319 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
319 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
320 |
320 |
321 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
321 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
322 \begin{frame}[c] |
322 \begin{frame}[c] |
323 |
323 |
324 |
|
325 \begin{textblock}{11}(1,3) |
324 \begin{textblock}{11}(1,3) |
326 \begin{tabular}{@{\hspace{-10mm}}l} |
325 \begin{tabular}{@{\hspace{-10mm}}l} |
327 \begin{tikzpicture}[scale=1.1] |
326 \begin{tikzpicture}[scale=1.1] |
328 \node at (-2.5,-1.5) {\textcolor{white}{a}}; |
327 \node at (-2.5,-1.5) {\textcolor{white}{a}}; |
329 \node at (8,4) {\textcolor{white}{a}}; |
328 \node at (8,4) {\textcolor{white}{a}}; |
330 |
329 |
331 |
|
332 |
|
333 \only<1>{ |
330 \only<1>{ |
334 \draw[fill, blue!50] (1,0) rectangle (6,0.6); |
331 \draw[fill, blue!50] (1,0) rectangle (6,0.6); |
335 \node at (1.5,0.9) {\small $A_L$}; |
332 \node at (1.5,0.9) {\small $A_L$}; |
336 \node at (2.0,0.9) {\small $B_L$}; |
333 \node at (2.0,0.9) {\small $B_L$}; |
337 \node at (3.5,0.9) {\small $A_R$}; |
334 \node at (3.5,0.9) {\small $A_R$}; |
649 |
646 |
650 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
647 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
651 \begin{frame}[c] |
648 \begin{frame}[c] |
652 \frametitle{Design of AC-Policies} |
649 \frametitle{Design of AC-Policies} |
653 |
650 |
|
651 Imagine you set up an access policy (root, lpd, users, staff, etc) |
|
652 \bigskip\pause |
|
653 |
654 \Large |
654 \Large |
655 \begin{quote} |
655 \begin{quote} |
656 ''what you specify is what you get but not necessarily what you want\ldots'' |
656 ``what you specify is what you get but not necessarily what you want\ldots'' |
657 \end{quote}\bigskip\bigskip\bigskip |
657 \end{quote}\bigskip\bigskip\bigskip |
658 |
658 |
659 \normalsize main work by Chunhan Wu (PhD-student) |
659 \normalsize main work by Chunhan Wu (a PhD-student in Nanjing) |
660 |
660 |
661 \end{frame} |
661 \end{frame} |
662 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
662 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
663 |
663 |
664 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
664 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
709 \node[black, rotate=10] at (1.9,3.6) {\LARGE\ldots}; |
709 \node[black, rotate=10] at (1.9,3.6) {\LARGE\ldots}; |
710 } |
710 } |
711 |
711 |
712 \end{tikzpicture} |
712 \end{tikzpicture} |
713 \end{center} |
713 \end{center} |
|
714 |
|
715 \only<7->{ |
|
716 \begin{textblock}{4}(1,12) |
|
717 \small |
|
718 reduced the problem to a finite problem; gave a proof |
|
719 \end{textblock}} |
714 |
720 |
715 \end{frame} |
721 \end{frame} |
716 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
722 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
717 |
723 |
718 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
724 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
741 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
747 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
742 \begin{frame}[c] |
748 \begin{frame}[c] |
743 \frametitle{Fuzzy Testing C-Compilers} |
749 \frametitle{Fuzzy Testing C-Compilers} |
744 |
750 |
745 \begin{itemize} |
751 \begin{itemize} |
746 \item tested GCC, LLVM, others by randomly generating |
752 \item tested GCC, LLVM and others by randomly generating |
747 C-programs |
753 C-programs |
748 \item found more than 300 bugs in GCC and also |
754 \item found more than 300 bugs in GCC and also |
749 many in LLVM (some of them highest-level critical)\bigskip |
755 many in LLVM (some of them highest-level critical)\bigskip |
750 \item about CompCert: |
756 \item about CompCert: |
751 |
757 |
814 \end{itemize} |
820 \end{itemize} |
815 \item better software development methodology |
821 \item better software development methodology |
816 \item stable platforms and frameworks |
822 \item stable platforms and frameworks |
817 \item better use of specifications\medskip\\ |
823 \item better use of specifications\medskip\\ |
818 \small If you want to build software that works or is secure, |
824 \small If you want to build software that works or is secure, |
819 it is helpful to know what you mean by ``work'' and by ``secure''! |
825 it is helpful to know what you mean by ``works'' and by ``is secure''! |
820 \end{itemize} |
826 \end{itemize} |
821 |
827 |
822 \end{frame} |
828 \end{frame} |
823 |
829 |
824 |
830 |
829 |
835 |
830 Remember the Bridges example? |
836 Remember the Bridges example? |
831 |
837 |
832 \begin{itemize} |
838 \begin{itemize} |
833 \item Can we look at our programs and somehow ensure |
839 \item Can we look at our programs and somehow ensure |
834 they are secure/bug free/correct/secure?\pause\bigskip |
840 they are secure/bug free/correct?\pause\bigskip |
835 |
841 |
836 \item Very hard: Anything interesting about programs is equivalent |
842 \item Very hard: Anything interesting about programs is equivalent |
837 to halting problem, which is undecidable.\pause\bigskip |
843 to halting problem, which is undecidable.\pause\bigskip |
838 |
844 |
839 \item \alert{Solution:} We avoid this ``minor'' obstacle by |
845 \item \alert{Solution:} We avoid this ``minor'' obstacle by |
840 being as close as possible of deciding the halting |
846 being as close as possible of deciding the halting |
841 problem, without actually deciding the halting problem. |
847 problem, without actually deciding the halting problem. |
842 \small$\quad\Rightarrow$ yes, no, do not know (static analysis) |
848 \small$\quad\Rightarrow$ yes, no, don't know (static analysis) |
843 \end{itemize} |
849 \end{itemize} |
844 |
850 |
845 \end{frame} |
851 \end{frame} |
846 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
852 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
847 |
853 |
938 | \meta{Exp} = \meta{Exp} |
944 | \meta{Exp} = \meta{Exp} |
939 | \meta{num} |
945 | \meta{num} |
940 | \meta{var}\\ |
946 | \meta{var}\\ |
941 : \meta{Stmt} ::= \meta{label} : |
947 : \meta{Stmt} ::= \meta{label} : |
942 | \meta{var} := \meta{Exp} |
948 | \meta{var} := \meta{Exp} |
943 | jmp? \meta{Exp} \meta{label} |
949 | \pcode{jmp?} \meta{Exp} \meta{label} |
944 | goto \meta{label}\\ |
950 | \pcode{goto} \meta{label}\\ |
945 : \meta{Prog} ::= \meta{Stmt} \ldots \meta{Stmt}\\ |
951 : \meta{Prog} ::= \meta{Stmt} \ldots{} \meta{Stmt}\\ |
946 \end{plstx}} |
952 \end{plstx}} |
947 |
953 |
948 \begin{textblock}{0}(7.8,2.5) |
954 \begin{textblock}{0}(7.8,2.5) |
949 \small |
955 \small |
950 \begin{bubble}[5.6cm] |
956 \begin{bubble}[5.6cm] |
976 | \meta{Exp} = \meta{Exp} |
982 | \meta{Exp} = \meta{Exp} |
977 | \meta{num} |
983 | \meta{num} |
978 | \meta{var}\\ |
984 | \meta{var}\\ |
979 : \meta{Stmt} ::= \meta{label} : |
985 : \meta{Stmt} ::= \meta{label} : |
980 | \meta{var} := \meta{Exp} |
986 | \meta{var} := \meta{Exp} |
981 | jmp? \meta{Exp} \meta{label} |
987 | \pcode{jmp?} \meta{Exp} \meta{label} |
982 | goto \meta{label}\\ |
988 | \pcode{goto} \meta{label}\\ |
983 : \meta{Prog} ::= \meta{Stmt} \ldots \meta{Stmt}\\ |
989 : \meta{Prog} ::= \meta{Stmt} \ldots{} \meta{Stmt}\\ |
984 \end{plstx}} |
990 \end{plstx}} |
985 |
991 |
986 \begin{textblock}{0}(7.8,3.5) |
992 \begin{textblock}{0}(7.8,3.5) |
987 \small |
993 \small |
988 \begin{bubble}[5.6cm] |
994 \begin{bubble}[5.6cm] |
1017 | \meta{Exp} = \meta{Exp} |
1023 | \meta{Exp} = \meta{Exp} |
1018 | \meta{num} |
1024 | \meta{num} |
1019 | \meta{var}\\ |
1025 | \meta{var}\\ |
1020 : \meta{Stmt} ::= \meta{label} : |
1026 : \meta{Stmt} ::= \meta{label} : |
1021 | \meta{var} := \meta{Exp} |
1027 | \meta{var} := \meta{Exp} |
1022 | jmp? \meta{Exp} \meta{label} |
1028 | \pcode{jmp?} \meta{Exp} \meta{label} |
1023 | goto \meta{label}\\ |
1029 | \pcode{goto} \meta{label}\\ |
1024 : \meta{Prog} ::= \meta{Stmt} \ldots \meta{Stmt}\\ |
1030 : \meta{Prog} ::= \meta{Stmt} \ldots{} \meta{Stmt}\\ |
1025 \end{plstx}} |
1031 \end{plstx}} |
1026 |
1032 |
1027 \end{frame} |
1033 \end{frame} |
1028 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1034 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1029 |
1035 |
1030 |
1036 |
1031 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1037 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1032 \begin{frame}[fragile] |
1038 \begin{frame}[fragile] |
1033 \frametitle{Eval} |
1039 \frametitle{Eval: An Interpreter} |
1034 \mbox{}\\[-14mm]\mbox{} |
1040 \mbox{}\\[-14mm]\mbox{} |
1035 |
1041 |
1036 \small |
1042 \small |
1037 \begin{center} |
1043 \begin{center} |
1038 \bl{\begin{tabular}{lcl} |
1044 \bl{\begin{tabular}{lcl} |
1279 \mbox{}\\[-13mm]\mbox{} |
1285 \mbox{}\\[-13mm]\mbox{} |
1280 |
1286 |
1281 \small |
1287 \small |
1282 \begin{center} |
1288 \begin{center} |
1283 \bl{\begin{tabular}{lcl} |
1289 \bl{\begin{tabular}{lcl} |
1284 $[n]_{env}$ & $\dn$ & |
1290 $[n]_{aenv}$ & $\dn$ & |
1285 $\begin{cases} |
1291 $\begin{cases} |
1286 \{+\} & \text{if}\; n > 0\\ |
1292 \{+\} & \text{if}\; n > 0\\ |
1287 \{-\} & \text{if}\; n < 0\\ |
1293 \{-\} & \text{if}\; n < 0\\ |
1288 \{0\} & \text{if}\; n = 0 |
1294 \{0\} & \text{if}\; n = 0 |
1289 \end{cases}$\\ |
1295 \end{cases}$\\ |
1290 $[x]_{env}$ & $\dn$ & $env(x)$\\ |
1296 $[x]_{aenv}$ & $\dn$ & $aenv(x)$\\ |
1291 $[e_1 + e_2]_{env}$ & $\dn$ & $[e_1]_{env} \oplus [e_2]_{env}$\\ |
1297 $[e_1 + e_2]_{aenv}$ & $\dn$ & $[e_1]_{aenv} \oplus [e_2]_{aenv}$\\ |
1292 $[e_1 * e_2]_{env}$ & $\dn$ & $[e_1]_{env} \otimes [e_2]_{env}$\\ |
1298 $[e_1 * e_2]_{aenv}$ & $\dn$ & $[e_1]_{aenv} \otimes [e_2]_{aenv}$\\ |
1293 $[e_1 = e_2]_{env}$ & $\dn$ & $\{0, +\}$\\ |
1299 $[e_1 = e_2]_{aenv}$ & $\dn$ & $\{0, +\}$\\ |
1294 \end{tabular}} |
1300 \end{tabular}} |
1295 \end{center} |
1301 \end{center} |
1296 |
1302 |
1297 \scriptsize |
1303 \scriptsize |
1298 \begin{lstlisting}[language=Scala,numbers=none,xleftmargin=-5mm] |
1304 \begin{lstlisting}[language=Scala,numbers=none,xleftmargin=-5mm] |
1310 \end{lstlisting} |
1316 \end{lstlisting} |
1311 |
1317 |
1312 \end{frame} |
1318 \end{frame} |
1313 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1319 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1314 |
1320 |
|
1321 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1322 \begin{frame}[fragile] |
|
1323 \frametitle{AEval for Stmts} |
|
1324 \mbox{}\\[-12mm]\mbox{} |
|
1325 |
|
1326 Let \bl{$sn$} be the snippets of a program |
|
1327 |
|
1328 \small |
|
1329 \begin{center} |
|
1330 \bl{\begin{tabular}{lcl} |
|
1331 $[\texttt{nil}]_{aenv}$ & $\to$ & $(\texttt{nil},aenv)$\medskip\\ |
|
1332 $[\texttt{Label}(l:)::rest]_{aenv}$ & $\to$ & $(rest, aenv)$\medskip\\ |
|
1333 $[x \,\texttt{:=}\, e::rest]_{aenv}$ & $\to$ & |
|
1334 $(rest, aenv[x:= [e]_{aenv}])$\medskip\\ |
|
1335 $[\texttt{jmp?}\;e\;l::rest]_{aenv}$ & $\to$ & |
|
1336 $(sn(l),aenv)$ \textcolor{black}{and} $(rest, aenv)$\medskip\\ |
|
1337 $[\texttt{goto}\;l::rest]_{aenv}$ & $\to$ & $(sn(l), aenv)$\\ |
|
1338 \end{tabular}} |
|
1339 \end{center}\bigskip |
|
1340 |
|
1341 Start with \bl{$[sn(\mbox{\code{""}})]_{\varnothing}$}, try to |
|
1342 reach all \emph{states} you can find (until a fix point is reached). |
|
1343 |
|
1344 Check whether there are only $aenv$ in the final states that have |
|
1345 your property. |
|
1346 \end{frame} |
|
1347 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1315 |
1348 |
1316 |
1349 |
1317 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1350 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1318 \begin{frame}[c] |
1351 \begin{frame}[c] |
1319 \frametitle{Sign Analysis} |
1352 \frametitle{Sign Analysis} |
1321 \begin{itemize} |
1354 \begin{itemize} |
1322 \item We want to find out whether \texttt{a} and \texttt{n} |
1355 \item We want to find out whether \texttt{a} and \texttt{n} |
1323 are always positive?\medskip |
1356 are always positive?\medskip |
1324 \item After a few optimisations, we can indeed find this out. |
1357 \item After a few optimisations, we can indeed find this out. |
1325 \begin{itemize} |
1358 \begin{itemize} |
1326 \item \texttt{if} returns \texttt{+} or \texttt{0} |
1359 \item \texttt{equations} return \texttt{+} or \texttt{0} |
1327 \item branch into only one dircection if you know |
1360 \item branch into only one dircection if you know |
1328 \item if $x$ is \texttt{+}, then $x + \texttt{-1}$ |
1361 \item if $x$ is \texttt{+}, then $x + \texttt{-1}$ |
1329 cannot be negative |
1362 cannot be negative |
1330 \end{itemize}\bigskip |
1363 \end{itemize}\bigskip |
1331 |
1364 |
1332 \item What is this good for? Well, you do not need |
1365 \item What is this good for? Well, you do not need |
1333 underflow checks (in order to prevent buffer-overflow |
1366 underflow checks (in order to prevent buffer-overflow |
1334 attacks). |
1367 attacks). In general this technique is used to make sure |
|
1368 keys stay secret. |
1335 \end{itemize} |
1369 \end{itemize} |
1336 |
1370 |
1337 \end{frame} |
1371 \end{frame} |
1338 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
1372 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1373 |
|
1374 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1375 \begin{frame}[c] |
|
1376 \frametitle{Take Home Points} |
|
1377 |
|
1378 \begin{itemize} |
|
1379 \item While testing is important, it does not show the |
|
1380 absence of bugs/vulnerabilities.\medskip |
|
1381 \item More and more we need (formal) proofs that show |
|
1382 a program is bug free. |
|
1383 \end{itemize} |
|
1384 |
|
1385 \end{frame} |
|
1386 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
1387 |
1339 |
1388 |
1340 |
1389 |
1341 \end{document} |
1390 \end{document} |
1342 |
1391 |
1343 |
1392 |