Tool-Assisted Specification and Verification of the JavaCard...
-
Upload
hoangkhanh -
Category
Documents
-
view
222 -
download
3
Transcript of Tool-Assisted Specification and Verification of the JavaCard...
![Page 1: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/1.jpg)
Tool-Assisted Specification andVerification of the JavaCard
Platform
Gilles BartheINRIA Sophia-Antipolis, France
Joint work with: P. Courtieu, G. Dufay, M. Huisman,L. Jakubiec, B. Serpette, S. Melo de Sousa, S. Stratulat
� ��� � ��
![Page 2: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/2.jpg)
New generation smartcards
� Flexibility
� High-level language for developing applets
� Multi-application and post-issuance
� New Security Threats
� Confidentiality
� Integrity
� Availability
� ��� � ��
![Page 3: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/3.jpg)
Formal verification for smartcards
� Motivations
� Complex software with high demands on security
� Common Criteria require formal methods at levelsEAL5-EAL7
FocusPlatform vs. program verification
Bytecode vs. source level
� ��� � ��
![Page 4: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/4.jpg)
Formal verification for smartcards
� Motivations
� Complex software with high demands on security
� Common Criteria require formal methods at levelsEAL5-EAL7
� Focus
� Platform vs. program verification
� Bytecode vs. source level
� ��� � ��
![Page 5: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/5.jpg)
Overview
� JavaCard
� CertiCartes: verification of the JavaCard platform
� Jakarta: tool support for specification and verificationof virtual machines
� ��� � ��
![Page 6: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/6.jpg)
JavaCard
� A superset of a subset of Java:
� A subset: no large datatypes, security manager,dynamic class loading, (garbage collection). . .
� A superset: firewall, entry points, shareableinterfaces, transactions, etc.
� JavaCard programs use the JavaCard APIs
� ��� � ��
![Page 7: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/7.jpg)
The JavaCard Platform
Virtual Machine
APIs
Industry−Specific Extensions
Operating System
011100011101011010011111001110110111100100110
Applet011100011101011010011111001110110111100100110
Applet011100011101011010011111001110110111100100110
Applet
LinkingLoading
011100011101011010011111001110110111100100110
Java compilerClass File Converter
Cap File Builder
package fr.inri
import javacar
public class no public Object
011100011101011010011111001110110111100100110
Bytecode verifier
Class fileJava source Cap file
� ��� � ��
![Page 8: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/8.jpg)
CertiCartes
Formal specification/verification of:
� JCVMs: small-step semantics
exec : s ta te � > re tu rned_s ta te
� written in Coq but use a neutral style
� executable with the JCVM Tools
� BCV: executable in Caml
� part of the JCRE
� ��� � ��
![Page 9: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/9.jpg)
Program model
Record jcprogram : Set : = { i n t e r f a c e s : ( l i s t I n t e r f a c e ) ;
c lasses : ( l i s t Class ) ;
methods : ( l i s t Method ) } .
Record Method : Set : = {
i s _ s t a t i c : bool ;
s igna tu re : ( ( l i s t type ) � type ) ;
l o c a l : nat ; ( � Number o f l o c a l va r i ab l es )
h a n d l e r _ l i s t : ( l i s t handler_type ) ; ( � Except ion handlers )
bytecode : ( l i s t I n s t r u c t i o n ) ; ( � i n s t r u c t i o n s to be executed )
method_id : method_idx ; ( � Index o f the method i n program )
owner : c lass_ idx ( � Index o f the owning c lass ) } .
� ��� � ��
![Page 10: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/10.jpg)
Memory model
� Stack as a list of frames
Record frame : Set : = {
locvars : ( l i s t va lu ) ; ( � Local Var iab les )
opstack : ( l i s t va lu ) ; ( � Operand stack )
p_count : bytecode_idx ; ( � Program counter )
method_loc : method_idx ; ( � Locat ion o f the method )
con tex t_ re f : package ; ( � Context In fo rma t i on ) } .
� State
D e f i n i t i o n s ta te : = s ta t i c_heap � heap � stack .
� ��� � ��
![Page 11: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/11.jpg)
InstructionD e f i n i t i o n NEW : = [ idx : cap_class_idx ] [ s t a te : jcvm_state ]
Cases ( s tack_ f s ta te ) o f
( cons h l f ) = >
( � Ex t rac t the owner c lass from thew c a p _ f i l e � )
Cases ( N th_e l t ( c lasses cap ) idx ) o f
( � then a new ins tance i s created and pushed i n t o the heap � )
(Some c l ) = > l e t new_obj = . . . i n
( Normal
( Bu i ld_ jcvm_sta te
( sheap_f s ta te )
( app ( heap_f s ta te ) new_obj )
( � the re ference o f the created ob jec t i s pushed i n t o the opstack � )
( cons
( update_opstack ( cons ( vRef ( vRef_instance idx ( S ( leng th ( heap_f s ta te ) ) ) ) ) ( opstack h ) ) h )
l f ) ) ) |
None = > ( AbortCode class_membership_error s ta te )
end |
_ = > ( AbortCode s t a t e _ e r r o r s ta te )
end .
� ��� �� ��
![Page 12: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/12.jpg)
Virtual Machines Specification
� Defensive JCVM is closest to specification:
� It manipulates typed values
� Types are checked at run-time
Offensive JCVM is closest to implementation:
It manipulates untyped values
Type correctness enforced by BCV
Abstract JCVM used in bytecode verification:
Manipulates types as values
Operates on a method-per-method basis
� ��� � � ��
![Page 13: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/13.jpg)
Virtual Machines Specification
� Defensive JCVM is closest to specification:
� It manipulates typed values
� Types are checked at run-time
� Offensive JCVM is closest to implementation:
� It manipulates untyped values
� Type correctness enforced by BCV
Abstract JCVM used in bytecode verification:
Manipulates types as values
Operates on a method-per-method basis
� ��� � � ��
![Page 14: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/14.jpg)
Virtual Machines Specification
� Defensive JCVM is closest to specification:
� It manipulates typed values
� Types are checked at run-time
� Offensive JCVM is closest to implementation:
� It manipulates untyped values
� Type correctness enforced by BCV
� Abstract JCVM used in bytecode verification:
� Manipulates types as values
� Operates on a method-per-method basis
� ��� � � ��
![Page 15: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/15.jpg)
Cross-Validation
Defensive and offensive VMs coincide on programs thatare well-typed for the abstract VM
offensive and defensive VMs coincide on programswell-typed for the defensive VM
programs that are well-typed for the abstract VM arewell-typed with the defensive VM
Best viewed as some form of correctness of abstractinterpretations
� ��� � � ��
![Page 16: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/16.jpg)
Cross-Validation
Defensive and offensive VMs coincide on programs thatare well-typed for the abstract VM
� offensive and defensive VMs coincide on programswell-typed for the defensive VM
programs that are well-typed for the abstract VM arewell-typed with the defensive VM
Best viewed as some form of correctness of abstractinterpretations
� ��� � � ��
![Page 17: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/17.jpg)
Cross-Validation
Defensive and offensive VMs coincide on programs thatare well-typed for the abstract VM
� offensive and defensive VMs coincide on programswell-typed for the defensive VM
� programs that are well-typed for the abstract VM arewell-typed with the defensive VM
Best viewed as some form of correctness of abstractinterpretations
� ��� � � ��
![Page 18: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/18.jpg)
Cross-Validation
Defensive and offensive VMs coincide on programs thatare well-typed for the abstract VM
� offensive and defensive VMs coincide on programswell-typed for the defensive VM
� programs that are well-typed for the abstract VM arewell-typed with the defensive VM
Best viewed as some form of correctness of abstractinterpretations
� ��� � � ��
![Page 19: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/19.jpg)
Offensive vs. Defensive
� Abstraction function: ��� � � ���� ��
Diagram commutes
��
//
��//
if defensive VM does not raise typing errors
� ��� � � ��
![Page 20: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/20.jpg)
Offensive vs. Defensive
� Abstraction function: ��� � � ���� ��
� Diagram commutes
��� � � �����
����� � �
//
��� � � � ����� �
��� � � � ��� � � � �// � � � � � ���
if defensive VM does not raise typing errors
� ��� � � ��
![Page 21: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/21.jpg)
Abstract vs. Defensive
� Abstraction function: ����
� ���� � �
Diagram commutes
��
//� _
��//
if “execution keeps in the same frame”
� ��� � � ��
![Page 22: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/22.jpg)
Abstract vs. Defensive
� Abstraction function: ����
� ���� � �
� Diagram commutes
��� � � �������
����� � �
//
��� � � � ���
� _
�� � �
���� � � ��� �� � �// �� � � � � � �
if “execution keeps in the same frame”
� ��� � � ��
![Page 23: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/23.jpg)
Bytecode verifier
� Reject programs which go wrong (on the abstractVM) using dataflow analysis (Kildall’s algorithm)
Defensive and offensive machines coincide onprograms that pass bytecode verification
Proof builds upon commuting diagrams, correctnessof DFA, methodwise verification, and monotonicity ofabstract VM
� ��� � � ��
![Page 24: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/24.jpg)
Bytecode verifier
� Reject programs which go wrong (on the abstractVM) using dataflow analysis (Kildall’s algorithm)
� Defensive and offensive machines coincide onprograms that pass bytecode verification
Proof builds upon commuting diagrams, correctnessof DFA, methodwise verification, and monotonicity ofabstract VM
� ��� � � ��
![Page 25: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/25.jpg)
Bytecode verifier
� Reject programs which go wrong (on the abstractVM) using dataflow analysis (Kildall’s algorithm)
� Defensive and offensive machines coincide onprograms that pass bytecode verification
� Proof builds upon commuting diagrams, correctnessof DFA, methodwise verification, and monotonicity ofabstract VM
� ��� � � ��
![Page 26: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/26.jpg)
Assessment
� Positive evaluation from Gemplus but CertiCartes isan in-depth feasibility study
A complete formalization of the JavaCard platform islabour intensive (E. Giménez)
The methodology works well and could be used forother analyses
High-level of automation is possible
Specifications use a restricted language and proofsuse well-understood techniques
� ��� � � ��
![Page 27: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/27.jpg)
Assessment
� Positive evaluation from Gemplus but CertiCartes isan in-depth feasibility study
� A complete formalization of the JavaCard platform islabour intensive (E. Giménez)
The methodology works well and could be used forother analyses
High-level of automation is possible
Specifications use a restricted language and proofsuse well-understood techniques
� ��� � � ��
![Page 28: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/28.jpg)
Assessment
� Positive evaluation from Gemplus but CertiCartes isan in-depth feasibility study
� A complete formalization of the JavaCard platform islabour intensive (E. Giménez)
� The methodology works well and could be used forother analyses
High-level of automation is possible
Specifications use a restricted language and proofsuse well-understood techniques
� ��� � � ��
![Page 29: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/29.jpg)
Assessment
� Positive evaluation from Gemplus but CertiCartes isan in-depth feasibility study
� A complete formalization of the JavaCard platform islabour intensive (E. Giménez)
� The methodology works well and could be used forother analyses
� High-level of automation is possible
Specifications use a restricted language and proofsuse well-understood techniques
� ��� � � ��
![Page 30: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/30.jpg)
Assessment
� Positive evaluation from Gemplus but CertiCartes isan in-depth feasibility study
� A complete formalization of the JavaCard platform islabour intensive (E. Giménez)
� The methodology works well and could be used forother analyses
� High-level of automation is possible
� Specifications use a restricted language and proofsuse well-understood techniques
� ��� � � ��
![Page 31: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/31.jpg)
Jakarta
� A dedicated environment for formal specification andverification of typed low-level languages
Designed to support:
executable specifications
abstractions (and refinement) of specifications
automation of correctness proofs
� ��� � � ��
![Page 32: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/32.jpg)
Jakarta
� A dedicated environment for formal specification andverification of typed low-level languages
� Designed to support:
� executable specifications
� abstractions (and refinement) of specifications
� automation of correctness proofs
� ��� � � ��
![Page 33: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/33.jpg)
Current focus
� Input: defensive virtual machine
Output:
offensive and abstract virtual machines
offensive and defensive machines coincide onwell-typed programsprograms that are ill-typed for the defensive VM
are ill-typed with the abstract VMthe abstract virtual machine is monotone
� ��� � � ��
![Page 34: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/34.jpg)
Current focus
� Input: defensive virtual machine
� Output:
offensive and abstract virtual machines
offensive and defensive machines coincide onwell-typed programsprograms that are ill-typed for the defensive VM
are ill-typed with the abstract VMthe abstract virtual machine is monotone
� ��� � � ��
![Page 35: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/35.jpg)
Current focus
� Input: defensive virtual machine
� Output:
� offensive and abstract virtual machines
offensive and defensive machines coincide onwell-typed programsprograms that are ill-typed for the defensive VM
are ill-typed with the abstract VMthe abstract virtual machine is monotone
� ��� � � ��
![Page 36: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/36.jpg)
Current focus
� Input: defensive virtual machine
� Output:
� offensive and abstract virtual machines
� offensive and defensive machines coincide onwell-typed programs
programs that are ill-typed for the defensive VMare ill-typed with the abstract VMthe abstract virtual machine is monotone
� ��� � � ��
![Page 37: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/37.jpg)
Current focus
� Input: defensive virtual machine
� Output:
� offensive and abstract virtual machines
� offensive and defensive machines coincide onwell-typed programs
� programs that are ill-typed for the defensive VMare ill-typed with the abstract VM
the abstract virtual machine is monotone
� ��� � � ��
![Page 38: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/38.jpg)
Current focus
� Input: defensive virtual machine
� Output:
� offensive and abstract virtual machines
� offensive and defensive machines coincide onwell-typed programs
� programs that are ill-typed for the defensive VMare ill-typed with the abstract VM
� the abstract virtual machine is monotone
� ��� � � ��
![Page 39: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/39.jpg)
Jakarta Specification Language
� JSL types are first-order polymorphic types
� JSL expressions are first-order algebraic terms
� � � � � � � � ��� �� � ��
� Functions defined by conditional rewrite rules
��� � � � � � ��� � �
where �� are patterns with fresh variables
� ��� � � ��
![Page 40: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/40.jpg)
Compiling JSL Specifications
� Specifications are executed by rewriting engines
� Deterministic specifications are compiled intocase-expressions then CAML, Coq, Isabelle, PVS
� Non-deterministic specifications �� � aretranslated into
� � � � �
� Partial specifications �� � are translated into
� �� � �
� ��� � � ��
![Page 41: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/41.jpg)
Abstractions
� For each datatype� define
�� and�
��
�
�� ��
For each defined function , defineby transforming into
Not a legal rule: substitution and cleaning stepsdeclared in abstraction scripts
Generated offensive and abstract JCVMs
� ��� � � ��
![Page 42: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/42.jpg)
Abstractions
� For each datatype� define
�� and�
��
�
�� ��
� For each defined function �� �, define
�
� ��
by transforming
� � � � � � � ��� � �
into
� �� � � � �� � � � �
� �� � � � � � � � � �
Not a legal rule: substitution and cleaning stepsdeclared in abstraction scripts
Generated offensive and abstract JCVMs
� ��� � � ��
![Page 43: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/43.jpg)
Abstractions
� For each datatype� define
�� and�
��
�
�� ��
� For each defined function �� �, define
�
� ��
by transforming
� � � � � � � ��� � �
into
� �� � � � �� � � � �
� �� � � � � � � � � �
� Not a legal rule: substitution and cleaning stepsdeclared in abstraction scripts
Generated offensive and abstract JCVMs
� ��� � � ��
![Page 44: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/44.jpg)
Abstractions
� For each datatype� define
�� and�
��
�
�� ��
� For each defined function �� �, define
�
� ��
by transforming
� � � � � � � ��� � �
into
� �� � � � �� � � � �
� �� � � � � � � � � �
� Not a legal rule: substitution and cleaning stepsdeclared in abstraction scripts
� Generated offensive and abstract JCVMs
� ��� � � ��
![Page 45: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/45.jpg)
Proof automation using Coq
� Mostly case analysis + equational reasoning
Built tactics that reduce to
and perform some equational reasoning
Further automation of equational reasoningis highly desirable
Exploiting abstraction scripts seems promising
� ��� � � ��
![Page 46: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/46.jpg)
Proof automation using Coq
� Mostly case analysis + equational reasoning
� Built tactics that reduce
� ��� �� ����
��� to
� ���� ���� ����
�� ��� � �� �
� ��� � �� � � � �����
� �� �
and perform some equational reasoning
Further automation of equational reasoningis highly desirable
Exploiting abstraction scripts seems promising
� ��� � � ��
![Page 47: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/47.jpg)
Proof automation using Coq
� Mostly case analysis + equational reasoning
� Built tactics that reduce
� ��� �� ����
��� to
� ���� ���� ����
�� ��� � �� �
� ��� � �� � � � �����
� �� �
and perform some equational reasoning
� Further automation of equational reasoningis highly desirable
Exploiting abstraction scripts seems promising
� ��� � � ��
![Page 48: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/48.jpg)
Proof automation using Coq
� Mostly case analysis + equational reasoning
� Built tactics that reduce
� ��� �� ����
��� to
� ���� ���� ����
�� ��� � �� �
� ��� � �� � � � �����
� �� �
and perform some equational reasoning
� Further automation of equational reasoningis highly desirable
� Exploiting abstraction scripts seems promising
� ��� � � ��
![Page 49: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/49.jpg)
Proof automation using Spike
� Spike is a first-order prover for “inductive theorems”
Cross-validation of the VMs for 2/3 of bytecodes
Now applying Spike to prove the monotonicity ofabstract VM
� ��� � � ��
![Page 50: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/50.jpg)
Proof automation using Spike
� Spike is a first-order prover for “inductive theorems”
� Cross-validation of the VMs for 2/3 of bytecodes
Now applying Spike to prove the monotonicity ofabstract VM
� ��� � � ��
![Page 51: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/51.jpg)
Proof automation using Spike
� Spike is a first-order prover for “inductive theorems”
� Cross-validation of the VMs for 2/3 of bytecodes
� Now applying Spike to prove the monotonicity ofabstract VM
� ��� � � ��
![Page 52: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/52.jpg)
Conclusions
� Formal specification and verification of the JavaCardplatform is feasible but labor-intensive
Tool support for formal specification and verificationof (type safety for) low-level typed languages
Some interesting topics:
extracting code or tests from specificationstools for certifying certifying compilers
For further information www.inria.fr/lemme/verificard
� ��� � � ��
![Page 53: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/53.jpg)
Conclusions
� Formal specification and verification of the JavaCardplatform is feasible but labor-intensive
� Tool support for formal specification and verificationof (type safety for) low-level typed languages
Some interesting topics:
extracting code or tests from specificationstools for certifying certifying compilers
For further information www.inria.fr/lemme/verificard
� ��� � � ��
![Page 54: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/54.jpg)
Conclusions
� Formal specification and verification of the JavaCardplatform is feasible but labor-intensive
� Tool support for formal specification and verificationof (type safety for) low-level typed languages
� Some interesting topics:
� extracting code or tests from specifications
� tools for certifying certifying compilers
For further information www.inria.fr/lemme/verificard
� ��� � � ��
![Page 55: Tool-Assisted Specification and Verification of the JavaCard …pszgmh/appsem-slides/barthe.pdf · Tool-Assisted Specification and Verification of the JavaCard Platform Gilles](https://reader031.fdocuments.net/reader031/viewer/2022030506/5ab53c5d7f8b9a156d8c913c/html5/thumbnails/55.jpg)
Conclusions
� Formal specification and verification of the JavaCardplatform is feasible but labor-intensive
� Tool support for formal specification and verificationof (type safety for) low-level typed languages
� Some interesting topics:
� extracting code or tests from specifications
� tools for certifying certifying compilers
� For further information www.inria.fr/lemme/verificard
� ��� � � ��