Towards Automatic Verification of Safety Architectures Carsten Schürmann Carnegie Mellon University April 2000


Page 1

Towards Automatic Verification of Safety Architectures

Carsten Schürmann, Carnegie Mellon University

April 2000

Page 2

Subtitle: Twelf, A Tool to Reason About Formal Systems

Page 3

Motivation

CERT advisories [www.cert.org] (Computer Emergency Response Team), January 1999 to February 2000:
• 29 advisories total
• 11 advisories: buffer overflow (e.g. ftpd)
• Others: viruses, denial of service, ...

> 38% of vulnerabilities due to bugs

Page 4

Motivation

We need tools to
• Increase confidence in software
• Engineer trusted bases for computing
• Catch programming language design flaws

There is such a tool: Twelf

Page 5

Contributions

Design of Twelf
• Meta-logic [Schürmann 00]
• Algorithms for automated deduction

Implementation of Twelf
• Core [Pfenning, Schürmann 99]
• Meta theorem prover [Schürmann 00]

Application of Twelf
• Experiments

Page 6

Outline of This Talk

Problem: Safety Architectures

Twelf: Design, Implementation, Experiments

Conclusion: Research Agenda

Page 7

Trusting the Source?

Example: WU-ftpd 2.6.0: 17865 lines of code; GCC-core 2.95.2: 433128 lines of code

Related work: Piton/Micro Gipsy [Moore, Young, Bevier 89]

Diagram: Source -> Compiler -> Binary (Trusted Computing Base)

Page 8

Trusting Binaries?

Example: WU-ftpd 2.5.0 binary: 150 KB [RedHat 6.1]

Related work: Software fault isolation [Wahbe, ... 93]

Diagram: Source -> Compiler -> Binary -> Verifier (Trusted Computing Base)

Page 9

Trusting Safety Proofs?

Feasibility study: Packet filter [Necula, Lee 96]

Diagram: Source -> Compiler -> Binary + Safety Proof -> Proof Checker; Safety Proof Language; Small Trusted Computing Base

Page 10

Safety Architectures

Proof Carrying Code
• Logic: 129 rules [Necula, Lee 97]
• Logic: several 100 rules [Appel, Felty 99]
• Proof checker: 206 lines [Schürmann 98], uses a logical framework

Typed Assembly Language
• Type theory: 31 rules [Morrisett, Crary, ... 98]
• Proof checker: approx. 4000 lines

Java Bytecode
• Type system: 20 pages of prose
• Bytecode verifier

Page 11

Logical Frameworks

Uniform representation language for storing, shipping and checking safety proofs

Logic-independent safety proof checker

Diagram: Binary + Safety Proof -> Proof Checker, with the Safety Proof Language expressed in a Logical Framework

Page 12

Safety Proof Languages

First-order/higher-order logics [Gentzen 35]

Temporal logics (CTL, CTL*, LTL) [Pnueli, Manna, ... 84]

Modal and linear logics [Girard 86]

Type theories

Language and system-specific knowledge

Page 13

Good Safety Proof Languages

Consistency: falsehood should not be derivable

Expressiveness: small safety proofs require expressive logics

Extensibility: possibility to add new admissible rules

Is The Safety Proof Language Good?

Page 14

Meta-Logical Frameworks

Diagram: Binary + Safety Proof -> Proof Checker; Safety Proof Language on top of a Logical Framework, all inside a Meta-Logical Framework

Is The Safety Proof Language Good?

Page 15

Rest of this Talk

Twelf: a meta-logical framework that supports the representation of logics and type systems and automates reasoning about them

Used at CMU, Princeton, Stanford…

Page 16

Overview

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

Meta-logical Framework
• Automated proof search
• Formulas
• Direct encoding as proofs

Page 17

Let’s Start

Safety Proof Language
• Logic
• Judgments
• Inference rules

Page 18

A Simple Logic

Intuitionistic logic; formulas and contexts: $A ::= \ldots \mid A_1 \supset A_2 \mid \ldots$, $\quad \Gamma ::= A_1, \ldots, A_n$

Sequent calculus [Gentzen 35]

Judgment: $\Gamma \vdash A$

Rules:

$\dfrac{}{\Gamma, A \vdash A}\ \mathrm{axiom}$

$\dfrac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$

$\dfrac{\Gamma \vdash A \qquad \Gamma, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}$

$\dfrac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$

Page 19

Next: Logical Framework LF

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Page 20

Logical framework LF [Honsell, Harper, Plotkin 93]

Simply typed λ-calculus with dependent types

Paradigm: judgments as types, derivations as objects

Representation: a derivation $\mathcal{D} :: A_1, \ldots, A_n \vdash A$ in the logic is represented in the logical framework as the typing

$u_1{:}\mathrm{hyp}\,A_1, \ldots, u_n{:}\mathrm{hyp}\,A_n \vdash D : \mathrm{conc}\,A$

Page 21

Representation (cont’d)

Inference rules as constants (each LF constant is followed by the sequent rule it encodes):

axiom : (hyp A -> conc A).

$\dfrac{}{\Gamma, A \vdash A}\ \mathrm{axiom}$

impr : (hyp A -> conc B) -> conc (A imp B).

$\dfrac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$

impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

$\dfrac{\Gamma \vdash A \qquad \Gamma, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}$

cut : conc A -> (hyp A -> conc C) -> conc C.

$\dfrac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$

Page 22

Representation (cont’d)

Diagram: Logic <-- 1-to-1 --> Logical Framework

Reasoning about the real world is as good as the encoding is

Theorem prover for LF [Schürmann 98]

Page 23

Notes on the Representation

Elegance: higher-order representation techniques, dependent types

Benefit: variables and substitutions come for free!

We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it.

[Allen Newell]

Page 24

Next: Reasoning

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

Page 25

A (Not So) Simple Argument

Theorem [Admissibility] [Gentzen 35]: If $\mathcal{D} :: \Gamma \vdash A$ and $\mathcal{E} :: \Gamma, A \vdash C$ then $\mathcal{F} :: \Gamma \vdash C$.

Proof: by induction on $A$, $\mathcal{D}$, $\mathcal{E}$.

Case: $\mathcal{E} = \dfrac{\mathcal{E}' :: \Gamma, A, B \vdash C}{\Gamma, A \vdash B \supset C}\ \mathrm{impr}$

$\mathcal{F}' :: \Gamma, B \vdash C$ by induction hypothesis on $\mathcal{D}$, $\mathcal{E}'$

$\mathcal{F} = \dfrac{\mathcal{F}' :: \Gamma, B \vdash C}{\Gamma \vdash B \supset C}\ \mathrm{impr}$ by application of impr

Page 26

History of This Result

Fundamental theorem in logic [Gentzen 35]

Consistency of first-order logic
• Structural proof [Pfenning 95]
• Twelf can prove it automatically [Schürmann 99]

Neither a toy problem nor a trivial problem
• 18² = 324 cases for full first-order intuitionistic logic
• One of the most basic theorems of logic and automated deduction

Page 27

Significance of This Result

It is not reasoning in a logic
• A derivation in a logic is only an object
• The admissibility lemma is not expressible

But reasoning about a logic
• Step outside the logic
• Analyze properties of the logic
• The admissibility lemma is expressible


Page 28

Next: Meta-logical Framework

Safety Proof Language
• Logic
• Judgments
• Inference rules

Logical Framework
• Uniform language
• Types
• Direct encoding as objects

Reasoning
• Consistency arguments
• Theorems about logics
• Inductive proofs

Meta-logical Framework
• Automated proof search
• Formulas
• Direct encoding as proofs

Page 29

Problem

Reasoning about derivations is inductive. In general, LF signatures are not inductive, so standard induction techniques do not apply.

axiom : (hyp A -> conc A).

impr : (hyp A -> conc B) -> conc (A imp B).

impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

Negative occurrence: hyp appears to the left of -> in the arguments of impr and impl.

Page 30

Closed World Assumption

Standard induction techniques assume a fixed set of constructors and the existence of induction principles.

Example: natural number induction

zero : nat.

succ : nat -> nat.

Page 31

Open World Assumption

No induction principles: type definitions are open-ended, and new types and new inference rules may be added.

Example: the Admissibility Theorem is not stable under extensions of the world.

Forms of objects are not predictable.

Page 32

Solution

Regular world assumption: between the closed world assumption and the open world assumption

Page 33

Regular World Assumption

Extensions to the world are predictable!

Sound induction principles exist, but they are not standard!

axiom : (hyp A -> conc A).

impr : (hyp A -> conc B) -> conc (A imp B).

impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).

h1 : hyp A1.

h2 : hyp A2.

. . .

hn : hyp An.

Page 34

Meta Logic M2

Regular extensions of the world, here: $\Gamma ::= \cdot \mid \Gamma, u{:}\mathrm{hyp}\,A$

Theorem [Admissibility]: If $\mathcal{D} :: \Gamma \vdash A$ and $\mathcal{E} :: \Gamma, A \vdash C$ then $\mathcal{F} :: \Gamma \vdash C$.

As a formula of M2 over the LF encoding:

$\forall A{:}o.\ \forall C{:}o.\ \forall D{:}\mathrm{conc}\,A.\ \forall E{:}(\mathrm{hyp}\,A \to \mathrm{conc}\,C).\ \exists F{:}\mathrm{conc}\,C.\ \mathrm{true}$

Page 35

Meta Logic M2 (cont’d)

Formulas: $F ::= \forall x{:}A.\,F \mid \exists x{:}A.\,F \mid F_1 \wedge F_2 \mid \mathrm{true}$

Semantics:

$\models \mathrm{true}$

$\models \forall x{:}A.\,F$ iff for all $M$ s.t. $\vdash M : A$, $\models F[M/x]$

$\models \exists x{:}A.\,F$ iff for some $M$ s.t. $\vdash M : A$, $\models F[M/x]$

$\models F_1 \wedge F_2$ iff $\models F_1$ and $\models F_2$

Page 36

Meta Logic M2 (cont’d)

Proof calculus for M2 [Schürmann 00]

Judgment: $\vdash P \in F$ ($P$ is a proof of the formula $F$). Rules: see thesis.

Theorem [Soundness of M2] [Schürmann 00]: If $\vdash P \in F$ then $\models F$.

Proof: via realizability interpretation.

Page 37

Twelf Implementation

Implements a theorem prover for M2

Success due to the regular world assumption

Automated proof search, no tactics

Diagram: inputs Lemmas, Ind.-variables and Bound -> Twelf -> Proof in M2, or Not found

Page 38

Twelf Implementation (cont’d)

Splitting: case analysis over LF objects (regular world assumption)

Recursion: induction hypotheses (regular world assumption)

Filling: applies an underlying LF prover, or a theorem prover for the underlying logic

Page 39

Experiments

Problem           Theorem                   Total time    Reason
Cut-Elimination   IL Admissibility of Cut   6min 35sec
                  Cut-elimination           0.28sec
ND - Sequent      ND -> Sequent             0.11sec
                  Sequent -> ND             0.12sec
ND - Hilbert      Deduction theorem         0.12sec
                  Translation theorem       0.37sec

Machine: Pentium II, 400 MHz, 192 MB RAM, Linux 2.0

Page 40

Experiments (cont’d)

Problem             Theorem                 Total time    Reason
Mini-ML             Value-soundness         0.13sec
                    Type preservation       0.42sec
                    Reduction theorem       0.66sec
(app/lam)           Uniqueness of typing    0.25sec
Compiler (CPM)      Soundness               not yet       Compl. ind.
                    Completeness            0.31sec
(both directions)   Proof equivalence       0.46sec
CCC                 Translation lambda      3.392sec
                    Distributivity          not yet       LF Prover

Machine: Pentium II, 400 MHz, 192 MB RAM, Linux 2.0

Page 41

Experiments (cont’d)

Problem Total time Reason

Problem          Theorem               Total time    Reason
Church-Rosser    Append lemma          0.08sec
                 Substitution lemma    0.18sec
                 Diamond lemma         5.6sec
                 Strip lemma           3min 58sec
                 Confluence lemma      28.52sec
                 Church-Rosser thm     2.05sec

Machine: Pentium II, 400 MHz, 192 MB RAM, Linux 2.0

Page 42

Experiments (cont’d)

Problem Total time Reason

Problem             Theorem                  Total time    Reason
LP (Harrop)         Soundness (Uni)          0.31sec
                    Canonical forms          0.34sec
                    Completeness (Uni)       0.28sec
                    Soundness (Res)          1.05sec
                    Completeness (Res)       0.52sec
Kolmogorov CL->IL   Soundness                9.55sec
                    Completeness             not yet       LF Prover
Rippling            Equivalence lemma        0.65sec
                    Skeleton preservation    0.94sec

Machine: Pentium II, 400 MHz, 192 MB RAM, Linux 2.0

Page 43

Contributions

Design of Twelf
• Design of a theorem prover for LF
• Regular world assumption
• Design of the sound meta-logic M2

Implementation of Twelf
• Core (together with Frank Pfenning)
• Meta theorem prover

Application of Twelf
• Experiments

Page 44

Research Vision

I believe that the demand for safe and secure software, networks, programming languages will continuously increase.

I foresee myself designing, implementing, and applying the necessary tools.

Page 45

Research Agenda

Towards real-world applications
• Network protocol design
• Security protocol design
• Programming language design
• Software engineering

Page 46

Research Agenda (cont’d)

Design and Implementation
• Meta logic + Constraints
• Lemma generalization
• Natural language explanation

Page 47

Conclusion

A meta-logical framework (Twelf) that supports the representation of logics and type systems and automates reasoning about them

http://www.twelf.org