Title: On the Scalability of Proof Carrying Code for Software Certification
Slide 1: On the Scalability of Proof Carrying Code for Software Certification
Andrew Ireland, School of Mathematical and Computer Sciences, Heriot-Watt University, Edinburgh
Slide 2: Outline
- High integrity software development
- Evidence based software certificates
- Scalability problems
- A planning approach
- Issues for discussion
Slide 3: The SPARK Approach
[Diagram of the SPARK toolchain, with boxes: SPARK code, SPARK Examiner, VCs, SPADE Simplifier, unproven VCs, SPADE Proof Checker, tactics, proofs, revisions]
- SPARK is a subset of Ada with annotations (Praxis High Integrity Systems Ltd)
- Supports data and information flow analysis and formal verification, in particular exception freedom proofs
- Used on the EuroFighter and Hawk projects; advocated by the NSA
Slide 4: SPARK and Certification
- Z specifications and rigorous proofs
- Data and information flow analysis
- Code level proofs
  - Exception freedom proofs: automatic and interactive proofs
  - Functional proofs: significant level of interactive proofs
  - Proof review files
- Resource analysis
- Note: explicit evidence via proof is either fragile or absent
Slide 5: NuSPADE
[Diagram of the NuSPADE toolchain, with boxes: SPARK code, SPARK Examiner, VCs, SPADE Simplifier, unproven VCs, NuSPADE, annotations, tactics, SPADE Proof Checker, proofs]
- NuSPADE: proof planning and program analysis
- Annotation generation motivated by proof-failure analysis
- Proof planning supports a robust style of reasoning, i.e. it addresses the fragility of interactive proof
Slide 6: NuSPADE
[Diagram: Proof Planner and Program Analyzer exchanging unproven VCs, abstract predicates, tactics and annotations]
Co-operative style of integration, i.e. productive use of failure
Slide 7: Evidence Based Certification
- Proof-Carrying Code (PCC) is an example of an evidence based approach to certification
- Code is delivered with a certificate containing a condensed mathematical proof, i.e. a proof that the code satisfies desired safety properties
- Responsibility for proof construction lies with the code producer; the consumer performs proof checking
- Trusted Computing Base (TCB) for PCC is small, i.e. safety properties, verification condition generator and proof checker
Slide 8: Properties, Proofs and Certificates
- Properties typically simple, e.g. memory safety
- Proof construction involves advanced type checking, i.e. no theorem proving
- Certificates
  - LF proofs: quadratic with respect to program size
  - LFi proofs: 2.5 to 5 times program size
  - Oracle strings: on average 12% of program size
- Proof tactics have also been used
Slide 9: Scalability Problems
- Need for comprehensive properties, e.g. functional properties
- MOBIUS: combining type-based and logic-based approaches
- Need to exploit automated theorem proving techniques
- Will the current PCC architecture scale up, e.g. oracle strings?
Slides 10-12: Proof Plans
[Diagram, built up over three slides, with boxes: Conjecture, Plan, Theory, Proof Planner, Tactic, Proof Checker, Proof; the third build adds an Oracle]
Slide 13: Planning Oracles as Certificates
[Diagram as on slide 12: Conjecture, Plan, Theory, Oracle, Proof Planner, Tactic, Proof Checker, Proof]
Slide 14: Planning Oracles as Certificates
- Oracle identifies
  - Proof plans and where they should be used
  - Relevant theories
  - Search control hints, e.g. auxiliary lemmas and generalization steps
Slide 15: Certificate Generation
[Diagram: Code and Spec go to Certificate Generation (VCGen, Planner, Checker), drawing on Repositories (plans and theories); the outcome is either a Proof, packaged as a Certificate (Oracle), or Failure]
Slide 16: Certificate Validation
[Diagram: Code and Spec, together with the Certificate (Oracle), go to Certificate Validation (VCGen, Planner, Checker), drawing on Repositories (plans and theories); the outcome is either a Proof, with the code released to the CPU, or Failure]
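The producer/consumer split of slides 7 and 8 and the oracle-based certificate generation and validation of slides 14 to 16 can be seen end to end in the following small Python simulation. It is an added example, not code from the talk, from NuSPADE or from any PCC system: the theory, goal strings and rule names are constructed, a plain backward-chaining search over Horn clauses stands in for the proof planner, and the oracle records which candidate rule was chosen at each goal so that the consumer can replay the proof without any search.

```python
"""Toy oracle-based proof-carrying code pipeline (constructed example).

Producer side: a backward-chaining search over a Horn-clause theory,
standing in for a proof planner, records the index of the rule it chose at
every goal.  That list of choices is the oracle, i.e. the certificate.
Consumer side: replays the oracle with no search at all and rejects the
certificate on any mismatch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    premises: tuple  # goals that must be proved first
    conclusion: str  # goal this rule discharges


# Constructed theory: a miniature exception-freedom argument that an array
# access a[i] is in bounds.  The rule names and goal strings are made up.
THEORY = (
    Rule("ax_lo", (), "0 <= i"),
    Rule("ax_hi", (), "i < 10"),
    Rule("ax_len", (), "len(a) = 10"),
    Rule("in_range", ("0 <= i", "i < 10"), "0 <= i < 10"),
    # A dead end listed first, so the producer has to backtrack past it.
    Rule("idx_safe_alt", ("i in dom(a)",), "safe(a[i])"),
    Rule("idx_safe", ("0 <= i < 10", "len(a) = 10"), "safe(a[i])"),
)


def candidates(theory, goal):
    """All rules whose conclusion matches the goal, in theory order."""
    return [r for r in theory if r.conclusion == goal]


def produce(theory, goal, oracle, depth=0, limit=50):
    """Producer: search for a proof of `goal`, appending the chosen rule index
    to `oracle` at each goal.  Choices made on a failed branch are undone.
    `limit` bounds recursion so a cyclic theory cannot loop forever."""
    if depth > limit:
        return False
    for idx, rule in enumerate(candidates(theory, goal)):
        mark = len(oracle)
        oracle.append(idx)
        if all(produce(theory, p, oracle, depth + 1, limit) for p in rule.premises):
            return True
        del oracle[mark:]  # backtrack: discard this branch's choices
    return False


def check(theory, goal, oracle):
    """Consumer: replay `oracle` against `theory` without searching.
    Returns (proof_tree, bits) on success, where `bits` is the information
    the oracle actually carried (a choice among one candidate costs 0 bits),
    or None if the certificate is malformed, truncated or padded."""
    pos = 0
    bits = 0

    def replay(g):
        nonlocal pos, bits
        if pos >= len(oracle):  # truncated certificate
            return None
        cands = candidates(theory, g)
        idx = oracle[pos]
        pos += 1
        if idx >= len(cands):  # choice points at a rule that does not exist
            return None
        bits += (len(cands) - 1).bit_length()  # ceil(log2(len(cands)))
        subproofs = []
        for p in cands[idx].premises:
            sub = replay(p)
            if sub is None:
                return None
            subproofs.append(sub)
        return (cands[idx].name, tuple(subproofs))

    tree = replay(goal)
    if tree is None or pos != len(oracle):  # padded certificate
        return None
    return tree, bits


def proof_nodes(tree):
    """Size of the fully expanded proof, for comparison with the oracle."""
    name, subs = tree
    return 1 + sum(proof_nodes(s) for s in subs)


if __name__ == "__main__":
    oracle = []
    print("producer found proof:", produce(THEORY, "safe(a[i])", oracle))
    print("oracle (certificate):", oracle)
    result = check(THEORY, "safe(a[i])", oracle)
    print("consumer accepts:", result is not None)
    if result:
        tree, bits = result
        print("proof nodes:", proof_nodes(tree), "oracle bits:", bits)
    print("tampered oracle accepted:",
          check(THEORY, "safe(a[i])", [0, 0, 0, 0, 0]) is not None)
```

Note what lies in the consumer's TCB here: `candidates`, `check` and the theory itself, which is the concern raised on slide 17 about repositories joining the TCB. For the sample goal the oracle carries one bit of information where the fully expanded proof has five nodes, and a tampered, truncated or padded oracle is rejected rather than repaired, which is what keeps search out of the checker.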
Slide 17: Discussion Issues
- The proposed proof planning approach will add theory repositories (and specifications) to the TCB: is this acceptable?
- For memory limited devices, proof planning oracles are not an option for on-device certificate validation: how important is on-device validation to certification management in general?
- More comprehensive properties will require off-device validation: could a dedicated certificate validation device have a role to play?
- Certificate transforming compiler or trusted compiler?
Slide 18: Conclusion
- The SPARK Approach: SPARK proofs lack explicit evidence or are fragile
- Proof planning gives rise to fully expansive proofs and increases automation, i.e. proofs are explicit and robust
- Building upon the idea of oracle strings, we propose the use of proof planning oracles as a technique for scaling PCC for general purpose software certification