Results 1 - 10 of 127
Building a high-performance, programmable secure coprocessor
- Computer Networks, 1999
Cited by 224 (38 self)
Abstract. Unsecure computational environments threaten many financial cryptography implementations, and other sensitive computation. High-performance secure coprocessors can address these threats. However, using this technology for practical security solutions requires overcoming numerous technical and business obstacles. These obstacles motivate building a high-performance secure coprocessor that balances security with easy third-party programmability, but these obstacles also provide many design challenges. This paper discusses some of the issues we faced when attempting to build such a device.
Automatic Generation of Program Specifications
- In ISSTA 2002, Proceedings of the 2002 International Symposium on Software Testing and Analysis, 2002
Cited by 82 (16 self)
Producing specifications by dynamic (runtime) analysis of program executions is potentially unsound, because the analyzed executions may not fully characterize all possible executions of the program. In practice, how accurate are the results of a dynamic analysis? This paper describes the results of an investigation into this question, determining how much specifications generalized from program runs must be changed in order to be verified by a static checker.
Evaluating SFI for a CISC architecture
- In 15th USENIX Security Symposium, 2006
Cited by 80 (9 self)
Executing untrusted code while preserving security requires that the code be prevented from modifying memory or executing instructions except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces such a policy by rewriting the untrusted code at the instruction level. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and most other previous work is either insecure, or has not been described in enough detail to give confidence in its security properties. We present a new sandboxing technique that can be applied to a CISC architecture like the IA-32, and whose application can be checked at load-time to minimize the TCB. We describe an implementation which provides a robust security guarantee and has low runtime overheads (an average of 21% on the SPECint2000 benchmarks). We evaluate the utility of the technique by applying it to untrusted decompression modules in an archive tool, and its safety by constructing a machine-checked proof that any program approved by the verification algorithm will respect the desired safety property.
Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java
- 2001
Cited by 73 (5 self)
This paper shows how to integrate two complementary techniques for manipulating program invariants: dynamic detection and static verification. Dynamic detection proposes likely invariants based on program executions, but the resulting properties are not guaranteed to be true over all possible executions. Static verification checks that properties are always true, but it can be difficult and tedious to select a goal and to annotate programs for input to a static checker. Combining these techniques overcomes the weaknesses of each: dynamically detected invariants can annotate a program or provide goals for static verification, and static verification can confirm properties proposed by a dynamic tool. We have
An open extensible tool environment for Event-B
- ICFEM 2006, LNCS, 2006
Cited by 57 (24 self)
Abstract. We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this is that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods.
Structured Theory Development for a Mechanized Logic
- Journal of Automated Reasoning, 1999
Cited by 53 (16 self)
Experience has shown that large or multi-user interactive proof efforts can benefit significantly from structuring mechanisms, much like those available in many modern programming languages. Such a mechanism can allow some lemmas and definitions to be exported, and others not. In this paper we address two such structuring mechanisms for the ACL2 theorem prover: encapsulation and books. After presenting an introduction to ACL2, this paper justifies the implementation of ACL2's structuring mechanisms and, more generally, formulates and proves high-level correctness properties of ACL2. The issues in the present paper are relevant not only for ACL2 but also for other theorem-proving environments.
Lifted-FL: A Pragmatic Implementation of Combined Model Checking and Theorem Proving
- 1999
Cited by 39 (3 self)
Abstract. Combining theorem proving and model checking offers the tantalizing possibility of efficiently reasoning about large circuits at high levels of abstraction. We have constructed a system that seamlessly integrates symbolic trajectory evaluation based model checking with theorem proving in a higher-order classical logic. The approach is made possible by using the same programming language ( ) as both the meta and object language of theorem proving. This is done by "lifting", essentially deeply embedding in itself. The approach is a pragmatic solution that provides an efficient and extensible verification environment. Our approach is generally applicable to any dialect of the ML programming language and any model-checking algorithm that has practical inference rules for combining results.
Structured Specifications and Interactive Proofs with KIV
- 1998
Cited by 37 (28 self)
The aim of this chapter is to describe the integrated specification- and theorem proving environment of KIV. KIV is an advanced tool for developing high assurance systems. It supports:
- hierarchical formal specification of software and system designs
- specification of safety/security models
- proving properties of specifications
- modular implementation of specification components
- modular verification of implementations
- incremental verification and error correction
- reuse of specifications, proofs, and verified components
KIV supports the entire design process from formal specifications to verified code. It supports functional as well as state-based modeling. KIV is ready for use, and has been tested in a number of indu...