Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,"— Presentation transcript:

1 Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg, Sen Xiang and Zhaozhong Ni

2 Motivation How to verify the safety & correctness properties of low-level system software? Vanilla C & C++ & Assembly? Hardware Java (JML) C# (Spec #) Cyclone CCured TAL … System Software

3 Verifying C & Assembly? Many challenges … This talk: how to specify/verify low-level stack- based control flows? How to formulate the stack invariants? How to design a compositional program logic? Previous work does not apply! Hoare-Logic done at high-level: no explicit stacks! TAL & Proof-Carrying Code: Mostly use continuations & CPS-based reasoning Too general to distinguish different stack abstractions

4 Problems – call/return void f(){ void h(){ h(); return; return; } } f:... sw $ra, -4($fp) h: jal h ;; $ra contains ct ct: lw $ra, -4($fp) jr $ra... jr $ra Stacks are hidden! Does f use the right return addr.? pc

5 f2f2 … f1f1 … Problems – setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } jmp_buf env = …; pc f0f0 … sp env f0f0 f1f1 pc f2f2 env cannot outlive the stack frame of rev !

6 Problems – weak continuations Weak continuations in C-- [Ramsey&Peyton-Jones'00] Used to implement exceptions [Ramsey&Peyton-Jones'00] Stack unwinding Stack cutting f(bits32 x){ h(x, k) also cuts to k; return 0; continuation k: return 1; } h(bits32 x, bits32 k){ if (x==0) cut to k; return; }

7 No ’s! Our Contributions A simple program logic (SCAP) for modular verification of (1) compiled C code & (2) manually-written assembly code All systems are lemma libraries built on a single CAP0 framework!

8 Outline of This Talk Motivations and contributions SCAP logic for verifying function call/return Basic framework Specifications Stack-invariant Instruction rules (to enforce the invariant) Generalizations for complicated controls Implementation & applications

9 The Machine I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc

10 Invariant-Based Verification Initial condition: Inv(S 0 ) S0S0 c1c1 S1S1 c2c2 S2S2 c3c3 … cncn SnSn Progress: if Inv(S), then  S’. S  c S’. Preservation: if Inv(S) and S  c S’, then Inv(S’).

11 Program Specifications I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,pc) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} *

12 The SCAP Program Logic the form of specification “a” the invariant (based on the spec.  ) the proof obligations Instruction rules for call, ret, tail call, …

13 Outline of This Talk Motivations and contributions SCAP logic for verifying function call/return Basic framework Specifications Stack-invariant Instruction rules (to enforce the invariant) Generalizations for complicated controls Implementation & applications

14 Specifications f:... sw $ra, -4($fp) jal h ct: lw $ra, -4($fp)... jr $ra {(p 0, g 0 )} {(p 1, g 1 )} SCAP specifications: (p, g) p: State  Prop g: State  State  Prop g0g0 g1g1 g 0 S S’  S’.$ra = S.$ra … Challenges f uses the “right” return addr.? Hoare triple {p} f {q}? In different basic blocks! {$ra = n …}

15 g  {p}_{q} ! Composition rule {p} {q} {q'} {p} {q'} … … jr $ra g g' g" g g'' Hoare-triple (p, g) (p', g') (p", g") (p, g) (p", g") (p, g) in SCAP

16 Program Spec. and Code Pointers jal f jal h jr $ra Program Specification  ::= {f 1  (p 1,g 1 ), …,f n  (p n,g n )} “safe” to return ( jr $ra ): $ra  dom(  )   ($ra)=(p,g) p holds at the time of return g0g0 g4g4 p0p0 p4p4 g1g1 p1p1 g2g2 p2p2 g3g3 p3p3 … jr $ra

17 SCAP : Stack Invariant p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 g 0 S 0 S 1  S 1.$ra     (S 1.$ra))=(p 1, g 1 )  p 1 S 1 g 0 S 0 S 1  g 1 S 1 S 2  S 2.$ra     (S 2.$ra)=(p 2, g 2 )  p 2 S 2 g 0 S 0 S 1  g 1 S 1 S 2  g 2 S 2 S 3  S 3.$ra     (S 3.$ra)=(p 3, g 3 )  p 3 S 3 jr $ra Logical control stack Always safe to return? S0S0 S1S1 S2S2 S3S3

18 SCAP : Stack Invariant WFST(n, g 0 S 0,  )   S 1. g 0 S 0 S 1   p 1,g 1.  (S 1.$ra)=(p 1, g 1 )  p 1 S 1  WFST(n-1, g 1 S 1,  ) WFST(0, g 0 S 0,  )    S 1. g 0 S 0 S 1 Invariant: p S   n.WFST(n, g S,  ) p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 jr $ra Logical control stack S0S0 S1S1 S2S2 S3S3

19 SCAP : Invariant Preservation Inv(S): p S   n.WFST(n, g S,  ) c S’ p S   n.WFST(n,g S,  ) S p’ S’   n.WFST(n,g’S’,  )

20 SCAP: call p0p0 g0g0 p1p1 g1g1 jr $ra p0p0 g0g0 p g jal f p S  WFST(n, g S,  )p 0 S 0  WFST(n+1, g 0 S 0,  ) S S0S0 n+1 n … p S  p 0 S 0 p1p1 g1g1 n … p S  g 0 S 0 S 1  p 1 S 1 p S  g 0 S 0 S 1  g 1 S 1 S 2  g S S 2 g 0 S 0 S 1  S 0.$ra = S 1.$ra S1S1 S1S1 S2S2 S2S2

21 SCAP: ret p g p1p1 g1g1 p1p1 g1g1 jr $ra p S  WFST(n, g S,  )p 1 S 1  WFST(n-1, g 1 S 1,  ) n n-1 … … p S  g S S 1 S S1S1

22 SCAP: tail call p0p0 g0g0 jr $ra p g S n … j f p0p0 g0g0 jr $ra S0S0 n … p S  WFST(n, g S,  )p 0 S 0  WFST(n, g 0 S 0,  ) p S  p 0 S 0 p S  g 0 S 0 S 1  g S S 1 S1S1 S1S1

23 Outline of This Talk Motivations and contributions SCAP logic for verifying function call/return Basic framework Specifications Stack-invariant Instruction rules (to enforce the invariant) Generalizations for complicated controls Implementation & applications

24 SCAP: call p0p0 g0g0 p1p1 g1g1 jr $ra p0p0 g0g0 p g jal f p S  WFST(n, g S,  )p 0 S 0  WFST(n+1, g 0 S 0,  ) S S0S0 n+1 n … p S  p 0 S 0 p1p1 g1g1 n … p S  g 0 S 0 S 1  p 1 S 1 p S  g 0 S 0 S 1  g 1 S 1 S 2  g S S 2 g 0 S 0 S 1  S 0.$ra = S 1.$ra S1S1 S1S1 S2S2 S2S2

25 Generalization: Stack unwinding/cutting g1g1 p1p1 jr ra p g + p1p1 g1g1 p g Multi-ret p1p1 g1g1 jr ra p g Tail-call

26 Example: setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } jmp_buf env = …;

27

28 Further extensions switch call ret switch coroutines coroutines w. functions calls

29 Implementation & Applications Coq implementation Encoding of machine (370 lines) Syntax & Operational semantics Encoding of CAP0 framework/SCAP systems (1800L) Inference rules & Soundness proof Certified programs w. proofs (10,000+ L) malloc/free …… garbage collectors [McCreight et al 06]

30 Summary SCAP-family logics as lemmas CAP0: the generic framework Inference rules are lemmas in CAP0 Function call; tail-call optimization SCAP Exceptions: Stack-unwindingSCAP-I, EUCAP Exceptions: Stack-cuttingSCAP-II, ECAP Weak-continuation setjmp/longjmp SCAP-II Coroutines (w. function call)CAP-CR (SCAP-CR) ThreadsFCCAP

Download ppt "Modular Verification of Assembly Code with Stack-Based Control Abstractions Xinyu Feng Yale University Joint work with Zhong Shao, Alexander Vaynberg,"

Similar presentations

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.

Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks C.J. Bell, Robert Dockins, Aquinas Hobor, Andrew W. Appel, David Walker 1.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.

Foundational Certified Code in a Metalogical Framework Karl Crary and Susmit Sarkar Carnegie Mellon University.
1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.

1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.
ECE 232 L6.Assemb.1 Adapted from Patterson 97 ©UCBCopyright 1998 Morgan Kaufmann Publishers ECE 232 Hardware Organization and Design Lecture 6 MIPS Assembly.

ECE 232 L6.Assemb.1 Adapted from Patterson 97 ©UCBCopyright 1998 Morgan Kaufmann Publishers ECE 232 Hardware Organization and Design Lecture 6 MIPS Assembly.
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Lecture 6: MIPS Instruction Set Today’s topic –Control instructions –Procedure call/return 1.

Lecture 6: MIPS Instruction Set Today’s topic –Control instructions –Procedure call/return 1.
Computer Architecture CSCE 350

Computer Architecture CSCE 350
MIPS Function Continued

MIPS Function Continued
CPS3340 COMPUTER ARCHITECTURE Fall Semester, 2013 10/17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.
Ch. 8 Functions.

Ch. 8 Functions.
Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)
Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS 281-001) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.

Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS ) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.
Procedure call frame: Hold values passed to a procedure as arguments

Procedure call frame: Hold values passed to a procedure as arguments
Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November 2010 Focus Areas: Operating Systems,

Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November Focus Areas: Operating Systems,
Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.

Extensible Verification of Untrusted Code Bor-Yuh Evan Chang, Adam Chlipala, Kun Gao, George Necula, and Robert Schneck May 14, 2004 OSQ Retreat Santa.
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Similar presentations

Ads by Google