
Verification and Specification through Progress Abstractions

Periodic Reporting for period 1 - VeSPA (Verification and Specification through Progress Abstractions)

Reporting period: 2018-09-01 to 2020-08-31

Concurrent computation, organised as a decentralised collection of interacting components, is now ubiquitous.
Our society increasingly relies on such systems for sensitive and critical infrastructure.
To make this safe and sustainable we need a formal approach to analyse and certify the correctness of concurrent software.
Our trust in concurrent systems is based on three key properties:

1. Safety: the system never crashes.
2. Progress: the system stays reactive to requests.
3. Security: no secret is ever leaked.

Analysing these properties is vastly more complicated for concurrent
software: the decentralised interaction between processes introduces
much more subtle behaviour than what is found in sequential centralised
computation.
The space of all possible interactions is so huge and complex that we lack proper tools to reason about it, both manually and automatically. This is called the analysis scalability problem. While the case of Safety has been extensively studied, Progress and Security still lack a scalable methodology for verification.

VeSPA's approach to tackle the analysis scalability problem for Progress and Security is based on two strategies:

1. Devising modular specifications for concurrent components.
2. Developing automatic analysis techniques to offload parts of the analysis task to the computer.

The first strategy aims at breaking up the task of analysing a complex concurrent system into smaller, more manageable sub-tasks about its components. This is far from trivial because progress-related arguments are typically about the interaction between components rather than about individual properties of components. One of VeSPA's main results is an analysis framework for reasoning about concurrent programs which can express the progress properties of a component without having to talk about the whole system. This allows for proofs that are:

• Scalable: large programs can be understood as a hierarchy of smaller sub-systems, and the analysis can focus on each sub-system individually, reducing the complexity of the proofs.
• Reusable: once a component has been proven correct with respect to its abstract interface, any program that uses that component can reuse the proof as well. Also, modifications to a component that do not alter its behaviour can be done without having to re-prove the program that uses the component.

The second strategy aims at automating as much as possible some parts of the correctness proofs. Ideally, the human should be able to focus on the high-level insightful aspects of a proof, and leave the tedious and very complicated reasoning for the computer to check.
VeSPA advanced the state of the art in automation for proofs of correctness of cryptographic protocols. These are the protocols that underpin every online activity requiring authentication, physical access control devices, e-voting systems and more. They aim at achieving secure communication over an insecure channel through the use of cryptography. They are notoriously tricky to design, and flaws are discovered every day in deployed protocols, causing huge societal and economic damage. VeSPA contributed a method and a prototype tool to automate complex steps in the verification of security properties of these protocols.
VeSPA's main achievements are: the TaDA Live program logic for reasoning about progress of fine-grained blocking concurrent systems; and a new theory of decidable invariants for the analysis of security protocols (with an accompanying tool implementation).

TaDA Live is the first program logic able to reason about termination properties of fine-grained concurrent programs with blocking behaviour in a scalable and reusable way.
TaDA Live consists of:

1) a novel specification formalism,
2) a mathematical model of its semantics,
3) a compositional proof system,
4) proofs of soundness of the proof system, and
5) a series of challenging case studies.

For cryptographic protocols, VeSPA's main result is a series of algorithms, implemented in a tool called Lemma9, for the automatic analysis of security properties. Given a formal model of a protocol, the tool can symbolically reason about facts that hold true in every possible attack scenario, for example "encryption key K is never leaked to the attacker".
To achieve this, we proposed a theory of decidable invariants for security protocols and a prototype analysis tool called Lemma9. The fundamental challenge it tackles is providing sound and complete algorithms that can reason about the absence of security attacks. Since the space of attacks is infinite and highly irregular, VeSPA's main achievement is the identification of a class of protocols for which some regularity can be brought back into the infinite space of possible attacks. This is a very expressive class which greatly generalises previously known classes. This work brings new ideas from infinite-state model checking to fruition in protocol verification.

In addition, VeSPA provided the platform for studying novel reasoning principles for a security-relevant class of properties called Hyperproperties.

In terms of dissemination, VeSPA's results have been presented in numerous workshops and specialised seminars.
TaDA Live has been documented in an openly available technical report.
The work on cryptographic protocols has been published at the CONCUR'20 conference. The accompanying tool Lemma9 is open source and publicly available.
The research of VeSPA contributes, broadly speaking, to tackling one of the big challenges of our times: building a trustworthy global software infrastructure on which to base the functioning and progress of our society. More specifically, VeSPA identified new reasoning principles for proving progress and security properties of concurrent software. Concurrent systems underpin virtually every online activity, including critical operations where programming flaws may entail huge societal costs (e.g. privacy breaches, financial damages, election hijacking). VeSPA produced contributions that aim at removing the major obstacle to the wider adoption of formal methods for industrial concurrent systems: the scalability of the analysis techniques. VeSPA proposed key innovations showing how progress properties can be verified modularly and compositionally, two qualities that allow breaking down the task of analysing a concurrent system into the smaller tasks of analysing its components and then composing the sub-analyses; it was previously unknown how to do this in generality. VeSPA also presented new ways to understand and analyse cryptographic protocols; scalability here is tackled by providing flexible algorithms which can aid the human effort in proving the security of a protocol. Finally, VeSPA investigated Hyperproperties, a class of properties for which there are virtually no compositional reasoning principles available.

Due to the theoretical nature of VeSPA’s research, the main direct users of its results are other researchers in Verification. VeSPA’s innovative research can be translated into industrial solutions for software companies which invest in formal methods. VeSPA’s techniques for cryptographic protocols can be readily integrated into mature industrial-strength tools like ProVerif and Tamarin (both deeply rooted in EU research), with the effect of greatly increasing the automation and applicability of these tools.