Open source verification in an anonymous volunteer network

Abstract

An ‘open’ certification process is characterised here that is not based on any central agency, but rather on the option for any party to confirm any part of the certification process at will. The model for this paradigm has been a distributed, piece-wise, semantic audit carried out on the Linux kernel source code using a lightweight formal method. Our goal is a technology that allows open source developers to receive formally backed certifications for their project, in quid pro quo exchanges of resources and expertise with other developers within an amorphous and anonymous cloud of volunteers. To help ensure the integrity of the results, identifying details such as subroutine and variable names are not included in the data sent for analysis, each part of the computation is repeated many times at different sites, and checkpoint information is generated that enables independent checks to be carried out without starting from scratch each time.
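As an added illustration (not the paper's tool or code), the following Python sketches the three integrity measures the abstract lists: stripping identifiers before a work unit leaves the submitter, replicating each unit across several volunteer sites with a quorum, and emitting a checkpoint record (here a hash of the anonymised unit plus the verdict) that a third party can recompute. The lock-balance checker, the SEMANTIC_NAMES allow-list, the faulty site and the sample function are constructed assumptions.

```python
import hashlib
import re
from collections import Counter

# Assumption: the checker only needs to recognise a few semantic names (kernel lock
# primitives plus C keywords); every other identifier is replaced before submission.
SEMANTIC_NAMES = {"spin_lock", "spin_unlock", "if", "return", "int", "struct"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def anonymise(source):
    """Consistently map each non-semantic identifier to a positional placeholder."""
    names = {}
    def repl(m):
        word = m.group(0)
        if word in SEMANTIC_NAMES:
            return word
        return names.setdefault(word, f"v{len(names)}")

    return IDENT.sub(repl, source)


def check_unit(unit):
    """Constructed stand-in for the real analysis: are lock/unlock calls balanced?"""
    return unit.count("spin_lock(") == unit.count("spin_unlock(")


def checkpoint(unit, result):
    """Record a third party can recompute: hash of exactly what was analysed, plus verdict."""
    return {"unit_sha256": hashlib.sha256(unit.encode()).hexdigest(), "result": result}


def replicated_verdict(unit, volunteers, quorum):
    """Run the same unit at several sites; accept a verdict only if >= quorum sites agree."""
    records = [checkpoint(unit, run(unit)) for run in volunteers]
    result, votes = Counter(r["result"] for r in records).most_common(1)[0]
    return result if votes >= quorum else None


# Constructed sample work unit: a kernel-style routine that never releases its lock.
SAMPLE = """int release_buffer(struct kbuf *b) {
    spin_lock(&b->lock);
    if (b->refcnt == 0) return -1;
    b->refcnt--;
    return 0;
}"""

honest = check_unit
def faulty(unit): return True   # a site that reports every unit as clean


if __name__ == "__main__":
    unit = anonymise(SAMPLE)
    print(unit)                                                          # names gone, lock calls kept
    print(replicated_verdict(unit, [honest, honest, faulty], quorum=2))  # False
```

With two honest sites and one faulty one, the quorum of two still yields the correct verdict; with one of each, no verdict is accepted and the unit would be reissued.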
