Verification with Small and Short Worlds Rohit Sinha, Cynthia Sturton, Petros Maniatis, Sanjit A. Seshia, David Wagner Introduction Verification of large data structures is beyond the current state of the art for finite state model checking. We present a new technique, S2W, for the verification of safety properties on large or unbounded data structures. S2W Our contribution: a semi-decision procedure for verifying property 𝚽 is an invariant of system 𝑺: 𝑺 ⊨𝔾𝚽. S2W is a three-step procedure: Standard Mathematical Induction If 𝚽 is an invariant, return True. Else, continue to step 2. Small World Create 𝑺 , a scaled down model with most data structure members abstracted away. Abstraction makes state space manageable. Short World Compute a bound 𝒌 on the reachability diameter of 𝑺 . Use bounded model checking to prove the invariant on the abstracted system: 𝑺 ⊨𝔾𝚽. Using 𝒌 as the bound for BMC makes the verification sound. Heuristics In general, computing a bound 𝒌 on the reachability diameter is undecidable for our class of systems. We develop two heuristics for computing 𝒌. Evaluation We use case studies to evaluate the practicality of using S2W for real-world applications. We successfully verify safety properties for six systems: Bochs’ TLB: Address translation optimization is correct Content Addressable Memory-based Cache: Cache optimization is correct Shadow Page Tables: Guest/host isolation SecVisor: Only approved code executes in kernel mode sHype: Chinese Wall policy is enforced ShadowVisor: Guest/host isolation Motivation Hypervisors and CPU emulators are used in a variety of security-critical applications: Cloud computing Malware analysis Hosting dangerous applications Verifying the isolation properties provided by virtualization often involves reasoning about large data structures: Page tables Translation lookaside buffers (TLB) Caches A B 232 … … … Virtual Address v-pg Page Directory Page Table p-pg 4 KB Page 31 22 21 12 11 0 TLB Look Up Figure 2. In a system with two large arrays, we might model a single entry in each array precisely and abstract away all others; the abstracted entries receive arbitrary values at each step of execution. Case Study 𝒌 Computing 𝒌 BMC Bochs’ TLB 8 steps 12 hours 23 hours CAM-based Cache 2 steps 1 second Shadow Page Tables 4 steps 1 minute 5 seconds SecVisor Verification completed with induction proof sHype ShadowVisor p-pg v-pg … … Page Table Walk Figure 1. A virtual address is translated to a physical address via the page tables. The TLB caches previously translated addresses. We verify that for any virtual address, the value p-pg returned by the TLB is equal to the value p-pg returned by the page tables.