CS 591: Formal Methods in Security and Privacy (slide transcript)
Source: cs-people.bu.edu/gaboardi/teaching/S20-CS591/CS591-4.pdf, 2020. 4. 21.
Marco Gaboardi
Alley Stoughton
CS 591: Formal Methods in Security and Privacy
Hoare Logic
From the previous class
Formal Semantics
Precondition / Program / Postcondition
We need to assign a formal meaning to the different components: the formal semantics of programs and the formal semantics of specification conditions.
We also need to describe the rules which combine programs and specifications.
Programming Language
c ::= abort | skip | x := e | c; c | if e then c else c | while e do c
x, y, z, … program variables
e1, e2, … expressions
c1, c2, … commands
Memories
We can formalize a memory as a map m from variables to values:
m = [x1 ⟼ v1, …, xn ⟼ vn]
We consider only maps that respect types.
We want to read the value associated to a particular variable: m(x)
We want to update the value associated to a particular variable: m[x←v]
This is defined as
m[x←v](y) = v if x = y
m[x←v](y) = m(y) otherwise
Semantics of Expressions
This is defined on the structure of expressions:
{x}m = m(x)
{f(e1,…,en)}m = {f}({e1}m,…,{en}m)
where {f} is the semantics associated with the basic operation we are considering.
Semantics of Commands
What is the meaning of the following command?
k:=2; z:=x mod k; if z=0 then r:=1 else r:=2
We can give the semantics as a relation between commands, memories, and memories or failure:
Cmd × Mem × (Mem | ⊥)
We will denote this relation as {c}m = m’ or {c}m = ⊥.
This is commonly typeset as ⟦c⟧m = m’.
Summary of the Semantics of Commands
{abort}m = ⊥
{skip}m = m
{c;c’}m = {c’}m’ if {c}m = m’
{c;c’}m = ⊥ if {c}m = ⊥
{x:=e}m = m[x←{e}m]
{if e then ct else cf}m = {ct}m if {e}m = true
{if e then ct else cf}m = {cf}m if {e}m = false
{while e do c}m = sup_{n∊Nat} {while_n e do c}m
Approximating While
The n-th lower iteration of a while statement, while_n e do c, is defined as
while_n e do c = (while^n e do c); if e then abort
where while^n e do c is defined as
while^0 e do c = skip
while^(n+1) e do c = if e then (c; while^n e do c)
Information order
An idea that has been developed to solve this problem is the idea of information order.
This corresponds to the idea of ordering the different possible denotations in terms of the information they provide.
In our case we can use the following order on possible outputs:
m1 ≥ ⊥, m2 ≥ ⊥, m3 ≥ ⊥, …, mn ≥ ⊥, … (every memory sits above ⊥)
Example
What is the semantics of the following program:
x:=3; y:=1; while x > 1 do y := y+1; x := x-1;
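The semantics of this program, computed by a small Python interpreter that follows the summary of the semantics and the lower-iteration approximation of while from the slides above. This is an added example, not code from the course; the tuple encoding of commands, Python callables for expressions, the names `run`, `while_lower`, `approximants` and the `fuel` bound on the search for the sup are my own choices.

```python
BOT = None  # ⊥: failure (abort) or non-termination

# Commands are tuples ("abort",), ("skip",), ("assign", x, e), ("seq", c1, c2),
# ("if", e, ct, cf), ("while", e, c).  An expression e is a Python callable on a
# memory (a dict), so e(m) plays the role of {e}m on the slides.

def while_lower(n, e, c):
    """n-th lower iteration: (while^n e do c); if e then abort, where the
    unrolling is while^0 = skip and while^(k+1) = if e then (c; while^k)."""
    unrolled = ("skip",)
    for _ in range(n):
        unrolled = ("if", e, ("seq", c, unrolled), ("skip",))
    return ("seq", unrolled, ("if", e, ("abort",), ("skip",)))

def run(c, m, fuel=100):
    """{c}m following the summary of the semantics; returns a memory or BOT.
    For while, sup_n {while_n e do c}m is the first approximant that is not BOT
    (the chain is BOT, ..., BOT, m', m', ... in the information order); only
    n < fuel are tried, so a loop running longer than that is reported as BOT."""
    kind = c[0]
    if kind == "abort":
        return BOT
    if kind == "skip":
        return m
    if kind == "assign":                    # m[x <- {e}m]
        return {**m, c[1]: c[2](m)}
    if kind == "seq":
        m1 = run(c[1], m, fuel)
        return BOT if m1 is BOT else run(c[2], m1, fuel)
    if kind == "if":
        return run(c[2] if c[1](m) else c[3], m, fuel)
    if kind == "while":
        for n in range(fuel):
            mn = run(while_lower(n, c[1], c[2]), m, fuel)
            if mn is not BOT:
                return mn
        return BOT
    raise ValueError("unknown command: " + kind)

# The slide's program: x:=3; y:=1; while x > 1 do (y := y+1; x := x-1)
LOOP = ("while", lambda m: m["x"] > 1,
        ("seq", ("assign", "y", lambda m: m["y"] + 1),
                ("assign", "x", lambda m: m["x"] - 1)))
PROG = ("seq", ("assign", "x", lambda m: 3),
        ("seq", ("assign", "y", lambda m: 1), LOOP))

def approximants(k):
    """{while_n e do c}m0 for n = 0..k-1 from m0 = [x ⟼ 3, y ⟼ 1]."""
    m0 = {"x": 3, "y": 1}
    return [run(while_lower(n, LOOP[1], LOOP[2]), m0) for n in range(k)]
```

`approximants(4)` shows the chain the sup ranges over: ⊥ for n = 0 and 1 (the guard is still true, so the trailing `if e then abort` fires), then the final memory from n = 2 on.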
Today: Hoare Triples
Hoare triple
c : P ⇒ Q
c: Program
P: Precondition (a logical formula)
Q: Postcondition (a logical formula)
Some examples
x = z + 1 : {z > 0} ⇒ {x > 1}
Is it valid?
Some examples
x = z + 1 : {z > 0} ⇒ {x > 0}
Is it valid?
Some examples
x = z + 1 : {z < 0} ⇒ {x < 0}
Is it valid?
Some examples
x = z + 1 : {z = n} ⇒ {x = n + 1}
Is it valid?
Some examples
while x>0 do z=x*2+y; x=x/2; z=x*2-y : {y > x} ⇒ {z < 0}
Is it valid?
Some examples
z=x*2+y; x=x/2; z=x*2-y : {even y ∧ odd x} ⇒ {z < 2.5}
Is it valid?
How do we determine the validity of a Hoare triple?
Validity of Hoare triple
c : P ⇒ Q
c: Program
P: Precondition (a logical formula)
Q: Postcondition (a logical formula)
We are interested only in inputs that meet P, and we want the outputs to satisfy Q.
How shall we formalize this intuition?
Validity of Hoare triple
We say that the triple c : P ⇒ Q is valid if and only if for every memory m such that P(m) and every memory m’ such that {c}m = m’ we have Q(m’).
Is this condition easy to check?
Hoare Logic
Floyd-Hoare reasoning
Robert W. Floyd and Tony Hoare
Rules of Hoare Logic: Skip
⊢ skip : P ⇒ P
Rules of Hoare Logic: Assignment
⊢ x:=e : P ⇒ P[e/x]
Is this correct?
Correctness of an axiom
⊢c : P ⇒ Q
We say that an axiom is correct if we can prove the validity of each triple which is an instance of the conclusion.
Some examples
⊢ x = z + 1 : {x > 0} ⇒ {z + 1 > 0}
Is this a valid triple?
Some examples
⊢ x = x + 1 : {x < 0} ⇒ {x + 1 < 0}
Is this a valid triple?
Rules of Hoare Logic: Assignment
⊢ x:=e : P[e/x] ⇒ P
Some examples
⊢ x = z + 1 : {z + 1 > 0} ⇒ {x > 0}
Is this a valid triple?
Some examples
⊢ x = x + 1 : {x + 1 < 0} ⇒ {x < 0}
Is this a valid triple?
Rules of Hoare Logic: Composition
⊢ c : P ⇒ R    ⊢ c’ : R ⇒ Q
---------------------------
⊢ c;c’ : P ⇒ Q
Some examples
⊢ x = z * 2; z := x * 2 : {(z * 2) * 2 = 8} ⇒ {z = 8}
How can we derive this?
Some examples
⊢ x = z * 2; z := x * 2 : {z = 2} ⇒ {z = 8}
How can we derive this?
Rules of Hoare Logic: Consequence
P ⇒ S    ⊢ c : S ⇒ R    R ⇒ Q
-----------------------------
⊢ c : P ⇒ Q
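An added example (not code from the course) that checks the validity definition from the slides by brute force over a small integer domain, uses it to compare the two assignment rules on x := x + 1, and then derives the composition example backwards with the assignment rule before strengthening its precondition by consequence. Assertions, expressions and loop-free commands are encoded as Python callables on a memory dict; `DOMAIN`, `subst`, `countermodel` and the two example functions are assumptions of this example.

```python
from itertools import product

# Assertions P, Q and expressions e are Python callables on a memory (a dict):
# P(m) means "m satisfies P" and e(m) is {e}m.  Loop-free commands are functions
# from memories to memories.  DOMAIN is a constructed, finite range of values.
DOMAIN = range(-4, 5)

def assign(x, e):
    """The command x := e as a memory transformer m -> m[x <- {e}m]."""
    return lambda m: {**m, x: e(m)}

def seq(c1, c2):
    """The command c1; c2."""
    return lambda m: c2(c1(m))

def subst(P, x, e):
    """P[e/x]: P with e substituted for x.  Semantically P[e/x](m) = P(m[x <- {e}m]),
    which is exactly the precondition the (correct) assignment rule computes."""
    return lambda m: P(assign(x, e)(m))

def countermodel(c, P, Q, names):
    """Validity of c : P => Q as defined on the slides, checked exhaustively over
    DOMAIN^names: the first memory m with P(m) and not Q({c}m), or None if valid."""
    for vals in product(DOMAIN, repeat=len(names)):
        m = dict(zip(names, vals))
        if P(m) and not Q(c(m)):
            return m
    return None

def assignment_rules():
    """x := x+1 with P = {x < 0}: the first-attempt rule P => P[e/x] against the
    rule P[e/x] => P.  Returns a countermodel (or None) for each instance."""
    inc = lambda m: m["x"] + 1
    P = lambda m: m["x"] < 0
    first_attempt = countermodel(assign("x", inc), P, subst(P, "x", inc), ["x"])
    correct = countermodel(assign("x", inc), subst(P, "x", inc), P, ["x"])
    return first_attempt, correct

def composition_example():
    """x := z*2; z := x*2 : {(z*2)*2 = 8} => {z = 8} built backwards with the
    assignment rule twice, then {z = 2} => {z = 8} by consequence."""
    prog = seq(assign("x", lambda m: m["z"] * 2), assign("z", lambda m: m["x"] * 2))
    post = lambda m: m["z"] == 8
    mid = subst(post, "z", lambda m: m["x"] * 2)   # R = {x*2 = 8}
    pre = subst(mid, "x", lambda m: m["z"] * 2)    # P = {(z*2)*2 = 8}
    z_is_2 = lambda m: m["z"] == 2
    implies = all(pre({"z": v}) for v in DOMAIN if z_is_2({"z": v}))  # z = 2 => P
    return (countermodel(prog, pre, post, ["x", "z"]) is None, implies,
            countermodel(prog, z_is_2, post, ["x", "z"]) is None)
```

Enumeration only settles validity over a finite domain, which is why the rules matter: `subst` computes the precondition syntactically, without testing every memory.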