Automatic Software Engineering

Communications

Navigation

Commerce

Facility security

CLASSIC ATTRIBUTES:

RELIABILITY, SAFETY/SECURITY, ROBUSTNESS, CORRECTNESS, EFFICIENCY

Performance-critical open networking systems that are costly to shut down.

“Systems must never crash and must always meet their deadlines.”

“Systems must be dependable”: available, trustworthy, maintainable, safe and secure (integrity and confidentiality: secrecy, anonymity)

Software Errors | Software Correctness | Model Checking | Course Details

Therac-25 Radiation Overdosing (1985-87)

Radiation machine for treatment of cancer patients

At least 6 cases of overdose in the period 1985–1987 (100 times the dose)

Three cancer patients died

Source: design error in the control software (race condition)

Prof. Dr. Ir. Joost-Pieter Katoen Introduction to Model Checking


AT&T Telephone Network Outage (1990)

January 1990: a problem in New York City leads to a 9 h outage of large parts of the U.S. telephone network

Costs: several 100 million US$

Source: software flaw (wrong interpretation of a break statement in C)


(-ilities): extensibility!

Source: NASA Jet Propulsion Lab

Bandwidth: < 1 KB/s; Latency: > hours

Data: > 10 MB/s

How can extensibility and efficiency be achieved without sacrificing security?

Source: Carnegie Mellon

Often download occurs without approval! (virus...)


Consequences (7,000 M euro)

Until Ariane, it was not fully appreciated how software can contribute to a system failure. Software cannot fail, this was the repeated cry.

- Ariane 5 development programme at risk
- SOHO (multi-national research programme studying the behaviour of the Sun’s heliosphere) interrupted
- Many research careers jeopardised
- Future satellite launches not insured


“After a crew member mistakenly entered a zero into the data field of an application, the computer system proceeded to divide another quantity by that zero. The operation caused a buffer overflow, and the error eventually brought down the ship's propulsion system.

The result: the Yorktown was dead in the water for more than two days.”


- Non-exhaustive: miss unseen cases
- Trust entities required
- Slow down performance
- Burden on consumers


Heavy and weak FMs vs. lightweight and strong FMs


A Lightweight Approach

“A lightweight approach, in comparison to the traditional approach, lacks power of expression and breadth of coverage.

A surgical laser likewise produces less power and poorer coverage than a lightbulb, but it makes more efficient use of the energy it consumes, and its effect is more dramatic”

[Jackson and Wing 1996]


Software Components / Software Processes

[Diagram: the Properties / Data / Programs triangle. Properties: specifications, requirements, types...; Data: data sets (output: scenarios; input: examples); Programs: code, documentation. Arcs between the vertices: Inductive Inference, Scenario Generation, Program Transformation, Automatic Prototyping, Data Mining.]


Derivation example

{Y>0} - precondition

Q:=0; R:=X; while R>Y do R:= R - Y; Q:= Q + 1 end while;

{X=Y*Q+R, R>=0} - postcondition


Program Transformation:

• Compilation
• Specialisation
• Deforestation
• Slicing


Inductive Inference (Program Synthesis from Examples)

Test Data Generation: Structural Testing (white-box)

1. Define test paths
2. Generate data sets (test batteries) that make execution follow each path, accumulating the ‘constraints’ that define the arcs of the path and applying CONSTRAINT SOLVING techniques


Declarative Diagnosis:

1. Symptom
2. Specification of the semantics (ORACLE)
3. Analyse (abstract) CORRECTNESS / COMPLETENESS
4. Diagnose error sources
5. Repair code

Criterion: if there exists A ∈ Tr(S) such that A ∉ S, then the rule r is incorrect

Example: consider the incorrect program:

par(0) = true.
par(s(X)) = par(X).

and the semantics S = {par(0), par(s(s(0)))}
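The criterion run on this very program, as an added example that is not part of the original slides: each rule r is modelled by its immediate-consequence operator Tr, and a rule is reported as incorrect when Tr(S) derives an atom outside S. The string encoding of terms and the names `t_base`, `t_step` and `incorrect_rules` are assumptions of this example.

```python
# Added example (not from the original slides): the declarative-diagnosis
# criterion applied to the slides' incorrect program
#     par(0) = true.        par(s(X)) = par(X).
# with intended semantics S = {par(0), par(s(s(0)))}.
# Atoms are encoded as strings; naturals as nested s(...) terms (assumed encoding).

def succ(t):
    """Apply the successor constructor: succ('0') == 's(0)'."""
    return f"s({t})"

def nat(n):
    """Peano term for n: nat(2) == 's(s(0))'."""
    t = "0"
    for _ in range(n):
        t = succ(t)
    return t

# Intended semantics, the oracle: exactly the par(...) atoms that should hold.
S = {f"par({nat(0)})", f"par({nat(2)})"}

# Each rule r is modelled by its immediate-consequence operator T_r: given the
# atoms currently assumed true, return the atoms r derives in one step.
def t_base(atoms):
    # par(0) = true is a fact: it derives par(0) whatever is assumed.
    return {f"par({nat(0)})"}

def t_step(atoms):
    # par(s(X)) = par(X): from an assumed par(t) it derives par(s(t)).
    out = set()
    for a in atoms:
        if a.startswith("par(") and a.endswith(")"):
            out.add(f"par({succ(a[4:-1])})")
    return out

RULES = {"par(0) = true": t_base, "par(s(X)) = par(X)": t_step}

def incorrect_rules(rules, semantics):
    """Criterion from the slides: r is incorrect iff some A in T_r(S) is not in S.
    Returns {rule: set of wrongly derived atoms} for the incorrect rules only."""
    wrong = {}
    for name, t_r in rules.items():
        bad = t_r(semantics) - semantics
        if bad:
            wrong[name] = bad
    return wrong

if __name__ == "__main__":
    for name, bad in incorrect_rules(RULES, S).items():
        # par(s(X)) = par(X) derives par(s(0)) and par(s(s(s(0)))), both outside S
        print(f"incorrect rule: {name}; derives {sorted(bad)} not in S")
```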

Resounding successes in discovering errors in:

FTP file transfer; key authentication; disk cache coherence; encryption; Pentium division algorithm; electronic commerce

Edmund M. Clarke, E. Allen Emerson, and Joseph Sifakis, winners of the 2007 A.M. Turing Award

[Diagram: model checking. 1. Specification in temporal logic Ψ; 2. Compilation of the program to a Kripke structure K; 3. Property check: K |= Ψ ?; 4. Scenario generation (counterexample).]

Typical properties

- Reachability, EF Restart: it is possible to reach the arrival station
- Safety, AG ¬Boom: the state Boom cannot be reached
- Liveness, AG [Req → AF Ack]: every request will eventually be served
- Fairness, AG AF DeviceEnabled: the property DeviceEnabled holds infinitely often in every computation
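The four property patterns above checked on a small Kripke structure, as an added example that is not part of the original slides: a tiny explicit-state CTL checker that computes EF, AF and AG as fixpoints, so a reader can see why the fairness pattern fails when the structure contains a loop that never re-enables the device. The structure (states, transitions, labels) and the names `fixpoint`, `sat` and `holds` are constructed for this example.

```python
# Added example (not from the original slides): explicit-state CTL checking of the
# patterns EF p, AG p, AG[p -> AF q] and AG AF p over a constructed Kripke structure
# K = (STATES, NEXT, LABEL); every state has a successor, as CTL requires.
STATES = {"init", "req", "ack", "busy", "boom"}
NEXT = {"init": {"init", "req", "busy"}, "req": {"ack"}, "ack": {"init"},
        "busy": {"busy", "init"},   # may idle here forever, never enabled
        "boom": {"boom"}}           # the bad state, unreachable from "init"
LABEL = {"init": {"DeviceEnabled"}, "req": {"Req"}, "busy": set(),
         "ack": {"Ack", "DeviceEnabled", "Restart"}, "boom": {"Boom"}}

def fixpoint(seed, step, least):
    """Iterate z := z | step(z) (least) or z := z & step(z) (greatest) to a fixpoint."""
    z = set(seed)
    while True:
        new = (z | step(z)) if least else (z & step(z))
        if new == z:
            return z
        z = new

def sat(phi):
    """States of K satisfying phi. Formulas are tuples:
    ('AP', p), ('not', f), ('imp', f, g), ('EF', f), ('AF', f), ('AG', f)."""
    op = phi[0]
    if op == "AP":
        return {s for s in STATES if phi[1] in LABEL[s]}
    if op == "not":
        return STATES - sat(phi[1])
    if op == "imp":
        return (STATES - sat(phi[1])) | sat(phi[2])
    ex = lambda z: {s for s in STATES if NEXT[s] & z}   # EX z: some successor in z
    ax = lambda z: {s for s in STATES if NEXT[s] <= z}  # AX z: all successors in z
    if op == "EF":  # least fixpoint of  f or EX z
        return fixpoint(sat(phi[1]), ex, least=True)
    if op == "AF":  # least fixpoint of  f or AX z
        return fixpoint(sat(phi[1]), ax, least=True)
    if op == "AG":  # greatest fixpoint of  f and AX z
        return fixpoint(sat(phi[1]), ax, least=False)
    raise ValueError(f"unknown operator {op}")

def holds(phi, init="init"):
    """K, init |= phi."""
    return init in sat(phi)

if __name__ == "__main__":
    ap = lambda p: ("AP", p)
    print(holds(("EF", ap("Restart"))))                            # True
    print(holds(("AG", ("not", ap("Boom")))))                      # True
    print(holds(("AG", ("imp", ap("Req"), ("AF", ap("Ack"))))))    # True
    print(holds(("AG", ("AF", ap("DeviceEnabled")))))              # False: busy loop
```

The failing fairness check is the counterexample the slides' step 4 refers to: the computation init → busy → busy → ... never re-enables the device.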

Some Disadvantages


Proof-Carrying Code: A Language-Based Security Approach


Proof-Carrying Code

1. Certifying compiler: code + proof
2. Validate proof

Dialogue between code producer and host:

Host: This store instruction is dangerous!

Host: I am convinced it is safe to execute only if all([a:exp] (all([b:exp] (=> (/\ a b) (/\ b a))) (a verification condition)

Code producer: … (impi (/\ a b) (/\ b a) ([ab:pf(/\ a b)] (andi b a (ander a b ab) (andel a b ab))))…)

Host: Your proof typechecks. I believe you because I believe in logic.

Automation via Certifying Compilation

[Diagram: the certifying compiler takes source code and produces object code together with a type-safety proof; on the trusted host, proof checking validates the proof before the object code reaches the CPU.]

% spj foo.java bar.class baz.c -ljdk1.2.2

Looks and smells like a compiler.

[Diagram: A sends B the (optimised) code together with a formal proof or “explanation” of its safety.]

Good Things About PCC

- Agnostic to how the code is produced
- Someone else does the really hard work (shifts the burden of ensuring the safety from code consumer to code producer)
- Requires minimal infrastructure (simpler, smaller, and faster TCB)
- Proofs are a “semantic checksum”

Curry-Howard Isomorphism

In a logical framework language, predicates (properties) can be represented as types and proofs as programs (i.e., expression terms).

Under certain conditions, typechecking is sufficient to ensure the validity of the proofs.

Logic provides a symbolic, domain-independent formulation of the laws of human thought.

This twofold character of logic makes it possible to mechanise its techniques and methods.

- clausal logic → Relational (Prolog)
- equational logic → Functional (Haskell)
- many-sorted logic → types
- order-sorted logic → inheritance
- modal logic: dynamic → objects; temporal → concurrency; epistemic → knowledge; deontic → norms

Multiparadigm Programming

The ELP Group: 30 researchers (15 PhDs), the biggest group of GPLIS

María Alpuente Salvador Lucas

Germán Vidal Jose Hernández

Javier Oliver M. José Ramírez

Santiago Escobar Cesar Ferri

Christophe Joubert Marisa Llorens

Josep Silva Alicia Villanueva

15 PhD Fellows:

Beatriz Alarcón, Mauricio Alba, Gustavo Arroyo, Antonio Bella, Aristides Dasso, Marco A. Feliu, Ana Funes, Raul Gutierrez, Jose Iborra, Alexei Lescaylle, Rafael Navarro, Daniel Romero, Salvador Tamarit

[Diagram: the Data / Programs / Properties triangle (Data: data batteries, examples…; Properties: specifications, types…). Arcs: test data generation, program learning, refinement, declarative debugging, program transformation, program certification.]

The ELP group explores all arcs of this triangle with the aim of automating the corresponding phases of the software process.

- program analyzers and certifiers
- program transformers (filtering, slicing, correction)
- declarative debuggers
- model checkers
- web verifiers
- net simulators

Multi-Paradigm Declarative Programs

NPA Protocol Analyzer. Implementation size: 8,000 lines of Maude source code (collaboration with U. Illinois at Urbana-Champaign, NRL, and SRI)

Implementation size: 2,000 lines of Haskell source code

The Java certification tool. Implementation size: 600 lines of Maude source code

GVerdi Web Verification System (its interface loads a Web site directory W and a Web specification S). Implementation size: 8,000 lines of Java source code; 800 lines of Maude code

Mu-Term termination prover (its interface loads a TRS plus an evaluation strategy). Implementation size: 14,000 lines of Haskell source code

A Tool for Slicing Curry Programs. Implementation size: 2,000 lines of Haskell source code

MCReNet analyzer for Petri Nets. The user interface basically consists of a graphical editor and a pane for consistency analysis. The user can execute the net (fire the enabled transitions) as well as transform it (reconfiguration). Implementation size: 2,000 lines of Java source code

Equational (AC) Generalization. Implementation size: 700 lines of Maude source code

DBDT machine learning tool: DBDT is a machine learning tool for inferring classifiers, implemented in JBuilder using the WEKA libraries.

Applications to Web categorization (classification of Web documents into one or more categories).