Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

CMPE 421 Advanced Parallel Computer Architecture Pipeline datapath and Control.
Instruction Set Design
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
– © Yohai Devir 2007 Technion - IIT Tutorial #10 MIPS commands.
8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Computer Organization and Architecture
Computer Organization and Architecture
CSCI 4717/5717 Computer Architecture
Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,
ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
The Design and Implementation of a Certifying Compiler [Necula, Lee] A Certifying Compiler for Java [Necula, Lee et al] David W. Hill CSCI
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
CPSC Compiler Tutorial 8 Code Generator (unoptimized)
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Strength Through Typing: A more powerful dependently-typed assembly language Matt Harren George Necula OSQ 2004.
Execution of an instruction
Chapter 16 Control Unit Operation No HW problems on this chapter. It is important to understand this material on the architecture of computer control units,
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Stored Program Concept: The Hardware View
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Chapter 16 Control Unit Implemntation. A Basic Computer Model.
A Type System for Expressive Security Policies David Walker Cornell University.
Chapter 15 IA 64 Architecture Review Predication Predication Registers Speculation Control Data Software Pipelining Prolog, Kernel, & Epilog phases Automatic.
Henry Hexmoor1 Chapter 10- Control units We introduced the basic structure of a control unit, and translated assembly instructions into a binary representation.
Describing Syntax and Semantics
Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.
Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.
Extensible Code Verification Kun Gao (Senior EECS) with Professor George Necula, Evan Chang, Robert Schneck, Adam Chlipala An individual receives code.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Computer Architecture and the Fetch-Execute Cycle
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Overview of Formal Methods. Topics Introduction and terminology FM and Software Engineering Applications of FM Propositional and Predicate Logic Program.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Charles Kime & Thomas Kaminski © 2004 Pearson Education, Inc. Terms of Use (Hyperlinks are active in View Show mode) Terms of Use ECE/CS 352: Digital Systems.
Outline Basic VM Concepts Formal Definitions Virtualization Theorems
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
© Andrew IrelandDependable Systems Group On the Scalability of Proof Carrying Code for Software Certification Andrew Ireland School of Mathematical & Computer.
Mobility, Security, and Proof-Carrying Code Peter Lee Carnegie Mellon University Lecture 2 July 11, 2001 Overview of PCC and Safety Policies Lipari School.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
Execution of an instruction
Module : Algorithmic state machines. Machine language Machine language is built up from discrete statements or instructions. On the processing architecture,
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Prof. Necula CS 164 Lecture 171 Operational Semantics of Cool ICOM 4029 Lecture 10.
Copyright © 2005 – Curt Hill MicroProgramming Programming at a different level.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
System Programming and administration
Modularity and Memory Clearly, programs must have access to memory
Instruction Format MIPS Instruction Set.
Computer Architecture
Processor Organization and Architecture
Computer Architecture and the Fetch-Execute Cycle
Other ISAs Next, we’ll first we look at a longer example program, starting with some C code and translating it into our assembly language. Then we discuss.
Other ISAs Next, we’ll first we look at a longer example program, starting with some C code and translating it into our assembly language. Then we discuss.
Instruction Format MIPS Instruction Set.
The Stored Program Computer
Presentation transcript:

Under the Hood of the Open Verifier Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck October 21, 2003 OSQ Group Meeting

2 10/21/2003 Issues with PCC and FPCC Flexibility –Can the code producer use a different (or multiple) safety enforcement mechanism(s)? e.g., various type systems, vcgen proofs More FlexibleLess Flexible FPCC OV PCC

3 10/21/2003 Issues with PCC and FPCC Scalability –Can the proof obligations for the code producer be simplified? More ScalableLess Scalable PCC OV FPCC

4 10/21/2003 Issues with PCC and FPCC Amount of Trusted Code –Can the amount of trusted code in the verification infrastructure be lessened while maintaining flexibility and scalability? Less Trusted CodeMore Trusted Code FPCC OV PCC

5 10/21/2003 An Untrusted Verifier The code producer supplies the verifier along with the code –flexibility: code producer can provide a verifier to handle particular enforcement mechanism –scalability: specialized reasoning for the enforcement mechanism encoded in executable form –amount of trusted code: verifier extension with specialized reasoning is not trusted Too hard to prove correctness of the verifier Embed the untrusted verifier as an extension in a trusted infrastructure (the Open Verifier) untrustedtrusted verifier extension OpenVer code verifier extension

6 10/21/2003 Outline Motivation Architecture Overview Simple Local Invariants –Decoder –Extension –Coverage Complete Local Invariants –Coverage Summary

7 10/21/2003 The Open Verifier Decoder I Pinstruction at locinv I safe if P holds Dnext locinvs D Director Extension trusted untrusted locinvI Pa proof of P EDa proof that E covers D next locinvsE code

8 10/21/2003 The Open Verifier Decoder Director Extension trusted untrusted locinvI next locinvsE code StandardCoolVerifier Cool Extension DefinitionsandLemmas

9 10/21/2003 The Open Verifier Decoder Director Extension trusted untrusted locinvI next locinvsE code Proof Extractor for Traditional PCC Generic Extension

10 10/21/2003 An Example class S { S next() { … }; } class R extends S { S next() { … } void f(S x) { x = this; while (x != null) { x = x.next(); } r THIS : R, r THIS  0, r x : S 1 Rf: r x := r THIS r x : R, r x  0 2 L 2 : if r x =0 jump L 9 r x : R, r x  0 3 L 3 : load r t from r x + 4 r t : vm(r x,4), r x : R, r x  0 4 L 4 : r THIS := r x r THIS = r x, r t : vm(r x,4), r x : R, r x  0 5 L 5 : r RA := L 7 r RA = L 7, r THIS = r x, r t : vm(r x,4), r x : R, r x  0 6 L 6 : ijump r t r RV : S 7 L 7 : r x := r RV r x : S 8 L 8 : jump L 2 9 L 9 : ijump r RA 20 Snext: … 30 Rnext: …

11 10/21/2003 Local Invariants (Locinvs) - Part 1 Language of discourse in the Open Verifier Should be –simple, natural –sufficiently powerful, “complete” A predicate about the machine state at a specific instruction

12 10/21/2003 Local Invariants - Part 1 Informal: At r PC = 1, the memory is laid out according to the Cool specification, r THIS has type R, r THIS is non-null, and r x has type S. (More) Formal: r PC = 1 Æ (cinv r M ); mem ok Æ r THIS : R Æ r THIS  0 Æ r x : S r THIS : R, r THIS  0, r x : S 1 Rf: r x := r THIS 2 L 2 : if r x =0 jump L 9 3 L 3 : load r t from r x L 4 : r THIS := r x 5 L 5 : r RA := L 7 6 L 6 : ijump r t 7 L 7 : r x := r RV 8 L 8 : jump L 2 9 L 9 : ijump r RA

13 10/21/2003 Decoder Encodes the semantics of machine instructions and the safety policy Essentially, a strongest- postcondition generator decoder(I) = (P, D ) I:r PC = 1 Æ (cinv r M ) Æ r THIS : R Æ r THIS  0 Æ r x : S P:True D : [ 9 t x. r PC = 2 Æ r x = r THIS Æ (cinv r M ) Æ r THIS : R Æ r THIS  0 Æ t x : S] 1 Rf: r x := r THIS 2 L 2 : if r x =0 jump L 9

14 10/21/2003 Local Invariants - Part 2 Existentially quantified predicates parameterized by the machine state  and structured into –first-order assumptions A Machine state specifies the values of the PC, the registers, and the memory –left implicit in the examples

15 10/21/2003 Extension Required to prove: –Local safety condition (I ) P) Either trivial or some address is valid Type-based extensions use the soundness of the type system ED –Coverage ( E covers D )

16 10/21/2003 Coverage ( E covers D ) means roughly where safe I means “if locinv I is satisfied, then safe progress can be made” but it is sufficient to show

17 10/21/2003 Coverage Covering a single D = 9 x D. (A D x D ) or it is sufficient to show for some E = 9 x E.(A E x E ) 2 E

18 10/21/2003 Coverage Typically, the extension makes minor modifications to the locinv produced by the decoder. –e.g., to forget about some detailed information not necessary for demonstrating safety Can implement proof of coverage more efficiently by considering kinds of changes –e.g., using the decoder’s locinv or simply dropping assumptions from the decoder’s locinv requires no coverage proof.

19 10/21/2003 Coverage - Add Assumptions 1 Rf: r x := r THIS I:r PC = 1 Æ (cinv r M ) Æ r THIS : R Æ r THIS  0 Æ r x : S P:True D : [ 9 t x. r PC = 2 Æ r x = r THIS Æ (cinv r M ) Æ r THIS : R Æ r THIS  0 Æ t x : S] E : [r PC = 2 Æ (cinv r M ) Æ r x : R Æ r x  0] ( E covers D ) requires 8 x D. (A D x D ) ) r x : R Æ r x  0

20 10/21/2003 Coverage - Scanned Locinv (Loops) 1 L 8 : jump L 2 I:r PC = 8 Æ (cinv r M ) Æ r x : S P:True D : [r PC = L 2 Æ (cinv r M ) Æ r x : S] E : [r PC = L 2 Æ (cinv r M ) Æ r x : R Æ r x  0] r THIS : R, r THIS  0, r x : S 1 Rf: r x := r THIS r x : R, r x  0 2 L 2 : if r x =0 jump L 9 r x : R, r x  0 3 L 3 : load r t from r x + 4 r t : vm(r x,4), r x : R, r x  0 4 L 4 : r THIS := r x r THIS = r x, r t : vm(r x,4), r x : R, r x  0 5 L 5 : r RA := L 7 r RA = L 7, r THIS = r x, r t : vm(r x,4), r x : R, r x  0 6 L 6 : ijump r t r RV : S 7 L 7 : r x := r RV r x : S 8 L 8 : jump L 2 9 L 9 : ijump r RA ( E covers D ) r x : S ) r x : R Æ r x  0

21 10/21/2003 Coverage - Scanned Locinv (Loops) 1 L 8 : jump L 2 I:r PC = 8 Æ (cinv r M ) Æ r x : S P:True D : [r PC = L 2 Æ (cinv r M ) Æ r x : S] E : [r PC = L 2 Æ (cinv r M ) Æ r x : S] r THIS : R, r THIS  0, r x : S 1 Rf: r x := r THIS r x : R, r x  0 2 L 2 : if r x =0 jump L 9 r x : R, r x  0 3 L 3 : load r t from r x + 4 r t : vm(r x,4), r x : R, r x  0 4 L 4 : r THIS := r x r THIS = r x, r t : vm(r x,4), r x : R, r x  0 5 L 5 : r RA := L 7 r RA = L 7, r THIS = r x, r t : vm(r x,4), r x : R, r x  0 6 L 6 : ijump r t r RV : S 7 L 7 : r x := r RV r x : S 8 L 8 : jump L 2 9 L 9 : ijump r RA ( E covers D ) r x : S ) r x : R Æ r x  0

22 10/21/2003 Coverage - Scanned Locinv (Loops) 1 L 8 : jump L 2 I:r PC = 8 Æ (cinv r M ) Æ r x : S P:True D : [r PC = L 2 Æ (cinv r M ) Æ r x : S] E :[r PC = L 2 Æ (cinv r M ) Æ r x : S] (from before) Coverage is trivially satisfied here Do not know the incremental changes r THIS : R, r THIS  0, r x : S 1 Rf: r x := r THIS r x : S 2 L 2 : if r x =0 jump L 9 r x : S, r x  0 3 L 3 : load r t from r x + 4 r t : vm(r x,4), r x : S, r x  0 4 L 4 : r THIS := r x r THIS = r x, r t : vm(r x,4), r x : S, r x  0 5 L 5 : r RA := L 7 r RA = L 7, r THIS = r x, r t : vm(r x,4), r x : S, r x  0 6 L 6 : ijump r t r RV : S 7 L 7 : r x := r RV r x : S 8 L 8 : jump L 2 9 L 9 : ijump r RA

23 10/21/2003 Outline Motivation Architecture Overview Simple Local Invariants –Decoder –Extension –Coverage Complete Local Invariants –Coverage Summary

24 10/21/2003 Indirect Jumps Indirect jumps are more difficult to handle but necessary –function return, exceptions Within the context of a particular locinv, need to state a code address is “safe to jump to” (under certain conditions) –e.g., it is “safe to jump to” the address contained in r RA.

25 10/21/2003 Local Invariants - Part 3 “r PC = 9, r SAVE = 1, r RA = 27, and it is safe to jump to r PC = r RA as long as r SAVE has the same value as now.” . (r PC  ) = 9 Æ (r SAVE  ) = 1 Æ safe (  ’. (r PC  ’) = (r RA  ) Æ (r SAVE  ’) = (r SAVE  ))

26 10/21/2003 Local Invariants - Part 3 Existentially quantified predicates parameterized by the machine state  and structured into –first-order assumptions A –progress continuations C a list of locinvs that are “safe to continue to” Not a general higher-order predicate but one structured into first-order pieces.

27 10/21/2003 Local Invariants - Part 3 Fixing the machine state, a locinv I can be structured into a tuple as follows: I = 9 x I. h PC I, R I, A I, C I i PC I is an expression in terms of x I (usually, constant) R I is a mapping from register names to expressions A I is a first-order formula (assumptions) C I is a list of locinvs (progress continuations)

28 10/21/2003 Local Invariants - Part 3 “r PC = 9, r SAVE = 1, r RA = 27, and it is safe to jump to r PC = r RA as long as r SAVE has the same value as now.” I = . (r PC  ) = 9 Æ (r SAVE  ) = 1 Æ safe (  ’. (r PC  ’) = (r RA  ) Æ (r SAVE  ’) = (r SAVE  )) I = 9 x SAVE,x RA. h PC I = 9, R I = {SAVE  x SAVE, RA  x RA, …}, A I = (x SAVE = 1), C I = [ h PC C1 = x RA, R C1 = {SAVE  x SAVE, …}, A C1 = True, C C1 = [ ] i ] i

29 10/21/2003 Coverage with Progress Continuations ( E covers D) - a single locinv means it is sufficient to show for some E 2 E [ C D

30 10/21/2003 Function Return 9 L 9 : ijump r RA I: 9 x RA. h PC I = 9, R I = {RA  x RA, …}, A I = True, C I = [ h PC C1 = x RA,R C1 = {…},A C1 = True,C C1 = [ ] i ] i P:True D : [ 9 x RA. h PC I = x RA, R I = {RA  x RA, …}, A I = True, C I = [ h PC C1 = x RA,R C1 = {…},A C1 = True,C C1 = [ ] i ] i ] E :[ ] In this case, D contains its own “covering” locinv C1.

31 10/21/2003 Summary Untrusted verifier extensions allows the code producer –flexibility to use various safety enforcement mechanisms –to simplify proof generation by incorporating specialized reasoning in executable form Building extensions is simplified by –structuring invariants into first-order pieces –requiring only first-order proofs (specialized method of proving covers)

32 10/21/2003 Issues Are locinvs too restrictive? Can proving coverage be simplified (and made more efficient)? –by specializing to common cases?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.