Taking into account meta-programming concerns in static program verification - PowerPoint PPT Presentation

About This Presentation
Title:

Taking into account meta-programming concerns in static program verification

Description:

assume requires(main, (old heap, #0)); // true. start: // beginning of the program ... assume ensures(b.A. init , (pre heap, arg0), (heap, stack[0] ... – PowerPoint PPT presentation

Number of Views:15
Avg rating:3.0/5.0
Slides: 18
Provided by: wwwsop
Category:

less

Transcript and Presenter's Notes

Title: Taking into account meta-programming concerns in static program verification


1
Taking into account meta-programming concerns in
static program verification
Verifying with a Security Manager
  • Julien Charles

2
that fails
A classic scenario
package b class A /_at_ modifies \nothing
_at_ exsures false _at_/ public
A() // it does nothing basically
java different.Main gt Exception in thread
"main" java.lang.SecurityException at
a.b.Main1.checkPackageAccess(Main.java9) .
package different class Main /_at_ modifies
\nothing _at_ exsures false _at_/
public main(String args) b.A a
new b.A()
3
Interference
  • The semantic is unexpected
  • A JVM level component interfere
  • It is specified nowhere
  • How to verify correctly this program? (which
    semantic?)
  • AOP is all about that

4
Aspects
  • It really looks like a cross cutting concern
  • The Security Manager is an aspect
  • An invasive aspect
  • We need a framework to verify that!

5
A framework for meta-programming concerns
  • What are meta-programming concerns?
  • Meta-programs change the semantic of your virtual
    machine(s)
  • Meta-programs are invasive
  • Meta-programs are non-modular
  • Meta-programs are aspects
  • AspectJ programs

6
Modelling a Security Manager with Aspects
For our 2 lines program public void main()
b.A b new b.A()
public aspect SecurityManager SetltStringgt s
new HashSetltStringgt() pointcut
anyPublicMethod(Object o) target(o) call(
public ()) before(Object o)
anyPublicMethod(o) String pkg
o.getClass().getPackage().toString()
if(!s.contains(pkg)) s.add(pkg) if(pkg.equa
ls("b")) throw new SecurityException()

pkg "b"
s is empty, so it doesnt contain b yet
pkg "b" the exception is thrown
7
What verification process?
  1. Fully annotate the program and advices
  2. Abstract the advices
  3. Transform everything into BoogiePL
  4. Weave the abstracted advices
  5. Compute the weakest precondition

8
Specifications
  • We annotate the program code and the advices
  • Language used Pipa
  • Pipa vs. JML
  • Here we will limit to before specs

9
The annotated base program
/_at_ requires o ! null s ! null _at_
assignable \nothing _at_ ensures
s.contains(o.getClass().getPackage()) _at_
!(o.getClass().getPackage().equals("b")) _at_
exsures (SecurityException) !s.contains("b") _at_
(o.getClass().getPackage().equals("b"))
_at_/ before(Object o) anyPublicMethod(o)
...
/_at_ assignable \nothing _at_ ensures
s.contains("b") _at_ exsures (SecurityException)
_at_ !s.contains("b") _at_/ public
static void main(String args) b.A a new
b.A()
10
Abstraction
  • Lighter manipulation
  • Aspects become models

/_at_ public model class SecurityManager _at_
public invariant s ! null _at_ model SetltStringgt
s _at_ _at_ requires o ! null s ! null _at_
assignable \nothing _at_ ensures
s.contains(o.getClass().getPackage().toString())
_at_ !(o.getClass().getPackage().equals("
b")) _at_ exsures (SecurityException)
!s.contains("b") _at_
(o.getClass().getPackage().equals("b")) _at_
public model void beforeAnyPublicMethod (Object
o) _at_/
11
Go Boogie!
  • Bytecode verification
  • The only semantic of weaving for AspectJ
  • Using BML annotation language
  • Transform everything in BoogiePL guarded commands
  • Lehner Müller 07

12
Base program Boogied
init // initialization of the method old heap
heap reg0 0 assume requires(main,
(old heap, 0)) // true start // beginning of
the program heap add(heap, b.A) // new
call stack0 new(heap, b.A) arg0
stack0 // constructor call pre heap
heap assert arg0 ! null assert
requires(b.A.ltinitgt, pre heap, arg0) havoc
heap goto b.A.ltinitgt normal, b.A.ltinitgt
excp b.A.ltinitgt excp havoc stack0
assume alloc (stack0, heap)
typeof(stack0) ltThrowable assume
exsures(b.A.ltinitgt, (pre heap, arg0),
(heap, stack0)) goto handler b.A.ltinitgt
normal havoc stack0 assume
ensures(b.A.ltinitgt, (pre heap, arg0),
(heap, stack0)) post //
post condition and exception handler assert
ensures(main, (old heap, 0), (heap, stack0))
// s.contains("b") goto handler
assert exsures(main, (old heap, 0), (heap,
stack0)) // !s.contains("b")
goto
13
Verification conditions
  • Weaving rules
  • Belblidia Debbabi 06
  • How weaving is done?
  • The wp used is the one that is described in
    Leinos paper Weakest precondition over
    unstructured programs

14
Related work
  • Static verification usually modular, with
    restrictions
  • Cliftons PhD thesis
  • Kunz Hoare logic
  • Krishnamurti model checking framework
  • No implementation available, and often
    unrealistic frameworks

15
Conclusion
  • Non-modular verification framework
  • Simple
  • Realistic
  • Using lots of existing technologies
  • Targets a real language

16
Future work
  • Specification with aspects is hard
  • Implementation as soon as JML AST gets stable
    again
  • The other half of the framework depends the
    realization of Mobius PVE

17
  • For more infos, you can read my paper "Taking
    into account Javas." on my webpage
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Taking into account meta-programming concerns in static program verification" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!