add theory repositories (and specifications) to the TCB – is this acceptable?
• For memory limited devices, proof planning oracles are not an option for on-device certificate validation – how important is on-device validation to certification management in general?
• More comprehensive properties will require off-device validation – could a dedicated certificate validation device have a role to play?
• Certificate transforming compiler or trusted compiler?

Conclusion
• The SPARK Approach and proof automation via proof planning
• The success of PCC as well as the limits of current architectures
• Proposal for proof planning and proof planning oracles as a technique for addressing those limitations
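The producer/consumer split described on the "Evidence Based Certification" slide, and the oracle idea from "Planning Oracles as Certificates", as an added worked example (this code is not from the slides, NuSPADE or any PCC system). Verification conditions are the exception freedom checks for array indexing, expressed as linear inequalities `expr >= 0`; the untrusted producer searches for a certificate, while the consumer's trusted part is only the VC generator and a checker that does arithmetic, no search. The certificate plays the role of an oracle string: it records the producer's search choices so the consumer can replay them deterministically. The sample program, its precondition and the array length are constructed for illustration; real PCC checkers validate proofs in a logic such as LF rather than this linear-arithmetic stand-in.

```python
# Added example, not from the slides: a toy proof-carrying-code pipeline.
# Verification conditions (VCs) are linear inequalities  expr >= 0  over
# integer variables.  A certificate for a VC is a vector of non-negative
# multipliers lam such that sum(lam_i * H_i) over the hypotheses H_i has the
# same variable coefficients as the goal and a constant no larger than the
# goal's; the goal then differs from a known-true inequality only by a
# non-negative constant, so it holds.  The consumer checks this with
# arithmetic alone.
from itertools import product

# Linear expressions are dicts {var: coef}; the constant lives under key "".
def add(a, b):
    out = dict(a)
    for v, c in b.items():
        out[v] = out.get(v, 0) + c
    return {v: c for v, c in out.items() if c != 0}

def scale(a, k):
    return {v: k * c for v, c in a.items() if k * c != 0}

def const(e):
    return e.get("", 0)

def vars_of(e):
    return {v: c for v, c in e.items() if v != "" and c != 0}

# --- shared by producer and consumer: the VC generator (part of the TCB)
def vcgen(accesses, n):
    """For each array access a[e], with len(a) == n, emit the exception
    freedom VCs  e >= 0  and  n - 1 - e >= 0  (index within bounds)."""
    vcs = []
    for e in accesses:
        vcs.append(("lower", e))
        vcs.append(("upper", add({"": n - 1}, scale(e, -1))))
    return vcs

# --- consumer side: the checker (part of the TCB); no search, linear time
def check(hyps, goal, lam):
    """Return True iff the multiplier vector lam certifies goal from hyps."""
    if len(lam) != len(hyps) or any(m < 0 for m in lam):
        return False
    combo = {}
    for m, h in zip(lam, hyps):
        combo = add(combo, scale(h, m))
    return vars_of(combo) == vars_of(goal) and const(combo) <= const(goal)

# --- producer side: proof search (the "planner"); untrusted, may be costly
def prove(hyps, goal, max_mult=3):
    """Brute-force the multiplier vector; the result is the certificate.
    Like an oracle string it records the search choices, so the consumer
    replays them instead of searching."""
    for lam in product(range(max_mult + 1), repeat=len(hyps)):
        if check(hyps, goal, lam):
            return lam
    return None

def certify(hyps, accesses, n):
    """Producer: one certificate per VC; raise if a VC cannot be discharged."""
    certs = []
    for kind, goal in vcgen(accesses, n):
        cert = prove(hyps, goal)
        if cert is None:
            raise ValueError(f"cannot discharge {kind}-bound VC {goal}")
        certs.append(cert)
    return certs

def validate(hyps, accesses, n, certs):
    """Consumer: regenerate the VCs itself (never trust goals shipped by the
    producer) and check every certificate against them."""
    vcs = vcgen(accesses, n)
    return len(certs) == len(vcs) and all(
        check(hyps, goal, cert) for (_, goal), cert in zip(vcs, certs))

# Constructed sample (hypothetical, for illustration only):
#   precondition 0 <= i <= 7, array a of length 10, accesses a[i], a[i+2], a[9-i]
HYPS = [{"i": 1}, {"": 7, "i": -1}]           # i >= 0,  7 - i >= 0
ACCESSES = [{"i": 1}, {"i": 1, "": 2}, {"": 9, "i": -1}]
N = 10

if __name__ == "__main__":
    certs = certify(HYPS, ACCESSES, N)
    print("certificates:", certs)
    print("consumer accepts:", validate(HYPS, ACCESSES, N, certs))
    tampered = list(certs)
    tampered[1] = (0, 0)                       # a forged/empty certificate
    print("tampered certificate accepted:", validate(HYPS, ACCESSES, N, tampered))
    try:
        certify(HYPS, ACCESSES + [{"i": 1, "": 3}], N)   # a[i+3] can reach a[10]
    except ValueError as err:
        print("producer fails:", err)
```

Two points the slides make show up directly: the certificate for each VC is two small integers, far smaller than a written-out proof, and the consumer never trusts the producer's VCs, since it regenerates them from the code itself; a forged certificate, or a program with an out-of-bounds access, is rejected or cannot be certified at all.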