Daniel Wasserrab

An operational semantics and type safety prooffor multiple inheritance in C

We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behaviour of method calls, field accesses, and two forms of casts in C++ class hierarchies exactly, and the type safety proof was formalized and machine-checked in Isabelle/HOL. Our semantics enables one, for the first time, to understand the behaviour of operations on C++ class hierarchies without referring to implementation-level artifacts such as virtual function tables. Moreover, it can - as the semantics is executable - act as a reference for compilers, and it can form the basis for more advanced correctness proofs of, e.g., automated program transformations. The paper presents the semantics and type safety proof, and a discussion of the many subtleties that we encountered in modeling the intricate multiple inheritance model of C++.

Checking probabilistic noninterference using JOANA

Abstract JOANA is a tool for software security analysis, checking up to 100 kLOC of full multi-threaded Java. JOANA is based on sophisticated program analysis techniques and thus very precise. It includes a new algorithm guaranteeing probabilistic noninterference, named RLSOD. JOANA needs few annotations and has a nice GUI. The tool is open source and was applied in several case studies. The article presents an overview of JOANA and its underlying technology.

From Formal Semantics to Verified Slicing : A Modular Framework with Applications in Language Based Security

This book presents a modular framework for slicing in the proof assistant Isabelle/HOL which is based on abstract control flow graphs. Building on such abstract structures renders the correctness results language-independent. To prove that they hold for a specific language, it remains to instantiate the framework with this language, which requires a formal semantics of this language in Isabelle/HOL. We show that formal semantics even for sophisticated high-level languages are realizable.

Formalizing a Framework for Dynamic Slicing of Program Dependence Graphs in Isabelle/HOL

Slicing is a widely-used technique with applications in e.g. compiler technology and software security. Thus verification of algorithms in these areas is often based on the correctness of slicing, which should ideally be proven independent of concrete programming languages and with the help of well-known verifying techniques such as proof assistants. As a first step in this direction, this contribution presents a framework for dynamic slicing based on control flow and program dependence graphs and machine checked in Isabelle/HOL. Abstracting from concrete syntax we base the framework on a graph representation of the program fulfilling certain structural and well-formedness properties.

On PDG-based noninterference and its modular proof (abstract only)

We present the first machine-checked correctness proof for information flow control (IFC) based on program dependence graphs (PDGs). IFC based on slicing and PDGs is flow-sensitive, context-sensitive, and object-sensitive; thus offering more precision than traditional approaches. While the method has been implemented and successfully applied to realistic Java programs, only a manual proof of a fundamental correctness property was available so far. The new proof is based on a new correctness proof for intraprocedural PDGs and program slices. Both proofs are formalized in Isabelle/HOL. They rely on abstract structures and properties instead of concrete syntax and definitions. Carrying the correctness proof over to any given language or dependence definition reduces to just showing that it fulfills the necessary preconditions, thus eliminating the need to develop another full proof. We instantiate the framework with both a simple while language and Java bytecode, as well as with three different control dependence definitions. Thus we obtain 6 IFC correctness proofs for the price of 1½.