internal SymT Rewrite(SymT symT) { if (!(symT is SymTComposite)) { string newMessageId; if (!messageIdMap.TryGetValue(symT.messageId, out newMessageId)) { newMessageId = (nextNewMessageId++).ToString(); messageIdMap[symT.messageId] = newMessageId; } symT.messageId = newMessageId; } var symTTransfer = symT as SymTTransfer; if (symTTransfer != null) { symT = new SymTTransfer(symTTransfer) { producer = Rewrite(symTTransfer.producer), sender = Rewrite(symTTransfer.sender), } } ; return(symT.RewriteEmbeddedSymTs(Rewrite)); } }
public SVX_MSG() { SVX_producer = null; SVX_sender = null; SVX_symT = null; active = false; }
public static void FakeCall <T1, TResult>(Func <T1, TResult> f, T1 arg1, TResult output) where TResult : SVX_MSG { // XXX: Assert that this is not called from vProgram. var args = new SymT[1]; args[0] = ScanArg(arg1); RecordCall(output, f, args); }
// Note: SVX will automatically detect based on message IDs if a later // argument resulted from a sequence of operations on an earlier // argument, but not the other way around. public static TResult Call <T1, TResult>(Func <T1, TResult> f, T1 arg1) where TResult : SVX_MSG { var output = f(arg1); if (!VProgram_API.InVProgram) { var inputSymTs = new SymT[1]; inputSymTs[0] = ScanArg(arg1); RecordCall(output, f, inputSymTs); } return(output); }
void ScanParticipants(SymT symT) { var symTMethod = symT as SymTMethod; if (symTMethod != null) { participantsSeen.Add(symTMethod.participantId); } foreach (var embedded in symT.EmbeddedSymTs) { ScanParticipants(embedded); } }
public static TResult Call <T1, T2, TResult>(Func <T1, T2, TResult> f, T1 arg1, T2 arg2) where TResult : SVX_MSG { var output = f(arg1, arg2); if (!VProgram_API.InVProgram) { var args = new SymT[2]; args[0] = ScanArg(arg1); args[1] = ScanArg(arg2); RecordCall(output, f, args); } return(output); }
internal SymT Rewrite(SymT symT) { var symTTransfer = symT as SymTTransfer; if (symTTransfer != null && symTTransfer.producer == oldProducer) { symT = new SymTTransfer(symTTransfer) { producer = newProducer } } ; return(symT.RewriteEmbeddedSymTs(Rewrite)); } }
private static SymT GatherUsefulSymTs(SVX_MSG msg) { // Want to warn if the msg is inactive but has a symT set, at least // for the root message (possible developer mistake)? SymT rootSymT = msg.active ? (SymT)msg.SVX_symT : null; var nestedSymTs = ( // NOTE: This will traverse into PayloadSecrets that contain // messages, which is what we want. from acc in FieldFinder <SVX_MSG> .FindFields(msg.GetType(), // We do our own recursion in matches. false) let nestedMsg = acc.nullConditionalGetter(msg) where nestedMsg != null let nestedSymT = GatherUsefulSymTs(nestedMsg) where nestedSymT != null select new NestedSymTEntry { fieldPath = acc.path, symT = nestedSymT } ).ToArray(); // As a simplification, don't unnecessarily create composites // (though it shouldn't break anything). And if we have no // information, return null so an outer message doesn't // unnecessarily create a composite. if (nestedSymTs.Length == 0) { return(rootSymT); // may be null } if (rootSymT == null) { rootSymT = new SymTNondet { messageTypeFullName = msg.GetType().FullName } } ; return(new SymTComposite { RootSymTWithMessageId = rootSymT, nestedSymTs = nestedSymTs }); }
string EmitMessage(SymT symT, MessageReuseScope scope) { // First look in the scope. This mechanism currently handles cases // where a later argument to a method call is derived from an // earlier one; that's enough for the authorization code flow example. string reuseVarName; for (var checkScope = scope; checkScope != null; checkScope = checkScope.outer) { if (checkScope.availableMessages.TryGetValue(symT.messageId, out reuseVarName)) { return(reuseVarName); } } // Otherwise not found; proceed. // XXX: Currently we cannot deal with non-public participant classes // and methods. It's an open question if we should be able to and // how it should be implemented. I guess one way is for developers // to write [InternalsVisibleTo("VProgram")]. There shouldn't be // much risk of abuse because for the vProgram to access a program // element, someone authorized had to pass it to an SVX API. SymTNondet symTNondet; SymTMethod symTMethod; SymTComposite symTComposite; SymTTransfer symTTransfer; string outputVarName; // Consider using a visitor. It's not worth it yet. :/ if ((symTNondet = symT as SymTNondet) != null) { outputVarName = nextVar("msg"); // FIXME: Nondetting arbitrary data structures will cause // aliasing nightmares. We need to emit a specialized Nondet // for each message type. AppendFormattedLine("{0} {1} = SVX.VProgram_API.Nondet<{0}>();", FormatTypeFullName(symTNondet.messageTypeFullName), outputVarName); } else if ((symTMethod = symT as SymTMethod) != null) { var newScope = new MessageReuseScope { outer = scope }; var argVarNames = new List <string>(); for (int i = 0; i < symTMethod.methodArgTypeFullNames.Length; i++) { SymT inputSymT = symTMethod.inputSymTs[i]; string inputVarName; if (inputSymT != null) { inputVarName = EmitMessage(inputSymT, newScope); newScope.availableMessages[inputSymT.messageId] = inputVarName; } else { // Nondet non-message argument. One could argue for using a SymTNondet // even for non-message types. inputVarName = nextVar("arg"); AppendFormattedLine("{0} {1} = SVX.VProgram_API.Nondet<{0}>();", FormatTypeFullName(symTMethod.methodArgTypeFullNames[i]), inputVarName); } argVarNames.Add(inputVarName); } outputVarName = nextVar("msg"); AppendFormattedLine("{0} {1} = {2}.{3}({4});", FormatTypeFullName(symTMethod.methodReturnTypeFullName), outputVarName, EmitParticipant(symTMethod.participantId), symTMethod.methodName, string.Join(", ", argVarNames)); } else if ((symTComposite = symT as SymTComposite) != null) { SymTTransfer rootTransfer; if (symTComposite.rootSymT is SymTNondet) { // Nondet the root message and then overwrite the nested // messages that we have information about. outputVarName = EmitMessage(symTComposite.rootSymT, scope); foreach (var entry in symTComposite.nestedSymTs) { string nestedVarName = EmitMessage(entry.symT, scope); // Make sure we have a non-null parent to store the nested message in. var lastDot = entry.fieldPath.LastIndexOf('.'); if (lastDot != -1) { AppendFormattedLine("System.Diagnostics.Contracts.Contract.Assume({0} != null);", MakeFieldPathNullConditional(outputVarName, entry.fieldPath.Substring(0, lastDot), symTComposite.MessageTypeFullName)); } AppendFormattedLine("{0}.{1} = {2};", outputVarName, entry.fieldPath, nestedVarName); } } else if (symTComposite.rootSymT is SymTMethod) { // In this case, we assume the information in the rootSymT // subsumes the information in the nested SymTs and emit // code only for the rootSymT. If we had Equals for // messages, we could assume the nested messages equal, but // this is extra work which I don't believe is needed for // our examples so far. outputVarName = EmitMessage(symTComposite.rootSymT, scope); } else if ((rootTransfer = symTComposite.rootSymT as SymTTransfer) != null) { // The emitted code for the SymTTransfer will determine // whether the transfer is trusted. If so, just use the // transfer and ignore the nested messages, as in the // SymTMethod case. If not, it will use the fallback we // specify. outputVarName = EmitMessage(new SymTTransfer(rootTransfer) { fallback = new SymTComposite { RootSymTWithMessageId = new SymTNondet { messageTypeFullName = symTComposite.MessageTypeFullName }, nestedSymTs = symTComposite.nestedSymTs } }, scope); } else { // We should never have double composites. throw new NotImplementedException("Unhandled root SymT in composite"); } } else if ((symTTransfer = symT as SymTTransfer) != null) { string producerVarName = nextVar("producer"); AppendFormattedLine("SVX.Principal {0} = {1};", producerVarName, EmitPrincipalHandleOrNondet(symTTransfer.producer)); outputVarName = nextVar("msg"); AppendFormattedLine("{0} {1};", FormatTypeFullName(symTTransfer.MessageTypeFullName), outputVarName); AppendFormattedLine("if (SVX.VProgram_API.IsTrusted({0})) {{", producerVarName); { IncreaseIndent(); string inputVarName = EmitMessage(symTTransfer.originalSymT, scope); AppendFormattedLine("{0} = {1};", outputVarName, inputVarName); // To maintain soundness of the model, update the metadata // of nested messages the same way TransferNested would in // production, even though we don't use their SymTs. // XXX: symTTransfer.payloadSecretsVerifiedOnImport could // contain non-message payload secrets once we support them, // and we'd need to skip them here. foreach (var entry in symTTransfer.payloadSecretsVerifiedOnImport) { string paramsPath = entry.fieldPath + ".theParams"; AppendFormattedLine("System.Diagnostics.Contracts.Contract.Assume({0} != null);", MakeFieldPathNullConditional(outputVarName, paramsPath, symTTransfer.MessageTypeFullName)); AppendFormattedLine("SVX.SVX_Ops.TransferNested({0}.{1}, new {2}().Signer);", outputVarName, paramsPath, FormatTypeFullName(entry.secretGeneratorTypeFullName)); } DecreaseIndent(); } AppendFormattedLine("}} else {{"); { IncreaseIndent(); string inputVarName = EmitMessage(symTTransfer.fallback ?? new SymTNondet { messageTypeFullName = symTTransfer.MessageTypeFullName }, scope); AppendFormattedLine("{0} = {1};", outputVarName, inputVarName); DecreaseIndent(); } AppendFormattedLine("}}"); // Should we introduce a "transfer info" object that we can both // use as an arg to Transfer and store in the SymTTransfer, to // avoid shuttling individual arguments back and forth? The // following is not too bad. if (symTTransfer.hasSender) { // Note: Transfer does not use the realRequestProducer arg in the vProgram. AppendFormattedLine("SVX.SVX_Ops.Transfer({0}, {1}, {2}, null, {3});", outputVarName, producerVarName, EmitPrincipalHandleOrNondet(symTTransfer.sender), // http://stackoverflow.com/a/491367 :/ symTTransfer.browserOnly.ToString().ToLower()); } else { AppendFormattedLine("SVX.SVX_Ops.TransferNested({0}, {1});", outputVarName, producerVarName); } // If we verified secrets on import, they are valid regardless // of whether the transfer was trusted. foreach (var entry in symTTransfer.payloadSecretsVerifiedOnImport) { // I'm unsure of BCT handling of null dereferences in // general, but here we can definitely assume non-null. AppendFormattedLine("System.Diagnostics.Contracts.Contract.Assume({0} != null);", MakeFieldPathNullConditional(outputVarName, entry.fieldPath, symTTransfer.MessageTypeFullName)); // Follow the commented-out lines in // MessagePayloadSecretGenerator.VerifyAndExtract. I'd like // to define a helper method for this, but until I merge // SVX_Common and SVX_Ops, I'm between a rock and a hard // place because the method needs to be BCT translated but // needs to reference MessagePayloadSecretGenerator. AppendFormattedLine("System.Diagnostics.Contracts.Contract.Assume({0}.{1}.secretValue != null);", outputVarName, entry.fieldPath); AppendFormattedLine("System.Diagnostics.Contracts.Contract.Assume({0}.{1}.theParams != null);", outputVarName, entry.fieldPath); // XXX We're assuming the generator has a no-arg public // constructor and doesn't need any configuration parameters. AppendFormattedLine("SVX.VProgram_API.AssumeValidSecret({0}.{1}.secretValue, " + "{0}.{1}.theParams, new {2}().GetReaders({0}.{1}.theParams));", outputVarName, entry.fieldPath, FormatTypeFullName(entry.secretGeneratorTypeFullName)); } if (symTTransfer.hasSender) { Type messageType = GetTypeByFullName(symTTransfer.MessageTypeFullName); foreach (var acc in FieldFinder <Secret> .FindFields(messageType, true)) { AppendFormattedLine("SVX.VProgram_API.AssumeBorne({0}.SVX_producer, {1});", outputVarName, MakeFieldPathNullConditional(outputVarName, acc.path + ".secretValue", symTTransfer.MessageTypeFullName)); AppendFormattedLine("SVX.VProgram_API.AssumeBorne({0}.SVX_sender, {1});", outputVarName, MakeFieldPathNullConditional(outputVarName, acc.path + ".secretValue", symTTransfer.MessageTypeFullName)); } } } else { throw new NotImplementedException("Unhandled SymT"); } return(outputVarName); }