Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken

Published byDerick Jefferson Modified over 6 years ago

Similar presentations

Presentation on theme: "Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken"— Presentation transcript:

1 Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken
Stratified Synthesis: Automatically Learning the x86-64 Instruction Set Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016

2 Automatically Reason about Programs
Motivation Symbolic Execution Automatically Reason about Programs Program Verification 𝜙 ≡ I would like to start with some motivation. A lot of work in our community has been about building tools to automatically reason about programs. Symbolic execution has been used to explore paths through programs, for example to find inputs that cause some bad behavior (or prove that no such inputs exist). In program verification, we try to prove a program equivalent to some formal specification. Or similarly, we might want to prove the equivalence between two programs, maybe because one is much faster while we have more confidence in the other. And there are many more. Program Equivalence

3 Automatically reasoning about programs requires
Formal Semantics All of these example have one thing in common: they require a formal semantics of the programming language to allow tools to automatically reason about programs.

4 x86-64 testq %rdi, %rdi je .L1 xorq %rax, %rax .L0: movq %rdi, %rdx andq $0x1, %rdx addq %rdx, %rax shrq $0x1, %rdi jne .L0 cltq retq .L1: In our setting, we are interested in x86-64, the most widely used instruction set on desktops and servers. So, for us, programs look something like this. To be able to reason about such programs automatically, we need a formal specification of all instructions. The advantage of dealing with x86 directly is that our tools can work with almost any binary, regardless of its origin or source language.

5 64-bit bit-vector addition
x86-64 Semantics 64-bit bit-vector addition addq $0x1, %rax rax←rax 64-bit constant previous value of rax Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right.

6 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
al ←al Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right.

7 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
al ←al rax 64 bits Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right. eax bits ax 16 bits ah al 8 bits 8 bits

8 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
al ←al rax←rax 63:8 ∘ rax 7: rax 64 bits Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right. eax bits ax 16 bits ah al 8 bits 8 bits

9 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
addw $0x1, %ax rax←rax 63:16 ∘ rax 15: addl $0x1, %eax rax←rax[63:32] ∘(rax[31:0] ) Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right.

10 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
addw $0x1, %ax rax←rax 63:16 ∘ rax 15: addl $0x1, %eax rax← ∘(rax[31:0] ) Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right.

11 x86-64 Semantics addq $0x1, %rax rax←rax + 64 1 64 addb $0x1, %al
addw $0x1, %ax rax←rax 63:16 ∘ rax 15: addl $0x1, %eax rax← ∘(rax[31:0] ) zf← 0 32 =(eax ) cf← ∘eax [32,32] sf← eax [31,31] of←¬eax 31,31 ∧(eax )[31,31] pf←(eax )[0,0]⊕(eax )[1,1]⊕ (eax )[2,2]⊕(eax )[3,3]⊕ (eax )[4,4]⊕(eax )[5,5]⊕ (eax )[6,6]⊕(eax )[7,7] Ok, that’s not so bad, so the specification we are looking for is this. Rax is updated with rax plus 1. Here, the plus is addition over 64-bit wide bit vectors, and 1 is a 64bit constant. We can easily also get a specification for related instructions. For 8 bit, 16 and 32. Actually, it turns out x86 is weird, and for 32 bits the semantics are slightly different. The upper 32 bits get zeroed out. Here, the little circle is concatenation. Also, all of these instructions also set all 5 status flags, so really the specification looks like this. Not really something we necessarily want to write by hand, or can easily get right.

12 Related Work Manual partial specifications Taly/Godefroid [PLDI’12]
CompCert [CACM’09], BAP [CAV’11], BitBlaze [ICISS’08], Codesurfer/x86 [ETAPS’05], McVeto [CAV’10], STOKE [ASPLOS’13], Jakstab [CAV’08], many others Taly/Godefroid [PLDI’12] Automatically synthesize specification from templates Only 534 instructions

13 Automatically Learn a Specification for the x86-64 ISA
Bit-vector formulas of input-output behavior

14 Strategy: Split Instruction Set
All instructions Base set Specify manually Remaining Instructions Learn specification automatically

15 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Formula 𝜙 How do we synthesize programs? Formal guarantee? 𝑖≡𝜙 1 2

16 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Formula 𝜙 How do we synthesize programs? Randomized search Guided by cost function Based on test-cases Using STOKE [ASPLOS’13] 1

17 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Formula 𝜙 Formal guarantee? 𝑖≡𝜙 𝑝≡𝜙 2

18 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Formula 𝜙 Formal guarantee? 𝑖≡𝜙 𝑖≡𝑝≡𝜙 2

19 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Candidate formula 𝜙 Formal guarantee? 𝑖≡𝜙 𝑖≡𝑝≡𝜙 2

20 Strategy: Using Program Synthesis
combine base formulas Program 𝑝 Instruction 𝑖 synthesize Candidate formula 𝜙 Candidate formula 𝜙′ Program 𝑝′ Candidate formula 𝜙′′ yes ✔ increase confidence 𝜙 ? 𝜙′ no Add counter example, remove wrong program(s)

21 Solver Imprecision Increase confidence yes no
Remove incorrect program(s) 𝜙 ? 𝜙′ unknown timeout No information about equivalence

22 Solver Imprecision Increase confidence yes no
Remove incorrect program(s) 𝜙 ? 𝜙′ unknown timeout No information about equivalence

23 Solver Imprecision Increase confidence yes no
Remove incorrect program(s) 𝜙 ? 𝜙′ unknown timeout No information about equivalence Equivalence class 1 Equivalence class 2

24 Picking a Program Prefer programs whose formulas are
Equivalence class 1 Equivalence class 2 Equivalence class 3 Prefer programs whose formulas are Precise (fewest uninterpreted functions) Fast (fewest non-linear arithmetic operations) Simple (fewest nodes)

25 Picking a Program Prefer programs whose formulas are
Equivalence class 1 Equivalence class 2 Equivalence class 3 Prefer programs whose formulas are Precise (fewest uninterpreted functions) Fast (fewest non-linear arithmetic operations) Simple (fewest nodes)

26 Problem: Synthesis Limitations
synthesize

27 Solution: Stratified Search

28 Generalizing Formulas
Learn addw %ax, %dx dx←dx ax Rename addw %cx, %bx bx←bx cx addw (%rsp), %dx dx←dx M rsp addw $0x5, %dx dx←dx

29 Generalization Summary
Learn formula for register-only instructions Generalize formulas To other types of operands Check on test inputs

30 What if Generalization Impossible?
shufps $0xb3, %xmm0, %xmm1 Problem: No corresponding register-only variant Solution: Brute force a formula for every constant

31 Experiment Base set (51 instructions)
Integer, bitwise and float operations Data movement (including conditional move) Conversion operations Pseudo instructions (11 templates) Split and combine registers Changing status flags

32 Goal Total instructions 3,684 Out-of-scope Goal instructions 2,918
System instructions Crypto instructions Deprecated instructions String instructions Goal instructions 2,918 invpcid, jle aeskeygenassist fadd scasq

33 Results Base set 51 Pseudo instructions 11
Register-only instructions learned 692 Generalized 8-bit constant instructions learned Total formulas learned 1,795.42

34 Evaluation: Are the Formulas Correct?
Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 Automatically proven equivalent 1,377.91 Equivalent with additional lemma 4

35 Evaluation: Are the Formulas Correct?
Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 fadd 𝑎,𝑏 =fadd 𝑏,𝑎 Automatically proven equivalent 1,377.91 Equivalent with additional lemma 4

36 Evaluation: Are the Formulas Correct?
Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 Automatically proven equivalent 1,377.91 Equivalent with additional lemma 4 Semantically different 50 Handwritten formula correct Learned formula correct 50

37 Evaluation: Is Stratification Necessary?
Stratum 0 Stratum 1 Stratum 2 Stratum 3 base set stratum 𝑖 = if 𝑖∈baseset 1+ max 𝑖 ′ ∈𝑀(𝑖) stratum i ′ otherwise

38 Evaluation: Is Stratification Necessary?
stratum 𝑖 = if 𝑖∈baseset 1+ max 𝑖 ′ ∈𝑀(𝑖) stratum i ′ otherwise

39 Evaluation: Is Stratification Necessary?

40 Evaluation: Size of Learned Formulas
Fully inlined: 3526 instructions number of nodes in learned formula number of nodes in handwritten formula

41 Conclusions Automatically learned 1,795 formulas
Stratification key to scale program synthesis Compare to hand-written specification More correct, equally precise, same size Source code, formulas, experimental results

42 Backup Slides

43 Limitations Missing base instructions Program synthesis limits
Some integer and floating point operations are missing Program synthesis limits Shortest known program is long and outside of reach e.g., byte-vectorized operation Cost function limitation For one bit of output, the cost function does not give enough signal Crazy instructions

44 SMT solver usage (Z3) Total decisions 7,075 Equivalent 6,669 (94.26%)
New equivalence class 356 (5.03%) Counter-examples 50 (0.71%) Timeouts (45 seconds): 3

45 Experiment Details Intel Xeon E5-2697 (28 cores) at 2.6 GHz
hours (register-only) hours (8-bit constants) Total of 11, core hours

46 Test Cases Random inputs (random machine state)
“Interesting” bit-patterns 0, 1, −1, 2 𝑛 , NaN, Infinity Test cases learned from counter-examples

47 Evaluation: Simplifcation
Formulas are simplified Constant propagation Move bit-selection over concatenation 2 64 ∗ ≡ 0 64 ∘rax 63,0 ≡ rax

48 Evaluation: Formula Precision
Formula precision (number of uninterpreted functions) Learned formulas equally precise in all but 4 cases Formula quality (number of non-linear operations) Learned formulas contain same number of non-linear operations, except for 11 cases

Download ppt "Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken"

Similar presentations

1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Speeding it up Part 3: Out-Of-Order and SuperScalar execution dr.ir. A.C. Verschueren.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
There are two types of addressing schemes:

There are two types of addressing schemes:
Timed Automata.

Timed Automata.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
CS2422 Assembly Language & System Programming September 19, 2006.

CS2422 Assembly Language & System Programming September 19, 2006.
The CPU Revision Typical machine code instructions Using op-codes and operands Symbolic addressing. Conditional and unconditional branches.

The CPU Revision Typical machine code instructions Using op-codes and operands Symbolic addressing. Conditional and unconditional branches.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Riyadh Philanthropic Society For Science Prince Sultan College For Woman Dept. of Computer & Information Sciences CS 251 Introduction to Computer Organization.

Riyadh Philanthropic Society For Science Prince Sultan College For Woman Dept. of Computer & Information Sciences CS 251 Introduction to Computer Organization.
DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.

DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.
1 ICS 51 Introductory Computer Organization Fall 2009.

1 ICS 51 Introductory Computer Organization Fall 2009.
1 Carnegie Mellon Assembly and Bomb Lab 15-213: Introduction to Computer Systems Recitation 4, Sept. 17, 2012.

1 Carnegie Mellon Assembly and Bomb Lab : Introduction to Computer Systems Recitation 4, Sept. 17, 2012.
Superoptimization Venkatesh Karthik Srinivasan Guest Lecture in CS 701, Nov. 10, 2015.

Superoptimization Venkatesh Karthik Srinivasan Guest Lecture in CS 701, Nov. 10, 2015.
1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Carnegie Mellon Machine-Level Programming II: Control Carnegie Mellon.

1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Carnegie Mellon Machine-Level Programming II: Control Carnegie Mellon.
Computer and Information Sciences College / Computer Science Department CS 206 D Computer Organization and Assembly Language.

Computer and Information Sciences College / Computer Science Department CS 206 D Computer Organization and Assembly Language.
Rahul Sharma, Eric Schkufza, Berkeley Churchill, Alex Aiken.

Rahul Sharma, Eric Schkufza, Berkeley Churchill, Alex Aiken.
Conditionally Correct Superoptimization Rahul Sharma, Eric Schkufza, Berkeley Churchill, Alex Aiken (Stanford University)

Conditionally Correct Superoptimization Rahul Sharma, Eric Schkufza, Berkeley Churchill, Alex Aiken (Stanford University)
Spring 2016Assembly Review Roadmap 1 car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Car c = new Car(); c.setMiles(100);

Spring 2016Assembly Review Roadmap 1 car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Car c = new Car(); c.setMiles(100);

Similar presentations

Ads by Google