low level program verification n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Low-Level Program Verification PowerPoint Presentation
Download Presentation
Low-Level Program Verification

Loading in 2 Seconds...

play fullscreen
1 / 42

Low-Level Program Verification - PowerPoint PPT Presentation


  • 100 Views
  • Uploaded on

Low-Level Program Verification. CPU. Components of a Certifying Framework. Specifications. certified code (machine code + proof) specifications: program safety/security/correctness + machine model automated proof checker need not trust the correctness of proofs. No. Proof.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Low-Level Program Verification' - autumn-jimenez


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
components of a certifying framework

CPU

Components of a Certifying Framework

Specifications

  • certified code (machine code + proof)
  • specifications: program safety/security/correctness + machine model
  • automated proof checker

need not trust the correctness of proofs

No

Proof

Proof Checker

Yes

machine code

low level machine code verification
Low-Level Machine Code Verification
  • Machine code is the executable form of programs
  • Why verify machine code
      • Bugs in compilers may produce buggy machine code, even if source code is correct
      • There are manually written assembly code in OS kernels
the machine
The Machine

(data heap) H

f1:

I1

addu …

lw …

sw …

j f

pc

0

1

2

f2:

I2

r1

r2

r3

rn

f3:

I3

(register file) R

(code heap) C

(state) S

::=(H,R)

(instr. seq.) I

::={fI}*

(program) P

::=(C,S,I)

the cap logic
The CAP Logic

[Yu et al. ESOP 2003]

Certified Assembly Programming

Judgments

state assertions examples
State assertions - Examples

a   S. S.H(100) > 0  S.R(r1) = 17

a'   S. odd(S.R(r1) )

S. a S  a' S

inference rules
Inference Rules

Well-formed program:

Well-formed code heap:

inference rules 3
Inference Rules (3)

 means logical implication

soundness
Soundness

Lemma (Preservation). If and

, then there exists an assertion a’

such that .

Lemma (Progress). If , then there exists a program such that

soundness 2
Soundness (2)

Theorem (Soundness). If , then for all natural number n, there exists a program such that , and

then

then

and then

program specifications

a1

a2

a3

Program Specifications

(spec) ::={fa}*

(data heap) H

a

f1:

I1

addu …

lw …

sw …

j f

pc

0

1

2

f2:

I2

r1

r2

r3

rn

f3:

I3

(register file) R

(code heap) C

(state) S

::=(H,R)

(instr. seq.) I

::={fI}*

(program) P

::=(C,S,I)

invariant based verification

c1

c2

c3

cn

P0

P1

P2

Pn

Invariant-Based Verification

Initial condition:Inv(P0)

Progress:

if Inv(P), then P’. P c P’.

Preservation:

if Inv(P) and P cP’, then Inv(P’).

how to verify function call

stack

fp

f: ...

sw $ra, -4($fp) h:

jal h ;; $ra contains ct

ct: lw $ra, -4($fp) jr $ra

...

jr $ra

How to verify function call?

R

void f(){ void h(){

h(); return;

return; }

}

ra

ct

??

pc

Does f use the right return addr.?

specifications

{$ra = n …}

g0

g1

{$ra = n …}

Specifications
  • Challenges
    • f uses the “right” return addr.?
    • Hoare triple {p} f {q}?
      • In different basic blocks!

f:

...

sw $ra, -4($fp)

jal h

ct:

lw $ra, -4($fp)

...

jr $ra

{(p0, g0)}

  • SCAP specifications: (p, g)
    • p: State  Prop
    • g: State  State  Prop

{(p1, g1)}

g0 S S’ S’.$ra = S.$ra …

program spec and code pointers
Program Spec. and Code Pointers
  • Program Specification

::=

{f1(p1,g1), …,fn(pn,gn)}

  • “safe” to return (jr $ra):
    • $radom()  ($ra)=(p,g)
    • pholds at the time of return

p0

p1

jal f

p2

jal h

g2

g0

g1

p3

jr$ra

g3

p4

jr $ra

g4

jr $ra

scap stack invariant
SCAP : Stack Invariant

Always safe to return?

p0

S0

g0

p1

jr $ra

g0 S0S1 

S1.$ra   (S1.$ra))=(p1, g1) p1S1

S1

g1

p2

S2

g0 S0S1  g1 S1S2 

S2.$ra   (S2.$ra)=(p2, g2) p2S2

g2

p3

S3

g0 S0S1  g1 S1S2  g2 S2S3 

S3.$ra    (S3.$ra)=(p3, g3) p3 S3

g3

Logical control stack

scap stack invariant1
SCAP : Stack Invariant

WFST(n, g0, S0, ) 

S1. g0 S0 S1 

 p1,g1.

(S1.$ra)=(p1, g1) 

p1 S1 

WFST(n-1, g1, S1, )

WFST(0, g0, S0, ) 

 S1. g0 S0 S1

Invariant:

p S  n.WFST(n, g, S, )

p0

S0

g0

p1

jr $ra

S1

g1

p2

S2

g2

p3

S3

g3

Logical control stack

scap invariant preservation

c

S

p’,g’

p S 

n.WFST(n,g,S,)

p’ S’ 

n.WFST(n,g’,S’,)

SCAP : Invariant Preservation
  • Inv(S):

p S  n.WFST(n, g, S, )

S’

scap call

n+1

jal f

SCAP: call

p S  WFST(n, g, S, )

p0 S0 WFST(n+1, g0, S0, )

p

p0

p0

S

S0

g0

g0

p1

p1

g

jr $ra

jr $ra

g1

g1

S1

S1

n

n

S2

S2

p S  p0 S0

g0 S0 S1 S0.$ra = S1.$ra

p S  g0 S0 S1 p1 S1

p S  g0 S0 S1  g1 S1 S2  g S S2

scap the call rule
SCAP: the call rule

(p0, g0) = (f)(p1, g1) = (fret)

H,R. p (H,R)  p0 (H,R{rafret})

H,R,S1. p (H,R)  g0 (H,R{rafret}) S1

 p1 S1  (S2. g1 S1 S2  g S S2)

S0,S1. g0 S0 S1 S0.$ra = S1.$ra

 |- {(p,g)} jal f fret

scap ret
SCAP: ret

p S  WFST(n, g S, )

p1 S1 WFST(n-1, g1 S1, )

p

n

p1

p1

S

g

S1

g1

g1

jr $ra

n-1

n-1

p S  g S S1

scap return rule
SCAP: return rule

S. p S  g S S

 |- {(p,g)} jr $ra

scap direct jump or tail call
SCAP: direct jump (or tail call)

p S  WFST(n, g S, )

p0 S0 WFST(n, g0 S0, )

p

p0

p0

S

S0

g0

g0

g

jr $ra

jr $ra

j f

n

n

S1

S1

p S  p0 S0

p S  g0 S0 S1  g S S1

scap sequential
SCAP: sequential

 |- {(p’,g’)} I

S. p S  p’(AuxStep(c,S))

S,S’. p S  g’(AuxStep(c,S)) S’  g S S’

 |- {(p,g)} c;I

other control flows
Other control flows
  • Stack unwinding
  • Stack cutting
  • setjmp/longjmp in C
generalization stack unwinding cutting

Multi-ret

p1

p1

p

p

g1

g1

jr ra

jr ra

g

g

+

Tail-call

p1

p

g1

g

jr ra

Generalization: Stack unwinding/cutting
setjmp longjmp

env cannot outlive the stack frame of rev !

f0

f0

setjmp/longjmp

jmp_buf env = …;

void cmp0(int x,jmp_buf env){

cmp1(x, env);

}

int rev(int x){

if (setjmp(env) == 0){

cmp0(x, env); return 0;

}else{

return 1;

}

}

pc

pc

void cmp1(int x,jmp_buf env){

if (x == 0)

longjmp(env, 1);

else

return;

}

pc

env

sp

slide41

Read the paper at: http://flint.cs.yale.edu/flint/publications/sbca.html