## Relational decomposition (2011)

Venue: 2nd ITP (Interactive Theorem Proving), volume 6898 of LNCS

Citations: 3 (1 self)

### References cited by this paper

Each entry gives the reference number used in the paper, the cited work, its CiteSeerX citation count, and the passage of this paper in which it is cited.

[35] Sabelfeld, Myers. Language-based information-flow security. (810 citations)
Context: ...ulating that the terminal states are in relation S whenever the initial states are in relation R. Examples include “obviously relational” properties such as program transformations or noninterference [35], but also extensional interpretations of type systems and program analyses [13]. In this article, we present relational decomposition, a technique for reducing the verification of relational properti...

[25] Jones (1990). Systematic Software Development Using VDM. (723 citations)
Context: ...transition system T gives rise to a one-execution specification system where assertions are (curried) binary predicates A over S that relate initial and final states, similar to postconditions in VDM [25]. We interpret specifications as partial-correctness statements, by writing ⊨_T P : A whenever (s, P, t) ∈ T implies A s t for all s, t ∈ S. The formal notion of simulation employs pre- and postcondi...

[38] Volpano, Smith, et al. (1996). A sound type system for secure flow analysis. (532 citations)
Context: ...nn [15] and Darvas-Hähnle-Sands [18] formulate self-composition in terms of program logics, but again focus on noninterference. In particular, Beringer and Hofmann [15] show how standard type systems [38, 24] can be formally interpreted in a unary logic, using a type-directed rule-by-rule construction of intermediate formulae φ. The witness relations employed in the present paper extend this construction...

[32] Necula (2000). Translation Validation for an Optimizing Compiler. (209 citations)
Context: ...s we are able to derive. In the area of translation validation, a number of verification approaches have been proposed, some of which include rules for relating loops that fail to proceed in lockstep [32, 20, 39]. In contrast to our proof system, these approaches are typically justified with the help of auxiliary constructs such as program labels and paths, in conflict with the extensional view taken in the p...

[9] Barnes (2003). High integrity software: The SPARK approach to safety and security. (188 citations)
Context: ...of our techniques into verification infrastructures for mainstream languages such as the Verified Software Toolchain for C [5]. As a stepping stone towards this goal, fragments of C such as Spark/Ada [9] may represent a realistic testbed that is both industrially relevant and formally tractable. Acknowledgments Andrew Appel encouraged me to revisit the earlier article with Martin Hofmann. The PL grou...

[11] Barthe, D’Argenio, et al. (2004). Secure information flow by self-composition. (137 citations)
Context: ...over Isabelle/HOL, and the source files are available online [14]. As a consequence, details of most proofs are omitted. 1.1 Related work Relational decomposition extends the idea of self-composition [11]. For the special case of (termination-insensitive) noninterference [35], self-composition establishes the security of a command C by verifying the one-execution property {∼L} C; C′ {∼L} where C′ ...

[17] Craig (1957). Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory. (129 citations)
Context: ...tions φ can be interpreted as specifications applicable at the point of program composition in a self-composed program, mediating between pre- and postrelations in a style reminiscent of interpolants [17]. Terauchi and Aiken [37] observe that the efficiency of self-composition is improved if phrase-duplication is applied only to small program fragments, but limit their attention largely to noninterfer...

[13] Benton (2004). Simple relational correctness proofs for static analyses and program transformations. (104 citations)
Context: ...re in relation R. Examples include “obviously relational” properties such as program transformations or noninterference [35], but also extensional interpretations of type systems and program analyses [13]. In this article, we present relational decomposition, a technique for reducing the verification of relational properties to that of unary ones. We demonstrate our technique by deriving a variant of ...

[18] Darvas, Hähnle, et al. (2005). A theorem proving approach to analysis of secure information flow. (104 citations)
Context: ...’s encoding is that the explicit declaration of ghost fields permeates all classes, potentially limiting the scalability of the approach ([31], page 16). Beringer-Hofmann [15] and Darvas-Hähnle-Sands [18] formulate self-composition in terms of program logics, but again focus on noninterference. In particular, Beringer and Hofmann [15] show how standard type systems [38, 24] can be formally interpreted...

[28] Leroy. A formally verified compiler back-end. (100 citations)
Context: ...m those for partial-correctness properties (invariants). A second reason is that applications such as compiler verification often actually relax termination-sensitivity to at least an asymmetric form [28]. Thus, termination appears sufficiently orthogonal to the functional aspects of relational behaviour to be treated separately. Nevertheless, we acknowledge that (and point out where) our design decis...

[7] Banerjee, Naumann. Stack-based access control and secure information flow. (98 citations)
Context: ...sitional fashion (Section 3); 4. outline an extension of relational decomposition that deals with parametrized simulations. The resulting logic can be used to justify type systems for noninterference [7] and variants of relational separation logics [40] (Section 4). All results have been verified using the theorem prover Isabelle/HOL, and the source files are available online [14]. As a consequence, ...

[24] Hunt, Sands (2006). On flow-sensitive security types. (93 citations)
Context: ...nn [15] and Darvas-Hähnle-Sands [18] formulate self-composition in terms of program logics, but again focus on noninterference. In particular, Beringer and Hofmann [15] show how standard type systems [38, 24] can be formally interpreted in a unary logic, using a type-directed rule-by-rule construction of intermediate formulae φ. The witness relations employed in the present paper extend this construction ...

[37] Terauchi, Aiken (2005). Secure information flow as a safety problem. (83 citations)
Context: ...d as specifications applicable at the point of program composition in a self-composed program, mediating between pre- and postrelations in a style reminiscent of interpolants [17]. Terauchi and Aiken [37] observe that the efficiency of self-composition is improved if phrase-duplication is applied only to small program fragments, but limit their attention largely to noninterference. They demonstrate th...

[27] Lerner, Millstein, et al. (2005). Automated soundness proofs for dataflow analyses and transformations via local rules. (78 citations)
Context: ...very of relational invariants may potentially arise from Amtoft et al.’s preconditions for conditional information flow [2], Barthe et al.’s product programs [10], from Rhodium’s transformation rules [27], or from Tate et al.’s program equivalence graphs [36]. It would also be interesting to compare the expressiveness and usability of our rules for dissonant loops with the rules from translation valid...

[1] Amtoft, Bandhakavi, et al. (2006). A logic for information flow in object-oriented programs. (69 citations)
Context: ... include extensional notions of declassification [8], conditional information flow [3], and the explicit integration of noninterference and separation disciplines, following the work of Amtoft et al. [1]. Magill et al.’s two-step abstractions for reasoning about data structures may provide orientation how ghost variables and program instrumentation interact with separation aspects [29]. A more abstra...

[22] Hoare, He (1987). The weakest prespecification. (63 citations)
Context: ... left triangle in the diagram, given R and P. The latter constructs a (in general different) candidate φ according to the lower right triangle in the diagram, given S and P′. In point-free notation [22], this candidate can be written as $P' \backslash S$, where $P'$ denotes the uncurried form of the transition relation for $P'$ and the weakest prespecification $X \backslash Y$ is defined as $Y ; X^{-1}$. By construction, these...

[16] Birkedal, Torp-Smith, et al. (2005). Semantics of separation-logic typing and higher-order frame rules. (62 citations; no citation context shown)

[12] Barthe, Rezk (2005). Non-interference for a JVM-like language. (43 citations)
Context: ...Terauchi and Aiken’s work to a language with objects, for general relational pre- and postconditions. Indistinguishability of locations is treated using the well-known technique of partial bijections [12, 7]. Naumann’s encoding of relational into unary specifications employs ghost fields: each object contains a boolean ghost field indicating whether the object should be interpreted w.r.t. the left or the...

[40] Yang (2007). Relational separation logic. (34 citations)
Context: ...sion of relational decomposition that deals with parametrized simulations. The resulting logic can be used to justify type systems for noninterference [7] and variants of relational separation logics [40] (Section 4). All results have been verified using the theorem prover Isabelle/HOL, and the source files are available online [14]. As a consequence, details of most proofs are omitted. 1.1 Related wo...

[26] Kleymann (1999). Hoare Logic and VDM: Machine-Checked Soundness and Completeness Proofs. (33 citations)
Context: ...], plus rules for object allocation

$\triangleright\; x := \mathsf{new}\ c\ \iota \;:\; \lambda (s, h)\ \tau.\ \exists \ell \notin \mathsf{locs}(s, h).\ \tau = (s[x \mapsto \ell],\ h[\ell \mapsto (c, \llbracket \iota \rrbracket\, s)])$

and for the field accessing instructions (omitted). Using standard techniques [26, 33], we have proven the logic sound and complete, relative to the ambient logic HOL: Theorem 2. $\triangleright\, C : A$ holds if and only if $\models_{T_{Obj}} C : A$. 3.2 Derivation of relational proof rules Instantiating $T = T_{Obj}$...

[29] Magill, Tsai, et al. Automatic numeric abstractions for heap-manipulating programs. (31 citations)
Context: ...f Amtoft et al. [1]. Magill et al.’s two-step abstractions for reasoning about data structures may provide orientation how ghost variables and program instrumentation interact with separation aspects [29]. A more abstract treatment of our operators can be obtained using relational algebra. As pointed out by a referee, uncurrying $\mathrm{Dec}_L\, R\, \varphi$ yields $(R \backslash \varphi)^{-1}$ while uncurrying $\mathrm{Dec}_R\, S\, \varphi$ yields the weakest pos...

[33] Nipkow (2002). Hoare logics for recursive procedures and unbounded nondeterminism. (30 citations)
Context: ...], plus rules for object allocation

$\triangleright\; x := \mathsf{new}\ c\ \iota \;:\; \lambda (s, h)\ \tau.\ \exists \ell \notin \mathsf{locs}(s, h).\ \tau = (s[x \mapsto \ell],\ h[\ell \mapsto (c, \llbracket \iota \rrbracket\, s)])$

and for the field accessing instructions (omitted). Using standard techniques [26, 33], we have proven the logic sound and complete, relative to the ambient logic HOL: Theorem 2. $\triangleright\, C : A$ holds if and only if $\models_{T_{Obj}} C : A$. 3.2 Derivation of relational proof rules Instantiating $T = T_{Obj}$...

[5] Appel (2011). Verified software toolchain. (23 citations)
Context: ...f judgements of unary Hoare logics [34]. A long-term goal is the integration of our techniques into verification infrastructures for mainstream languages such as the Verified Software Toolchain for C [5]. As a stepping stone towards this goal, fragments of C such as Spark/Ada [9] may represent a realistic testbed that is both industrially relevant and formally tractable. Acknowledgments Andrew Appel ...

[31] Naumann (2006). From coupling relations to mated invariants for checking information flow. (21 citations)
Context: ...se treatment presents a particular challenge due to the fact that differences in location chosen by the allocator in different runs are generally considered unobservable – are not considered. Naumann [31] extends Terauchi and Aiken’s work to a language with objects, for general relational pre- and postconditions. Indistinguishability of locations is treated using the well-known technique of partial bi...

[15] Beringer, Hofmann (2007). Secure information flow and program logics. (17 citations)
Context: ...practical drawback of Naumann’s encoding is that the explicit declaration of ghost fields permeates all classes, potentially limiting the scalability of the approach ([31], page 16). Beringer-Hofmann [15] and Darvas-Hähnle-Sands [18] formulate self-composition in terms of program logics, but again focus on noninterference. In particular, Beringer and Hofmann [15] show how standard type systems [38, 24...

[36] Tate, Stepp, et al. (2010). Generating compiler optimizations from proofs. (14 citations)
Context: ...m Amtoft et al.’s preconditions for conditional information flow [2], Barthe et al.’s product programs [10], from Rhodium’s transformation rules [27], or from Tate et al.’s program equivalence graphs [36]. It would also be interesting to compare the expressiveness and usability of our rules for dissonant loops with the rules from translation validation [20], and to investigate how the latter can be ju...

[8] Banerjee, Naumann, et al. (2007). Towards a logical account of declassification. (9 citations)
Context: ...slation validation [20], and to investigate how the latter can be justified in a more semantics-oriented fashion. Natural extensions of noninterference include extensional notions of declassification [8], conditional information flow [3], and the explicit integration of noninterference and separation disciplines, following the work of Amtoft et al. [1]. Magill et al.’s two-step abstractions for reaso...

[34] Saabas, Uustalu (2008). Program and proof optimizations with type systems. (9 citations)
Context: ...is conditional on the nonfaultiness of C’s final state. Saabas and Uustalu show how type derivations yield semantics-preserving proof transformations between pairs of judgements of unary Hoare logics [34]. A long-term goal is the integration of our techniques into verification infrastructures for mainstream languages such as the Verified Software Toolchain for C [5]. As a stepping stone towards this g...

[3] Amtoft, Hatcliff, et al. (2007). Specification and checking of software contracts for conditional information flow. (8 citations)
Context: ...vestigate how the latter can be justified in a more semantics-oriented fashion. Natural extensions of noninterference include extensional notions of declassification [8], conditional information flow [3], and the explicit integration of noninterference and separation disciplines, following the work of Amtoft et al. [1]. Magill et al.’s two-step abstractions for reasoning about data structures may pro...

[6] Aspinall, Beringer, et al. A program logic for resources. (8 citations)
Context: ...isms. [Fig. 1: Relational decomposition of simulation using witness φ.] We thus open an avenue for integrating relational logics into foundational stacks of verification formalisms [6, 4]. ⋆⋆ This work is funded in part by the Air Force Office of Scientific Research (FA9550-09-1-0138) and the National Science Foundation (CNS-0910448). Relational decomposition reduces the validation of...

[2] Amtoft, Hatcliff, et al. Precise and automated contract-based reasoning for verification and certification of information flow properties of programs with arrays. (3 citations)
Context: ...fication tasks, along the line of Terauchi and Aiken’s work. Hints for the discovery of relational invariants may potentially arise from Amtoft et al.’s preconditions for conditional information flow [2], Barthe et al.’s product programs [10], from Rhodium’s transformation rules [27], or from Tate et al.’s program equivalence graphs [36]. It would also be interesting to compare the expressiveness and...

[4] Appel (2008). Foundational high-level static analysis. (1 citation)
Context: ...isms. [Fig. 1: Relational decomposition of simulation using witness φ.] We thus open an avenue for integrating relational logics into foundational stacks of verification formalisms [6, 4]. ⋆⋆ This work is funded in part by the Air Force Office of Scientific Research (FA9550-09-1-0138) and the National Science Foundation (CNS-0910448). Relational decomposition reduces the validation of...

[10] Barthe, Crespo, et al. (2011). Relational verification using product programs. See http://software.imdea.org/∼ckunz/rellog/long-rellog.pdf (1 citation)
Context: ...uchi and Aiken’s work. Hints for the discovery of relational invariants may potentially arise from Amtoft et al.’s preconditions for conditional information flow [2], Barthe et al.’s product programs [10], from Rhodium’s transformation rules [27], or from Tate et al.’s program equivalence graphs [36]. It would also be interesting to compare the expressiveness and usability of our rules for dissonant l...

[14] Beringer (2011). Relational decomposition – Isabelle/HOL sources. Available at www.cs.princeton.edu/∼eberinge/RelDecompITP2011.tar.gz (1 citation)
Context: ...lier rule RHLWHL arises from this variant by setting V = W = ∅. The decomposed derivation of the new loop rules employs fixed-point-interpolants similar to ΦWhile (b′, R, φ) above. For the details, see [14]. As an example for the application of these rules, consider the programs

C ≡ r:=0; i:=0; While i < n do (r:=r + i; i:=i + 1)
C′ ≡ r:=0; i:=0; While i < n do (r:=r + i; i:=i + 1; r:=r + i; i:=i + 1).

The equ...
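The self-composition reduction quoted under [11] above (verify the relational property {∼L} C ∼ C {∼L} as the one-execution property {∼L} C; C′ {∼L}, with C′ a variable-renamed copy) and the dissonant-loop pair C, C′ just quoted, made concrete as an added Python example. This is not code from the paper or from its Isabelle/HOL sources [14]: it interprets the small While language directly, forms C; C′ by renaming every variable x of the second command to x_2, and checks the relational pre/postcondition over a finite enumeration of initial states, which is a bounded test rather than the proof the paper's logic provides. Two assumptions are mine: no source variable already ends in the suffix _2, and the relational specification for the paper's C and C′ (the page's sentence is cut off) is taken to be "same n as precondition, same r as postcondition", which the example shows holds for even n and fails for odd n because the unrolled loop then executes one body too many.

```python
"""Added example: self-composition as a one-execution check of relational
properties (noninterference, and the C vs C' loop pair) by bounded enumeration.
Assumed: no source variable ends in SUF; the C/C' spec below is the editor's."""
from itertools import product

SUF = "_2"  # suffix distinguishing the renamed second copy in C; C'

# Commands: ('assign', x, e) | ('seq', c1, c2) | ('if', e, c1, c2) | ('while', e, c)
# Expressions: int literal | variable name (str) | ('op', symbol, e1, e2)

def eval_expr(e, s):
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    _, op, a, b = e
    x, y = eval_expr(a, s), eval_expr(b, s)
    return {"+": x + y, "-": x - y, "<": int(x < y), "==": int(x == y)}[op]

def run(c, store, fuel=10_000):
    """Execute c on a copy of store; None once the fuel bound is hit, which we
    treat as divergence (ignored by a termination-insensitive property)."""
    s, stack = dict(store), [c]
    while stack:
        if fuel == 0:
            return None
        fuel -= 1
        node = stack.pop()
        kind = node[0]
        if kind == "assign":
            s[node[1]] = eval_expr(node[2], s)
        elif kind == "seq":
            stack.append(node[2])
            stack.append(node[1])          # c1 runs first
        elif kind == "if":
            stack.append(node[2] if eval_expr(node[1], s) else node[3])
        elif kind == "while" and eval_expr(node[1], s):
            stack.append(node)             # re-test the guard after the body
            stack.append(node[2])
    return s

def rename(c, suf=SUF):
    """The disjoint copy C': every variable x becomes x + suf."""
    def rn(e):
        if isinstance(e, int):
            return e
        if isinstance(e, str):
            return e + suf
        return (e[0], e[1], rn(e[2]), rn(e[3]))
    k = c[0]
    if k == "assign":
        return ("assign", c[1] + suf, rn(c[2]))
    if k == "seq":
        return ("seq", rename(c[1], suf), rename(c[2], suf))
    if k == "if":
        return ("if", rn(c[1]), rename(c[2], suf), rename(c[3], suf))
    return ("while", rn(c[1]), rename(c[2], suf))

def seq(*cs):
    c = cs[-1]
    for d in reversed(cs[:-1]):
        c = ("seq", d, c)
    return c

def relational_counterexample(c1, c2, inputs, pre, post, domain=range(4)):
    """Bounded check of {pre} c1 ~ c2 {post} through the one-execution program
    c1; rename(c2): for each pair of initial stores (s, s2) over `inputs` with
    pre(s, s2), run the composed program and require post on the two halves of
    its final store. Returns the first violating pair, or None."""
    composed = ("seq", c1, rename(c2))
    for vals1 in product(domain, repeat=len(inputs)):
        s = dict(zip(inputs, vals1))
        for vals2 in product(domain, repeat=len(inputs)):
            s2 = dict(zip(inputs, vals2))
            if not pre(s, s2):
                continue
            t = run(composed, dict(s, **{v + SUF: x for v, x in s2.items()}))
            if t is None:
                continue                   # termination-insensitive
            t1 = {v: x for v, x in t.items() if not v.endswith(SUF)}
            t2 = {v[: -len(SUF)]: x for v, x in t.items() if v.endswith(SUF)}
            if not post(t1, t2):
                return s, s2
    return None

def noninterference_counterexample(c, low, high, domain=range(4)):
    """Noninterference is the instance c1 = c2 = c with pre = post = ~L."""
    low_eq = lambda a, b: all(a[v] == b[v] for v in low)
    return relational_counterexample(c, c, low + high, low_eq, low_eq, domain)

# Constructed sample programs (l low, h high; n, r, i as in the paper's C and C').
SECURE = seq(("assign", "l", "h"), ("assign", "l", 0))                       # l := h; l := 0
LEAKY = ("if", ("op", "<", "h", 2), ("assign", "l", 0), ("assign", "l", 1))  # implicit flow
BODY = seq(("assign", "r", ("op", "+", "r", "i")), ("assign", "i", ("op", "+", "i", 1)))
C = seq(("assign", "r", 0), ("assign", "i", 0), ("while", ("op", "<", "i", "n"), BODY))
C2 = seq(("assign", "r", 0), ("assign", "i", 0), ("while", ("op", "<", "i", "n"), seq(BODY, BODY)))

def sum_loops_counterexample(require_even_n):
    """Editor's assumed spec for C vs C': equal n before, equal r after.
    Without the evenness restriction the unrolled loop runs one extra body."""
    pre = lambda s, s2: s["n"] == s2["n"] and (not require_even_n or s["n"] % 2 == 0)
    return relational_counterexample(C, C2, ["n"], pre, lambda t, t2: t["r"] == t2["r"], range(8))

if __name__ == "__main__":
    print("SECURE:", noninterference_counterexample(SECURE, ["l"], ["h"]))
    print("LEAKY:", noninterference_counterexample(LEAKY, ["l"], ["h"]))
    print("C ~ C', n even:", sum_loops_counterexample(True))
    print("C ~ C', any n:", sum_loops_counterexample(False))
```

The point the check makes operationally is the one the paper makes logically: once the second run is a renamed copy living in the same store, a two-run property becomes an ordinary pre/postcondition on one program, and whatever verifier (or here, enumerator) handles unary properties can be pointed at it. The LEAKY program returns a low-equal pair of initial states whose final l differs, the implicit flow that a termination-insensitive noninterference check must catch; the C/C′ pair shows why a relational precondition beyond "same inputs" (here, n even) is needed before loops that do not proceed in lockstep can be related.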

[19] Gardiner. Power simulation and its relation to traces and failures refinement. Theoretical Computer Science. (1 citation)
Context: ...lgebra. As pointed out by a referee, uncurrying $\mathrm{Dec}_L\, R\, \varphi$ yields $(R \backslash \varphi)^{-1}$ while uncurrying $\mathrm{Dec}_R\, S\, \varphi$ yields the weakest postspecification $S / \varphi$ given by $\varphi^{-1} ; S$. Extending the work of [22, 23], Gardiner [19] explores connections between these operators and predicate transformers to study a variation of bisimulation called power simulation. In contrast to our work, predicates and relations are formulated ...

[39] Voronkov, Narasamdya (2009). Inter-program properties. (1 citation)
Context: ...s we are able to derive. In the area of translation validation, a number of verification approaches have been proposed, some of which include rules for relating loops that fail to proceed in lockstep [32, 20, 39]. In contrast to our proof system, these approaches are typically justified with the help of auxiliary constructs such as program labels and paths, in conflict with the extensional view taken in the p...