
Find serious problem in the simulated execution (the simulator's state is lost).

tabularasa
Thomas Kerber 6 months ago
parent
commit
46d31107f6
Signed by: Thomas Kerber <tk@drwx.org> GPG Key ID: 8489B911F9ED617B
2 changed files with 89 additions and 50 deletions
  1. 51
    22
      Yggdrasil/Security.agda
  2. 38
    28
      Yggdrasil/World.agda

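--- a/Yggdrasil/Security.agda
+++ b/Yggdrasil/Security.agda
@@ -4,6 +4,7 @@ open import Agda.Builtin.FromNat using (Number)
 import Data.Nat.Literals as ℕLit
 import Data.Rational.Literals as ℚLit
 import Data.Integer.Literals as ℤLit
+open import Data.Bool using (Bool; true; false)
 open import Data.List using (_∷_; []; map)
 open import Data.Product using (_×_; Σ; Σ-syntax; proj₁; proj₂; ∃; ∃-syntax) renaming (_,_ to ⟨_,_⟩)
 open import Data.Nat using (ℕ; zero; suc; _≤_; _^_; _+_)
@@ -15,7 +16,7 @@ open import Level using (Level; Lift; lift) renaming (suc to lsuc)
 open import Relation.Binary.PropositionalEquality using (_≡_; _≢_; refl; cong; sym)
 open import Relation.Nullary.Decidable using (fromWitnessFalse)
 open import Yggdrasil.List using (_∈_; here; there; with-proof; map≡-implies-∈≡)
-open import Yggdrasil.World using (WorldType; WorldState; World; Oracle; Call; Strategy; Node; Action; weaken; call; call↓; _↑_; stnode; _∷_; []; ⌊exec⌋; _⊑_; Query; _∈↑_; abort; dist; _>>=_; call↯; query; path; _↑; strat; ⊤; tt)
+open import Yggdrasil.World using (WorldType; WorldState; World; Oracle; Call; Strategy; Node; Action; weaken; call; call↓; _↑_; stnode; _∷_; []; ⌊exec⌋; _⊑_; Query; _∈↑_; abort; dist; _>>=_; call↯; query; path; _↑; strat; ⊤; tt; Action↓; exec↓)
 open import Yggdrasil.Probability using (Dist; _>>=_; pure; _≈[_]≈_)
 open import Yggdrasil.Rational using (_÷_)
 open WorldType
@@ -61,15 +62,13 @@ record Simulator {ℓ : Level} (πᵢ πᵣ : World ℓ) : Set (lsuc ℓ) where
      (x : Call.A f) → Action↯ state Γᵢ Γᵣ {hon-≡} (Call.B f x)
    query-map : ∀ {q} → q ∈↑ Γᵢ → (x : Query.A q) → Action↯ state Γᵢ Γᵣ {hon-≡} (Query.B q x)
 
-open Simulator
-
 Actionᵣ⇒Actionᵢ : ∀ {ℓ : Level} {πᵢ πᵣ : World ℓ} {A : Set ℓ} →
-  (S : Simulator πᵢ πᵣ) → Oracle (World.Γ πᵣ) → state S → ℕ →
-  Action (World.Γ πᵣ) A → Action (World.Γ πᵢ) (A × state S)
+  (S : Simulator πᵢ πᵣ) → Oracle (World.Γ πᵣ) → Simulator.state S → ℕ →
+  Action (World.Γ πᵣ) A → Action (World.Γ πᵢ) (A × Simulator.state S)
 Action↯⇒Action : ∀ {ℓ : Level} {πᵢ πᵣ : World ℓ} {A : Set ℓ} →
-  (S : Simulator πᵢ πᵣ) → Oracle (World.Γ πᵣ) → state S → ℕ →
-  Action↯ (state S) (World.Γ πᵢ) (World.Γ πᵣ) {hon-≡ S} A →
-  Action (World.Γ πᵢ) (A × state S)
+  (S : Simulator πᵢ πᵣ) → Oracle (World.Γ πᵣ) → Simulator.state S → ℕ →
+  Action↯ (Simulator.state S) (World.Γ πᵢ) (World.Γ πᵣ) {Simulator.hon-≡ S} A →
+  Action (World.Γ πᵢ) (A × Simulator.state S)
 
 private
  with-state : ∀ {ℓ Γ A Σ} → Σ → A → Action {ℓ} Γ (A × Σ)
@@ -78,15 +77,19 @@ private
  without-state : ∀ {ℓ Γ} {A Σ : Set ℓ} → (A × Σ) → Action {ℓ} Γ A
  without-state ⟨ x , _ ⟩ = dist (pure x)
 
+-- WAIT -- Does the state actually properly survive?
+-- FIXME: No, it doesn't. This is probably *unavoidable* without adding state
+-- to the execution definition. Do this.
 Actionᵣ⇒Actionᵢ _ _ _ zero _ = abort
-Actionᵣ⇒Actionᵢ S O σ (suc g) ((call↓ {f} ∈Γᵣ x) ↑) with map≡-implies-∈≡ (sym (hon-≡ S)) ∈Γᵣ
+Actionᵣ⇒Actionᵢ S O σ (suc g) ((call↓ {f} ∈Γᵣ x) ↑) with map≡-implies-∈≡
+    (sym (Simulator.hon-≡ S)) ∈Γᵣ
 ... | ⟨ _ , ⟨ ∈Γᵢ , refl ⟩ ⟩ = call↓ ∈Γᵢ x ↑ >>= with-state σ
 Actionᵣ⇒Actionᵢ _ _ _ _ abort = abort
 Actionᵣ⇒Actionᵢ _ _ σ _ (dist D) = dist D >>= with-state σ
-Actionᵣ⇒Actionᵢ S O σ (suc g) (call↯ ∈Γ Γ⊑ x) = Action↯⇒Action S O σ g (call↯-map S ∈Γ Γ⊑ x)
-Actionᵣ⇒Actionᵢ S O σ (suc g) (α >>= β) = (Actionᵣ⇒Actionᵢ S O σ (suc g) α) >>= λ{
-    ⟨ x , σ′ ⟩ → Actionᵣ⇒Actionᵢ S O σ′ g (β x)
-  }
+Actionᵣ⇒Actionᵢ S O σ (suc g) (call↯ ∈Γ Γ⊑ x) = Action↯⇒Action S O σ g
+  (Simulator.call↯-map S ∈Γ Γ⊑ x)
+Actionᵣ⇒Actionᵢ S O σ (suc g) (α >>= β) = (Actionᵣ⇒Actionᵢ S O σ (suc g) α) >>=
+  λ{ ⟨ x , σ′ ⟩ → Actionᵣ⇒Actionᵢ S O σ′ g (β x) }
 
 Action↯⇒Action _ _ _ zero _ = abort
 Action↯⇒Action S O σ _ read = dist (pure ⟨ σ , σ ⟩)
@@ -101,27 +104,53 @@ Action↯⇒Action S O σ (suc g) (α >>= β) = (Action↯⇒Action S O σ (suc
 
 extract-oracle : ∀ {ℓ πᵢ πᵣ} → Simulator {ℓ} πᵢ πᵣ → Oracle (World.Γ πᵣ) → ℕ →
  Oracle (World.Γ πᵢ)
-extract-oracle S O g ∈Γ x = Action↯⇒Action S O (initial S) g (query-map S ∈Γ x)
-  >>= without-state
+extract-oracle S O g ∈Γ x = Action↯⇒Action S O (initial S) g
+  (Simulator.query-map S ∈Γ x) >>= without-state
+  where open Simulator
 
 simulated-strategy : ∀ {ℓ πᵢ πᵣ A} → Simulator {ℓ} πᵢ πᵣ →
  Strategy (World.Γ πᵣ) A → ℕ → Strategy (World.Γ πᵢ) A
 simulated-strategy S str g = strat
  (Actionᵣ⇒Actionᵢ S (oracle str) (initial S) g (init str) >>= without-state)
  (extract-oracle S (oracle str) g)
+  where open Simulator
 
 record Adv[_,_]≤_ {ℓ : Level} (πᵢ πᵣ : World ℓ) (ε : ℚ) :
    Set (lsuc (lsuc ℓ)) where
+  Γᵣ : WorldType ℓ
+  Γᵣ = World.Γ πᵣ
+  Γᵢ : WorldType ℓ
+  Γᵢ = World.Γ πᵢ
+  Σᵣ : WorldState Γᵣ
+  Σᵣ = World.Σ πᵣ
+  Σᵢ : WorldState Γᵢ
+  Σᵢ = World.Σ πᵢ
  field
-    sim-gas : Strategy (World.Γ πᵣ) Guess → ℕ
+    sim-gas : ℕ
    gas-map : ℕ → ℕ
    simulator : Simulator πᵢ πᵣ
-    proof : (g : ℕ) →
-      (str : Strategy (World.Γ πᵣ) Guess) →
-      (⌊exec⌋ (simulated-strategy simulator str (sim-gas str)) (World.Σ πᵢ)
-        (gas-map g))
-        ≈[ ε ]≈
-      (⌊exec⌋ str (World.Σ πᵣ) g)
+    invariant : (WorldState Γᵢ × WorldState Γᵣ) × Simulator.state simulator → Bool
+    base-case : invariant ⟨ ⟨ Σᵢ , Σᵣ ⟩ , Simulator.initial simulator ⟩ ≡ true
+    proof : (g : ℕ) → (O : Oracle Γᵣ) → ∀ {A} → (α : Action↓ Γᵣ A) →
+      (Σ : ((WorldState Γᵢ × WorldState Γᵣ) × Simulator.state simulator)) →
+      invariant Σ ≡ true →
+      let
+        dᵢ = exec↓ (extract-oracle simulator O sim-gas)
+          (Actionᵣ⇒Actionᵢ simulator O (proj₂ Σ) sim-gas α)
+          (proj₁ (proj₁ Σ)) here g
+      in ?
+
+
+--Actionᵣ⇒Actionᵢ : ∀ {ℓ : Level} {πᵢ πᵣ : World ℓ} {A : Set ℓ} →
+--  (S : Simulator πᵢ πᵣ) → Oracle (World.Γ πᵣ) → Simulator.state S → ℕ →
+--  Action (World.Γ πᵣ) A → Action (World.Γ πᵢ) (A × Simulator.state S)
+
+
+--      (str : Strategy Γᵣ Guess) →
+--      (⌊exec⌋ (simulated-strategy simulator str (sim-gas str)) (World.Σ πᵢ)
+--        (gas-map g))
+--        ≈[ ε ]≈
+--      (⌊exec⌋ str (World.Σ πᵣ) g)
 
 _≃_ : {ℓ : Level} → (πᵢ πᵣ : World ℓ) → Set (lsuc (lsuc ℓ))
 πᵢ ≃ πᵣ = Adv[ πᵢ , πᵣ ]≤ 0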
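Review bot: The `let` in the new `proof` field applies `exec↓` to the result of `Actionᵣ⇒Actionᵢ`, but by the signature earlier in this file that result is an `Action (World.Γ πᵢ) (A × Simulator.state S)`, whereas `exec↓` (per the World.agda hunk on this page) takes an `Action↓`; the mismatch also runs the other way for `α`, declared `Action↓ Γᵣ A` but passed where `Actionᵣ⇒Actionᵢ` expects an `Action`. Unless a coercion exists elsewhere, `(α : Action Γᵣ A)` together with `dᵢ = exec (extract-oracle simulator O sim-gas) (Actionᵣ⇒Actionᵢ simulator O (proj₂ Σ) sim-gas α) (proj₁ (proj₁ Σ)) g` looks like what was intended, and `exec` would then replace `exec↓` in the import list. The body still ends in the interaction hole `?`, so the type of `proof` — and with it what `Adv[_,_]≤_` actually guarantees about the advantage bound ε — is unspecified, `gas-map` is no longer referenced by the new statement, and the commented-out old statement still refers to `sim-gas str` although `sim-gas` is now a plain `ℕ`. Since `invariant` is only characterised by `base-case` and the hypothesis of `proof`, a comment on it such as `-- Relation between ideal-world state, real-world state and simulator state; holds initially (base-case) and is presumably meant to be preserved step by step (proof).` would make the intended simulation argument legible.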

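--- a/Yggdrasil/World.agda
+++ b/Yggdrasil/World.agda
@@ -152,42 +152,52 @@ set (there Γ′∈ ⊑Γ) (stnode Σ Σs) Σ′ = stnode Σ (set′ Γ′∈ 
    set′ here ⊑Γ (Σ ∷ Σs) Σ′ = set ⊑Γ Σ Σ′ ∷ Σs
    set′ (there Γ∈) ⊑Γ (Σ ∷ Σs) Σ′ = Σ ∷ set′ Γ∈ ⊑Γ Σs Σ′
 
+data Result {ℓ : Level} (A : Set ℓ) : Set ℓ where
+  abort      : Result A
+  out-of-gas : Result A
+  result     : A → Result A
+
+rmap : ∀ {ℓ A B} → (A → B) → Result {ℓ} A → Result {ℓ} B
+rmap _ abort = abort
+rmap _ out-of-gas = out-of-gas
+rmap f (result x) = result (f x)
+
 ⌊exec⌋ : ∀ {ℓ Γ A} → Strategy {ℓ} Γ A → WorldState {ℓ} Γ → ℕ →
-  Dist (Maybe (Lift (lsuc ℓ) A))
-exec : ∀ {ℓ Γ A} → Strategy {ℓ} Γ A → WorldState {ℓ} Γ → ℕ →
-  Dist (Maybe (A × WorldState {ℓ} Γ))
-exec′ : ∀ {ℓ Γ A} → Oracle Γ → Action Γ A → WorldState {ℓ} Γ → ℕ →
-  Dist (Maybe (A × WorldState {ℓ} Γ))
+  Dist (Result (Lift (lsuc ℓ) A))
+exec : ∀ {ℓ Γ A} → Oracle Γ → Action Γ A → WorldState {ℓ} Γ → ℕ →
+  Dist (Result (A × WorldState {ℓ} Γ))
 exec↓ : ∀ {ℓ Γ₁ Γ₂ A} → Oracle Γ₁ → Action↓ Γ₂ A → WorldState {ℓ} Γ₁ →
-  Γ₂ ⊑ Γ₁ → ℕ → Dist (Maybe (A × WorldState {ℓ} Γ₁))
+  Γ₂ ⊑ Γ₁ → ℕ → Dist (Result (A × WorldState {ℓ} Γ₁))
 exec↑ : ∀ {ℓ Γ₁ Γ₂ A} → Oracle Γ₁ → Action↑ (node Γ₂) A → WorldState {ℓ} Γ₁ →
-  Γ₂ ⊑ Γ₁ → ℕ → Dist (Maybe (A × WorldState {ℓ} Γ₁))
+  Γ₂ ⊑ Γ₁ → ℕ → Dist (Result (A × WorldState {ℓ} Γ₁))
 
 -- NOTE: Gas is only used for termination here, it is NOT a computational model.
-⌊exec⌋ str Σ g = (exec str Σ g) >>= (pure ∘ mmap (llift ∘ proj₁))
-exec (strat α O) Σ g = exec′ O α Σ g
-
-exec′ O α                       Σ zero    = pure nothing
-exec′ O (α ↑)                   Σ g       = exec↓ O α Σ here g
-exec′ O abort                   Σ g       = pure nothing
-exec′ O (dist D)                Σ (suc g) = lift D >>= λ{ (llift x) → pure (just ⟨ x , Σ ⟩ ) }
-exec′ O (call↯ {f = f} f∈ ⊑Γ x) Σ (suc g) = exec↑ O (Call.δ f x) Σ ⊑Γ g
-exec′ O (α >>= β)               Σ (suc g) = (exec′ O α Σ (suc g)) >>= λ{
-  (just ⟨ x , Σ′ ⟩) → exec′ O (β x) Σ′ g;
-  nothing           → pure nothing }
-
-exec↓ _ _                    _ _  zero    = pure nothing
+⌊exec⌋ (strat α O) Σ g = (exec O α Σ g) >>= (pure ∘ rmap (llift ∘ proj₁))
+
+exec O α                       Σ zero    = pure out-of-gas
+exec O (α ↑)                   Σ g       = exec↓ O α Σ here g
+exec O abort                   Σ g       = pure abort
+exec O (dist D)                Σ (suc g) = lift D >>= λ{
+  (llift x) → pure (result ⟨ x , Σ ⟩ ) }
+exec O (call↯ {f = f} f∈ ⊑Γ x) Σ (suc g) = exec↑ O (Call.δ f x) Σ ⊑Γ g
+exec O (α >>= β)               Σ (suc g) = (exec O α Σ (suc g)) >>= λ{
+  (result ⟨ x , Σ′ ⟩) → exec O (β x) Σ′ g ;
+  abort               → pure abort        ;
+  out-of-gas          → pure out-of-gas   }
+
+exec↓ _ _                    _ _  zero    = pure out-of-gas
 exec↓ O (call↓ {f = f} f∈ x) Σ ⊑Γ (suc g) = exec↑ O (Call.δ f x) Σ ⊑Γ g
 
-exec↑ O α                    Σ ⊑Γ zero    = pure nothing
-exec↑ O read                 Σ ⊑Γ _       = pure (just ⟨ get ⊑Γ Σ , Σ ⟩)
-exec↑ O (write σ)            Σ ⊑Γ _       = pure (just ⟨ tt , set ⊑Γ Σ σ ⟩)
-exec↑ O abort                Σ ⊑Γ _       = pure nothing
+exec↑ O α                    Σ ⊑Γ zero    = pure out-of-gas
+exec↑ O read                 Σ ⊑Γ _       = pure (result ⟨ get ⊑Γ Σ , Σ ⟩)
+exec↑ O (write σ)            Σ ⊑Γ _       = pure (result ⟨ tt , set ⊑Γ Σ σ ⟩)
+exec↑ O abort                Σ ⊑Γ _       = pure abort
 exec↑ O (dist D)             Σ ⊑Γ _       = lift D >>=
-  λ{ (llift x) → pure (just ⟨ x , Σ ⟩) }
-exec↑ O (query {q = q} q∈ x) Σ ⊑Γ (suc g) = exec O (O (path ⊑Γ q∈) x) Σ g
+  λ{ (llift x) → pure (result ⟨ x , Σ ⟩) }
+exec↑ O (query {q = q} q∈ x) Σ ⊑Γ (suc g) = exec O (O (path ⊑Γ q∈) x) Σ g
 exec↑ O (α ↑ Γ′∈)            Σ ⊑Γ (suc g) = exec↓ O α Σ (⊑-right ⊑Γ Γ′∈) g
 exec↑ O (α >>= β)            Σ ⊑Γ (suc g) = (exec↑ O α Σ ⊑Γ (suc g))
  >>= λ{
-    (just ⟨ x , Σ′ ⟩) → exec↑ O (β x) Σ′ ⊑Γ g;
-    nothing           → pure nothing }
+    (result ⟨ x , Σ′ ⟩) → exec↑ O (β x) Σ′ ⊑Γ g ;
+    abort               → pure abort            ;
+    out-of-gas          → pure out-of-gas       }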
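Review bot: The new `Result` type and `rmap` carry no documentation, and the distinction they introduce is security-relevant: `⌊exec⌋` now surfaces `out-of-gas` in its output distribution, so any `≈[ ε ]≈` comparison of two executions will count hitting the gas bound as a distinguishing event, even though the NOTE above `⌊exec⌋` says gas is only a termination device and not part of the computational model. That is a change from the previous `Maybe` encoding, where abort and exhaustion collapsed into `nothing`, and the security statement in Security.agda will have to keep the two sides' gas budgets aligned (presumably the role of `gas-map`) for the bound to be meaningful. A comment on the type would pin this down: `-- abort: the action itself aborted (an observable outcome of the execution); out-of-gas: the termination bound was exhausted (an artefact of the model, to be matched on both sides of a comparison, not a distinguishing event).` and on `rmap` a one-liner `-- Functor map on Result; abort and out-of-gas are passed through unchanged.`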
