Isabella Mastroeni - Profs Area Scienze ed...

DERIVING BISIMULATIONS BY SIMPLIFYING

PARTITIONS

Isabella Mastroeni

VMCAI 2008

Deriving Bisimulations by Simplifying Partitions – p.1/15

INTRODUCTION

INGREDIENTS:

BISIMULATION : ... compares systems also on their capabilityof simulating each others.


INTRODUCTION

INGREDIENTS:


STABILITY : ... requires a bisimulation between a system andone of its abstractions (partitions of states).


INTRODUCTION

INGREDIENTS:


STABILITY : ... requires a bisimulation between a system andone of its abstractions (partitions of states).

COMPLETENESS: ... models the precision of an abstract domainwrt an operator.


INTRODUCTION

INGREDIENTS:

A n o t b is im il a r t o C=A n o t s t a bl e [ P T '8 7]=A n o t c om pl e t e [ G Q '0 1, R T '0 5]


INTRODUCTION

INGREDIENTS:

A b is im il a r to C=A s t a bl e [ P T '8 7]=A c o m pl e t e [ G Q '0 1, R T '0 5]


ABSTRACT INTERPRETATION

Consider the complete lattice < C ,≤, ∧, ∨,⊥,⊤ >, Ai ∈ uco(C )

Lattice of Abstract Domains ≡ Lattice ucoA ≡ ρ(C )

< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >





< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >

A1 ⊑ A2 ⇔ A2 ⊆ A1





< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >

A1 ⊑ A2 ⇔ A2 ⊆ A1

⊓iAi = M(∪iAi )





< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >

A1 ⊑ A2 ⇔ A2 ⊆ A1

⊓iAi = M(∪iAi )

⊔iAi = ∩iAi





< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >

A1 ⊑ A2 ⇔ A2 ⊆ A1

⊓iAi = M(∪iAi )

⊔iAi = ∩iAi

x

C

Top:

A





< uco(C ),⊑,⊓,⊔, λx . ⊤, λx . x >

A1 ⊑ A2 ⇔ A2 ⊆ A1

⊓iAi = M(∪iAi )

⊔iAi = ∩iAi

x

C

Top:

x

C A

x

Bottom:

A


PARTITIONS VS ABSTRACT DOMAINS

Partitions uniquely correspond to particular abstract domains: PARTITIONING

[RT’04,HM’05]




[RT’04,HM’05]

η ∈ uco(℘(C )) ⇒ ∀x , y . x Relη y iff η(x ) = η(y)

O

1 2 3 4

1234

123




[RT’04,HM’05]


O

1 2 3 4

23

14

1234

123 234




[RT’04,HM’05]


R ∈ Eq(C ) ⇒ CloR(X )def=

S

x∈X [x ]R

O

1 2 3 4

23

14

1234

123 234




[RT’04,HM’05]


R ∈ Eq(C ) ⇒ CloR(X )def=

S

x∈X [x ]R

Π(η)def= CloRelη ⊑ η


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρη

BACKWARD COMPLETENESS: η◦f ◦ρ = η◦f


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρη

BACKWARD IN -COMPLETENESS: η◦f ◦ρ ≥ η◦f


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρη

Making BACKWARD COMPLETE: Refining input domains [GRS’00]


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρη

Making BACKWARD COMPLETE: Simplifying output domains [GRS’00]


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρ

η

FORWARD COMPLETENESS: η◦f ◦ρ = f ◦ρ


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρ

η

FORWARD IN-COMPLETENESS: η◦f ◦ρ ≥ f ◦ρ


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρ

η

Making FORWARD COMPLETE: Refining output domains [GQ’01]


COMPLETENESS

⊤ ⊤

⊥ ⊥

ρ

η

Making FORWARD COMPLETE: Simplifying input domains [GQ’01]


STABILITY

Let S and R, resp., an output and an input partition, let p be a binary relation:

STABILITY : S is stable wrt R if ∀X ∈ S, Y ∈ R we haveX ∩ p(Y ) 6= ∅ ⇒ X ⊆ p(Y )


STABILITY



pY

X


STABILITY



pY


MAIN CONTRIBUTION

WHAT ALREADY EXISTS:

A correspondence between stability and forward completeness[RANZATO & TAPPARO ’05];

A refinement algorithm for partition stability [PAIGE & TARJAN’87];

A refinement transformer for abstract domain completeness[GIACOBAZZI ET AL .’00, GIACOBAZZI & QUINTARELLI ’01];

A simplification transformer for abstract domain completeness[GIACOBAZZI ET AL .’00, GIACOBAZZI & QUINTARELLI ’01];;


MAIN CONTRIBUTION

WHAT DOES NOT EXIST:

A characterization of completeness for partitions;

A notion of partition stability/completeness for the backward direction;

A simplification algorithm for partition stability


STABILITY VS FORWARD COMPLETENESS

F-STABILITY : X ∩ f (Y ) 6= ∅ ⇒ X ⊆ f (Y ) [PT’87,RT’05]




f

SR Y

X f ( X )




f

SR Y

X f ( X )F-COMPLETENESS: [f ([x ]R)]S = f ([x ]R)




f

SR Y

X f ( X )F-COMPLETENESS: [f ([x ]R)]S = f ([x ]R) ⇔ (∀X ∈ CloR ⇒ f (X ) ∈ CloS)

⊥

⊤

A Y B

A Y

∪ A B∪

B Y∪

⊥

⊤X C D

X C∪ X D

∪

C D

∪f


STABILITY VS BACKWARD COMPLETENESS

B-STABILITY : X ∩ f (Y ) 6= ∅ ⇒ f (Y ) ⊆ X




fSR Y

X f ( Y )




fSR Y

X

{ Y | f ( Y ) X }⊆Deriving Bisimulations by Simplifying Partitions – p.9/15



fSR Y

X

{ Y | f ( Y ) X }⊆B-COMPLETENESS:[f ([x ]R)]S = [f (x )]S




fSR Y

X

{ Y | f ( Y ) X }⊆B-COMPLETENESS:[f ([x ]R)]S = [f (x )]S ⇔ (∀X ∈ CloS ⇒ max

{Y

˛

˛

˛ f (Y ) ⊆ X}∈ CloR)

⊥

⊤

A Y B

A Y

∪ A B∪

B Y∪

⊥

⊤

X C D

X C∪ X D

∪

C D

∪f


BACKWARD VS FORWARD

A domain is backward complete wrt f iff it is forward complete wrt

f + = λX .S

{Y

˛

˛

˛ f (Y ) ⊆ X}

;

A (not trivial) partition is backward stable wrt f iff it is forward stable wrt

f −1 = λX .{

y˛

˛

˛ f (y) ∈ X}

;

If f is injective, a (not trivial) partition is forward stable wrt f iff it isbackward stable wrt f −1;


BACKWARD VS FORWARD

A domain is backward complete wrt f iff it is forward complete wrt

f + = λX .S

{Y

˛

˛

˛ f (Y ) ⊆ X}

;

A (not trivial) partition is backward stable wrt f iff it is forward stable wrt

f −1 = λX .{

y˛

˛

˛ f (y) ∈ X}

;

If f is injective, a (not trivial) partition is forward stable wrt f iff it isbackward stable wrt f −1;

A backward problem can always be transformed in a forward one,but the viceversa is not always possible!


REFINING FOR STABILITY: PT GENERALIZED

The best refinement towards forward stability always exists![PT’87]




P : Partition

PTSplitf (S ,P) :

{Partition obtained from P by replacingeach block B ∈ P with B ∩ f (S) and B r f (S)

PTRefinersf (P)def=

{S

˛

˛

˛ P 6= PTSplitf (S ,P) ∧ ∃{Bi }i ⊆ P. S =S

i Bi

}

PT-Algorithmf :

while (P is not stable) dochoose S ∈ PTRefinersf (P);

P := PTSplitf (S ,P);

endwhile

[RT’05]




The best refinement towards backward stability always exists!




The best refinement towards backward stability always exists!

⇓We can use the PT algorithm since a backward problem wrt f corresponds

always to a forward problem wrt f −1.


SIMPLIFYING FOR STABILITY

The best simplification towards backward stability always exists!




PTSimplifiersf (S)def=

{X

˛

˛

˛ X ∩ f (S) 6= ∅

}

PTMergef (S ,P) :

Partition obtained from P by replacingall the blocks X ∈ PTSimplifiersf (S) withS

PTSimplifiersf (S)

DPT-Algorithmf :

while (P is not stable) dochoose S ∈ PTSimplifiersf (P);

P := PTMergef (S ,P));

endwhile




The best simplification towards forward stability DOES NOTalways exist!




The best simplification towards forward stability DOES NOTalways exist!

EXAMPLE :Consider f (x ) = 2x . ⊤ is not stable (f (⊤) = even ⊂ ⊤).Consider R = {even, odd } (Parity partition), then

even ∩ f (odd) 6= ∅ since 6 ∈ f (3) andeven 6⊆ f (odd) since 4 /∈ f (odd)

⇒ A forward stable simplification does not exist!


STABILITY IN ABSTRACT NON INTERFERENCE

ABSTRACT NON INTERFERENCE: [GM’04]Fixed an observation of public input, the variation of

private input has not to interfere with the observation of the public output.

⇓∀l1, l2 ∈ V

L, h1, h2 ∈ VH. η(l1) = η(l2) ⇒ ρ(JPK(h1, l1)L) = ρ(JPK(h2, l2)L)





⇓∀l1, l2 ∈ V


Let Υ(η(l)) denote the sets of value that has to be indistinguishable by amalicious attacker observing η in input (Υ(η(l)) = JPK(VH, η(l))L).





⇓∀l1, l2 ∈ V



Υ(L1)Υ(L2)





⇓∀l1, l2 ∈ V



Υ(L1)Υ(L2)

Y ∩ Υ(L1) "= ∅ and Υ(L1) "⊆ Y





⇓∀l1, l2 ∈ V



THEOREM: The domain{

X˛

˛

˛ X is backward stable wrt Υ}

is the strongest

harmless attacker for deterministic systems.


STABILITY FOR OPACITY

OPAQUE PREDICATE: A predicate φ over the semantics of a system,is opaque wrt the observation function obs if, for every execution t1

satisfying φ there is an execution t2 which does not satisfy φ,such that obs(t1) =obs(t2). [Bryans et al. ’05]





⇓∀t . obs(t) ∩ φ 6= ∅ and obs(t) 6⊆ φ

(φ NOT backward stable wrt obs)





⇓∀t . obs(t) ∩ φ 6= ∅ and obs(t) 6⊆ φ


EXAMPLE :φ = 3|(x3 − x ), attacker capability α = {Z, 3Z, Z r 3Z, ∅}

⇒ If the attacker can observe the predicate as the bca of all the functioncomposing φ then obs(2) ∩ φ = Z ∩ φ 6= ∅, while obs(2) 6⊆ φ.





⇓∀t . obs(t) ∩ φ 6= ∅ and obs(t) 6⊆ φ


⇒ Completeness can be exploited for certifying the resilience of opaquepredicates to reverse engineering;

⇒ Opacity provides new expectations in seeking domain transformersincreasing incompleteness,


DISCUSSION

We extend the existing notion of stability (corresponding to forwardcompleteness for partitions) also to the backward direction;

We dualize the existing refinement algorithm for stability in order tosimplify partitions;

The simplification algorithm can be considered for simplifying abstractmodels in abstract model checking;

We show fields of computer science where the new stability notionmodels existing concepts:¬

The strongest harmless attacker in abstract non-interference[Giacobazzi & Mastroeni ’04, Hunt & Mastroeni ’05]

Opacity for abstract observations of programs


Isabella Mastroeni - Profs Area Scienze ed...

Documents

Transcript of Isabella Mastroeni - Profs Area Scienze ed...