1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)

2/28 Modern computer systems are great! (but they have bugs)

3/28 Answer #1: Type Safety! source code (e.g. C#) source code (e.g. C#) assembly language Type checker Compiler (but compilers have bugs) Catches many common bugs (at compile time or run time): buffer overflows double frees... Web scripting: Java, Javascript,.NET,... Operating systems: SPIN, Singularity,...

4/28 Example compiler bug (in Bartok) void F(int[] arr, int i) { if (i <= arr.Length) { // i ≤ arr.Length int j = i - 1; // j < i ≤ arr.Length if (j >= 0) { // 0 ≤ j < i ≤ arr.Length // no bounds check required! arr[j]++; } } } counterexample: i = j = j > i vulnerability: address = &(arr[0]) + 4*j = &(arr[0]) + 4*( ) = &(arr[0]) - 4

5/28 Answer #2: Typed Assembly Language! (Morrisett et al, POPL 1998) source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler catches type errors in assembly language program types for objects, stacks, code pointers, etc.

6/28 Answer #2: Typed Assembly Language! source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler (but run-time systems and operating systems have bugs) run-time system (GC,...) OS services OS services Linker / loader

7/28 From: Apple Product Security Date: Fri, 11 Jul Available for: iPhone v1.0 through v1.1.4,iPod touch v1.1 through v1.1.4 Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Example GC vulnerabilities Mozilla Firefox Bug in JavaScript Garbage Collector Lets Remote Users Deny Service Advisory: Mozilla Foundation Security Advisory Date: Apr A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the JavaScript garbage collector code and cause the target user's browser to crash.... The vendor indicates that similar crashes have been exploitable in the past, so arbitrary code execution may be possible... MS07-057: Cumulative security update for Internet Explorer Date: October Internet Explorer 6 may exit with an access violation when the JavaScript garbage collector runs and you have dynamically removed a TBODY, THEAD, or TFOOT HTML tag from a table in Windows XP...

8/28 Answer #3: Verification! (via automated theorem proving) source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler run-time system (GC,...) low-level OS services low-level OS services Linker / loader Verifier

9/28 Verve: a verifiably safe OS Verified Garbage Collector Verified Threads Verified Interrupt Handlers Verified Device Interface Verified Startup Verify safety with TAL checker Verify safety & correctness with Boogie/Z3 Boot Loader x86 Hardware Small Operating System (C#) Typed Assembly Language Bartok “every assembly language instruction checked for safety” Kernel Nucleus

10/28 Kernel Nucleus Small Operating System (C#) Typed Assembly Language Bartok Boot Loader Threads GetStackState ResetStack YieldTo Threads GetStackState ResetStack YieldTo GC Heap AllocObject AllocVector GarbageCollect Throw (readField) (writeField) (readStack) (writeStack) GC Heap AllocObject AllocVector GarbageCollect Throw (readField) (writeField) (readStack) (writeStack) Interrupts FaultHandler ErrorHandler InterruptHandler FatalHandler Interrupts FaultHandler ErrorHandler InterruptHandler FatalHandler Device IO VgaTextWrite TryReadKeyboard StartTimer SendEoi PciConfigRead32 PciMemSetup PciMemRead32 PciMemWrite32 DmaBuffer DmaPhysicalAddr Rdtsc Device IO VgaTextWrite TryReadKeyboard StartTimer SendEoi PciConfigRead32 PciMemSetup PciMemRead32 PciMemWrite32 DmaBuffer DmaPhysicalAddr Rdtsc Startup NucleusEntryPoint Startup NucleusEntryPoint x86 Hardware Class types, interface types Array types Method invocations Stack frames Casts, array store checks... Verve: a verifiably safe OS BUILD!

11/28 Related work (Mostly) type-based – House (Hallgren et al) – TALK (Maeda et al) – Typed GC interface (Vanderwaart et al) (Mostly) interactive theorem proving – FLINT / certified code (Shao et al) – seL4 (Klein et al)

12/28 Demo: Boogie/Z3

13/28 Z3: Automated theorem prover DECIDABLE THEORIES boolean expressions e ::= true | false | !e | e && e | e ==> e |... linear integer arithmetic e ::=... | -2 | -1 | 0 | 1 | 2 | e + e | e – e | e <= e |... bit vector arithmetic e ::=... | e & e | e << e |... arrays e ::=... | e[e] | e[e := e] UNDECIDABLE quantifiers e ::=... | forall x.e | exists x.e

14/28 Practical, verified copying collector code procedure CopyAndForward(ptr:int, _tj:int) requires ecx == ptr; requires CopyGcInv(...); requires Pointer(r1, ptr, r1[ptr]);... { call edx := GcRead(ecx + 4); esp := esp - 4; call GetSize(ptr, edx, r1, r1); call ebp := Mov(eax);... call edi := Mov(0); call edx := Mov(0); loop: assert 4 * edi == edx; assert CopyGcInv(...);... if (edx >= ebp) { goto loopEnd; } call copyWord(ptr, _tj, esi, edi, ebp); call edi := Add(edi, 1); call edx := Add(edx, 4); goto loop; loopEnd: call eax := Lea(esi + 4); call GcWrite(ecx + 4, eax);... mov edi, 0 mov edx, 0 CopyAndForward$loop: cmp edx, ebp jae CopyAndForward$loopEnd automatic translation

15/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions

16/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Defined by (trusted) specification Untrusted definitions from- space to- space... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))...

17/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions

18/28 DMA area DMA area Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions IO page table IO-MMU IO page table IO page table... and(ptr, 4095) == 0 &&(forall i:int::{T(i)} T(i) && 0 IoPageTableEntry(IomMem[ptr + 8 * i], IomMem[ptr + 8 * i + 4])... ptr

19/28 Threads and interrupts Stacks Interrupt table Interrupt/error handling procedure InterruptHandler(stackState:[int]StackState, …); requires StackState[S] == StackRunning; ensures NucleusInv(... StackState[S := StackInterrupted(eax, ebx, …)] [Stack0 := StackRunning] …); TAL code 0 void KernelMain() { … // Schedule thread, wait for exception or // interrupt ScheduleNextThread(); // CurrentThread received exception, // interrupt, or exited voluntarily uint cid = CurrentThread; Thread t = threadTable[cid]; … } void KernelMain() { … // Schedule thread, wait for exception or // interrupt ScheduleNextThread(); // CurrentThread received exception, // interrupt, or exited voluntarily uint cid = CurrentThread; Thread t = threadTable[cid]; … }

20/28 Micro-benchmarks Verve functionality Cycles Round-trip yield 98 Round-trip wait + signal 216 ComparisonsCycles L4 (IPC)224 SeL4 (IPC)448 Singularity (yield)2156 Linux (yield)2390 Windows (yield)3554

21/28 Size of code, specification CopyingMark-sweep Specification Boogie lines1517 Verified Boogie lines x86 instructions Boogie verification ~1 person-year work Boogie/Z3 runs in ~10 minutes 3x code C# code (100% safe)35,000 CODE!

22/28 Building Verve Verified Kernel.cs Nucleus.bpl (x86) Kernel.obj (x86) Compiler Specification Boot loader TAL checkerBoogie/Z3 Verve.iso Translator / Assembler Linker / ISO generator DEMO!

23/28 BugWhose fault? InitializeGC: clobber ebp AllocObject: off-by-4 debugger stub linking GC tables String GC descriptor Bugs in the trusted computing base Specification Boot loader TAL checkerBoogie/Z3 Translator / Assembler Linker / ISO generator Specification Debugger stub Windows/Bartok TAL checker Specification TAL checker Linker / ISO gen Specification procedure InitializeGc(); requires SMemRequireRA(...); requires MemInv(...);... modifies Eip, eax,..., ebp, esp; ensures WellFormed(toAbs); ensures ebp == old(ebp); procedure AllocObject(...); requires isStack(S); requires NucleusInv(...);... ensures eax == 0 || Pointer(toAbs, eax - 4, abs); ensures ebp == old(ebp); Debugger stub Code, Static fields, GC info Code, Static fields, GC info public sealed class String :... { private int m_arrayLength; private int m_stringLength; internal char[] m_chars;...

24/28 Towards foundational Verve (Gregory Malecha) Nucleus specification Nucleus specification TAL checker Well-typed registers Well-typed objects Well-typed stack frames... Specification for values Specification for objects Specification for stack frames... Goal: mechanized connection

25/28 Unified invariant Nucleus invariant + TAL well-typedness... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))... Inductive WellTypedIns : CodeType -> Instr -> CodeType -> Prop := | Tmov : forall st st' from to ty, opdType st from ty -> regTyUpd st to ty = st' -> WellTypedIns st (Imov to from) st‘ |... Inductive WellTypedIns : CodeType -> Instr -> CodeType -> Prop := | Tmov : forall st st' from to ty, opdType st from ty -> regTyUpd st to ty = st' -> WellTypedIns st (Imov to from) st‘ |...

26/28 Unified invariant MOV edx, esi CALL...Nucleus... MOV edx, esi CALL...Nucleus... MOV esi, eax MOV edx, esi CALL...Nucleus... MOV edx, esi CALL...Nucleus... MOV esi, eax Nucleus invariant + TAL well-typedness TAL instruction = 1 step Nucleus call = 1 step Each step maintains unified invariant

27/28 Progress on “foundational Verve” Approach so far (roughly) – Mechanically translate Boogie Spec into Coq – Specify “step” relation in Coq – Boogie/Z3 proofs become Coq axioms – (Try to!) prove invariant holds after each step We’re not done yet, but we’ve found spec bugs procedure YieldTo(s:int,...); requires ecx == s; requires (StackState[s] == StackRunning &&...) || (StackState[s] == StackYielded(...) &&...) || (StackState[s] == StackInterrupted(...) &&...) || (StackState[s] == StackEmpty &&...) || (!isStack(s)); implementation YieldTo(s:int,...) { if (ecx >= ?NumStacks) {... call debugBreak(); }... } procedure YieldTo(s:int,...); requires ecx == s; requires (StackState[s] == StackRunning &&...) || (StackState[s] == StackYielded(...) &&...) || (StackState[s] == StackInterrupted(...) &&...) || (StackState[s] == StackEmpty &&...) || (!isStack(s)); implementation YieldTo(s:int,...) { if (ecx >= ?NumStacks) {... call debugBreak(); }... }

28/28 Conclusions Every x86 instruction checked for safety! Automated tools: checking scales to large code. Open challenges – Complete, foundational TAL/runtime/OS – Concurrency, multicore – GPUs