1 / 42

Low-Level Program Verification

Low-Level Program Verification. CPU. Components of a Certifying Framework. Specifications. certified code (machine code + proof) specifications: program safety/security/correctness + machine model automated proof checker need not trust the correctness of proofs. No. Proof.

autumn-jimenez
Download Presentation

Low-Level Program Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Low-Level Program Verification

  2. CPU Components of a Certifying Framework Specifications • certified code (machine code + proof) • specifications: program safety/security/correctness + machine model • automated proof checker need not trust the correctness of proofs No Proof Proof Checker Yes machine code

  3. Low-Level Machine Code Verification • Machine code is the executable form of programs • Why verify machine code • Bugs in compilers may produce buggy machine code, even if source code is correct • There are manually written assembly code in OS kernels

  4. The Machine (data heap) H f1: I1 addu … lw … sw … … j f pc 0 1 2 … f2: I2 r1 r2 r3 … rn f3: I3 (register file) R … (code heap) C (state) S ::=(H,R) (instr. seq.) I ::={fI}* (program) P ::=(C,S,I)

  5. Operational semantics

  6. The CAP Logic [Yu et al. ESOP 2003] Certified Assembly Programming Judgments

  7. State assertions - Examples a   S. S.H(100) > 0  S.R(r1) = 17 a'   S. odd(S.R(r1) ) S. a S  a' S

  8. Inference Rules Well-formed program: Well-formed code heap:

  9. Inference Rules (2)

  10. Inference Rules (3)  means logical implication

  11. Verification of malloc/free

  12. Verification of malloc/free (2)

  13. Soundness Lemma (Preservation). If and , then there exists an assertion a’ such that . Lemma (Progress). If , then there exists a program such that

  14. Soundness (2) Theorem (Soundness). If , then for all natural number n, there exists a program such that , and then then and then

  15. a1 a2 a3 Program Specifications (spec) ::={fa}* (data heap) H a f1: I1 addu … lw … sw … … j f pc 0 1 2 … f2: I2 r1 r2 r3 … rn f3: I3 (register file) R … (code heap) C (state) S ::=(H,R) (instr. seq.) I ::={fI}* (program) P ::=(C,S,I)

  16. c1 c2 c3 cn … P0 P1 P2 Pn Invariant-Based Verification Initial condition:Inv(P0) Progress: if Inv(P), then P’. P c P’. Preservation: if Inv(P) and P cP’, then Inv(P’).

  17. stack fp f: ... sw $ra, -4($fp) h: jal h ;; $ra contains ct ct: lw $ra, -4($fp) jr $ra ... jr $ra How to verify function call? R void f(){ void h(){ h(); return; return; } } ra ct ?? pc Does f use the right return addr.?

  18. {$ra = n …} g0 g1 {$ra = n …} Specifications • Challenges • f uses the “right” return addr.? • Hoare triple {p} f {q}? • In different basic blocks! f: ... sw $ra, -4($fp) jal h ct: lw $ra, -4($fp) ... jr $ra {(p0, g0)} • SCAP specifications: (p, g) • p: State  Prop • g: State  State  Prop {(p1, g1)} g0 S S’ S’.$ra = S.$ra …

  19. Program Spec. and Code Pointers • Program Specification ::= {f1(p1,g1), …,fn(pn,gn)} • “safe” to return (jr $ra): • $radom()  ($ra)=(p,g) • pholds at the time of return p0 p1 jal f p2 jal h g2 g0 g1 p3 jr$ra g3 p4 jr $ra … g4 jr $ra

  20. SCAP : Stack Invariant Always safe to return? p0 S0 g0 p1 jr $ra g0 S0S1  S1.$ra   (S1.$ra))=(p1, g1) p1S1 S1 g1 p2 S2 g0 S0S1  g1 S1S2  S2.$ra   (S2.$ra)=(p2, g2) p2S2 g2 p3 S3 g0 S0S1  g1 S1S2  g2 S2S3  S3.$ra    (S3.$ra)=(p3, g3) p3 S3 g3 … Logical control stack

  21. SCAP : Stack Invariant WFST(n, g0, S0, )  S1. g0 S0 S1   p1,g1. (S1.$ra)=(p1, g1)  p1 S1  WFST(n-1, g1, S1, ) WFST(0, g0, S0, )   S1. g0 S0 S1 Invariant: p S  n.WFST(n, g, S, ) p0 S0 g0 p1 jr $ra S1 g1 p2 S2 g2 p3 S3 g3 Logical control stack

  22. c S p’,g’ p S  n.WFST(n,g,S,) p’ S’  n.WFST(n,g’,S’,) SCAP : Invariant Preservation • Inv(S): p S  n.WFST(n, g, S, ) S’

  23. n+1 jal f SCAP: call p S  WFST(n, g, S, ) p0 S0 WFST(n+1, g0, S0, ) p p0 p0 S S0 g0 g0 p1 p1 g jr $ra jr $ra g1 g1 S1 S1 n n S2 S2 … … p S  p0 S0 g0 S0 S1 S0.$ra = S1.$ra p S  g0 S0 S1 p1 S1 p S  g0 S0 S1  g1 S1 S2  g S S2

  24. SCAP: the call rule (p0, g0) = (f)(p1, g1) = (fret) H,R. p (H,R)  p0 (H,R{rafret}) H,R,S1. p (H,R)  g0 (H,R{rafret}) S1  p1 S1  (S2. g1 S1 S2  g S S2) S0,S1. g0 S0 S1 S0.$ra = S1.$ra  |- {(p,g)} jal f fret

  25. SCAP: ret p S  WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, ) p n p1 p1 S g S1 g1 g1 jr $ra n-1 n-1 … … p S  g S S1

  26. SCAP: return rule S. p S  g S S  |- {(p,g)} jr $ra

  27. SCAP: direct jump (or tail call) p S  WFST(n, g S, ) p0 S0 WFST(n, g0 S0, ) p p0 p0 S S0 g0 g0 g jr $ra jr $ra j f n n S1 S1 … … p S  p0 S0 p S  g0 S0 S1  g S S1

  28. SCAP: sequential  |- {(p’,g’)} I S. p S  p’(AuxStep(c,S)) S,S’. p S  g’(AuxStep(c,S)) S’  g S S’  |- {(p,g)} c;I

  29. Other control flows • Stack unwinding • Stack cutting • setjmp/longjmp in C

  30. Multi-ret p1 p g1 jr ra g Call with Multiple Return Addr.

  31. Call with Multiple Ret. or Tail Call

  32. Multi-ret p1 p1 p p g1 g1 jr ra jr ra g g + Tail-call p1 p g1 g jr ra Generalization: Stack unwinding/cutting

  33. Change of Invariant

  34. env cannot outlive the stack frame of rev ! f0 f0 … … setjmp/longjmp jmp_buf env = …; void cmp0(int x,jmp_buf env){ cmp1(x, env); } int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } } pc pc void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } pc env sp …

  35. Read the paper at: http://flint.cs.yale.edu/flint/publications/sbca.html

More Related