Lecture 20: Total
Correctness; ProofCarrying Code, CodeCarrying Proof
CS655: Programming Languages
David Evans
University of Virginia
http://www.cs.virginia.edu/~evans
Computer Science
Menu
• Axiomatic Semantics review and
continuation
• Proof-Carrying Code
10 April 2001
CS 655: Lecture 20
2
Goal: find weakest pre-condition
P & x0 = x
{
while n <= x do
n := n + 1;
result := result * n;
end
}
result = x0!
10 April 2001
CS 655: Lecture 20
Elevator speech
3
Go backwards: Inv & ~Pred  Q
Inv & ~Pred  Q
Inv & ~(n <= x)  result = x0!
Guess an Invariant:
Inv = result = (n - 1)! & x = x0 & n <= x + 1
Inv & ~(n <= x)  result = x0!
n <= x + 1 & ~(n <= x)  n = x + 1
result = ((x + 1) – 1)!  result = x!
x = x0  result = x0!
10 April 2001
CS 655: Lecture 20
4
Inv & Pred { Statement } Inv
result = (n - 1)! & x = x0 & n <= x + 1 & n <= x
{ n := n + 1; result := result * n; }
result = (n - 1)! & x = x0 & n <= x + 1
Rule for sequences:
{ A } s0 { B }, { B } s1 { C }
{ A } s0 ; s1 { C }
10 April 2001
CS 655: Lecture 20
5
Push: result := result * n
result0 = result &
result = (n - 1)! & x = x0 & n <= x + 1 & n <= x
{ result := result * n }
B
Substitute result = result0 * n:
B = result = (n – 1)! * n & rest is same
B = result = n! & rest is same
10 April 2001
CS 655: Lecture 20
6
Reminder: Inv = result = (n - 1)! & x = x0 & n <= x + 1
Push: n := n + 1
n0 = n & result = n0! & x = x0 & n0 <= x + 1 & n0 <= x
{ n := n + 1 }
Q
Substitute n = n0 + 1 (n0= n – 1) :
result = (n – 1)! & x = x0 & (n – 1) <= x + 1 & (n – 1)
<= x
 result = (n – 1)! & x = x0 & n <= x + 2 & n <= x + 1
 result = (n – 1)! & x = x0 & n <= x + 1  Inv
10 April 2001
CS 655: Lecture 20
7
Progress Checklist
We need to pick P to make this work.


P  Inv,
Inv { Pred }  Inv,  Trivial since Pred = (n <= x)
Inv & Pred { Statement } Inv,
(Inv & ~Pred)  Q,
while Pred do Statement end terminates
P { while Pred do Statement end } Q
10 April 2001
CS 655: Lecture 20
8
Find weakest pre-condition
• Need to show
P & x = x0  result = (n - 1)! & x = x0 & n <= x + 1
• Weakest:
P = result = (n – 1)! & n <= x + 1
• More intuitive (but stronger):
P = result = 1 & n = 0 & x >= 0
 result = 0! & n <= x + 1
 Inv
10 April 2001
CS 655: Lecture 20
9
What have we proved?
Partial correctness of:
result = 1 & n = 0 & x >= 0 & x0 = x
{ while n <= x do
n := n + 1; result := result * n;
end }
result = x0!
10 April 2001
CS 655: Lecture 20
10
Total Correctness:
Must show termination also
1. Define an energy function,
E  integer
2. Show P  E is finite, non-negative
3. Show Pred does not change E
4. Show loop body decreases E
e0 = E & Pred { Statement } E < e0
5. Show E = 0  ~Pred (termination)
Remind you of anything?
10 April 2001
CS 655: Lecture 20
11
Termination Proof
1. Energy Function
E=x+1–n
2. P  E is finite, non-negative
n = 0 & x >= 0  E = x + 1 – 0
x is >= 0, so x + 1 is finite, non-negative
3. Pred does not change E
Trivial, Pred is n <= x
10 April 2001
CS 655: Lecture 20
12
Termination Proof, Part 2
4. Show loop body decreases E
e0 = x + 1 – n & n <= x & n0 = n
{ n := n + 1; result := result * n; }
x + 1 - n < e0
True: x + 1 – (n0 + 1) < x + 1 - n0.
5. Show termination:
x + 1 - n = 0  ~(n <= x)
x + 1 = n  ~(x + 1 <= x)
10 April 2001
CS 655: Lecture 20
13
Proof-Carrying Code
10 April 2001
CS 655: Lecture 20
14
PCC: Basic Idea
• Creating a proof is hard
– Have to make up invariants, etc.
• Checking a proof is easy
– Simple mechanical application of rules
• Guarantee properties of untrustworthy
code by checking a proof provided by
code producer
10 April 2001
CS 655: Lecture 20
15
Proof-Carrying Code
Certifying Compiler
Program
Native Code
Proof
Native Code
Proof
Code Producer
Code Consumer
Ok
Proof Checker
Policy
CPU
10 April 2001
CS 655: Lecture 20
16
Tamper with Code
Certifying Compiler
Program
Native Code
Proof
Code Producer
Wily Hacker
Code Consumer
Tampered Code
No!
Proof
Proof Checker
CPU
10 April 2001
CS 655: Lecture 20
17
Tamper with Both
Certifying Compiler
Program
Native Code
Proof
Code Producer
Wily P. Hacker
Code Consumer
But it means the
desired property
still holds!
Tampered Code
Ok
No!
Tampered Proof
Proof Checker
CPU
10 April 2001
CS 655: Lecture 20
18
What must the proof prove?
Safety Policy
VCGen
Safety Predicate
Program
• Depends on the policy
• Code consumer must run VCGen (can’t trust
proof unless it proves safety predicate)
• VCGen can be developed from an
operational semantics
10 April 2001
CS 655: Lecture 20
19
How many PCC systems in
active use?
•
•
•
•
•
•
2
100
1000
1 Million
10 Million
> 20 Million
10 April 2001
Java byte code verifier is
a limited implementation of PCC:
• Bytecodes include extra
information on typing,
stack use, etc.
• Bytecode verifier checks it to
enforce low-level code
safety properties
Peter Lee claims most linkers are
instances of PCC also.
CS 655: Lecture 20
20
SVML
Program::= TypeHint* Statement*
TypeHint::= TYPE MemoryLocation Type
Type::= INTEGER | REF Type
Statement::=
STORE Expression_m Expression_v
Expression_m must have type ref (typeof Expression_v).
| READ Expression
Expression must have type ref (integer).
| WHILE Expression_l <= Expression_r
Expression_l and Expression_r must have type integer.
| ENDWHILE | HALT
| CHECKTYPE Expression Type
Generates a run-time error if type of Expression is not Type.
Expression::=
ADD Expression_1 Expression_2
Expression_1 and Expression_2 must have type integer.
| ADDP Expression_1 Expression_2
Expression_1 must have type ref(T). Expression_2 must have type integer.
| DEREF Expression
10 April 2001
Expression must have type ref (T).
CS 655: Lecture 20
21
An SVML Program
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT % abbrev for 201 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3]
CHECKTYPE DEREF M1 REF INT
[4]
READ DEREF M1
[5]
STORE M1 ADDP DEREF M1 1
[6]
STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT
10 April 2001
CS 655: Lecture 20
22
VCGen for SVML
VCGen (PC) =
if Inst[PC] = STORE Expression_m Expression_v
typeof (Expression_m) = ref (typeof (Expression_v))
& VCGenE (Expression_m) & VCGenE (Expression_v) & VCGen (PC + 1)
if Inst[PC] = WHILE Expression_l <= Expression_r
typeof (Expression_l) = integer & typeof (Expression_r) = integer
& VCGenE (Expression_l) & VCGenE (Expression_r)
& VCGen (PC + 1) & VCGen (<pc of next ENDWHILE>)
if INST[PC] = READ Expression
typeof (Expression) = ref (integer)
& VCGenE (Expression) & VCGen (PC + 1)
if INST[PC] = CHECKTYPE Expression Type
VCGen (PC + 1)
can assume typeof (Expression) = Type
if INST[PC] = ENDWHILE
VCGen (PC + 1)
if INST[PC] = HALT
true
10 April 2001
CS 655: Lecture 20
23
VCGenE
VCGenE (E) =
if E = ADD Expression_1 Expression_2
typeof (Expression_1) = integer
& typeof (Expression_2) = integer
& VCGenE (Expression_1) & VCGenE (Expression_2)
if E = ADDP Expression_1 Expression_2
typeof (Expression_1) = ref (T)
& typeof (Expression_2) = integer
& VCGenE (Expression_1) & VCGenE (Expression_2)
if E = DEREF Expression
typeof (Expression) = ref (T) & VCGenE (Expression)
if E = IntLiteral
true
if E = MemoryLocation
true
10 April 2001
CS 655: Lecture 20
24
VCGen for Program
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT % abbrev for 201 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3]
CHECKTYPE DEREF M1 REF INT
[4]
READ DEREF M1
[5]
STORE M1 ADDP DEREF M1 1
[6]
STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT
10 April 2001
CS 655: Lecture 20
25
Constructing a Proof
A = type environment
= [ M0: ref (integer), M1: ref (ref (integer)),
M100-M200: ref (integer) ]
Axioms are typing judgments (your PS2 solution)
We need to show: A proves VCGen (0)
Type bindings given by
CHECKTYPE Expression Type
are true until STORE Expression_x Expression
or READ Expression_x
where typeof (Expression_x) = Type.
10 April 2001
CS 655: Lecture 20
26
So Far
• About as easy to generate these proofs
as to check them, so no need to pass
proof around with code.
• Except: the type hints are really a proof!
• CHECKTYPE is expensive – optimizing
compiler should be able to remove it for
this program
10 April 2001
CS 655: Lecture 20
27
An SVML Program
[T0] TYPE M0 INT [T1] TYPE M1 REF INT
[T2] TYPE M100-M199 INT % abbrev for 200 decls
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
Need a loop invariant
[3]
READ DEREF M1
[4]
STORE M1 ADDP M1 1
[5]
STORE M0 ADD M0 1
[6] ENDWHILE
[7] HALT
10 April 2001
CS 655: Lecture 20
28
Requirements for Invariant
• Strong enough to prove:
Inv & Pred  VCGen ([3] READ DEREF M1)
Inv & (DEREF M0 <= 99)  typeof (DEREF M1) = ref
(integer)
• Weak enough to prove:
TypeHints + [0] STORE M0 0 + [1] STORE M1 M100  Inv
• Weak and strong enough to prove WHILE
loop axioms
Inv & (DEREF M0 <= 99) {
[3] READ DEREF M1
[4] STORE M1 ADDP M1 1
[5] STORE M0 ADD M0 1 } Inv
10 April 2001
CS 655: Lecture 20
29
Loop Invariant
Inv =
DEREF (DEREF M1) = 100 + DEREF M0
& DEREF M0 >= 0
This is the “proof” attached to the code.
Once you have it, checking is easy!
10 April 2001
CS 655: Lecture 20
30
PCC Summary
• Code producer provides a checkable proof of
desired property
• Code consumer verifies the proof
– Can use invariants, type hints, etc. but must not
assume they are true
– Help direct the checker to construct a proof quickly
• Enables optimizations not possible without
proof
• Enables guarantees not possible without
proof (lack of run-time errors)
10 April 2001
CS 655: Lecture 20
31
• Thursday:
Charge
– My INFOSEC PCC talk
– Elevator Speeches
– Intro to Concurrency
• PS4
– Some things are more “optional” than others; this is
really optional, but strongly recommended.
• Projects - progress email by tonight
– Meet with me if:
• You aren’t making good progress
• You aren’t sure what to do
• Your project has changed substantially
10 April 2001
CS 655: Lecture 20
32