Low-Level Program Verification

Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness + machine model automated proof checker need not trust the correctness of proofs Proof Checker Yes CPU Specifications Proof machine code No

Low-Level Machine Code Verification Machine code is the executable form of programs Why verify machine code Bugs in compilers may produce buggy machine code, even if source code is correct There are manually written assembly code in OS kernels

The Machine I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc

Operational semantics

Program Specifications I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

The CAP Logic Certified Assembly Programming Judgments [Yu et al. ESOP 2003]

State assertions - Examples a  S. S.H(100) > 0  S.R(r1) = 17  S. a S  a' S a'  S. odd(S.R(r1) )

Inference Rules Well-formed program: Well-formed code heap:

Inference Rules (2)

Inference Rules (3)  means logical implication

Verification of malloc/free

Verification of malloc/free (2)

Soundness Lemma (Preservation). If and, then there exists an assertion a’ such that. Lemma (Progress). If, then there exists a program such that

Soundness (2) Theorem (Soundness). If, then for all natural number n, there exists a program such that, and then and then

Program Specifications I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

Invariant-Based Verification Initial condition: Inv  (P 0 ) P0P0 c1c1 P1P1 c2c2 P2P2 c3c3 … cncn PnPn Progress: if Inv  (P), then  P’. P  c P’. Preservation: if Inv  (P) and P  c P’, then Inv  (P’).

f:... sw $ra, -4($fp) h: jal h ;; $ra contains ct ct: lw $ra, -4($fp) jr $ra... jr $ra fp stack ?? ct How to verify function call? void f(){ void h(){ h(); return; return; } } Does f use the right return addr.? pc ra R

void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } jmp_buf env = …; pc f0f0 … sp env f0f0 pc env cannot outlive the stack frame of rev ! … …

SCAP specifications: (p, g) –p: State  Prop –g: State  State  Prop Specifications f:... sw $ra, -4($fp) jal h ct: lw $ra, -4($fp)... jr $ra {(p 0, g 0 )} {(p 1, g 1 )} g0g0 g1g1 g 0 S S’  S’.$ra = S.$ra … Challenges –f uses the “right” return addr.? –Hoare triple {p} f {q}? In different basic blocks! {$ra = n …}

Program Spec. and Code Pointers jal f jal h jr $ra g0g0 g4g4 p0p0 p4p4 g1g1 p1p1 g2g2 p2p2 g3g3 p3p3 … Program Specification  ::= {f 1  (p 1,g 1 ), …,f n  (p n,g n )} “safe” to return ( jr $ra ): –$ra  dom(  )   ($ra)=(p,g) –p holds at the time of return

SCAP : Stack Invariant p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 g 0 S 0 S 1  S 1.$ra     (S 1.$ra))=(p 1, g 1 )  p 1 S 1 g 0 S 0 S 1  g 1 S 1 S 2  S 2.$ra     (S 2.$ra)=(p 2, g 2 )  p 2 S 2 g 0 S 0 S 1  g 1 S 1 S 2  g 2 S 2 S 3  S 3.$ra     (S 3.$ra)=(p 3, g 3 )  p 3 S 3 jr $ra Logical control stack Always safe to return? S0S0 S1S1 S2S2 S3S3 …

SCAP : Stack Invariant WFST(n, g 0, S 0,  )   S 1. g 0 S 0 S 1   p 1,g 1.  (S 1.$ra)=(p 1, g 1 )  p 1 S 1  WFST(n-1, g 1, S 1,  ) WFST(0, g 0, S 0,  )    S 1. g 0 S 0 S 1 Invariant: p S   n.WFST(n, g, S,  ) p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 jr $ra Logical control stack S0S0 S1S1 S2S2 S3S3

SCAP : Invariant Preservation Inv(S): p S   n.WFST(n, g, S,  ) c S’ p S   n.WFST(n,g,S,  ) S p’ S’   n.WFST(n,g’,S’,  )  p’,g’

SCAP: call p0p0 g0g0 p1p1 g1g1 jr $ra p0p0 g0g0 p g jal f p S  WFST(n, g, S,  )p 0 S 0  WFST(n+1, g 0, S 0,  ) S S0S0 n+1 n … p S  p 0 S 0 p1p1 g1g1 n … p S  g 0 S 0 S 1  p 1 S 1 p S  g 0 S 0 S 1  g 1 S 1 S 2  g S S 2 g 0 S 0 S 1  S 0.$ra = S 1.$ra S1S1 S1S1 S2S2 S2S2

SCAP: the call rule  |- {(p,g)} jal f fret  H,R. p (H,R)  p 0 (H,R{ra  fret})  H,R,S 1. p (H,R)  g 0 (H,R{ra  fret}) S 1  p 1 S 1  (  S 2. g 1 S 1 S 2  g S S 2 )  S 0,S 1. g 0 S 0 S 1  S 0.$ra = S 1.$ra (p 0, g 0 ) =  (f) (p 1, g 1 ) =  (fret)

SCAP: ret p g p1p1 g1g1 p1p1 g1g1 jr $ra p S  WFST(n, g S,  )p 1 S 1  WFST(n-1, g 1 S 1,  ) n n-1 … … p S  g S S 1 S S1S1

SCAP: return rule  |- {(p,g)} jr $ra  S. p S  g S S

SCAP: direct jump (or tail call) p0p0 g0g0 jr $ra p g S n … j f p0p0 g0g0 jr $ra S0S0 n … p S  WFST(n, g S,  )p 0 S 0  WFST(n, g 0 S 0,  ) p S  p 0 S 0 p S  g 0 S 0 S 1  g S S 1 S1S1 S1S1

SCAP: sequential  |- {(p,g)} c;I  S. p S  p’(AuxStep(c,S))  |- {(p’,g’)} I  S,S’. p S  g’(AuxStep(c,S)) S’  g S S’

Other control flows Stack unwinding Stack cutting setjmp/longjmp in C

Call with Multiple Return Addr. p1p1 g1g1 jr ra p g Multi-ret

Call with Multiple Ret. or Tail Call

Generalization: Stack unwinding/cutting g1g1 p1p1 jr ra p g + p1p1 g1g1 p g Multi-ret p1p1 g1g1 jr ra p g Tail-call

Change of Invariant

void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } jmp_buf env = …; pc f0f0 … sp env f0f0 pc env cannot outlive the stack frame of rev ! … …

Read the paper at: