1 / 19

Certifying Domain-Specific Policies

Certifying Domain-Specific Policies. Michael Lowry Thomas Pressburger Grigore Rosu NASA Ames Research Center. Certification Spectrum I. Automation. Type checking: Automatic , efficient , effective Reveals a very limited set of errors. Trade - off. Efficiency. Generality. Efficacy.

brendalewis
Download Presentation

Certifying Domain-Specific Policies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certifying Domain-Specific Policies Michael Lowry Thomas Pressburger Grigore Rosu NASA Ames Research Center

  2. Certification Spectrum I Automation • Type checking: • Automatic, efficient, effective • Reveals avery limitedset of errors Trade - off Efficiency Generality Efficacy

  3. Certification Spectrum II • Polyspace – a static analysis tool • Automatic, sometimes efficient, sound • False positives, limited to prog language-specific errors • Proof Carrying Code (PCC) – Necula et al. • Automatic, effective and efficient for consumer; sound • Annotations, limited safety policies (memory safety) • Extended Static Checker (ESC) – Leino et al. • Elegant trade-off; relatively efficient and effective • language-specific errors and a bit more • ~10% annotations, not sound!

  4. Domain Specific Certifiers (DSC) • Check domain-specific safety policies • Domains presented axiomatically • Safety policies as partial abstractions • High degree of automation • Annotations often needed only for inputs • Informative warnings • Inconsistency with axioms, deep meaning

  5. Architecture of a DSC Abstract Domain (Executable Specification) Coordinate Frames SI Units, etc. Abstraction Semantics (Executable Specification) Encodes Safety Policies frameSafe : Pgm -> Bool unitSafe : Pgm -> Bool Programming Language (Syntax Specification) C, Java, Fortran

  6. Our Approach to DSC • Use a limited amount of theorem proving • Equational logics are powerful and expressive • Rewriting implements them efficiently • Use Maude as executable spec language • 3 milion rewrites per second on 1.5 GHz PCs! • Membership Equational Logic (MEL) • excelent to deal with partiality • Mix-fix signatures • parsing for free, natural and easy to read axioms

  7. A Case Study:Frame Certification • Abstract Domain = Axiomatization of Frames (Translations, Rotations, etc.) • Abstraction = Partial interpretation of functions into the abstract domain • Programming Language = Simple assignment language; Fortran & NAIF

  8. Frame Certification:Programming Language • NAIF library + assignment • Example problem: Given a time tEarth and an observation point pObs on Earth, calculate the angle under which Saturn is seen from pObs at time tEarth; the angle is relative to the normal on Earth’s surface in pObs.

  9. Earth dNorm pObs rEarth mEarth pObs dNorm angle Saturn dSaturn Earth pObs pSaturn pEarth J2000 Example ... // tEarth : time of observation // pObs : position of observation rEarth := bodvar(earthId, ‘radii’); dNorm := surfnm(rEarth, pObs); pEarth := findp(earthId, tEarth); mEarth := bodmat(earthId, tEarth); pObs := mtxv(mEarth, pObs); dNorm := mtxv(mEarth, dNorm); tSaturn := sent(saturnId, earthId, tEarth); pSaturn := findp(saturnId, tSaturn); pObs := vadd(pEarth, pObs); dSaturn := vsub(pSaturn, pObs); angle := vsep(dNorm, dSaturn);

  10. Specifying the Language • Maude: order-sorted mix-fix notation • Can parse any familiar syntax • Only domain-specific semantics is needed! fmod PROG-LANG is sorts PlReal PlVector PlMatrix Var Stmt Pgm . subsort Stmt < Pgm . op _;_ : Pgm ; Stmt -> Pgm . ops vadd vsub : PlVector PlVector -> PlVector . ops mxv mtxv : PlMatrix PlVector -> PlVector . ops vdist vsep : PlVector PlVector -> PlReal . op _:=_ : Var PlVector -> Stmt . … enfm

  11. Frame Certification:Abstract Domain • The most difficult part of the frame DSC

  12. Abstract Domain:Orientations and Rotations • Orientations and rotations as ADT • Form a Category unit(O) sorts Orientation Rotation . ops s t : Rotation -> Orientation . op unit : Orientation -> Rotation . eq s(unit(O)) = O . eq t(unit(O)) = O . op _~ : Rotation -> Rotation . eq Rot ~ ~ = Rot . eq s(Rot ~) = t(Rot) . op _*_ : Rotation Rotation -> [Rotation] . cmb Rot * Rot’ : Rotation if t(Rot) = s(Rot’) . eq Rot * (Rot ~) = unit(s(Rot)) . O Rot O’ O partiality Rot ~ Rot’ Rot * Rot’ Rot O’’ = O’’ O O O’ O

  13. Abstract Domain:Frames and Translations • Frames and Translations are also a Category Trans’ Frm’’ Frm’ Trans Trans + Trans’ Frm

  14. Abstract Domain:Some Axioms (Rewriting Rules) • Other operations added: • Rotate frames, translations, directions op _@_ : Frame Rotation ->[Frame], etc. • Extract orientation of frames, translations op frameOrt : Frame -> Orientation, etc • Other axioms added, such as: • Check and cumulate rotations cmb Frm @ Rot : Frame if frameOrt(Frm) = s(Rot) . ceq frameOrt(Frm @ Rot) = t(Rot) if Frm @ Rot :: Frame . eq (Frm @ Rot) @ Rot’ = Frm @ (Rot * Rot’) • Commutativity of translations and rotations, etc • Rotation then translation = translation then rotation partiality

  15. Frame Certification:Abstraction, Safety Policy • Common abstract supersort: FrameSafe • Common concrete supersort: Value • Partial abstraction operation: op |_| : Value -> [FrameSafe] • Axioms: eq | vadd(V, V’) | = | V | + | V’ | eq | mtxv(M, V) | = | V | @ (| M | ~) cmb |vsep(V, V’)| : Real if frameOrt(s(|V|))=frameOrt(s(|V’|)) • Safety Policy: op frameSafe : Pgm -> Bool eq frameSafe(Pgm ; Var := Value) = |Pgm[Value]| :: FrameSafe and frameSafe(Pgm) partiality

  16. Evaluation and Scaling • Tested it on mutant programs • Discovered all the mutants • Tested it on larger synthetic programs • NAIF programs are compact: we did not find large real programs • Certified 1000 SLOC in • 2.2 seconds without caching • 1.3 seconds with caching eq frameSafe(Pgm ; Var := Value) = |Pgm[Value]| :: FrameSafe and frameSafe(Pgm) • Current implementation runs in O(n^2) • Pgm[Value] is linear, so1 + 2 + … + (n –1)steps • The problem: backwards traversal of the program • Can be O(n): forwards traversal and environments

  17. Why not types?(like in MDS, ML) • Better ask: Why types? • Algebraic approach is elegant, efficient, modular • Inconvenient • changes/specializes the language by adding types • Intractable • Type inference in presence of equations • Execution overhead • Additional method calls (some compilers can optimize this) • Limiting: rejects pObs := mtxv(mEarth, pObs); • Cannot calculate the geometric mean of an array temp := temp * x[i]; // what’s the type of temp?

  18. Future and Current Work • Reimplement frame certification linearly • Measurement Unit certification • Do not add meters and seconds! • Simple and expandable Abstract Domain: sorts BUnit Unit . subsorts BUnit < Unit . op nil : -> Unit . ops kg m s : -> BUnit . op Newton : -> Unit . op _^_ : Unit Int -> Unit [prec 10] . op __ : Unit Unit -> Unit [assoc comm prec 15] . vars U U' : Unit . vars N M : Int . eq U nil = U . eq nil ^ N = nil . eq U ^ 0 = nil . eq U ^ 1 = U . eq U U = U ^ 2 . eq U (U ^ N) = U ^ (N + 1) . eq (U ^ N) (U ^ M) = U ^ (N + M) . eq (U U') ^ N = (U ^ N) (U' ^ N) . eq (U ^ N) ^ M = U ^ (N * M) . eq Newton = kg m s ^ -2 . AC matching

  19. Future and Current Work • Measurement Unit certification • Programming language: BC • “for” and “while” loops, “if_then_else” • Function definitions (can be recursive) • Arrays; no pointers, no objects • Complex abstraction semantics • Stacks and sets of environments • Symbolic abstract, domain-specific execution • Programming language specific policies • Memory safety, deadlocks/dataraces, division by 0 • Combine with Runtime Verification • Prove statically what is tractable, monitor the rest

More Related