Communications
Navigation
Commerce
Facility security
CLASSIC ATTRIBUTES:
RELIABILITY, SAFETY AND SECURITY, ROBUSTNESS, CORRECTNESS, EFFICIENCY
Performance-critical open networking systems that are costly to shut down.
“Systems must never crash and must always meet their deadlines.”
“Systems must be dependable”: available, trustworthy, maintainable, safe and secure (integrity and confidentiality, i.e. secrecy and anonymity).
Therac-25 Radiation Overdosing (1985-87)
Radiation machine for the treatment of cancer patients
At least 6 cases of overdose in the period 1985–1987 (roughly 100 times the intended dose)
Three cancer patients died
Source: design error in the control software (race condition)
Prof. Dr. Ir. Joost-Pieter Katoen Introduction to Model Checking
AT&T Telephone Network Outage (1990)
January 1990: a problem in New York City leads to a 9-hour outage of large parts of the U.S. telephone network
Costs: several hundred million US$
Source: software flaw (wrong interpretation of a break statement in C)
(-ilities)
extensibility!
Source: NASA Jet Propulsion Lab
Bandwidth: < 1 KB/sec; Latency: > hours
Data: > 10 MB/sec
How can extensibility and efficiency be achieved without sacrificing security?
Source: Carnegie Mellon
Often the download occurs without approval! (viruses, ...)
Consequences (7,000 M euro)
Until Ariane, it was not fully appreciated how software can contribute to a system failure. “Software cannot fail”, this was the repeated cry.
- Ariane 5 development programme at risk
- SOHO (multi-national research programme studying the behaviour of the Sun’s heliosphere) interrupted
- Many research careers jeopardised
- Future satellite launches not insured
“After a crew member mistakenly entered a zero into the data field of an application, the computer system proceeded to divide another quantity by that zero. The operation caused a buffer overflow, and the error eventually brought down the ship's propulsion system.
The result: the Yorktown was dead in the water for more than two days.”
- Non-exhaustive: misses unseen cases
- Trusted entities required
- Slows down performance
- Burden on consumers
program
Heavy and weak FMs vs. lightweight and strong FMs
A Lightweight Approach
“A lightweight approach, in comparison to the traditional approach, lacks power of expression and breadth of coverage.
A surgical laser likewise produces less power and poorer coverage than a lightbulb, but it makes more efficient use of the energy it consumes, and its effect is more dramatic”
[Jackson and Wing 1996]
Software Components / Software Processes
[Triangle diagram: vertices Properties (specifications, requirements, types, ...), Data (data sets; input: examples, output: scenarios) and Programs (code, documentation); arcs: Inductive Inference, Scenario Generation, Program Transformation, Automatic Prototyping, Data Mining]
Derivation example (arc Properties → Programs): integer division of X by Y
{Y > 0}                          precondition
Q := 0; R := X;
while R > Y do R := R - Y; Q := Q + 1 end while;
{X = Y*Q + R, R >= 0}            postcondition
Loop invariant: X = Y*Q + R ∧ R >= 0. The invariant must already hold on entry (R = X), so the precondition actually needed is {X >= 0, Y > 0}; with Y > 0 alone, a negative X violates R >= 0. Note also that the guard R > Y may exit with R = Y, which the stated postcondition allows; the usual division postcondition 0 <= R < Y requires the guard R >= Y.
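The derivation above, turned into an executable check. This is an added example, not code from the original slides: the program is run with the loop invariant asserted at every step, and the Hoare triple is checked exhaustively over small ranges for both the slide's precondition and the strengthened one. The function names, the ranges and the label "fixed" for the strengthened precondition are ours.

```python
# Added example (not from the original slides): the division derivation above
# instrumented so the loop invariant  X = Y*Q + R  /\  R >= 0  is checked at run
# time, plus a bounded exhaustive check of the Hoare triple over small ranges.
# Function names, ranges and the "fixed" precondition are ours.
from __future__ import annotations


def div_annotated(x: int, y: int, strict_guard: bool = True) -> tuple[int, int]:
    """Run  Q:=0; R:=X; while <guard> do R:=R-Y; Q:=Q+1 end while  and assert
    the invariant on entry and after every iteration.

    strict_guard=True  uses the slide's guard  R > Y   (may exit with R == Y)
    strict_guard=False uses the guard          R >= Y  (exits with 0 <= R < Y)
    """
    q, r = 0, x

    def invariant() -> bool:
        return x == y * q + r and r >= 0

    assert invariant(), f"invariant false on entry: X={x}, Y={y}, R={r}"
    while (r > y) if strict_guard else (r >= y):
        r -= y
        q += 1
        assert invariant(), f"invariant false after iteration: Q={q}, R={r}"
    return q, r


def pre_slide(x: int, y: int) -> bool:                     # {Y > 0}
    return y > 0

def pre_fixed(x: int, y: int) -> bool:                     # {X >= 0, Y > 0}
    return x >= 0 and y > 0

def post_slide(x: int, y: int, q: int, r: int) -> bool:    # {X = Y*Q + R, R >= 0}
    return x == y * q + r and r >= 0

def post_div(x: int, y: int, q: int, r: int) -> bool:      # {X = Y*Q + R, 0 <= R < Y}
    return x == y * q + r and 0 <= r < y


def counterexamples(pre, post, xs, ys, strict_guard=True) -> list[tuple[int, int]]:
    """Bounded check of {pre} program {post}: every (X, Y) in the ranges that
    satisfies pre but for which the invariant or the postcondition fails."""
    bad = []
    for x in xs:
        for y in ys:
            if not pre(x, y):
                continue
            try:
                q, r = div_annotated(x, y, strict_guard)
            except AssertionError:          # invariant broken at run time
                bad.append((x, y))
                continue
            if not post(x, y, q, r):
                bad.append((x, y))
    return bad


if __name__ == "__main__":
    xs, ys = range(-5, 12), range(1, 6)
    print("slide pre / slide post        :", counterexamples(pre_slide, post_slide, xs, ys))        # negative X fail
    print("fixed pre / slide post        :", counterexamples(pre_fixed, post_slide, xs, ys))        # []
    print("fixed pre / R<Y post, guard > :", counterexamples(pre_fixed, post_div, xs, ys, True))    # exits with R == Y
    print("fixed pre / R<Y post, guard >=:", counterexamples(pre_fixed, post_div, xs, ys, False))   # []
```

The bounded search is not a proof (that is what the derivation is for); it is the kind of cheap sanity check a practitioner runs before trusting a hand derivation, and here it exposes both the missing X >= 0 and the off-by-one in the guard.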
Program Transformation (arc Programs → Programs, guided by Properties):
• Compilation • Specialization • Deforestation • Slicing
Inductive Inference (arc Data → Programs): program synthesis from examples
Test Data Generation (arc Programs → Data): structural (white-box) testing
1. Define the test paths
2. Generate the data sets that drive execution along each path (accumulating the constraints that define the arcs of the path and applying CONSTRAINT SOLVING techniques)
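The two steps above carried out on a small program, as an added example that is not part of the original slides. Step 1 enumerates the root-to-leaf paths of a control-flow graph, step 2 conjoins the constraint that selects each arc (the guard for the true arc, its negation for the false arc) and solves the conjunction. A real tool would hand the constraints to a constraint or SMT solver; here a bounded search over a small integer domain stands in for the solver, which is enough to show the essential behaviour, including an infeasible path. The program under test, its CFG and all names are ours.

```python
# Added example (not from the original slides): white-box test data generation
# by path enumeration + constraint solving for a small constructed program.
# A bounded search over a small integer domain stands in for a real constraint
# solver.  Program, CFG and names are ours.
from __future__ import annotations
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterator

Env = dict[str, int]
Constraint = Callable[[Env], bool]


@dataclass
class Node:
    """CFG node: a decision (guard plus true/false successors) or an exit leaf."""
    name: str
    guard: Constraint | None = None
    on_true: Node | None = None
    on_false: Node | None = None


def paths(node: Node, acc: tuple[Constraint, ...] = (),
          trail: tuple[str, ...] = ()) -> Iterator[tuple[str, tuple[Constraint, ...]]]:
    """Step 1: yield (path label, accumulated constraints) for every root-to-leaf
    path.  Taking the true arc adds the guard, the false arc adds its negation."""
    if node.guard is None:                      # leaf: the path is complete
        yield "->".join(trail + (node.name,)), acc
        return
    g = node.guard
    yield from paths(node.on_true, acc + (g,), trail + (f"{node.name}:T",))
    yield from paths(node.on_false, acc + ((lambda env, g=g: not g(env)),),
                     trail + (f"{node.name}:F",))


def solve(constraints, variables: list[str], domain: range) -> Env | None:
    """Step 2 (stand-in solver): first assignment in domain^len(variables) that
    satisfies every accumulated constraint; None means the path is infeasible."""
    for values in product(domain, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(c(env) for c in constraints):
            return env
    return None


def generate_test_data(root: Node, variables: list[str], domain: range) -> dict[str, Env | None]:
    """One concrete input per path (None marks an infeasible path)."""
    return {label: solve(cs, variables, domain) for label, cs in paths(root)}


# Program under test (constructed): a length check before a buffer copy.  The
# third test is redundant (n <= len already holds there), so one path is dead.
def check_copy(n: int, length: int) -> str:
    if n < 0:
        return "reject_negative"
    if n > length:
        return "reject_too_long"
    if n > length + 1:
        return "unreachable"
    if n == length:
        return "full_copy"
    return "partial_copy"


# The same program as a CFG: each decision names the guard it tests.
CFG = Node("n<0", lambda e: e["n"] < 0,
           Node("reject_negative"),
           Node("n>len", lambda e: e["n"] > e["len"],
                Node("reject_too_long"),
                Node("n>len+1", lambda e: e["n"] > e["len"] + 1,
                     Node("unreachable"),
                     Node("n==len", lambda e: e["n"] == e["len"],
                          Node("full_copy"),
                          Node("partial_copy")))))

if __name__ == "__main__":
    for path, data in generate_test_data(CFG, ["n", "len"], range(-2, 4)).items():
        print(f"{path:55s} {data}")
```

Running the generated inputs through `check_copy` and comparing the exit reached with the path label is the usual cross-check that the solver really drove execution down the intended path; the `None` for the `unreachable` leaf is how structural testing reports dead code rather than a missing test case.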
Declarative diagnosis (arcs Programs → Properties → Data):
1. Symptom (a wrong or missing answer)
2. Specification of the intended semantics S (the ORACLE)
3. Analysis (abstract) of CORRECTNESS and COMPLETENESS
4. Diagnosis of the error sources
5. Code repair
Criterion: if there exists A ∈ T_r(S) such that A ∉ S, then rule r is incorrect (T_r is the immediate-consequence operator of rule r, applied to the intended semantics S).
Example: consider the incorrect program
  par(0) = true
  par(s(X)) = par(X).
and the intended semantics S = {par(0), par(s(s(0)))}. Applying the second rule to par(0) ∈ S yields par(s(0)) ∉ S, so that rule is incorrect (par is meant to hold exactly of the even numbers, which the rule par(s(s(X))) = par(X) computes).
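The diagnosis criterion run on the `par` program, as an added example that is not from the original slides. Atoms par(s^n(0)) are represented by the integer n, the oracle is "n is even" cut off at a bound so that every set is finite, and each rule is given as its immediate-consequence operator T_r. The bound, the function names and the repaired program are ours; the criterion is the one stated above.

```python
# Added example (not from the original slides): the declarative-diagnosis
# criterion on the `par` (even) program.  Atoms par(s^n(0)) are represented by
# the integer n; the intended semantics S (the oracle) is "n is even", cut off
# at BOUND so all sets are finite.  Names and the bound are ours.
from __future__ import annotations
from typing import Callable, Iterable

Rule = Callable[[set[int]], set[int]]   # immediate-consequence operator T_r of one rule
BOUND = 10


def fact_par_0(_: set[int]) -> set[int]:
    """par(0) = true"""
    return {0}

def rule_par_s(s: set[int]) -> set[int]:
    """par(s(X)) = par(X)   (the incorrect rule on the slide)"""
    return {n + 1 for n in s if n + 1 <= BOUND}

def rule_par_ss(s: set[int]) -> set[int]:
    """par(s(s(X))) = par(X)   (the intended rule)"""
    return {n + 2 for n in s if n + 2 <= BOUND}


def least_model(rules: Iterable[Rule]) -> set[int]:
    """Bottom-up fixpoint of T_P = union of the T_r: the program's actual semantics."""
    model: set[int] = set()
    while True:
        new = set().union(*(r(model) for r in rules)) | model
        if new == model:
            return model
        model = new


def symptoms(rules: dict[str, Rule], intended: set[int]) -> set[int]:
    """Step 1: incorrectness symptoms, i.e. atoms the program proves but the oracle rejects."""
    return least_model(rules.values()) - intended


def diagnose(rules: dict[str, Rule], intended: set[int]) -> dict[str, set[int]]:
    """Steps 3-4, the criterion: rule r is incorrect iff some A in T_r(S) is not in S.
    Returns, per incorrect rule, the atoms that witness it (the error sources)."""
    return {name: r(intended) - intended
            for name, r in rules.items() if r(intended) - intended}


S_EVEN = {n for n in range(BOUND + 1) if n % 2 == 0}          # oracle: the intended semantics
BUGGY = {"par(0)": fact_par_0, "par(s(X))=par(X)": rule_par_s}
FIXED = {"par(0)": fact_par_0, "par(s(s(X)))=par(X)": rule_par_ss}   # step 5: the repair

if __name__ == "__main__":
    print("symptoms       :", symptoms(BUGGY, S_EVEN))   # {1, 3, 5, 7, 9}, i.e. par(s(0)), ...
    print("incorrect rules:", diagnose(BUGGY, S_EVEN))   # {'par(s(X))=par(X)': {1, 3, 5, 7, 9}}
    print("after repair   :", diagnose(FIXED, S_EVEN))   # {}
```

Note that the diagnosis never executes the buggy program: it applies each rule once to the intended semantics, which is what makes the method declarative and lets it point at the rule rather than at the symptom.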
Resounding successes in discovering errors in:
FTP (file transfer), key authentication, disk cache coherence, encryption, the Pentium division algorithm, electronic commerce
Edmund M. Clarke, E. Allen Emerson, and Joseph Sifakis the winners of the 2007 A.M. Turing Award
Model checking (arc Programs → Properties; Data as counterexample scenarios):
1. Specification of the property Ψ in temporal logic
2. Compilation of the program to a Kripke structure K
3. Check whether K |= Ψ
4. Scenario generation: a counterexample when the check fails
Typical properties:
Reachability   EF Restart             It is possible to reach a state where Restart holds
Safety         AG ¬Boom               The state Boom is never reached
Liveness       AG [Req → AF Ack]      Every request is eventually acknowledged
Fairness       AG AF DeviceEnabled    DeviceEnabled holds infinitely often on every computation
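The four property patterns above checked by an explicit-state CTL checker, as an added example that is not code from the original slides. The temporal operators are computed as set fixpoints over a constructed Kripke structure of a request/acknowledge device, which deliberately contains a timeout path that returns to idle without an Ack and a Boom (crash) state, so two of the four properties fail and step 4 (scenario generation) produces the offending paths. The model, its state names and the class and method names are ours; the atoms Restart, Boom, Req, Ack and DeviceEnabled are the slide's.

```python
# Added example (not from the original slides): an explicit-state CTL checker
# for the four property patterns in the table above, run on a constructed
# Kripke structure of a request/acknowledge device.  Model, state and method
# names are ours; Boom, Restart, Req, Ack, DeviceEnabled are the slide's atoms.
from __future__ import annotations
from collections import deque


class Kripke:
    def __init__(self, trans: dict[str, set[str]], labels: dict[str, set[str]], init: str):
        self.states = set(trans)
        self.trans = {s: set(t) or {s} for s, t in trans.items()}   # deadlocks get a self-loop
        self.labels, self.init = labels, init

    # --- atomic propositions and boolean connectives, as sets of states ---
    def atom(self, p: str) -> set[str]:
        return {s for s in self.states if p in self.labels.get(s, set())}

    def neg(self, f: set[str]) -> set[str]:
        return self.states - f

    def implies(self, f: set[str], g: set[str]) -> set[str]:
        return self.neg(f) | g

    # --- temporal operators, computed as fixpoints ---
    def ex(self, f: set[str]) -> set[str]:
        """EX f: some successor satisfies f."""
        return {s for s in self.states if self.trans[s] & f}

    def ef(self, f: set[str]) -> set[str]:
        """EF f: least fixpoint Z = f ∪ EX Z  (reachability)."""
        z = set(f)
        while (nz := z | self.ex(z)) != z:
            z = nz
        return z

    def af(self, f: set[str]) -> set[str]:
        """AF f: least fixpoint Z = f ∪ AX Z, where AX Z = all successors in Z."""
        z = set(f)
        while (nz := z | {s for s in self.states if self.trans[s] <= z}) != z:
            z = nz
        return z

    def ag(self, f: set[str]) -> set[str]:
        """AG f = ¬EF ¬f  (invariant / safety)."""
        return self.neg(self.ef(self.neg(f)))

    def holds(self, f: set[str]) -> bool:
        return self.init in f

    def scenario(self, target: set[str]) -> list[str] | None:
        """Shortest path from the initial state into `target`: the witness of an
        EF property, or the counterexample prefix of a violated AG property."""
        prev: dict[str, str | None] = {self.init: None}
        queue = deque([self.init])
        while queue:
            s = queue.popleft()
            if s in target:
                path = []
                while s is not None:
                    path.append(s)
                    s = prev[s]
                return path[::-1]
            for t in sorted(self.trans[s]):
                if t not in prev:
                    prev[t] = s
                    queue.append(t)
        return None


# Constructed model: idle -> req -> busy -> ack -> idle, where busy may also
# time out (Restart, back to idle with no Ack) or crash (Boom, watchdog restart).
K = Kripke(
    trans={"idle": {"req"}, "req": {"busy"}, "busy": {"ack", "timeout", "boom"},
           "ack": {"idle"}, "timeout": {"idle"}, "boom": {"idle"}},
    labels={"idle": {"DeviceEnabled"}, "req": {"Req"}, "busy": set(),
            "ack": {"Ack", "DeviceEnabled"}, "timeout": {"Restart"}, "boom": {"Boom"}},
    init="idle",
)


def check_all(k: Kripke) -> dict[str, bool]:
    """The four typical properties from the table, evaluated at the initial state."""
    restart, boom = k.atom("Restart"), k.atom("Boom")
    req, ack, dev = k.atom("Req"), k.atom("Ack"), k.atom("DeviceEnabled")
    return {
        "EF Restart":          k.holds(k.ef(restart)),
        "AG ¬Boom":            k.holds(k.ag(k.neg(boom))),
        "AG [Req → AF Ack]":   k.holds(k.ag(k.implies(req, k.af(ack)))),
        "AG AF DeviceEnabled": k.holds(k.ag(k.af(dev))),
    }


if __name__ == "__main__":
    for name, ok in check_all(K).items():
        print(f"{name:22s} {ok}")
    print("witness for EF Restart    :", K.scenario(K.atom("Restart")))   # idle, req, busy, timeout
    print("counterexample to AG ¬Boom:", K.scenario(K.atom("Boom")))      # idle, req, busy, boom
```

The liveness failure is the instructive one: `AF Ack` holds only in the `ack` state itself because `busy` has the `timeout` successor, so the `req` state violates `Req → AF Ack` and `AG` of it fails everywhere. Removing the timeout and boom transitions makes all four properties hold, which is the kind of "fix and re-check" loop the method is used for.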
Some Disadvantages
Proof-Carrying Code: A Language-Based Security Approach
Proof-carrying code (arc Programs → Properties):
1. Certifying compiler: code + proof
2. Validate the proof

Code producer / Host dialogue:
Host: This store instruction is dangerous!
Host: I am convinced it is safe to execute only if all([a:exp] (all([b:exp] (=> (/\ a b) (/\ b a))))) (a verification condition)
Code producer: … (impi (/\ a b) (/\ b a) ([ab:pf(/\ a b)] (andi b a (ander a b ab) (andel a b ab))))… (the proof term)
Host: Your proof typechecks. I believe you because I believe in logic.
Automation via Certifying Compilation
Source code → Certifying Compiler → Object code + Proof (of type safety)
% spj foo.java bar.class baz.c -ljdk1.2.2
Looks and smells like a compiler.
Trusted Host: Proof Checking → CPU
Code producer A → Host B: (optimized) code + formal proof or “explanation” of safety
Good Things About PCC
- Agnostic to how the code is produced
- Someone else does the really hard work (shifts the burden of ensuring safety from the code consumer to the code producer)
- Requires minimal infrastructure (simpler, smaller and faster TCB)
- Proofs are a “semantic checksum”
Curry-Howard Isomorphism
In a logical framework language, predicates (properties) can be represented as types and proofs as programs (i.e., expression terms).
⇒ Under certain conditions, typechecking is sufficient to ensure the validity of the proofs.
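The host side of the PCC dialogue above, as an added example that is not code from the original slides: a proof checker for the implication-and-conjunction fragment, written as a type checker in the Curry-Howard style. Propositions are the types, proof terms are the programs, and validating a proof is inferring the proposition a term proves and comparing it with the verification condition. The constructor names follow the LF-style terms quoted on the slide (impi, andi, andel, ander); the Python encoding, the `check`/`infer` names and the deliberately wrong second proof are ours.

```python
# Added example (not from the original slides): a proof checker for the
# fragment used in the PCC dialogue (implication, conjunction), written as a
# type checker: propositions are types, proof terms are programs, checking a
# proof is type checking.  Constructor names follow the slide's LF-style terms
# (impi, andi, andel, ander); the Python encoding is ours.
from __future__ import annotations


# Propositions (types)
def atom(name): return ("atom", name)
def conj(a, b): return ("and", a, b)
def imp(a, b):  return ("imp", a, b)

# Proof terms (programs).  Each carries the propositions it mentions, as the
# slide's explicit terms do (e.g. `andel a b ab`).
def var(name):            return ("var", name)
def impi(a, b, x, body):  return ("impi", a, b, x, body)   # [x:pf(a)] body : pf(b)   proves  a ⊃ b
def andi(a, b, pa, pb):   return ("andi", a, b, pa, pb)    # pf(a), pf(b)             prove   a ∧ b
def andel(a, b, pab):     return ("andel", a, b, pab)      # pf(a ∧ b)                proves  a
def ander(a, b, pab):     return ("ander", a, b, pab)      # pf(a ∧ b)                proves  b


class ProofError(Exception):
    pass


def expect(got, want, where: str) -> None:
    if got != want:
        raise ProofError(f"{where}: proved {got}, needed {want}")


def infer(term, ctx: dict) -> tuple:
    """Return the proposition `term` proves under the hypotheses `ctx`, or raise ProofError."""
    tag = term[0]
    if tag == "var":
        if term[1] not in ctx:
            raise ProofError(f"unbound hypothesis {term[1]}")
        return ctx[term[1]]
    if tag == "impi":
        _, a, b, x, body = term
        expect(infer(body, {**ctx, x: a}), b, "impi body")   # assume a, derive b
        return imp(a, b)
    if tag == "andi":
        _, a, b, pa, pb = term
        expect(infer(pa, ctx), a, "andi left")
        expect(infer(pb, ctx), b, "andi right")
        return conj(a, b)
    if tag in ("andel", "ander"):
        _, a, b, pab = term
        expect(infer(pab, ctx), conj(a, b), tag)
        return a if tag == "andel" else b
    raise ProofError(f"unknown constructor {tag}")


def check(term, claimed) -> bool:
    """Host side of PCC: accept the code iff the attached proof checks against
    the verification condition `claimed`.  A malformed proof is simply rejected."""
    try:
        return infer(term, {}) == claimed
    except ProofError:
        return False


A, B = atom("a"), atom("b")
VC = imp(conj(A, B), conj(B, A))          # the verification condition on the slide

# (impi (/\ a b) (/\ b a) ([ab:pf(/\ a b)] (andi b a (ander a b ab) (andel a b ab))))
GOOD_PROOF = impi(conj(A, B), conj(B, A), "ab",
                  andi(B, A, ander(A, B, var("ab")), andel(A, B, var("ab"))))

# Same shape with the projections swapped: andel yields pf(a) where pf(b) is needed.
BAD_PROOF = impi(conj(A, B), conj(B, A), "ab",
                 andi(B, A, andel(A, B, var("ab")), ander(A, B, var("ab"))))

if __name__ == "__main__":
    print(check(GOOD_PROOF, VC))   # True
    print(check(BAD_PROOF, VC))    # False
```

This is why the host "believes in logic": the checker is a few dozen lines of syntactic recursion with no search, so it can sit in the trusted computing base, while the producer may use an arbitrarily complex (and untrusted) prover or certifying compiler to construct the term.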
Logic provides a symbolic, domain-independent formulation of the laws of human thought.
This dual character of logic makes it possible to mechanize its techniques and methods.
clausal logic       → relational programming (Prolog)
equational logic    → functional programming (Haskell)
many-sorted logic   → types
order-sorted logic  → inheritance
modal logic: dynamic → objects; temporal → concurrency; epistemic → knowledge; deontic → norms
Multiparadigm Programming
The ELP Group 30 Researchers (15 PhDs) (the biggest group of GPLIS)
María Alpuente Salvador Lucas
Germán Vidal Jose Hernández
Javier Oliver M. José Ramírez
Santiago Escobar Cesar Ferri
Christophe Joubert Marisa Llorens
Josep Silva Alicia Villanueva
_______________ 15 PhD Fellows
Beatriz Alarcón, Mauricio Alba, Gustavo Arroyo, Antonio Bella, Aristides Dasso, Marco A. Feliu, Ana Funes, Raul Gutierrez, Jose Iborra, Alexei Lescaylle, Rafael Navarro, Daniel Romero, Salvador Tamarit
[Triangle diagram: vertices Data (data batteries, examples, ...), Programs and Properties (specifications, types, ...); arcs: test data generation, program learning, refinement, declarative debugging, program transformation, program certification]
The ELP group explores all arcs of this triangle with the aim of automating the corresponding phases of the software process.
- program analyzers and certifiers
- program transformers (filtering, slicing, correction)
- declarative debuggers
- model checkers
- web verifiers
- net simulators
Multi- Paradigm Declarative Programs
NPA Protocol Analyzer. Implementation size: 8,000 lines of Maude source code (collaboration with U. Illinois at Urbana-Champaign, NRL, and SRI)
Implementation size: 2,000 lines of Haskell source code
The Java certification tool. Implementation size: 600 lines of Maude source code
GVerdi Web Verification System (:Load Web site directory W, Web Specification S). Implementation size: 8,000 lines of Java source code; 800 lines of Maude code
Mu-Term termination prover (:Load TRS (+ eval strategy)). Implementation size: 14,000 lines of Haskell source code
A Tool for Slicing Curry Programs. Implementation size: 2,000 lines of Haskell source code
The user interface basically consists of a graphical editor and a pane for consistency analysis.
The user can execute the net (fire the enabled transitions) as well as transform it (reconfiguration).
MCReNet analyzer for Petri Nets Implementation size: 2.000 lines source Java code
Equational (AC) Generalization Implementation size: 700 lines source Maude code
DBDT is a machine learning tool for inferring classifiers, implemented in JBuilder using the WEKA libraries
Applications to Web categorization (classification of Web documents into one or more categories)
DBDT machine learning tool