Enforcing Resource Bounds via Static Verification of Dynamic Checks

  • Ajay Chander
  • David Espinosa
  • Nayeem Islam
  • Peter Lee
  • George Necula
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3444)

Abstract

We classify existing approaches to resource-bounds checking as static or dynamic. Dynamic checking performs checks during program execution, while static checking performs them before execution. Dynamic checking is easy to implement but incurs runtime cost. Static checking avoids runtime overhead but typically involves difficult, often incomplete program analyses. In particular, static checking is hard in the presence of dynamic data and complex program structure. We propose a new resource management paradigm that offers the best of both worlds. We present language constructs that let the code producer optimize dynamic checks by placing them either before each resource use, or at the start of the program, or anywhere in between. We show how the code consumer can then statically verify that the optimized dynamic checks enforce his resource bounds policy. We present a practical language that is designed to admit decidable yet efficient verification and prove that our procedure is sound and optimal. We describe our experience verifying a Java implementation of tar for resource safety. Finally, we outline how our method can improve the checking of other dynamic properties.
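To make the idea in the abstract concrete, here is an added example that is not code from the paper or its authors. It models a tiny program language (the `Acquire`, `Use` and `Loop` instructions, the `verify` and `run` functions, and the sample programs are all constructed for this illustration) in which `Acquire(n)` is the only instruction that performs a run-time check against the consumer's budget, while `Use(k)` consumes units with no check at all. The code producer can place acquires before every use, once at the start, or anywhere in between; `verify` is the code consumer's static check that every use is covered by earlier acquires on every path, so the unchecked uses can never exceed the policy.

```python
from dataclasses import dataclass


class BudgetExceeded(Exception):
    """Raised by a dynamic acquire() check when the consumer's policy budget would be exceeded."""


# --- Toy program representation (constructed for this example, not the paper's language) ---
@dataclass
class Acquire:
    """Dynamic check: reserve n units up front; fails at run time if they are not available."""
    n: int


@dataclass
class Use:
    """Consume k units. Carries no run-time check: the verifier must prove it is covered."""
    k: int


@dataclass
class Loop:
    """Run `body` exactly `count` times (a constant bound, which keeps verification decidable)."""
    count: int
    body: list


def verify(program, reserved=0):
    """Code consumer's static check: walk the program tracking how many units are
    reserved but not yet used, and reject any Use that is not covered on every path.
    Returns (ok, reserved_left)."""
    for ins in program:
        if isinstance(ins, Acquire):
            reserved += ins.n
        elif isinstance(ins, Use):
            if reserved < ins.k:
                return False, reserved  # an unchecked use could exceed the policy
            reserved -= ins.k
        elif isinstance(ins, Loop):
            # With a constant trip count the body is checked once per iteration, carrying the
            # reservation across iterations (the general case needs a loop invariant).
            for _ in range(ins.count):
                ok, reserved = verify(ins.body, reserved)
                if not ok:
                    return False, reserved
        else:
            raise TypeError(f"unknown instruction: {ins!r}")
    return True, reserved


def run(program, budget):
    """Execute under the consumer's policy `budget`. Acquire is the only instruction that
    checks anything; Use just consumes. Returns (units_used, checks_executed)."""
    state = {"budget": budget, "used": 0, "checks": 0}

    def step(prog):
        for ins in prog:
            if isinstance(ins, Acquire):
                state["checks"] += 1
                if ins.n > state["budget"]:
                    raise BudgetExceeded(f"acquire({ins.n}) with {state['budget']} units left")
                state["budget"] -= ins.n
            elif isinstance(ins, Use):
                state["used"] += ins.k
            elif isinstance(ins, Loop):
                for _ in range(ins.count):
                    step(ins.body)

    step(program)
    return state["used"], state["checks"]


def exceeds_budget(program, budget):
    """True if running `program` under `budget` trips a dynamic check."""
    try:
        run(program, budget)
    except BudgetExceeded:
        return True
    return False


# Three placements of the checks for the same 100 units of use, plus one that under-reserves.
N = 100
per_use = [Loop(N, [Acquire(1), Use(1)])]                # check before every use: 100 checks
chunked = [Loop(10, [Acquire(10), Loop(10, [Use(1)])])]  # somewhere in between: 10 checks
hoisted = [Acquire(N), Loop(N, [Use(1)])]                # one check at program start
under_reserved = [Acquire(N - 1), Loop(N, [Use(1)])]     # the consumer must reject this one

if __name__ == "__main__":
    for name, prog in [("per_use", per_use), ("chunked", chunked),
                       ("hoisted", hoisted), ("under_reserved", under_reserved)]:
        ok, left = verify(prog)
        checks = run(prog, N)[1] if ok else "n/a"
        print(f"{name:15s} verified={ok} run-time checks={checks}")
    print("hoisted under a budget of 50 trips the dynamic check:", exceeds_budget(hoisted, 50))
```

All three correctly placed variants verify, but they execute 100, 10 and 1 dynamic checks respectively; the under-reserved variant is rejected statically, which is the point: moving a check earlier is only safe when the consumer can prove that the reservation dominates every use it is meant to cover.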

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Ajay Chander, DoCoMo Labs USA, San Jose
  • David Espinosa, DoCoMo Labs USA, San Jose
  • Nayeem Islam, DoCoMo Labs USA, San Jose
  • Peter Lee, Carnegie Mellon University, Pittsburgh
  • George Necula, University of California, Berkeley
