Christoph Scheben

The KeY Platform for Verification and Analysis of Java Programs

The KeY system offers a platform of software analysis tools for sequential Java. Foremost, this includes full functional verification against contracts written in the Java Modeling Language. But the approach is general enough to provide a basis for other methods and purposes: (i) complementary validation techniques to formal verification such as testing and debugging, (ii) methods that reduce the complexity of verification such as modularization and abstract interpretation, (iii) analyses of non-functional properties such as information flow security, and (iv) sound program transformation and code generation. We show that deductive technology that has been developed for full functional verification can be used as a basis and framework for other purposes than pure functional verification. We use the current release of the KeY system as an example to explain and prove this claim.

Verification of information flow properties of java programs without approximations

In this paper we propose a methodology for the specification and verification of information flow properties for sequential Java programs. This proposal also covers declassification. We define an extension of the Java Modeling Language (JML) that significantly goes beyond previous approaches. The JML specification clauses are translated into proof obligations in Dynamic Logic. An experimental implementation within the KeY-system shows the feasibility of the approach.

The COST IC0701 verification competition 2011

This paper reports on the experiences with the program verification competition held during the FoVeOOS conference in October 2011. There were 6 teams participating in this competition. We discuss the three different challenges that were posed and the solutions developed by the teams. We conclude with a discussion about the value of such competitions and lessons learned from them.

Information Flow in Object-Oriented Software

This paper contributes to the investigation of object-sensitive information flow properties for sequential Java, i.e., properties that take into account information leakage through objects, as opposed to primitive values. We present two improvements to a popular object-sensitive non-interference property. Both reduce the burden on analysis and monitoring tools. We present a formalization of this property in a program logic – JavaDL in our case – which allows using an existing tool without requiring program modification. The third contribution is a novel fine-grained specification methodology. In our approach, arbitrary JavaDL terms (read ‘side-effect-free Java expressions’) may be assigned a security level – in contrast to security labels being attached to fields and variables only.

Efficient Self-composition for Weakest Precondition Calculi

This paper contributes to deductive verification of language based secure information flow. A popular approach in this area is self-composition in combination with off-the-shelf software verification systems to check for secure information flow. This approach is appealing, because 1 it is highly precise and 2 existing sophisticated software verification systems can be harnessed. On the other hand, self-composition is commonly considered to be inefficient. We show how the efficiency of self-composition style reasoning can be increased. It is sufficient to consider programs only once, if the used verification technique is based on a weakest precondition calculus with an explicit heap model. Additionally, we show that in many cases the number of final symbolic states to be considered can be reduced considerably. Finally, we propose a comprehensive solution of the technical problem of applying software contracts within the self-composition approach. So far this problem had only been solved partially.

Information Flow Analysis

Information flow analysis detects and controls how sensitive information is propagated through an application. We give a formal model of what it means for sensitive information to be revealed, as well as an extension of JML that allows for the specification of information flow concerns. We present an approach by which we can verify these JML contracts using KeY. It is based on two symbolic executions of the program.

Functional verification and information flow analysis of an electronic voting system

Electronic voting (e-voting) systems that are used in public elections need to fulfill a broad range of strong requirements concerning both safety and security. Among those requirements are reliability, robustness, privacy of votes, coercion resistance, and universal verifiability. Bugs in or manipulations of an e-voting system can have considerable influence on society. Therefore, e-voting systems are an obvious target for software verification. This case study proves the preservation of privacy of votes for a basic electronic voting system. Altogether the considered code comprises eight classes and thirteen methods in about 150 lines of code of a rich fragment of Java.

HUMAN PROCESSOR MODELLING LANGUAGE (HPML): ESTIMATE WORKING MEMORY LOAD TROUGH INTERACTION

Abstract To operate machines over their user interface may cause high load on humans working memory. This load can decrease performance in the working task significantly if this task is a cognitive challenging one, e. g. diagnosis. With the »Human Processor Modelling Language« (HPML) the interaction activity can be modelled with a directed graph. From such models a condensed indicator value for working memory load can be estimated. Thus different user interface solutions can get compared with respect to their relative demand on working memory resources.

Simulation of d′ -dimensional cellular automata on d -dimensional cellular automata

In this paper a fast and space efficient method for simulating a d′-dimensional cellular automaton (CA) on a d-dimensional CA (d<d′) is introduced For d′=2 and d=1 this method is optimal (under certain assumptions) with respect to time as well as space complexity Let in this case t(n) be the time complexity and r(n) the side length of the smallest square enclosing all used cells Then the simulation does not need more than O(r2) cells and has a running time of d′ = d+1 a version with the time and space complexity of O(t2) will be presented Finally it will be shown, how it is possible to simulate a 2d-dimensional CA on a d-dimensional CA in a similarly efficient way.