Relational Logic with Framing and Hypotheses

Relational properties arise in many settings: relating two versions of a program that use different data representations, noninterference properties for security, etc. The main ingredient of relational verification, relating aligned pairs of intermediate steps, has been used in numerous guises, but existing relational program logics are narrow in scope. This paper introduces a logic based on novel syntax that weaves together product programs to express alignment of control flow points at which relational formulas are asserted. Correctness judgments feature hypotheses with relational specifications, discharged by a rule for the linking of procedure implementations. The logic supports reasoning about program-pairs containing both similar and dissimilar control and data structures. Reasoning about dynamically allocated objects is supported by a frame rule based on frame conditions amenable to SMT provers. We prove soundness and sketch how the logic can be used for data abstraction, loop optimizations, and secure information flow.
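The abstract's central idea, a product program that runs two executions in lockstep and asserts a relational formula at aligned control points, can be made concrete with a small runtime checker. The code below is an added example, not the paper's logic or code: programs are written as generators that yield their observable state at each control point, `product_check` weaves two such executions together and checks a coupling relation at every aligned pair of steps, and the two uses mirror the abstract's applications (a data-representation change between two versions of a program, and noninterference as a two-run property). All function names, the tuple encoding of state and the sample inputs are assumptions constructed for this example, and a runtime check on concrete inputs is evidence for a relational property, not the deductive proof the logic provides.

```python
"""Added example: a runtime 'product program' that runs two program copies in
lockstep and checks a relational assertion at each aligned control point."""
from typing import Callable, Iterable, Tuple

State = Tuple  # constructed encoding: each yield is a tuple of variable values


def _step(gen):
    """Advance one generator; return (finished, yielded_or_returned_value)."""
    try:
        return False, next(gen)
    except StopIteration as stop:
        return True, stop.value


def product_check(gen_a, gen_b, coupling: Callable[[State, State], bool]):
    """Weave two executions together: at each aligned pair of yields check
    `coupling`; at termination return (aligned_steps, result_a, result_b).
    Raises AssertionError if the relation fails or control flow misaligns
    (one execution reaches a control point the other never reaches)."""
    steps = 0
    while True:
        done_a, va = _step(gen_a)
        done_b, vb = _step(gen_b)
        if done_a != done_b:
            raise AssertionError(f"control flow misaligned after {steps} steps")
        if done_a:
            return steps, va, vb
        if not coupling(va, vb):
            raise AssertionError(f"coupling violated at step {steps}: {va} vs {vb}")
        steps += 1


# --- Data representation change: int accumulator vs. list of prefix sums ---

def sum_v1(xs: Iterable[int]):
    """Version 1 keeps a single running total."""
    total = 0
    for x in xs:
        total += x
        yield (total,)            # control point: end of the loop body
    return total


def sum_v2(xs: Iterable[int]):
    """Version 2 keeps every prefix sum (a different data representation)."""
    prefix = [0]
    for x in xs:
        prefix.append(prefix[-1] + x)
        yield (tuple(prefix),)    # same control point as in sum_v1
    return prefix[-1]


def check_representation_change(xs):
    """Coupling relation: v1's total equals the last prefix sum kept by v2."""
    return product_check(sum_v1(xs), sum_v2(xs),
                         lambda a, b: a[0] == b[0][-1])


# --- Noninterference as a relational property of two runs -----------------

def mix(secret: int, public: Iterable[int], leak: bool):
    """Loop over public (low) data; with leak=True the secret flows into the
    low accumulator, which noninterference forbids."""
    acc = 0
    for p in public:
        acc += p + (secret if leak else 0)
        yield (acc,)              # control point: low state after each iteration
    return acc


def check_noninterference(public, secret1, secret2, leak=False):
    """Run the program twice on inputs that agree on low data but differ on
    the secret; the coupling demands the low state stay equal at every
    aligned step and at the end. Returns True if no violation is observed."""
    try:
        _, r1, r2 = product_check(mix(secret1, public, leak),
                                  mix(secret2, public, leak),
                                  lambda a, b: a == b)
    except AssertionError:
        return False
    return r1 == r2


if __name__ == "__main__":
    print(check_representation_change([1, 2, 3]))           # (3, 6, 6)
    print(check_noninterference([1, 2, 3], 0, 7))            # True
    print(check_noninterference([1, 2, 3], 0, 7, leak=True)) # False
```

The control-point alignment is fixed by where each program yields; a misalignment (for instance a loop whose trip count depends on the secret) surfaces as a control-flow mismatch rather than a silently skipped assertion, which is the kind of case a relational logic must handle explicitly.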
