Presentation is loading. Please wait.

Presentation is loading. Please wait.

Low-Level Program Verification. Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness.

Published byPauline Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "Low-Level Program Verification. Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness."— Presentation transcript:

1 Low-Level Program Verification

2 Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness + machine model automated proof checker need not trust the correctness of proofs Proof Checker Yes CPU Specifications Proof machine code No

3 Low-Level Machine Code Verification Machine code is the executable form of programs Why verify machine code Bugs in compilers may produce buggy machine code, even if source code is correct There are manually written assembly code in OS kernels

4 The Machine I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc

5

6

7 Operational semantics

8

9

10 Program Specifications I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

11 The CAP Logic Certified Assembly Programming Judgments [Yu et al. ESOP 2003]

12 State assertions - Examples a  S. S.H(100) > 0  S.R(r1) = 17  S. a S  a' S a'  S. odd(S.R(r1) )

13 Inference Rules Well-formed program: Well-formed code heap:

14 Inference Rules (2)

15 Inference Rules (3)  means logical implication

16 Verification of malloc/free

17 Verification of malloc/free (2)

18

19

20 Soundness Lemma (Preservation). If and, then there exists an assertion a’ such that. Lemma (Progress). If, then there exists a program such that

21 Soundness (2) Theorem (Soundness). If, then for all natural number n, there exists a program such that, and then and then

22 Program Specifications I1I1 f1:f1: I2I2 f2:f2: I3I3 f3:f3: … (code heap) C 0 r1r1 12… r2r2 r3r3 …rnrn (data heap) H (register file) R (state) S addu … lw … sw … … j f (instr. seq.) I (program) P::=(C,S,I) ::=(H,R) ::={f  I} * pc a1a1 a2a2 a3a3 (spec)  ::= {f  a} * a

23 Invariant-Based Verification Initial condition: Inv  (P 0 ) P0P0 c1c1 P1P1 c2c2 P2P2 c3c3 … cncn PnPn Progress: if Inv  (P), then  P’. P  c P’. Preservation: if Inv  (P) and P  c P’, then Inv  (P’).

24 f:... sw $ra, -4($fp) h: jal h ;; $ra contains ct ct: lw $ra, -4($fp) jr $ra... jr $ra fp stack ?? ct How to verify function call? void f(){ void h(){ h(); return; return; } } Does f use the right return addr.? pc ra R

25 void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } jmp_buf env = …; pc f0f0 … sp env f0f0 pc env cannot outlive the stack frame of rev ! … …

26 SCAP specifications: (p, g) –p: State  Prop –g: State  State  Prop Specifications f:... sw $ra, -4($fp) jal h ct: lw $ra, -4($fp)... jr $ra {(p 0, g 0 )} {(p 1, g 1 )} g0g0 g1g1 g 0 S S’  S’.$ra = S.$ra … Challenges –f uses the “right” return addr.? –Hoare triple {p} f {q}? In different basic blocks! {$ra = n …}

27 Program Spec. and Code Pointers jal f jal h jr $ra g0g0 g4g4 p0p0 p4p4 g1g1 p1p1 g2g2 p2p2 g3g3 p3p3 … Program Specification  ::= {f 1  (p 1,g 1 ), …,f n  (p n,g n )} “safe” to return ( jr $ra ): –$ra  dom(  )   ($ra)=(p,g) –p holds at the time of return

28 SCAP : Stack Invariant p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 g 0 S 0 S 1  S 1.$ra     (S 1.$ra))=(p 1, g 1 )  p 1 S 1 g 0 S 0 S 1  g 1 S 1 S 2  S 2.$ra     (S 2.$ra)=(p 2, g 2 )  p 2 S 2 g 0 S 0 S 1  g 1 S 1 S 2  g 2 S 2 S 3  S 3.$ra     (S 3.$ra)=(p 3, g 3 )  p 3 S 3 jr $ra Logical control stack Always safe to return? S0S0 S1S1 S2S2 S3S3 …

29 SCAP : Stack Invariant WFST(n, g 0, S 0,  )   S 1. g 0 S 0 S 1   p 1,g 1.  (S 1.$ra)=(p 1, g 1 )  p 1 S 1  WFST(n-1, g 1, S 1,  ) WFST(0, g 0, S 0,  )    S 1. g 0 S 0 S 1 Invariant: p S   n.WFST(n, g, S,  ) p0p0 g0g0 p1p1 g1g1 p2p2 g2g2 p3p3 g3g3 jr $ra Logical control stack S0S0 S1S1 S2S2 S3S3

30 SCAP : Invariant Preservation Inv(S): p S   n.WFST(n, g, S,  ) c S’ p S   n.WFST(n,g,S,  ) S p’ S’   n.WFST(n,g’,S’,  )  p’,g’

31 SCAP: call p0p0 g0g0 p1p1 g1g1 jr $ra p0p0 g0g0 p g jal f p S  WFST(n, g, S,  )p 0 S 0  WFST(n+1, g 0, S 0,  ) S S0S0 n+1 n … p S  p 0 S 0 p1p1 g1g1 n … p S  g 0 S 0 S 1  p 1 S 1 p S  g 0 S 0 S 1  g 1 S 1 S 2  g S S 2 g 0 S 0 S 1  S 0.$ra = S 1.$ra S1S1 S1S1 S2S2 S2S2

32 SCAP: the call rule  |- {(p,g)} jal f fret  H,R. p (H,R)  p 0 (H,R{ra  fret})  H,R,S 1. p (H,R)  g 0 (H,R{ra  fret}) S 1  p 1 S 1  (  S 2. g 1 S 1 S 2  g S S 2 )  S 0,S 1. g 0 S 0 S 1  S 0.$ra = S 1.$ra (p 0, g 0 ) =  (f) (p 1, g 1 ) =  (fret)

33 SCAP: ret p g p1p1 g1g1 p1p1 g1g1 jr $ra p S  WFST(n, g S,  )p 1 S 1  WFST(n-1, g 1 S 1,  ) n n-1 … … p S  g S S 1 S S1S1

34 SCAP: return rule  |- {(p,g)} jr $ra  S. p S  g S S

35 SCAP: direct jump (or tail call) p0p0 g0g0 jr $ra p g S n … j f p0p0 g0g0 jr $ra S0S0 n … p S  WFST(n, g S,  )p 0 S 0  WFST(n, g 0 S 0,  ) p S  p 0 S 0 p S  g 0 S 0 S 1  g S S 1 S1S1 S1S1

36 SCAP: sequential  |- {(p,g)} c;I  S. p S  p’(AuxStep(c,S))  |- {(p’,g’)} I  S,S’. p S  g’(AuxStep(c,S)) S’  g S S’

37 Other control flows Stack unwinding Stack cutting setjmp/longjmp in C

38 Call with Multiple Return Addr. p1p1 g1g1 jr ra p g Multi-ret

39 Call with Multiple Ret. or Tail Call

40 Generalization: Stack unwinding/cutting g1g1 p1p1 jr ra p g + p1p1 g1g1 p g Multi-ret p1p1 g1g1 jr ra p g Tail-call

41 Change of Invariant

42 void cmp1(int x,jmp_buf env){ if (x == 0) longjmp(env, 1); else return; } setjmp/longjmp int rev(int x){ if (setjmp(env) == 0){ cmp0(x, env); return 0; }else{ return 1; } void cmp0(int x,jmp_buf env){ cmp1(x, env); } jmp_buf env = …; pc f0f0 … sp env f0f0 pc env cannot outlive the stack frame of rev ! … …

43 Read the paper at: http://flint.cs.yale.edu/flint/publications/sbca.html

44

Download ppt "Low-Level Program Verification. Components of a Certifying Framework certified code (machine code + proof) specifications: program safety/security/correctness."

Similar presentations

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:

A Translation from Typed Assembly Language to Certified Assembly Programming Zhong Shao Yale University Joint work with Zhaozhong Ni Paper URL:
1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.

1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.
10/6: Lecture Topics Procedure call Calling conventions The stack

10/6: Lecture Topics Procedure call Calling conventions The stack
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
MIPS Calling Convention Chapter 2.7 Appendix A.6.

MIPS Calling Convention Chapter 2.7 Appendix A.6.
Lecture 6: MIPS Instruction Set Today’s topic –Control instructions –Procedure call/return 1.

Lecture 6: MIPS Instruction Set Today’s topic –Control instructions –Procedure call/return 1.
Computer Architecture CSCE 350

Computer Architecture CSCE 350
CPS3340 COMPUTER ARCHITECTURE Fall Semester, 2013 10/17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.
Ch. 8 Functions.

Ch. 8 Functions.
Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)
Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS 281-001) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.

Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS ) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Procedure call frame: Hold values passed to a procedure as arguments

Procedure call frame: Hold values passed to a procedure as arguments
Lecture 8: MIPS Instruction Set

Lecture 8: MIPS Instruction Set
 Procedures (subroutines) allow the programmer to structure programs making them : › easier to understand and debug and › allowing code to be reused.

 Procedures (subroutines) allow the programmer to structure programs making them : › easier to understand and debug and › allowing code to be reused.
Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November 2010 Focus Areas: Operating Systems,

Advanced Development of Certified OS Kernels Zhong Shao Bryan Ford Yale University November Focus Areas: Operating Systems,
Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.

Modular Verification of Concurrent Assembly Code with Dynamic Thread Creation and Termination Xinyu Feng Yale University Joint work with Zhong Shao.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Similar presentations

Ads by Google