Holistic Specifications for Robust Programs

Drossopoulou, Sophia; Noble, James; Mackay, Julian; Eisenbach, Susan

doi:10.1007/978-3-030-45234-6_21

Cited by 6 publications

(9 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…TooL is straightforward: Appendix A contains the full definitions. TooL is based on ℒ oo [Drossopoulou et al 2020b], with some small variations, as well as the addition of a simple type system -more in 4. As discussed in §2.5, open world specifications need to be able to provide guarantees which hold during execution of an internal, known, trusted module 𝑀 when linked together with any unknown, untrusted, module 𝑀 ′ .…”

Section: Toolmentioning

confidence: 99%

“…To express our focus on external states, we define the external states semantics, of the form 𝑀 ′ ; 𝑀, 𝜎 𝜎 ′ , where 𝑀 ′ is the external module, and 𝑀 is the internal module, and where we collapse all internal steps into one single step. Drossopoulou et al [2020b] provides a simple graphical description of our external states semantics: (A) is the "normal" execution after linking two modules into one: 𝑀 ′ • 𝑀, ... ... whereas (B) is the external states execution when 𝑀 ′ is external, 𝑀 ′ ; 𝑀, ... .... Note that whether a module is external or internal depends on perspective -nothing in a module itself renders it internal or external.…”

Section: Toolmentioning

confidence: 99%

“…Nevertheless, the logic of 𝐴 remains classical because recursion is restricted to expressions, and not generally to assertions. We have taken this approach from Drossopoulou et al [2020b], which also contains a mechanized Coq proof that assertions are classical [Drossopoulou et al 2020a]. The semantics of ↩→ is unsurprising (see Fig.…”

Section: Syntax Of Assertmentioning

confidence: 99%

“…no decrease in balance without access to password). VerX [Permenev et al 2020a] and Chainmail [Drossopoulou et al 2020b] also work on problem-specific guarantees. Both these approaches are able to express necessary conditions like 𝑺 robust_1 using temporal logic operators and implication, and Chainmail is able to express 𝑺 robust_2 , however neither have a proof logic to prove adherence to such specifications.…”

Section: Introduction: Necessary Conditions and Robustnessmentioning

confidence: 99%

See 3 more Smart Citations

Necessity Specifications for Robustness

Mackay¹,

Drossopoulou²,

Noble³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Robust modules guarantee to do only what they are supposed to do -even in the presence of untrusted, malicious clients, and considering not just the direct behaviour of individual methods, but also the emergent behaviour from calls to more than one method. Necessity is a language for specifying robustness, based on novel necessity operators capturing temporal implication, and a proof logic that derives explicit robustness specifications from functional specifications. Soundness and an exemplar proof are mechanised in Coq.CCS Concepts: • Software and its engineering → General programming languages.

show abstract

Section: Toolmentioning

confidence: 99%

Section: Toolmentioning

confidence: 99%

Section: Syntax Of Assertmentioning

confidence: 99%

Section: Introduction: Necessary Conditions and Robustnessmentioning

confidence: 99%

See 2 more Smart Citations

Necessity Specifications for Robustness

Mackay¹,

Drossopoulou²,

Noble³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Model We have constructed a Coq model 7 [23] of the core of the Chainmail specification language, along with the underlying L oo language. Our formalism is organised as follows:…”

Section: Properties Of Assertionsmentioning

confidence: 99%

Holistic Specifications for Robust Programs

Drossopoulou

Noble

Mackay

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Functional specifications describe what program components can do: the sufficient conditions to invoke components' operations. They allow us to reason about the use of components in a closed world setting, where components interact with known client code, and where the client code must establish the appropriate pre-conditions before calling into a component. Sufficient conditions are not enough to reason about the use of components in an open world setting, where components interact with external code, possibly of unknown provenance, and where components may evolve over time. In this open world setting, we must also consider the necessary conditions, i.e. what are the conditions without which an effect will not happen.In this paper we propose the Chainmail specification language for writing holistic specifications that focus on necessary conditions (as well as sufficient conditions). We give a formal semantics for Chainmail, and discuss several examples. The core of Chainmail has been mechanised in the Coq proof assistant.

show abstract

Efficient and provable local capability revocation using uninitialized capabilities

Georges

Guéneau

Strydonck

et al. 2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities : a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine.

show abstract

Holistic Specifications for Robust Programs

Cited by 6 publications

References 42 publications

Necessity Specifications for Robustness

Necessity Specifications for Robustness

Holistic Specifications for Robust Programs

Efficient and provable local capability revocation using uninitialized capabilities

Contact Info

Product

Resources

About