Dealing with Intervals

Suppose now to be interested in a hyper intervals analysis. The classic abstract domain of Intervals, as introduced in Section5.2.2is defined over numerical values, but the intervals construction can be easily generalized [Cousot and Cousot,1979b]. Given a complete lattice hC, 4, g, f, >, ⊥i, we can define the C-Intervals domain as follows.

Definition 28(C-Interval Domain). The domain of C-Intervals has a carrier set: IntvC

M. Pasqua 6.2. Hyper Abstract Domains

αIntv

ı γ

Intv ı

Figure 6.6: Abstraction and concretization of an Interval of Intervals.

Then the relation vı

C⊆ Intv C

× IntvC

, defined as [a, b] vı

C[c, d] , (c 4 a ∧ b 4 d), is a partial

order. The domain has arbitrary least upper bounds and greatest lower bounds, defined as:

Cbı_{[a

i, bi]}i∈∆, [c{ai}i∈∆,b{ai}i∈∆]

C

c

ı{[ai, bi]}i∈∆, (

[>, ⊥] if b{ai}i∈∆4c{ai}i∈∆ b{ai}i∈∆,c{ai}i∈∆ otherwise

The domain has a minimum [>, ⊥], that we denote ⊥ı

C, and a maximum [⊥, >], that we

denote >ı

C. The domain is, indeed, a complete lattice.

The corresponding Galois connection between (the powerset of) the concrete domain C and its intervals domain is

h℘(C), ⊆i −−−→←−−− αC_ı γ_ıC hIntvC_{, v}ı Ci where α C ı(X) , [c X, b X] and γıC([a, b]) , {c ∈ C | a 4 c 4 b} An instance of this pattern is the classic domain of Intervals over integers, where the initial domain is the complete lattice of Integers. This latter has a carrier set Z ∪ {−∞, +∞}, maxas a supremum, min as a infimum, −∞ as a minimum and +∞ as a maximum.

We can use the intervals construction for an inner abstraction when we aim at charac- terizing invariants of intervals of computations. In this case we use the lift L and then we compose it with an outer abstraction determining the desired invariants. But, we can use this construction also for an outer abstraction by defining it on an domain A already ob- tained by an inner abstraction. In this case we characterize interval invariants of an inner abstract domain, abstraction of ℘(A). For instance, if the inner abstraction is Pos, then we would characterize the sign properties of interval bounds.

In Figure6.6we have a graphical representation of the interval abstraction applied to the interval domain itself. A set of intervals is abstracted into a higher-order interval. The con- cretization is the set of all intervals comprised, w.r.t. the partial order of the classic Interval domain, between the left and the right interval bounds.

Example: Intervals-Parity Analysis. Consider the classic domain of Intervals on integers. Now, we can lift it at hyper level, obtaining the following Galois connection:

h℘(℘(Z)), ⊆, ∩, ∪, ℘(Z), ∅i −−−−−→←−−−−− L(αı)

G(αı)

h℘(Intv), ⊆, ∪, ∩, Intv, ∅i

92 92

Chapter 6. Hyper Program Analysis M. Pasqua

From a set of intervals we can forget the exact relation between the bounds, instead we can collect together the information of the left bounds and the right bounds. In order to get the Intervals-Parity domain we need an intermediate abstraction. A set of intervals can be seen as a set of pairs, hence we can exploit the abstraction from sets of pairs to pairs of sets (a slightly modified version of the Componentwise Abstraction introduced in Section2.3). This is formalized by the following Galois connection, where Z∞, Z ∪ {−∞, +∞}:

h℘(Intv), ⊆, ∪, ∩, Intv, ∅i −−−→←−−− α×_ı γ×_ı

h℘(Z∞)2, ⊆2, ∪2, ∩2, hZ∞, Z∞i, h∅, ∅ii α×

(X) , h{a | [a, b] ∈ X}, {b | [a, b] ∈ X}i γ×(hX, Y i) ,

(

{[a, b] | a ∈ X, b ∈ Y, a ≤ b} ∪ {⊥ı_{} if + ∞ ∈ X ∧ −∞ ∈ Y} {[a, b] | a ∈ X, b ∈ Y, a ≤ b} otherwise

The intervals-parity analysis retrieves the parity of the left and right bounds of a set of intervals. The Parity domain of Z∞has as carrier set Par , {⊥, Even, Odd, >}. The relation 6 ⊆ Par × Par, defined as 6 , {h⊥, pi | p ∈ Par} ∪ {hp, >i | p ∈ Par}, is a partial order. The domain has binary infimum and supremum, trivially defined. The minimum is ⊥ and the maximum is >. Then we have the following Galois connection:

h℘(Z∞), ⊆, ∪, ∩, Z∞, ∅i −−−−→←−−−−_α Par γPar hPar, 6, Y, Z, >, ⊥i α_{Par(X) ,}          ⊥ if X = ∅ Even _{if X ⊆ 2Z} Odd if X ⊆ 2Z+1 > otherwise γ_{Par(p) ,}          ∅ if p = ⊥ 2Z if p = Even 2Z+1 if p = Odd Z∞ otherwise

Now, we can apply this abstraction componentwise to ℘(Z∞), obtaining the following Ga- lois connection: h℘(Z∞)2, ⊆2, ∪2, ∩2, hZ∞, Z∞i, h∅, ∅ii −−−−→←−−−− α2 Par γPar2 hPar2 , 62 , Y2 , Z2_{, h>, >i, h⊥, ⊥ii}

α2_{Par(hX, Y i) , hα}Par(X), αPar(Y )i γPar2 (hp1, p2i) , hγPar(p1), γPar(p2)i

Due to the fact that Galois connections are closed by composition we finally have the ab- straction from the concrete domain and the domain for the Intervals-Parity analysis:

h℘(℘(Z)), ⊆, ∪, ∩, ℘(Z), ∅i −−−−→←−−−− αı Par γı Par hPar2 , 62, Y2, Z2, h>, >i, h⊥, ⊥ii αı Par, α2Par◦ α ×_{◦ L(α} ı) γParı , G(αı) ◦ γ×◦ γPar2

Example 12. The set of sets of integers X = {{1, 2, 3}, {1, 4}} is abstracted as follows: αı_Par(X ) = α2_Par◦ α×

({[1, 3], [1, 4]}) = α2_Par(h{1}, {3, 4}i) = hOdd, >i

In this case, we have that the left bounds are all even, instead the right bounds do not agree on parity.

M. Pasqua 6.2. Hyper Abstract Domains

Note that, also this hyperdomain follows the pattern described in Subsection6.2.1. The inner abstraction is αı, then we have the additive lift L and, finally, the outer abstraction is α2_Par◦ α×_.

Example: Bound-Stability Analysis. The Bound-Stability analysis is very similar to the Intervals-Parity analysis, but it checks if the bounds of a set of intervals are stable (i.e. have constant values) instead of checking their parity. The Constants domain of Z∞has as carrier set Cst , {n | n ∈ Z} ∪ {⊥, >}. The relation 6 ⊆ Cst × Cst, defined as 6 , {h⊥, ci | c ∈ Cst}∪{hc, >i | c ∈ Cst}, is a partial order. The domain has binary infimum and supremum, trivially defined. The minimum is ⊥ and the maximum is >. Then we have the following Galois connection: h℘(Z∞), ⊆, ∪, ∩, Z∞, ∅i −−−−→←−−−−_α Cst γCst hCst, 6, Y, Z, >, ⊥i α_{Cst(X) ,}      ⊥ if X = ∅ n if X = {n} > otherwise γ_{Cst(c) ,}      ∅ if c = ⊥ {n} if c = n Z∞ otherwise

Now, we can apply this abstraction componentwise to ℘(Z∞), obtaining the following Ga- lois connection: h℘(Z∞)2, ⊆2, ∪2, ∩2, hZ∞, Z∞i, h∅, ∅ii −−−−→←−−−− α2 Cst γCst2 hCst2 , 62 , Y2 , Z2_{, h>, >i, h⊥, ⊥ii} α2_{Cst(hX, Y i) , hα}Cst(X), αCst(Y )i γCst2 (hc1, c2i) , hγCst(c1), γCst(c2)i

Due to the fact that Galois connections are closed by composition we finally have the ab- straction from the concrete domain and the domain for the Bound-Stability analysis:

h℘(℘(Z)), ⊆, ∪, ∩, ℘(Z), ∅i −−−−→←−−−− αı Cst γı Cst hCst2 , 62 , Y2 , Z2_{, h>, >i, h⊥, ⊥ii} αı Cst, α 2 Cst◦ α ×_{◦ L(α} ı) γ_Cstı , G(αı) ◦ γ×◦ γ_Cst2

Example 13. The set of sets of integers X = {{1, 2, 3}, {1, 4}} is abstracted as follows: αı_Cst(X ) = α2_Cst◦ α×_{({[1, 3], [1, 4]}) = α}2

Cst(h{1}, {3, 4}i) = h1, >i

In this case, we have that the left bound is stable, i.e. it is always 1, whilst the right bound it is not.

Also this hyperdomain follows the pattern describe in Subsection6.2.1. The inner abstrac- tion is αı, then we have the additive lift L and, finally, the outer abstraction is α2Cst◦ α

×_.

Again on Analyzing Analyses. The design patterns introduced in this section are not use- ful for hyperproperties verification only. Indeed they can also be used in the context of the analysis of analyses, as introduced at the end of Section6.1. For instance, suppose to have an analyzer for the Intervals domain, that we call first level analysis. Then, collecting the Intervals subsequently generated by this static analyzer, we can infer whether the Intervals bounds are stable (indeed, we approximate this information), applying the Bound-Stability

94 94

Chapter 6. Hyper Program Analysis M. Pasqua

analysis. We call this latter second level analysis and it builds on top of the semantics of the first order analyzer. If a bound is not stable we can apply a widening or other optimizations, in order to speed-up the (first level) analysis. As noted at the end of Section6.1, the anal- ysis with the Bound-Stability domain is applied on the partial evaluation of the first level analyzer on the target program.

Bounded Subset-Closed Hyperproperties

7

S

ubset-closed hyperproperties, introduced in Chapter4.2, are particular hyperproperties containing only downward closed elements. In the previous chapter we have seen that these specifications are simpler to verify, indeed they are in between, for what concerns verification difficulty, generic hyperproperties and trace hyperproperties. Now we consider particular subset-closed hyperproperties, for which the verification is simplified, still not as simple as the one for trace properties.

7.1

Bounded Subset-Closed Hyperproperties

Recall that the set of subset-closed hyperproperties SSCH_{, with typical elements cHp ∈ SSC}H_, is defined as:

SSCH_,Hp ∈ GENHX ∈ Hp ⇒ (∀Y ⊆ X . Y ∈ Hp)

where GENH_{is the set of all generic hyperproperties over the execution denotations domain}

Den, namely GENH

, ℘(℘(Den)). The strongest subset-closed hyperproperty for a program Pis ℘(SP

base), meaning that these hyperproperties can be refuted by means of a single subset

of the base semantics, which is a witness of refutation.

Now, we define a stronger notion of subset-closed hyperproperty, allowing us to further restrict the set of possible refuting witnesses.

Definition 29(k-Bounded Subset-Closed Hyperproperties). Given an ordinal k < ω, the set of k-bounded subset-closed hyperproperties is:

SSCHk , {cHp ∈ SSCH| X /∈ cHp ⇔ (∃Tk ⊆ X . (|Tk| ≤ k ∧ Tk ∈ cHp))}/

The set Tk is the witness of refutation, namely a set of traces of cardinality at most k vio- lating the specification. In other words, in a k-bounded subset-closed hyperproperty, every set of traces not satisfying the hyperproperty has a refuting witness with at most k traces. This means that, in order to refute the hyperproperty, we need to exhibit a counterexample consisting in at most k traces. Formally, suppose cHp ∈ SSCH

k, if we find {¯σ

1_{, ¯σ}2_{, . . . ¯σ}k_{} ⊆ X} such that {¯σ1_{, ¯σ}2_{, . . . ¯σ}k_{} /∈ cHp, then we imply that X /∈ cHp. Hence X |= cHp if and only} if {{¯σ1_{, ¯σ}2_{, . . . ¯σ}k_{} | ¯σ}1_{, ¯σ}2_{, . . . ¯σ}k _{∈ X} ⊆ cHp. The if and only if here is crucial: in order to} refute the hyperproperty we can show just a counterexample set of cardinality k, namely ∃{¯σ1_{, ¯σ}2_{, . . . ¯σ}k_{} ⊆ X . {¯σ}1_{, ¯σ}2_{, . . . ¯σ}k_{} /∈ cHp implies X 6|= cHp.}

A subset-closed hyperproperty is unbounded when k = ω, meaning that the witnesses of refutation could be infinite. It is clear that, the union of all the k-bounded and unbounded subset-closed hyperproperties is precisely the set of all the subset-closed hyperproperties.

M. Pasqua 7.1. Bounded Subset-Closed Hyperproperties

Proposition 8. It holds that SSCH₌S

k<ω+1SSCHk. For every cHp ∈ SSCH_{we can define a refuting set R}

cHp, namely a set of sets of traces rep- resenting the witnesses for refuting the specification. These sets are similar to the prefixes representing the “bad thing” in safety (hyper)properties. It is possible to define different refuting sets for a given subset-closed hyperproperty, since when a set satisfies X /∈ cHp then we have that X ∪ Y /∈ cHp, by subset-closure. A SSCH_{hyperproperty cHp is violated if} and only if the given set of traces is a superset of an element in RcHp. So cHp ∈ SSCHcan be characterized as:

∀X ∈ ℘(Den) . (∃Tr∈ RcHp. Tr⊆ X) ⇔ X /∈ cHp (7.1) If, in addition, cHp ∈ SSCH

k, with k < ω, then we can define the minimal refuting set R min cHp (i.e. the one containing the sets with minimal cardinality) characterizing the hyperproperty. The set is minimal in the sense that ∀Tr, Tr0 ∈ RcHpmin. T

0

r6⊆ Tr∨ |Tr0| ≥ |Tr| (namely, Tr0 ⊆ Tr implies Tr0 = Tr). This means that for every set violating the hyperproperty, RmincHpcontains only its minimal representative. In particular, every element in Rmin

cHphas cardinality k.

Example 14. Let Mem = Var −→ Z and Den = Mem × Mem. Non-Interference, parametric on a security variables typing Γ ∈ Var −→ {L, H}, is:

NI , {X ∈ ℘(Den) | ∀¯σ, ¯σ0∈ X . (¯σ` =Lσ¯0`⇒ ¯σa=L¯σa0)}

where ¯σ`and ¯σaare the projections on the first and last element of the pair ¯σ, respectively. The equivalence =Lholds for memories agreeing on the values of public (L) variables. NI is in SSCH

2, namely X |= NI if and only if {{¯σ, ¯σ0} | ¯σ, ¯σ0 ∈ X} ⊆ NI. Hence, if we find a pair of interfering executions, i.e. {¯σ, ¯σ0} 6∈ NI, then we proved that X 6|= NI. Indeed, the minimal refuting set for Non-Interference is:

R_NImin_,{¯σ, ¯σ0} ∈ ℘(Den)

σ¯`=Lσ¯`0 ∧ ¯σa6=Lσ¯a0

Remark. By substituting ⊆ with the prefix-set relation 61 _{in (7.1) we obtain the minimal}

refuting set for an k-hypersafety.

In the rest of the work, when we say bounded hyperproperty, we mean a k-bounded subset-closed hyperproperty, for some k < ω. It is worth noting, that we can restate the satisfiability for bounded hyperproperties.

Proposition 9. A program P, with base semantics SP

basesatisfies a k-bounded subset-closed hyper- property cHp if and only if {X ⊆ SP

base| |X| = k} ⊆ cHp.

We can then approximate {X ⊆ SP

base | |X| = k} in order to verify the hyperproperty.

The set {X ⊆ SP

base| |X| = k} is not a correct hypersemantics, since it does not contain S P base.

Nevertheless, it is equisatisfying to the collecting semantics {SP

base} w.r.t. SSC

H

k. We will see how to exploit this fact in a moment.

Note that a k-bounded subset-closed hyperproperty with k = ω is not simpler to verify than an arbitrary subset-closed hyperproperty. Indeed, simplifications occur, as always, when from infinite objects we move to finite ones.

1_{Here X 6 Y if and only if for every ¯σ ∈ Xexists ¯σ}0_{∈ Y such that ¯σ}

is a prefix of ¯σ0(see Section4.2).

98 98

Chapter 7. Bounded Subset-Closed Hyperproperties M. Pasqua

In document Hyper Static Analysis of Programs - An Abstract Interpretation-Based Framework for Hyperproperties Verification (Page 109-117)