Leakage traces #431
Leakage traces #431
Conversation
|
For now, this branch only has some edits to Semantics.v. Before I add anything else, I wanted to ask whether I should be making these edits (i.e., adding leakage traces) in Semantics.v, MetricSemantics.v, or both? Also, why are Semantics.v and MetricSemantics.v separate, and are there plans to merge them eventually? |
There was a problem hiding this comment.
Semantics.v, MetricSemantics.v, or both?
IMO the best option is to create additional semantics files. We want to have only one compiler proof, so that would use LeakageMetricSemantics. Some program proofs may be done with that one as well, but the examples for our current manuscript probably shouldn't be, so there we'd probably want want LeakageSemantics as well. In an unverified software project, this kind of duplication would be asking for inconsistency bugs, but I hope it won't be too hard to state and prove the appropriate relationships between these variants.
Proving the appropriate relationship between Semantics.v and LeakageSemantics.v will only be trivial if we modify Semantics.v so that So, should I modify Semantics and MetricSemantics |
|
However, the Semantics- |
|
Ah, indeed. I was only thinking of the easy direction, Semantics implies LeakageSemantics. I don't think we should add pick_sp to current semantics. @samuelgruetter do you think it would be acceptable to carry both copies in the repo, but only the half of the equivalence proof that allows program proofs without leakage to be used with a compiler proof that preserves everything they say about leakage? However, the other direction of this relationship might be a good opportunity to drill down on the difficulty in the equivalence proof and perhaps simplify it. We don't have to do this, but I'm thinking that if you could state the desired equivalence with a minimized version of semantics that is just complicated enough to illustrate the challenge (without abstract traces, predictors, or even function calls and etc), then I would give it a try. "How hard can pushing a quantifier into an inductive be" 🚀😂🙄 |
Sounds good!
This kind of proof would be interesting as a minimal standalone file that might accompany a paper as "supplemental material", where the focus is really to make it as simple as possible, but without simplifying away the core difficulty. (And if at some point, we actually need this direction of the equivalence for real, we can again scale it up to the whole language). |
This could be nice, yeah! To make it as academic as possible (and remove the coqutil/bedrock2 dependency and get a standalone file) I'd probably make the following simplifications to the equivalence proof I currently have:
I'd probably keep IO calls though, since the nondeterminism there seems to add an interesting dimension. |
|
Oh, bedrock2 is Turing-complete! I forgot that you can store and retrieve as much information as you want in the IO trace (with an appropriate choice of I had thought that it was just a finite-state machine, so in principle, you could prove some absolute upper bound (depending only on word size and source program) on the size of an |
|
👍 You can store a turing-machine tape in a nat, so I think all options here are turing-complete. And I'd even remove I/O at first, we can add it back later if we want. |
OwenConoly
force-pushed
the
leakage_traces
branch
from
bc1fcb2 to
cff166c
Compare
|
The existence of (Metric)LeakageSemantics.v implies the existence of: (Metric)LeakageLoops.v, (Metric)LeakageProgramLogic.v, (Metric)LeakageWeakestPreconditionProperties.v, and (Metric)LeakageWeakestPrecondition.v, right? |
|
Yes. At some point I may try to share more code, but for new these are just copied I think. |
Will we ever need a program logic that does both metrics and leakage at the same time? If not, the needed files should probably just be
|
|
I don't have specific code planned where this would be needed, but I imagine basic library functions like memset could end up being used by callers that need either kind of spec. I'm fine with procrastinating on building support for this, though. |
|
Ok. I can just do the MetricLeakage files while I'm at it, if they'll be needed eventually anyway. (Probably I'll end up making some errors in MetricLeakageProgramLogic, since there won't be any test cases for it.) Unrelatedly, since I am adding the separate files for Leakage stuff instead of changing what was already there, my changes to the source language shouldn't break the compiler proof. So it seems natural to split this PR into two: in this PR I can just change the source language and add some examples, and then I can make a separate PR for compiler proof things. Does that sound good? |
|
Separate PRs sounds good to me. (There is some possibility that we will want to review them together, though.) |
OwenConoly
force-pushed
the
leakage_traces
branch
from
55105b1 to
989d21b
Compare
OwenConoly
force-pushed
the
leakage_traces
branch
5 times, most recently
from
ec43d73 to
b0dbeb7
Compare
compiler/src/compiler/CustomFix.v
Outdated
| Check Fix_eq. | ||
| Definition type_of_Fix_eq := | ||
| forall (A : Type) (R : A -> A -> Prop) (Rwf : well_founded R) | ||
| (P : A -> Type) (F : forall x : A, (forall y : A, R y x -> P y) -> P x), | ||
| (forall (x : A) (f g : forall y : A, R y x -> P y), | ||
| (forall (y : A) (p : R y x), f y p = g y p) -> F x f = F x g) -> | ||
| forall x : A, Fix Rwf P F x = F x (fun (y : A) (_ : R y x) => Fix Rwf P F y). | ||
|
|
||
| Check Fix_eq'. | ||
| Definition type_of_Fix_eq' := | ||
| forall (A : Type) (R : A -> A -> Prop) (Rwf : well_founded R) | ||
| (P : A -> Type) (F : forall x : A, (forall y : A, R y x -> P y) -> P x), | ||
| (forall (x : A) (f g : forall y : A, R y x -> P y), | ||
| (forall (y : A) (p1 p2 : R y x), f y p1 = g y p2) -> F x f = F x g) -> | ||
| forall x : A, Fix Rwf P F x = F x (fun (y : A) (_ : R y x) => Fix Rwf P F y). | ||
|
|
||
| Goal type_of_Fix_eq' -> type_of_Fix_eq. | ||
| cbv [type_of_Fix_eq type_of_Fix_eq']. auto. Qed. |
There was a problem hiding this comment.
Fix_eq was apparently useless for proving the fixpoint equation for some functions that I defined for the compiler proof, so I proved and used this Fix_eq' instead. I'm unsure whether Fix_eq is genuinely not applicable here; it's probable that I'm just not using Fix/Fix_eq as intended. If Fix_eq is really not helpful here, then I wonder why they don't have Fix_eq' in the standard library.
I think that, a few months ago, I had a good grasp on why Fix_eq is not helpful for the function I defined and why Fix_eq' is needed instead. But my current level of understanding is just "if I apply Fix_eq instead of Fix_eq', then the proof gets stuck".
@andres-erbsen, you've directly used Fix for general recursion, right? Has this issue come up before?
There was a problem hiding this comment.
I have run into this before, and I think I did get it working with stdlib Fix_eq every time. Unfortunately I do not recall how, but perhaps the trick was about clearing the recursive call before the abstract proof that R decreases. However, I remember spending at least a few minutes on it and feeling annoyed that I had to, so feel free to keep the more flexible lemma and perhaps even submit it to stdlib.
OwenConoly
force-pushed
the
leakage_traces
branch
2 times, most recently
from
d4d014e to
9fe2d00
Compare
|
Unfortunately, my attempt at writing my compiler-proof leakage-transformation functions without CPS did not work out nicely, for two reasons:
Amusingly, this second issue is a non-issue if we work with nondeterministic stackalloc addresses. This made me assume it wouldn't be an issue with the deterministic stackalloc addresses, but apparently I was wrong. I probably didn't explain any of that well enough to be understandable; I could elaborate if any of it is interesting. But anyway, since I have to use CPS now, I have a need to write a non-structurally-recursive function which takes a function as an argument. I think there are three options for how to prove the fixpoint equation for such a function:
I already did option (2), so I'm inclined to just stick with that unless there are compelling reasons for doing something else. I imagine there are no good reasons for doing (1), but I'm not sure about (3). |
I'm not sure. Wf1 is a complicated general wrapper around the simple trick that if you know how many arguments your recursive function takes, you can demand pointwise extensionality rather than equality, and the induction goes through. It sounds like what you did is somewhat more general than this (though note that you maybe want to parameterize over a PER instead of an equivalence, if you want to avoid funext?) |
fancy new notations!)
because don't have any leakagesemantics -> semantics lemmas
OwenConoly
force-pushed
the
leakage_traces
branch
from
bead77f to
b2d1b5c
Compare
| Lemma word_to_bytes' (a : word) : | ||
| exists l, length l = (Z.to_nat ((width + 7) / 8)) /\ | ||
| a = word.of_Z (LittleEndianList.le_combine l). |
There was a problem hiding this comment.
Thoughts about where this belongs? coqutil/Word/Properties.v, perhaps?
There was a problem hiding this comment.
Actually, coqutil/Word/LittleEndianList.v seems better.
There was a problem hiding this comment.
Are you sure you want a lemma with an exists litke this at all? Probably a lemma that uses a specific value of l would do, and maybe it exists already.
There was a problem hiding this comment.
Yeah, word_to_bytes' is a corollary of word_to_bytes (right above it), which has a specific value of l. I just thought it might be nice to abstract away the unnecessary details, since (so far as I know) this lemma would mainly be useful for stack deallocation, where we wouldn't care what the bytes actually are.
I don't think a lemma like this existed before I proved it. I just conducted an unsuccessful three-minute search, and also this comment makes it sound like there are no word_to_bytes lemmas.
| Definition remove_n_r {X : Type} (n : nat) (l : list X) := | ||
| rev (skipn n (rev l)). | ||
|
|
||
| Lemma remove_n_r_spec {X : Type} (l1 l2 : list X) : | ||
| remove_n_r (length l2) (l1 ++ l2) = l1. | ||
| Proof. | ||
| cbv [remove_n_r]. rewrite rev_app_distr. rewrite List.skipn_app_r. | ||
| - apply rev_involutive. | ||
| - rewrite length_rev. reflexivity. | ||
| Qed. |
There was a problem hiding this comment.
This probably belongs somewhere other than Pipeline.v. Shall I put it in coqutil?
OwenConoly
force-pushed
the
leakage_traces
branch
from
246377c to
30cc501
Compare
OwenConoly
force-pushed
the
leakage_traces
branch
from
30cc501 to
8f1f5ee
Compare
This PR will add leakage traces to the source and intermediate semantics, augment the compiler-correctness statement and proof to talk about leakage traces, and add some examples involving leakage traces.