1. Low-Level Program Verification

2. Components of a Certifying Framework
Specifications No
Proof
Proof Checker
Yes
machine code
CPU
certified code (machine code + proof)
specifications: program safety/security/correctness + machine model
automated proof checker
need not trust the correctness of proofs

3. Low-Level Machine Code Verification
Machine code is the executable form of programs
Why verify machine code
Bugs in compilers may produce buggy machine code, even if source code is correct
There are manually written assembly code in OS kernels

4. The Machine (program) P ::=(C,S,I) (data heap) H f1: I1 addu … lw …
sw … …
j f pc 1 2 …
f2: I2 r1 r2 r3 … rn
f3: I3
(register file) R …
(code heap) C
(state) S
::=(H,R)
(instr. seq.) I
::={f  I}*
(program) P
::=(C,S,I)

7. Operational semantics

10. The CAP Logic Judgments Certified Assembly Programming
[Yu et al. ESOP 2003]
Certified Assembly Programming
Judgments

11. State assertions - Examples
a   S. S.H(100) > 0  S.R(r1) = 17
a'   S. odd(S.R(r1) )
S. a S  a' S

12. Inference Rules
Well-formed program:
Well-formed code heap:

13. Inference Rules (2)

14. Inference Rules (3)
 means logical implication

15. Verification of malloc/free

16. Verification of malloc/free (2)

19. Soundness Lemma (Preservation). If and
, then there exists an assertion a’
such that
Lemma (Progress). If , then there exists a program such that

20. Soundness (2)
Theorem (Soundness). If , then for all natural number n, there exists a program such that , and
then
then
and then

21. Program Specifications
(spec)  ::= {f  a}* a1 a2 a3
(data heap) H a
f1: I1
addu …
lw …
sw … …
j f pc 1 2 …
f2: I2 r1 r2 r3 … rn
f3: I3
(register file) R …
(code heap) C
(state) S
::=(H,R)
(instr. seq.) I
::={f  I}*
(program) P
::=(C,S,I)

22. Invariant-Based VerificationP0 c1 P1 c2 P2 c3 … cn Pn
Initial condition: Inv(P0)
Progress:
if Inv(P), then P’. P c P’.
Preservation:
if Inv(P) and P c P’, then Inv(P’).
Invariants are hard to find

23. How to verify function call?fp
stack
void f(){ void h(){
h(); return;
return; } } ra ?? ct
f: ...
sw $ra, -4($fp) h:
jal h ;; $ra contains ct
ct: lw $ra, -4($fp) jr $ra
...
jr $ra pc
Does f use the right return addr.?

24. Specifications Challenges SCAP specifications: (p, g)
f uses the “right” return addr.?
Hoare triple {p} f {q}?
In different basic blocks! g0 f:
...
sw $ra, -4($fp)
jal h
ct:
lw $ra, -4($fp)
jr $ra
{(p0, g0)}
{$ra = n …}
SCAP specifications: (p, g)
p: State  Prop
g: State  State  Prop g1
{(p1, g1)}
What is state? State contains memory, register file
The exit point does not have to be return point: raise exceptions, weak continuations, context switching
g0 S S’ S’.$ra = S.$ra …

25. Program Spec. and Code Pointers
Program Specification
::=
{f1(p1,g1), …,fn(pn,gn)}
“safe” to return (jr $ra):
$radom()  ($ra)=(p,g)
p holds at the time of return p1
jal f p2
jal h g0 g1 g2 p3
jr $ra p4 g3
jr $ra
Only code labels specified in \Psi are good code pointers
To make sure it is safe to jump to some code, the code label must be defined in \Psi with some spec (p, g) … g4
jr $ra

26. SCAP : Stack Invariant Always safe to return? … Logical control stack
jr $ra
g0 S0 S1 
S1.$ra    (S1.$ra))=(p1, g1)  p1 S1 S1 g1 p2
g0 S0 S1  g1 S1 S2 
S2.$ra    (S2.$ra)=(p2, g2)  p2 S2 S2 g2 p3 S3
g0 S0 S1  g1 S1 S2  g2 S2 S3 
S3.$ra    (S3.$ra)=(p3, g3)  p3 S3 g3 …
Logical control stack

27. SCAP : Stack Invariant Invariant: WFST(n, g0, S0, ) 
S1. g0 S0 S1 
 p1,g1.
(S1.$ra)=(p1, g1) 
p1 S1 
WFST(n-1, g1, S1, )
WFST(0, g0, S0, ) 
 S1. g0 S0 S1
Invariant:
p S  n.WFST(n, g, S, ) p0 S0 g0 p1
jr $ra S1 g1 p2 S2 g2 p3 S3 g3
Logical control stack

28. SCAP : Invariant Preservation
Inv(S):
p S  n.WFST(n, g, S, ) c
p S 
n.WFST(n,g,S,) S S’
p’ S’ 
n.WFST(n,g’,S’,)
p’,g’

29. SCAP: call … … p S  WFST(n, g, S, ) p0 S0  WFST(n+1, g0, S0, ) p
jr $ra p1
jr $ra g1 S1
jal f g1 S1 n n S2 S2 … …
Proof obligations
p S  p0 S0
g0 S0 S1  S0.$ra = S1.$ra
p S  g0 S0 S1  p1 S1
p S  g0 S0 S1  g1 S1 S2  g S S2

30. SCAP: the call rule (p0, g0) = (f) (p1, g1) = (fret)
H,R. p (H,R)  p0 (H,R{rafret})
H,R,S1. p (H,R)  g0 (H,R{rafret}) S1
 p1 S1  (S2. g1 S1 S2  g S S2)
S0,S1. g0 S0 S1  S0.$ra = S1.$ra
 |- {(p,g)} jal f fret

31. SCAP: ret … … p S  g S S1 p S  WFST(n, g S, )
jr $ra
n-1
n-1 … …
p S  g S S1

32. SCAP: return rule
S. p S  g S S
 |- {(p,g)} jr $ra

33. SCAP: direct jump (or tail call)
p S  WFST(n, g S, )
p0 S0  WFST(n, g0 S0, ) p p0 p0 S S0 g0 g0 g
jr $ra
jr $ra
j f n n S1 S1 … …
p S  p0 S0
p S  g0 S0 S1  g S S1

34. SCAP: sequential  |- {(p’,g’)} I S. p S  p’(AuxStep(c,S))
S,S’. p S  g’(AuxStep(c,S)) S’  g S S’
 |- {(p,g)} c;I

35. Other control flows
Stack unwinding
Stack cutting
setjmp/longjmp in C

36. Call with Multiple Return Addr.g1
jr ra p g
Multi-ret

37. Call with Multiple Ret. or Tail Call

38. Generalization: Stack unwinding/cuttingp1 g1
jr ra p g
Multi-ret g1 p1
jr ra p g + p1 g1
jr ra p g
Tail-call

39. Change of Invariant

40. env cannot outlive the stack frame of rev !
setjmp/longjmp
jmp_buf env = …;
void cmp0(int x,jmp_buf env){
cmp1(x, env); }
int rev(int x){
if (setjmp(env) == 0){
cmp0(x, env); return 0;
}else{
return 1; } f0 pc pc
void cmp1(int x,jmp_buf env){
if (x == 0)
longjmp(env, 1);
else
return; } pc
env f0 … … sp …

41. Read the paper at: http://flint. cs. yale. edu/flint/publications/sbca