Static Provenance Verification for Message Passing Programs
Rupak Majumdar (MPI-SWS), Roland Meyer (TU Kaiserslautern), Zilong Wang (MPI-SWS)
Motivation: Taint Analysis
“All data from sources must be sanitized before a sink.”
[Figure: data flowing source → sanitizer → sink, contrasted with the "otherwise" case]
Provenance
Information about the source and access history of an object
• Databases: What rows were used to compute a query?
• Workflows: Which information was used for a result?
• Program analysis: what can we do?
Provenance Verification for Concurrent Programs
Questions:
• Can we statically track provenance information in a concurrent program model?
• Can we verify interesting provenance properties?
Main results:
• A model of asynchronous message passing programs with provenances
• Static provenance verification is decidable (with finite data domains)
Message Passing Program
• Principals run in parallel, each with local variables; operations: control flow, send(ch, x), recv(ch, x)
• Channels: unbounded but unordered
• Messages: finite domain
Provenance on Messages
• Provenance of a message = the principals who have sent the message, in chronological order
• Provenance domain = strings over principal names
Medical Example
    principal patient {
      var p1, p2, p3;
      while (true) {
        choose
          :: p1 = HQ; send(ch0, p1);
          :: p1 = AR; send(ch0, p1);
          :: recv(ch1, p2); if (p2 == HA) p3 = p2;
      }
    }
    principal secretary {
      var s1, s2;
      while (true) {
        recv(ch0, s1);
        if (s1 == HQ) send(ch2, s1);
        else { s2 = AA(s1); send(ch1, s2); }
      }
    }
    principal doctor {
      var d1, d2;
      while (true) {
        recv(ch2, d1);
        d2 = HA(d1);
        choose
          :: send(ch2, d2);
          :: send(ch1, d2);
      }
    }
[Figure: control locations PC1, PC2, PC3 and channels ch0, ch1, ch2; messages are annotated with their provenances, e.g. HQ with provenance patient on ch0, HQ with provenance patient.secretary on ch2, HA with provenance patient.secretary.doctor after the doctor's send, HA with provenance patient.secretary.doctor.doctor after the doctor passes it through ch2 once more, and finally HA stored in p3]
Medical Example (same three principals as above)
Requirement: Every health answer received by a patient must be seen by a doctor at least once.
Provenance problem: Are the provenances of the messages stored in p3 always in the regular set along all executions?
[Figure: the same program with control locations PC1, PC2, PC3 and channels ch0, ch1, ch2; an HQ message in ch0 and an HA message with provenance patient.secretary.doctor.doctor in flight]
Provenance Verification Problem
Given a message passing program P, a variable x, and a regular set R of provenances, are the provenances of all messages stored in x always in the set R along all executions of P?
Verification Challenge
Infinite state space:
• Unboundedly many messages in a channel
• Unboundedly many provenances
Unbounded Messages in a Channel (same three principals as above)
[Figure: the patient loops at PC1 sending HQ, so ch0 accumulates HQ, HQ, ... without bound]
Unboundedly Many Provenances (same three principals as above)
[Figure: the doctor can re-send on ch2 and receive its own message arbitrarily often, so an HA message with provenance ….doctor.doctor reaches the patient at PC3]
Unbounded Messages: Petri Net
• Finite set of places
• Finite set of transitions
• Places marked with tokens
• Fire transitions
• An infinite state system
• Coverability problem is decidable: is a given place markable in some execution?
Program to a Bisimilar Petri Net
[Figure: a small Petri net fragment with places A and B]
• A transition for each operation in a program
• A place for each control location
• A place (x, m) for each variable x and each message value m
• A place (ch, m) for each channel ch and each message value m
Consider Provenances
• Unboundedly many provenances
• ... hence unboundedly many places!
Provenance Automata
• Provenance problem: Are the provenances of all messages stored in x always in the regular set R of provenances along all executions of P?
• A regular set of provenances is given by a DFA
• The answer to the problem depends on the states of the DFA, not on individual provenances. Equivalence classes w.r.t. states: two provenances are equivalent if they take the DFA to the same state.
Track States, not Provenances (same three principals as above)
[Figure: the DFA for R with states q0, q1, q2, q3 and a sink, edges labelled P, S, D; the HA message with provenance patient.secretary.doctor is represented as HA,q3]
Track States, not Provenances (same three principals as above)
Provenance problem: Are the provenances of messages in p3 always in the regular set along all executions?
Coverability problem: Is one of the places (p3,*,q1), (p3,*,q2) and (p3,*,sink) markable along some execution?
[Figure: messages now carry DFA states instead of provenances, e.g. HQ,q2 and HA,q3; the DFA with states q0, q1, q2, q3 and edges labelled P, S, D]
Reduction
Program + Provenance DFA ➔ Petri net (polynomial-size construction)
Provenance verification problem = Coverability problem of Petri nets
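An added example, not from the slides, of the "track states, not provenances" abstraction and of the (x, m, q) places of the reduction: the medical example's three principals are run over sets of (place, value, DFA state) tokens until a fixed point, and the coverability targets (p3, *, q) with non-accepting q are reported. The DFA for R is an assumption reconstructed from the slide figure (states q0 to q3 plus a sink, edges labelled by principal), and a stricter variant shows how the doctor's re-send on ch2 produces a violation.

```python
# Assumed DFA for the slides' regular set R (the deck shows only states
# q0..q3 and a sink with edges labelled P, S, D; this is a reconstruction).
# Missing edges lead to the absorbing "sink" state.
EXACT = {("q0", "patient"): "q1", ("q1", "secretary"): "q2",
         ("q2", "doctor"): "q3", ("q3", "doctor"): "q3"}  # R = patient.secretary.doctor+
STRICT = {("q0", "patient"): "q1", ("q1", "secretary"): "q2",
          ("q2", "doctor"): "q3"}                        # variant: doctor exactly once
ACCEPT = frozenset({"q3"})

def step(dfa, q, principal):
    """A send by `principal` advances the message's DFA state by one letter."""
    return dfa.get((q, principal), "sink")

# Each principal maps the tokens (channel-or-variable, value, state) seen so far
# to the tokens it can produce. Fresh values (p1 = HQ) start in q0; derived
# values (AA(s1), HA(d1)) inherit the state of their input.
def patient(tokens, dfa):
    new = {("ch0", "HQ", step(dfa, "q0", "patient")),   # :: p1 = HQ; send(ch0, p1)
           ("ch0", "AR", step(dfa, "q0", "patient"))}   # :: p1 = AR; send(ch0, p1)
    new |= {("p3", m, q) for ch, m, q in tokens         # :: recv(ch1, p2);
            if ch == "ch1" and m == "HA"}               #    if (p2 == HA) p3 = p2
    return new

def secretary(tokens, dfa):
    new = set()
    for ch, m, q in tokens:
        if ch == "ch0" and m == "HQ":                    # forward the question to the doctor
            new.add(("ch2", "HQ", step(dfa, q, "secretary")))
        elif ch == "ch0":                                # s2 = AA(s1); send(ch1, s2)
            new.add(("ch1", "AA", step(dfa, q, "secretary")))
    return new

def doctor(tokens, dfa):                                 # d2 = HA(d1); send(ch2|ch1, d2)
    return {(out, "HA", step(dfa, q, "doctor"))
            for ch, m, q in tokens if ch == "ch2" for out in ("ch2", "ch1")}

def reachable_tokens(dfa):
    """Least fixed point of producible tokens. Channels are unordered and a token
    is never forgotten, so this over-approximates coverability; it is exact for
    this program, whose principals keep no state across iterations and can replay any send."""
    tokens = set()
    while True:
        new = patient(tokens, dfa) | secretary(tokens, dfa) | doctor(tokens, dfa)
        if new <= tokens:
            return tokens
        tokens |= new

def violating_places(dfa, var="p3", accept=ACCEPT):
    """Coverability targets (var, m, q) with q non-accepting that are markable."""
    return sorted(t for t in reachable_tokens(dfa) if t[0] == var and t[2] not in accept)
```

`violating_places(EXACT)` is empty, so the requirement holds; `violating_places(STRICT)` reports `('p3', 'HA', 'sink')`, because an HA that the doctor re-sent to itself on ch2 carries provenance patient.secretary.doctor.doctor.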
Main Theorem
The provenance verification problem for message passing programs is decidable and EXPSPACE-complete.
Application: Firefox Extensions
• Database service: mozIStorageService async APIs
• Private mode in Firefox: no restrictions for extensions in private mode
• Question: can extensions save user data into databases in private mode?
Extensions and Channels
[Figure: principals PriEx, PubEx and DB connected by channels ch0, ch1, ch2]
• ch0: for temporary files
• ch1, ch2: for database async API calls
• Are the provenances of all messages received by DB always in the set PubEx* along all executions?
Tool
• Use the JavaScript analyzer JSure to obtain the control flow of extensions
• Perform data flow abstraction to obtain Petri net models
• Run a coverability checker
Experimental Results
• Nine extensions using mozIStorageService
• Five extensions save user information to databases in private mode: Amazon price history, Facebook chat history manager, FVD Speed Dial, Privad privacy-aware ad server, Shopping assistant
Summary
• Provenance verification problem in concurrent message passing programs
• Reduces to the coverability problem of Petri nets
• Firefox extensions may save user data in private mode (Be careful!)
Questions? www.mpi-sws.org/~zilong