Date post: 12-Jan-2016
FAST: a Transducer Based Language for Manipulating Trees Presented By: Loris D’Antoni Joint work with: Margus Veanes, Ben Livshits, David Molnar

Motivation

Trees are common input/output data structures

XML query, type-checking, etc

Compilers/optimizers (from parse tree to parse tree)

Tree manipulating programs: data structures algorithms, ontologies, etc

HTML Sanitization

Removing malicious active code from HTML documents is a tree transformation

[Figure: SANITIZE turns a tree with nodes body, script (malicious code), div, p ("Today I'm happy") into a tree with nodes body, div, p ("Today I'm happy")]

What do we Need?

We want to write these single transformations separately to avoid errors

Remove malicious URLs

Replace deprecated tags

Remove bad elements (scripts)

Interesting Properties

Composition: T(x) = T2(T1(x))

Type-checking: given two languages I and O, T(I) is always in O

Pre-image: compute the input that produces a particular output

To achieve speed

Check if the sanitizer ever produces a malicious output

Produce counterexamples if type-checking fails

DEMO: http://rise4fun.com/Fast/jN

FAST Compiler

[Figure: FAST code, Transducers, Analysis and optimization, C#, SMT solver]

Stages by Example

[Figure: mapC, mapC2]

Transducers

Choosing the right formalism

Semantics as Transducers

Goal: find a decidable class of tree transducers that can express the previous examples

Top Down Tree Transducers [Engelfriet75]

q(a(x1,x2)) -> b(c,q1(x1))

Decidable properties: type-checking, etc

Domain expressiveness: only finite alphabets

[Figure: the rule applied to a tree, with labels a, b, c, q, q1, x1, x2]

Symbolic Tree Transducers [PSI11]

q(a.a>3,(x1,x2)) -> a.a+1,(a.a-2,q1(x1))

Decidable properties: type-checking, etc

Domain expressiveness: infinite alphabets using predicates and functions

Structural expressiveness: can't delete a node without reading it first

[Figure: the rule applied to a node labelled 5, giving 5+1 and 5-2, with q, q1, x1, x2; such that 5>3 is true]

Alphabet theory has to be DECIDABLE

We'll use Z3 to check predicate satisfiability

Improving structural expressiveness

Transformation: delete the left child if its root is greater than 5

If we delete the node we can't check that the left child was actually greater than 5

[Figure: example trees with state q; callout: Regular Look-Ahead (RLA)??]

Regular Look Ahead (TOPR)

Transformation: delete a node if its left child is greater than 5

Rules can ask whether the children are in particular languages

p1: the language of trees whose root is greater than 5

p2: the language of all trees

Decidable properties: type-checking, etc

Domain expressiveness: infinite alphabets

Structural expressiveness: good enough to express our examples

[Figure: example tree with state q and look-ahead languages p1, p2]

Transformation now is safe

| | Decidability | Complexity | Structural Expressiveness | Infinite alphabets |
|---|---|---|---|---|
| Top Down Tree Transducers [Engelfriet75] | V | V | X | X |
| Top Down Tree Transducers with Regular Look-ahead [Engelfriet76] | V | V | ~ | X |
| Streaming Tree Transducers [AlurDantoni12] | V | X | V | X |
| Data Automata [Bojanczyk98] | ~ | X | X | V |
| Symbolic Tree Transducers [VeanesBjoerner11] | V | V | X | V |
| Symbolic Tree Transducers RLA | V | V | ~ | V |

Composition of symbolic transducers with regular lookahead

Composition of STTR

This is not always possible!!

Find the biggest class for which it is possible

[Figure: T1, T2, T1 o T2]

Classes of STTR

DETERMINISTIC: at most one transducer rule applies for each input tree

LINEAR: each child appears at most once in the right hand side of each rule

[Figure: a linear rule and a nonlinear rule, with labels x, x+1, q, q1, q2]

When can we Compose?

Theorem: T(x) = T2(T1(x)) is definable by a Symbolic Tree Transducer with RLA if T1 is deterministic, OR T2 is linear

All our examples fall in this category

Alphabet theory has to be DECIDABLE

We'll use Z3 to check predicate satisfiability

Pre-image as Composition

[Figure: T, O, ?, Domain(T o O)]

FAST: Decidable by Design

[Figure: Composition, Type-checking, Pre-image; Symbolic Tree Transducers with RLA; SMT Solver for Alphabet Theory]

Case Studies and Experiments

Program Optimization: Deforestation of functional programs

Verification: HTML sanitization

Analysis of functional programs

Augmented reality app store

Infinite Alphabets: Integer Data types

Deforestation

Removing intermediate data structures from programs

ADVANTAGE: the program is a single transducer that reads the input list only once, thanks to transducer composition

alphabet IList [i : int] { nil(0), cons(1) }
trans mapC: IList -> IList {
    nil() to nil [0]
  | cons(x) to cons [(i+5)%26] (mapC x)
}
def mapC2: IList -> IList := compose mapC mapC

Deforestation: Speedup

[Figure: f(f(f(f(x)...) versus (f;f;f;;f)(x)]

Analysis of Functional Programs

AR Interference Analysis

Recognizers output data that can be seen as a tree structure

[Figure: skeleton tree with nodes Spine, Hip, Neck, Head, Knee, Ankle, Foot, ...]

Apps as Tree Transformations

Applications that use recognizers can be modeled as FAST programs

trans addHat: STree -> STree
    Spine(x,y) to Spine(addHat(x), y)
  | Neck(h,l,r) to Neck(addHat(h), l, r)
  | Head(a) to Head(Hat(a))

Composition of Programs

Two FAST programs can be composed into a single FAST program

[Figure: p1, p2, p1;p2]

Interference analysis

Apps can be malicious: try to overwrite outputs of other apps

Apps interfere when they annotate the same node of a recognizer's output

We can compose them and check if they interfere statically!!

Put checker in the AppStore and analyze Apps before approval

Interfering apps

Add cat ears

Add hat

Add pin to a city

Blur a city

Amazon Buy Now button

Malicious Buy Now button
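A miniature of the static pairwise check described above, added here as an example (Python, not FAST and not the authors' code). Each app is simplified to a single-state top-down transducer over a finite set of constructors; the skeleton schema, the `ADD_CAT_EARS` and `ADD_SHOES` rule sets and all function names are constructed for illustration.

```python
# Skeleton schema, constructed for this example: constructor -> for each child
# position, the constructors that may appear there (leaf payloads omitted).
SCHEMA = {
    "Spine": (("Neck",), ("Hip",)),
    "Neck":  (("Head",), ("Arm",), ("Arm",)),
    "Hip":   (("Knee",),),
    "Knee":  (("Ankle",),),
    "Ankle": (("Foot",),),
    "Head": (), "Arm": (), "Foot": (),
}

# An app is modelled as a single-state top-down transducer:
# constructor -> (annotates this node?, child positions it recurses into).
# Constructors without a rule are copied to the output unchanged.
ADD_HAT = {"Spine": (False, (0,)), "Neck": (False, (0,)), "Head": (True, ())}
ADD_CAT_EARS = {"Spine": (False, (0,)), "Neck": (False, (0,)), "Head": (True, ())}
ADD_SHOES = {"Spine": (False, (1,)), "Hip": (False, (0,)), "Knee": (False, (0,)),
             "Ankle": (False, (0,)), "Foot": (True, ())}  # hypothetical app


def interference_witness(app_a, app_b, root="Spine"):
    """Return a root-to-node path that both apps annotate, or None.

    Walks the product of the two rule sets over the schema, so the answer
    holds for every tree the schema allows, not for one sampled input.
    """
    seen, work = set(), [(root, (root,))]
    while work:
        ctor, path = work.pop()
        if ctor in seen:
            continue  # single-state apps: behaviour depends only on ctor
        seen.add(ctor)
        rule_a, rule_b = app_a.get(ctor), app_b.get(ctor)
        if rule_a is None or rule_b is None:
            continue  # one app never touches this subtree
        if rule_a[0] and rule_b[0]:
            return path  # counterexample: both apps write to this node
        for pos in sorted(set(rule_a[1]) & set(rule_b[1])):
            for child in SCHEMA[ctor][pos]:
                work.append((child, path + (child,)))
    return None


if __name__ == "__main__":
    print(interference_witness(ADD_HAT, ADD_CAT_EARS))  # conflicting pair
    print(interference_witness(ADD_HAT, ADD_SHOES))     # independent pair
```

This finite sketch leaves out what the slides rely on for the real analysis: symbolic rules with predicates over infinite alphabets, whose satisfiability is checked by an SMT solver.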

Interference Analysis in Practice

100 generated FAST programs, up to 85 functions each

Check statically if they conflict pairwise for ANY possible input

Checked 99% of program pairs in less than 0.5 sec!

For an App store these are perfectly fine

No Cheap Talk

Conclusion

FAST: a versatile language for tree manipulating programs with decidable analysis

Symbolic tree transducers with RLA

FAST is online: http://rise4fun.com/Fast/
