Yang Zhao,Ligong Yu,Jia Bei

DOI: https://doi.org/10.1109/csse.2008.890

2008-01-01

Abstract:This paper proposes to use permissions to assure some important parallel interference patterns in multithreaded programs. With pre-defined annotations, programmers are able to express their design intent which could be interpreted as permission representations. A permission is a value associated with some piece of state in a program and it is designed to permit certain operations. There are two inherent transformations among permissions: fraction and nesting, such that the former allows one permission to be split into several pieces, while the latter builds a protection relation between the nested and nester permissions. Based on the permission interpretation and reasoning, we are able to tell whether the high level annotations match with the low level program code and hence some important interference patterns in multithreaded programs could be assured.

Yang Zhao,Ligong Yu,Jia Bei

DOI: https://doi.org/10.1109/icacte.2008.51

2008-01-01

Abstract:Lock-based synchronization is widely used to avoid data races in multithreaded programs. However it is usually painful to verify the safety and correctness of lock usage because there may be some unpredictable interferences among different threads in parallel. In order to assure the usage of mutual-exclusion locks, we propose to interpret the synchronization policy as permission representations. A permission is a value associated with some piece of state in a program and it is designed to permit certain operations. Permission includes a characteristic property: "nesting," such that one permission may be designed to be nested into the other, with which we are able to simulate lock protection annotations and hence detect whether high level annotations match with underlying program code.

JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Lì Jiāng,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/cis.2007.58

2007-01-01

Abstract:Language-based information flow security proper- ties such as noninterference ensure confidential data cannot interfere with public data. But in real comput- ing systems sensitive information sometimes needs to be released or to become more confidential. In this paper, we propose a new security property including support for both information release and erasure. Since the property is in the style of strong bisimulation equivalence, it is applicable to multi-threaded pro- grams. To ensure that declassification cannot be ex- ploited to reveal more secret data than intended, our property addresses what information may be released. Moreover, the property guarantees that dynamic up- grading the security label of data due to erasure re- quirement cannot affect the publicly visible behavior.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Christian Haack,Marieke Huisman,Clément Hurlin,Afshin Amighi

DOI: https://doi.org/10.2168/lmcs-11(1:2)2015

2015-02-27

Logical Methods in Computer Science

Abstract:This paper presents a program logic for reasoning about multithreaded Java-like programs with dynamic thread creation, thread joining and reentrant object monitors. The logic is based on concurrent separation logic. It is the first detailed adaptation of concurrent separation logic to a multithreaded Java-like language. The program logic associates a unique static access permission with each heap location, ensuring exclusive write accesses and ruling out data races. Concurrent reads are supported through fractional permissions. Permissions can be transferred between threads upon thread starting, thread joining, initial monitor entrancies and final monitor exits. In order to distinguish between initial monitor entrancies and monitor reentrancies, auxiliary variables keep track of multisets of currently held monitors. Data abstraction and behavioral subtyping are facilitated through abstract predicates, which are also used to represent monitor invariants, preconditions for thread starting and postconditions for thread joining. Value-parametrized types allow to conveniently capture common strong global invariants, like static object ownership relations. The program logic is presented for a model language with Java-like classes and interfaces, the soundness of the program logic is proven, and a number of illustrative examples are presented.

computer science, theory & methods,logic

Wn Chin,A Takano,Zj Hu

DOI: https://doi.org/10.1109/iccl.1998.674166

1998-01-01

Abstract:Abstract program schemes, such as scan or homomorphism, can capture a wide range of data parallel programs. While versatile, these schemes are of limited practical use on their own. A key problem is that the more natural sequential specifications may not have associative combine operators required by these schemes. As a result, they often fail to be immediately identified. To resolve this problem, the authors propose a method to systematically derive parallel programs from sequential definitions. This method is special in that it can automatically invent auxiliary functions needed by associative combine operators. Apart from a formalisation, they also provide new theorems, based on the notion of context preservation, to guarantee parallelization for a precise class of sequential programs.

Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.48550/arXiv.0912.4184

2009-12-21

Abstract:This paper presents an extension to Hoare logic for pointer program verification. First, the Logic for Partial Function (LPF) used by VDM is extended to specify memory access using pointers and memory layout of composite types. Then, the concepts of data-retrieve functions (DRF) and memory-scope functions (MSF) are introduced in this paper. People can define DRFs to retrieve abstract values from interconnected concrete data objects. The definition of the corresponding MSF of a DRF can be derived syntactically from the definition of the DRF. This MSF computes the set of memory units accessed when the DRF retrieves an abstract value. This memory unit set is called the memory scope of the abstract value. Finally, the proof rule of assignment statements in Hoare's logic is modified to deal with pointers. The basic idea is that a virtual value keeps unmodified as long as no memory unit in its scope is over-written. Another proof rule is added for memory allocation statements. The consequence rule and the rules for control-flow statements are slightly modified. They are essentially same as their original version in Hoare logic. An example is presented to show the efficacy of this logic. We also give some heuristics on how to verify pointer programs.

Logic in Computer Science

Zhao Jianhua,Li Xuandong

DOI: https://doi.org/10.1007/978-3-642-39718-9_24

2013-01-01

Abstract:This paper presents an extension to Hoare Logic for pointer program verification. The main observation leading to this logic is that the value of an expression e depends only on the contents stored in a finite set of memory units. This set can be specified using another expression (called the memory scope of e) constructed syntactically from e. A set of construction rules are given in this paper for expressions which may contain recursive functions (predicates). It is also observed that the memory scope of e is a super set of the memory scope of the memory scope of e. Based on this, local reasoning can be supported using assertion variables which represent arbitrary assertions. Program-point-specific expressions are used to specify the relations between different program points. Another feature of this logic is that for formulas with no user-defined functions, the weakest-preconditions can be calculated w.r.t. assignments.

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.

Carlos Olarte,Elaine Pimentel,Camilo Rueda

DOI: https://doi.org/10.48550/arXiv.1802.04695

2018-02-14

Abstract:A recent trend in object oriented (OO) programming languages is the use of Access Permissions (APs) as an abstraction for controlling concurrent executions of programs. The use of AP source code annotations defines a protocol specifying how object references can access the mutable state of objects. Although the use of APs simplifies the task of writing concurrent code, an unsystematic use of them can lead to subtle problems. This paper presents a declarative interpretation of APs as Linear Concurrent Constraint Programs (lcc). We represent APs as constraints (i.e., formulas in logic) in an underlying constraint system whose entailment relation models the transformation rules of APs. Moreover, we use processes in lcc to model the dependencies imposed by APs, thus allowing the faithful representation of their flow in the program. We verify relevant properties about AP programs by taking advantage of the interpretation of lcc processes as formulas in Girard's intuitionistic linear logic (ILL). Properties include deadlock detection, program correctness (whether programs adhere to their AP specifications or not), and the ability of methods to run concurrently. By relying on a focusing discipline for ILL, we provide a complexity measure for proofs of the above mentioned properties. The effectiveness of our verification techniques is demonstrated by implementing the Alcove tool that includes an animator and a verifier. The former executes the lcc model, observing the flow of APs and quickly finding inconsistencies of the APs vis-a-vis the implementation. The latter is an automatic theorem prover based on ILL. This paper is under consideration for publication in Theory and Practice of Logic Programming (TPLP).

Logic in Computer Science

Jérôme Dohrau,Alexander J. Summers,Caterina Urban,Severin Münger,Peter Müller

DOI: https://doi.org/10.48550/arXiv.1804.04091

2018-04-12

Abstract:Information about the memory locations accessed by a program is, for instance, required for program parallelisation and program verification. Existing inference techniques for this information provide only partial solutions for the important class of array-manipulating programs. In this paper, we present a static analysis that infers the memory footprint of an array program in terms of permission pre- and postconditions as used, for example, in separation logic. This formulation allows our analysis to handle concurrent programs and produces specifications that can be used by verification tools. Our analysis expresses the permissions required by a loop via maximum expressions over the individual loop iterations. These maximum expressions are then solved by a novel maximum elimination algorithm, in the spirit of quantifier elimination. Our approach is sound and is implemented; an evaluation on existing benchmarks for memory safety of array programs demonstrates accurate results, even for programs with complex access patterns and nested loops.

Programming Languages

Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.48550/arXiv.1012.2553

2010-12-13

Abstract:This paper presents an extension to Hoare logic for pointer program verification. Logic formulas with user-defined recursive functions are used to specify properties on the program states before/after program executions. Three basic functions are introduced to represents memory access, record-field access and array-element access. Some axioms are introduced to specify these basic functions in our logic. The concept Memory Scope Function (MSF) is introduced in our logic. Given a recursive function $f$, the MSF of $f$ computes the set of memory units accessed during the evaluation of $f$. A set of rules are given to derive the definition of this MSF syntactically from the definition of $f$. As MSFs are also recursive functions, they also have their MSFs. An axiom is given to specify that an MSF contains its MSF. Based on this axiom, local reasoning is supported with predicate variables. Pre-state terms are used to specify the relations between pre-states and post-states. People can use pre-state terms in post-conditions to represents the values on the pre-state. The axiom of assignment statements in Hoare's logic is modified to deal with pointers. The basic idea is that during the program execution, a recursive function is evaluated to the same value as long as no memory unit in its memory scope is modified. Another proof rule is added for memory allocation statements. We use a simple example to show that our logic can deal with pointer programs in this paper. In the appendix, the Shorre-Waite algorithm is proved using our logic. We also use the selection-sort program to show that our logic can be used to prove program with indirectly-specified components.

Logic in Computer Science

Mingsheng Ying,Yangjia Li

2018-01-01

Abstract:We initiate the study of parallel quantum programming by defining the operational and denotational semantics of parallel quantum programs. The technical contributions of this paper include: (1) find a series of useful proof rules for reasoning about correctness of parallel quantum programs; and (2) prove a strong soundness theorem of these proof rules showing that partial correctness is well maintained at each step of transitions in the operational semantics of a parallel quantum program. This is achieved by partially overcoming the following conceptual challenges that are never present in classical parallel programming: (i) the intertwining of nondeterminism caused by quantum measurements and introduced by parallelism; (ii) entanglement between component quantum programs; and (iii) combining quantum predicates in the overlap of state Hilbert spaces of component quantum programs with shared variables. It seems that a full solution to these challenges and developing a (relatively) complete proof system for parallel quantum programs are still far beyond the current reach.

袁崇义,余鹏,王生原

DOI: https://doi.org/10.3969/j.issn.1004-731x.2003.z1.006

2003-01-01

Abstract:A program system is, in the first place, a physical system, which behaves in accordance with physical laws. But it is a common convention for parallel programming models to rely on state sequences in their mathematical semantic treatment. When a partially ordered state space is fully ordered by interleaving, misleading results may emerge in program property argumentation. Possible misleading results, i.e. deviations from real execution, can be revealed with the help of Petri Nets. These deviations are related to what is called conflict, contact, concurrency and confusion in Petri Nets. This paper analyzes such misleading situations in terms of Petri Nets.

Hongjin Liang,Jan Hoffmann,Xinyu Feng,Zhong Shao

DOI: https://doi.org/10.1007/978-3-642-40184-8_17

2013-01-01

Abstract:Implementations of concurrent objects should guarantee linearizability and a progress property such as wait-freedom, lock-freedom, obstruction-freedom, starvation-freedom, or deadlock-freedom. Conventional informal or semi-formal definitions of these progress properties describe conditions under which a method call is guaranteed to complete, but it is unclear how these definitions can be utilized to formally verify system software in a layered and modular way. In this paper, we propose a unified framework based on contextual refinements to show exactly how progress properties affect the behaviors of client programs. We give formal operational definitions of all common progress properties and prove that for linearizable objects, each progress property is equivalent to a specific type of contextual refinement that preserves termination. The equivalence ensures that verification of such a contextual refinement for a concurrent object guarantees both linearizability and the corresponding progress property. Contextual refinement also enables us to verify safety and liveness properties of client programs at a high abstraction level by soundly replacing concrete method implementations with abstract atomic operations.

Ketil Stølen

2024-04-25

Abstract:A syntax-directed formal system for the development of totally correct programs with respect to an unfair shared-state parallel while-language is proposed. The system can be understood as a compositional reformulation of the Owicki/Gries method for verification of parallel programs. Auxiliary variables are used both as a specification tool to eliminate undesirable implementations, and as a verification tool to make it possible to prove that an already finished program satisfies a particular specification. Auxiliary variables may be of any sort, and it is up to the user to define the auxiliary structure he prefers. Moreover, the auxiliary structure is only a part of the logic. This means that auxiliary variables do not have to be implemented as if they were ordinary programming variables. The system is proved sound and relatively complete with respect to an operational semantics and employed to develop three nontrivial algorithms: the Dining-Philosophers, the Bubble-Lattice-Sort and the Set-Partition algorithms. Finally, a related method for the development of (possibly nonterminating) programs with respect to four properties is described. This approach is then used to develop Dekker's algorithm.

Formal Languages and Automata Theory

Hongjin Liang,Jan Hoffmann,Xinyu Feng,Zhong Shao

2013-01-01

Abstract:Implementations of concurrent objects should guarantee linearizability and a progress property such as wait-freedom, lock-freedom, obstruction-freedom, starvation-freedom, or deadlock-freedom. Conventional informal or semi-formal definitions of these progress properties describe conditions under which a method call is guaranteed to complete, but it is unclear how these definitions can be utilized to formally verify system software in a layered and modular way. In this paper, we propose a unified framework based on contextual refinements to show exactly how progress properties affect the behaviors of client programs. We give formal operational definitions of all common progress properties and prove that for linearizable objects, each progress property is equivalent to a specific type of contextual refinement that preserves termination. The equivalence ensures that verification of such a contextual refinement for a concurrent object guarantees both linearizability and the corresponding progress property. Contextual refinement also enables us to verify safety and liveness properties of client programs at a high abstraction level by soundly replacing concrete method implementations with abstract atomic operations.

Chen Tian,Min Feng,Rajiv Gupta

DOI: https://doi.org/10.1145/1809028.1806604

2010-01-01

Abstract:The availability of multicore processors has led to significant interest in compiler techniques for speculative parallelization of sequential programs. Isolation of speculative state from non-speculative state forms the basis of such speculative techniques as this separation enables recovery from misspeculations. In our prior work on CorD [35,36] we showed that for array and scalar variable based programs copying of data between speculative and non-speculative memory can be highly optimized to support state separation that yields significant speedups on multicore machines available today. However, we observe that in context of heap-intensive programs that operate on linked dynamic data structures, state separation based speculative parallelization poses many challenges. The copying of data structures from non-speculative to speculative state (copy-in operation) can be very expensive due to the large sizes of dynamic data structures. The copying of updated data structures from speculative state to non-speculative state (copy-out operation) is made complex due to the changes in the shape and size of the dynamic data structure made by the speculative computation. In addition, we must contend with the need to translate pointers internal to dynamic data structures between their non-speculative and speculative memory addresses. In this paper we develop an augmented design for the representation of dynamic data structures such that all of the above operations can be performed efficiently. Our experiments demonstrate significant speedups on a real machine for a set of programs that make extensive use of heap based dynamic data structures.

Robert J. Colvin,Ian J. Hayes,Scott Heiner,Peter Höfner,Larissa Meinicke,Roger C. Su

2024-07-30

Abstract:Developers of low-level systems code providing core functionality for operating systems and kernels must address hardware-level features of modern multicore architectures. A particular feature is pipelined "out-of-order execution" of the code as written, the effects of which are typically summarised as a "weak memory model" - a term which includes further complicating factors that may be introduced by compiler optimisations. In many cases, the nondeterminism inherent in weak memory models can be expressed as micro-parallelism, i.e., parallelism within threads and not just between them. Fortunately Jones' rely/guarantee reasoning provides a compositional method for shared-variable concurrency, whether that be in terms of communication between top-level threads or micro-parallelism within threads. In this paper we provide an in-depth verification of the lock algorithm used in the seL4 microkernel, using rely/guarantee to handle both interthread communication as well as micro-parallelism introduced by weak memory models.

Logic in Computer Science