A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:

Slides:

Advertisements

Similar presentations

A Framework for describing recursive data structures Kenneth Roe Scott Smith.

Advertisements

Operating Systems Components of OS

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Semantics Static semantics Dynamic semantics attribute grammars

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Certified Typechecking in Foundational Certified Code Systems Susmit Sarkar Carnegie Mellon University.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.

March 4, 2005Susmit Sarkar 1 A Cost-Effective Foundational Certified Code System Susmit Sarkar Thesis Proposal.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Nicholas Moore Bianca Curutan Pooya Samizadeh McMaster University March 30, 2012.

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

ISBN Chapter 3 Describing Syntax and Semantics.

CS 355 – Programming Languages

VeriML: Revisiting the Foundations of Proof Assistants Zhong Shao Yale University MacQueen Fest May 13, 2012 (Joint work with Antonis Stampoulis)

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Ross Tate, Juan Chen, Chris Hawblitzel. Typed Assembly Languages Compilers are great but they make mistakes and can introduce vulnerabilities Typed assembly.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Proof-system search ( ` ) Interpretation search ( ² ) Main search strategy DPLL Backtracking Incremental SAT Natural deduction Sequents Resolution Main.

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

10/19/2007TTI-C PL-Lunch Certified Concurrent Code with Interrupts Xinyu Feng Joint work with Zhong Shao (Yale University) and Yuan Dong (Tsinghua University)

/191 Typed Compilation of Objects Andrew McCreight and Zhong Shao FLINT Project Yale University.

An Open Framework for Foundational Proof-Carrying Code Xinyu Feng Yale University Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and.

Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

A Type System for Expressive Security Policies David Walker Cornell University.

Describing Syntax and Semantics

Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.

Extensible Untrusted Code Verification Robert Schneck with George Necula and Bor-Yuh Evan Chang May 14, 2003 OSQ Retreat.

A Mystery Esterel –small no type inference, subtyping, … no recursion, functions, … no pointers, malloc, GC, … no complex data structures, libraries,

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.

Modular Machine Code Verification Zhaozhong Ni Advisor: Zhong Shao Committee: Zhong Shao, Paul Hudak Carsten Schürmann, David Walker Department of Computer.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Low-Level Program Verification. Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 7 OS System Structure.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.

Checking Reachability using Matching Logic Grigore Rosu and Andrei Stefanescu University of Illinois, USA.

CE Operating Systems Lecture 3 Overview of OS functions and structure.

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.

Advanced Development of Certified OS Kernels DARPA CRASH Site Visit PIs: Zhong Shao & Bryan Ford (Yale University) October 5th, Friday, 2012, Room 307.

Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.

Processes Introduction to Operating Systems: Module 3.

Certifying Intermediate Programming Zhaopeng Li

3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.

Secure Compiler Seminar 4/11 Visions toward a Secure Compiler Toshihiro YOSHINO (D1, Yonezawa Lab.)

Safe to the Last Instruction: Automated Verification of a Type-Safe Operating System Jean Yang MIT CSAIL Chris Hawblitzel Microsoft Research.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

Verification & Validation By: Amir Masoud Gharehbaghi

MIDORI The Windows Killer!! by- Sagar R. Yeole Under the guidance of- Prof. T. A. Chavan.

Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.

What’s Ahead for Embedded Software? (Wed) Gilsoo Kim

SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

CSSE501 Object-Oriented Development. Chapter 10: Subclasses and Subtypes  In this chapter we will explore the relationships between the two concepts.

CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University

Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Computer System Structures

Low-Level Program Verification

(One-Path) Reachability Logic

State your reasons or how to keep proofs while optimizing code

IS 2935: Developing Secure Systems

An overview of Coq Xinyu Feng USTC.

An overview of Coq.

Presentation transcript:

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL: August 11, 2006

Research objective (of the FLINT group) To build a certified software platform with real guarantee of reliability & security ! Hardware certified L1 software legacy SW layer1 legacy SW layer2 legacy SW layer3 legacy SW layer4 certified L2 SW certified L3 SW certified L4 SW certified L5 SW

The lowest SW layer is the key! A buggy L1 software can take over the machine easily! Hardware buggy L1 software (or VM) legacy SW layer1 legacy SW layer2 legacy SW layer3 legacy SW layer4 certified L2 SW certified L3 SW certified L4 SW certified L5 SW infected L2 SW infected L3 SW infected L4 SW infected L5 SW

Must be Trusted! Structure of our certified framework certified code (proof + machine code) machine model safety policy mechanized meta-logic proof checker Proof Checker Yes CPU Safety Policy Proof machine code No

What makes a good mechanized meta logic? Youd better be very paranoid! The logic must be rock-solid, i.e., consistent! The logic must be expressive to express everything a hacker wants to say Support explicit, machine-checkable proof objects The logic must be simple so that the proof checker can be hand-verified Can serve as logical framework and meta-logical framework to allow one to prove using specialized logics Compatible with automated proof construction

How to scale? Modularity, modularity, modularity! specification S 1 binary code C 1 formal proof P 1 specification S 2 binary code C 2 formal proof P 2 specification S 3 binary code C 3 formal proof P 3 specification S 4 binary code C 4 formal proof P 4 specification S 6 binary code C 6 formal proof P 6 specification S 5 binary code C 5 formal proof P 5 specification S binary code C formal proof P Linking

Another form of modularity Software is often organized as a vertical stack of abstractions! Not everything is certified at the assembly level! Hardware certified L1 software certified L2 SW certified L3 SW certified L4 SW certified L5 SW Must accurately specify & certify all these interfaces!

A really juicy research area … Many interesting & exciting problems: How to certify each standard language and OS abstraction? –general code pointers –procedure call/return –general stack-based control abstraction –mutable data structures (& malloc/free …) –self-modifying code (& OS boot loader …) –interrupt/signal handling –device drivers and IO managers –thread libraries and synchronization –multiprocessor and memory model –OS kernel/user abstraction –………… How to combine proof assistant with general-purpose programming? Other exciting interplays btw machine-checked proofs & computation

Related research projects at Yale Certifying different language & OS abstractions: –certified assembly programming [CAP ESOP02] –embedded code pointers [XCAP POPL06] –non-preemptive threads [CCAP ICFP04 & CMAP ICFP05] –stack-based control abstractions [SCAP PLDI06] –self-modifying code & local reasoning [Cai et al GCAP on-going] –thread libraries and synchronizations [Ni et al on-going] –interrupts & multiprocessors [Ferreira et al on-going] –open framework for interoperability [Feng et al OCAP on-going] –boot-loaders & preemptive threads [Feng et al on-going] –memory management using malloc/free [CAP ESOP02] –garbage collector & mutator [McCreight et al on-going]

Features of a CAP-style system All built on a mechanized meta logic (e.g., Coq) Both the machine-level program and the property are specified by formulas in the meta logic Like TLA except our meta logic is mechanized Hoare-style assertions & inference rules enforce both the correctness & type safety properties No need of a separate type system; not a refinement Assertion languages can vary: Borrow those from Coq (shallow embedding) --- CAP Hybrid: Coq assertions + a thin layer of syntax --- XCAP

TAL vs. CAP Type-based Approach –TAL [Morrisett98] –Touchstone PCC [Colby00] –Syntactic FPCC [Hamid02] –FTAL [Crary03] –LTAL [Chen03] –… –Modular –Generate proof easily –Type safety Logic-based Approach –Original PCC [Necula98] –CAP [Yu03] –CCAP/CMAP [Yu04, Feng05] –XCAP [Ni & Shao 06] –SCAP [Feng et al 06] –… –Expressive –Advanced properties –Good interoperability

This talk! We also show how to embed TAL into our new XCAP! SCAP [Feng et al PLDI06]XCAP [Ni & Shao POPL06] Can we have the best of both worlds? Can a Hoare-style CAP system support: –embedded code pointers? –closures? –exceptions? –runtime stacks? –general references w. weak update? –recursive data structures?

Syntax of target machine TM

Operational semantics of TM

Mechanized meta logic All implemented in the Coq proof assistant!

XCAP assertion language

Validity rules for PropX [P] = ¢ ` P

Soundness of interpretation

XCAP inference rules: top level

XCAP inference rules: instructions

Soundness of XCAP

Memory mutation in XCAP? Strong update! –special conjunction (p * q) in separation logic –directly definable in Prop and PropX –explicit alias control, popular in system level Weak update (general reference)? –mutable reference (int ref) in ML –managed data pointers (int __gc*) in.NET –rely on GC to recycle memory

XCAP extension: general reference

XCAP ext.: supporting weak update

Recursive specification in XCAP? Simple recursive data structures! –linked list, queue, stack, tree, etc. –supported via inductive definition of Prop Complex recursive structures with ECP? –object (self refers to the entire object) –threading invariant (each thread assumes others)

XCAP ext.: recursive predicates

TAL: type definitions

TAL typing rules: top level

TAL typing rules: instructions

TAL typing rules: instructions (contd)

TAL uses syntactic subtyping!

Well-formed state in TAL

TAL-to-XCAP translation Step #1: we build a logic-based TAL that uses semantic subtyping Step #2: translating regular TAL into logic-based TAL (this is fairly straight-forward!) Step #3: translating logic-based TAL into XCAP

TAL-to-XCAP: translating value types

translation of preconditions translation of code heap types translation of data heap types TAL-to-XCAP: other translations

TAL-to-XCAP: typing preservation

Conclusion user application library TAL device driver OS kernel firmware XCAP XCAP can be extended to support general reference, weak update, and recursive specification ! We give a direct embedding of TAL into XCAP.