
A Framework for Verifying High-Assurance Transformation System (HATS)

Fares Fraij, December 3, 2003



  1. A Framework for Verifying High-Assurance Transformation System (HATS)
     Fares Fraij, December 3, 2003

  2. Outline
     • Introduction
     • HATS architecture
     • HATS transformation rules and control strategies
     • Example of transformation rules
     • Sandia Secure Processor (SSP)
     • HATS model in ACL2
     • Proving properties about the HATS model

  3. Introduction (1)
     • HATS is a language-independent program transformation system
     • Its goal is to perform program transformation in a provably correct fashion
     • HATS transforms a target program written in an abstract language into a concrete output language (SDT)
     • A transformation language program (TLP) consists of a sequence of transformation rules and a control strategy

  4. Introduction (2)
     [Figure: HATS High-Level Overview. Target program in a specification language → HATS → SDT in an implementation language]

  5. HATS Architecture
     [Figure: architecture diagram. Components shown: Target file, Target Parser, Parsed target, Core Domain (Grammar, lexer), Transformation language program, Program Parser, Parsed transformation language program, User-defined functions, HATS Rewriting Engine, SDT, Prettyprinter, Output Text]

  6. HATS transformation rules and control strategies
     • Two universal control operators
     • Once: has three arguments:
       • Traversal mode
       • Identifier whose value is the SDT that is to be transformed
       • Identifier whose value is the transformation sequence
     • Fix: is usually avoided

  7. Example of transformation rules
     Transformation rule: (* x (+ y z)) → (+ (* x y) (* x z))
     *tree0*   *transformed-tree0*

  8. Sandia Secure Processor (SSP)
     • The class loader (CL) for the SSP is correct if and only if:
       ∀ source: JVM(C(source)) = SSP(CL(C(source)))
     • Where:
       • source is the Java source code of an application written in the subset of Java supported by the SSP
       • C is a function that denotes a trusted Java compiler
       • JVM(x) is the execution of the application x using the virtual machine JVM
       • SSP(x) is the execution of the application x using the SSP
       • CL(C(source)) is the ROM image that results from applying the class loader CL to the class files produced by C(source)

  9. HATS model in ACL2
     • The HATS system is described in terms of:
       • A state, which consists of:
         • Input SDT (sdt)
         • Transformation rules (trnsf)
         • Control strategy (ctrl)
         • Program counter (pc-trnsf) to keep track of the next transformation to be applied
         • PC (pc-tree) to keep track of the candidate node in the SDT
         • haltp predicate to determine whether the execution has reached its end
       • A state transition: applies the current transformation rule to the current tree node according to the control strategy
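The following Python sketch is an added illustration, not code from the HATS project, from the ACL2 model, or from these slides. It puts slides 6, 7 and 9 together: a state with the six components listed on slide 9 (sdt, trnsf, ctrl, pc-trnsf, pc-tree, haltp), a `step` function as the state transition, and a `once` control operator that takes a traversal mode, an SDT and a rule sequence as on slide 6, run on the distributive rule of slide 7. The nested-tuple term representation, the `?`-prefixed pattern variables, the `top-down`/`bottom-up` traversal names and every identifier below (`HatsState`, `step`, `once`, `DISTRIBUTE`, `TREE0`) are assumptions of this example, chosen so the model can be executed and checked stand-alone; how the real ACL2 model encodes trees and rules is not stated on the slides.

```python
"""Toy HATS-style rewriting engine modelled as a state machine (example code, not the HATS model)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

Tree = Any                  # an SDT node: a str atom or a tuple (operator, arg1, arg2, ...)
Path = Tuple[int, ...]      # child indices from the root down to a node (index 0 is the operator)
Rule = Tuple[Tree, Tree]    # (pattern, replacement); pattern variables are strings starting with "?"

def is_var(t: Tree) -> bool:
    return isinstance(t, str) and t.startswith("?")

def match(pat: Tree, tree: Tree, b: Optional[Dict[str, Tree]] = None) -> Optional[Dict[str, Tree]]:
    """First-order matching of `pat` against `tree`; returns the variable bindings or None."""
    b = {} if b is None else b
    if is_var(pat):
        if pat in b:
            return b if b[pat] == tree else None   # a repeated variable must bind consistently
        b[pat] = tree
        return b
    if isinstance(pat, tuple):
        if not isinstance(tree, tuple) or len(tree) != len(pat):
            return None
        return b if all(match(p, t, b) is not None for p, t in zip(pat, tree)) else None
    return b if pat == tree else None

def instantiate(tmpl: Tree, b: Dict[str, Tree]) -> Tree:
    """Build the replacement by substituting the bindings into the rule's right-hand side."""
    if is_var(tmpl):
        return b[tmpl]
    return tuple(instantiate(t, b) for t in tmpl) if isinstance(tmpl, tuple) else tmpl

def subtree(tree: Tree, path: Path) -> Tree:
    for i in path:
        tree = tree[i]
    return tree

def replace_at(tree: Tree, path: Path, new: Tree) -> Tree:
    """Return a copy of `tree` with the node at `path` replaced by `new` (trees are immutable)."""
    if not path:
        return new
    i = path[0]
    return tree[:i] + (replace_at(tree[i], path[1:], new),) + tree[i + 1:]

def has_args(node: Tree) -> bool:
    return isinstance(node, tuple) and len(node) > 1

def first_node(tree: Tree, path: Path, mode: str) -> Path:
    """Where a pass over the subtree at `path` starts: the node itself (top-down) or its leftmost leaf (bottom-up)."""
    if mode == "top-down":
        return path
    while has_args(subtree(tree, path)):
        path += (1,)
    return path

def next_node(tree: Tree, path: Path, mode: str) -> Optional[Path]:
    """Successor of `path` in preorder (top-down) or postorder (bottom-up); None when the pass is over."""
    if mode == "top-down" and has_args(subtree(tree, path)):
        return path + (1,)                       # descend into the (possibly rewritten) node's first argument
    while path:
        parent, i = path[:-1], path[-1]
        if i + 1 < len(subtree(tree, parent)):
            return first_node(tree, parent + (i + 1,), mode)   # move to the next sibling
        if mode == "bottom-up":
            return parent                        # postorder visits a parent after its last child
        path = parent
    return None

@dataclass(frozen=True)
class HatsState:                 # the six state components named on slide 9
    sdt: Tree
    trnsf: Tuple[Rule, ...]
    ctrl: str
    pc_trnsf: int
    pc_tree: Path
    haltp: bool

def initial_state(sdt: Tree, trnsf: List[Rule], ctrl: str) -> HatsState:
    return HatsState(sdt, tuple(trnsf), ctrl, 0, first_node(sdt, (), ctrl), not trnsf)

def step(s: HatsState) -> HatsState:
    """State transition: try the current rule at the candidate node, then advance pc-tree or pc-trnsf."""
    if s.haltp:
        return s
    pat, rep = s.trnsf[s.pc_trnsf]
    b = match(pat, subtree(s.sdt, s.pc_tree))
    sdt = s.sdt if b is None else replace_at(s.sdt, s.pc_tree, instantiate(rep, b))
    nxt = next_node(sdt, s.pc_tree, s.ctrl)
    if nxt is not None:
        return HatsState(sdt, s.trnsf, s.ctrl, s.pc_trnsf, nxt, False)
    pc = s.pc_trnsf + 1                          # this rule's pass is complete: move to the next rule
    if pc >= len(s.trnsf):
        return HatsState(sdt, s.trnsf, s.ctrl, pc, (), True)
    return HatsState(sdt, s.trnsf, s.ctrl, pc, first_node(sdt, (), s.ctrl), False)

def run(s: HatsState, fuel: int = 10_000) -> HatsState:
    """Iterate `step` until haltp; `fuel` bounds the loop so a buggy rule set cannot spin forever."""
    while not s.haltp and fuel:
        s, fuel = step(s), fuel - 1
    return s

def once(mode: str, sdt: Tree, trnsf: List[Rule]) -> Tree:
    """The `Once` control operator of slide 6: traversal mode, the SDT, and the rule sequence."""
    return run(initial_state(sdt, trnsf, mode)).sdt

# The rule of slide 7, (* x (+ y z)) -> (+ (* x y) (* x z)), and a constructed input tree.
DISTRIBUTE: Rule = (("*", "?x", ("+", "?y", "?z")), ("+", ("*", "?x", "?y"), ("*", "?x", "?z")))
TIMES_ONE: Rule = (("*", "?x", "1"), "?x")      # constructed second rule, to show rules applied in sequence
TREE0: Tree = ("*", "x", ("+", "y", "z"))

if __name__ == "__main__":
    print(once("top-down", TREE0, [DISTRIBUTE]))
```

Each `step` is a pure function from state to state, which is the shape a theorem prover wants: properties such as "every rewrite step preserves the operator vocabulary of the tree" or "a run with `fuel` steps is the same as `fuel` applications of `step`" can be stated about `step` alone, without reasoning about the whole traversal at once.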
