View
32
Download
0
Category
Preview:
DESCRIPTION
Low-Level Program Verification. CPU. Components of a Certifying Framework. Specifications. certified code (machine code + proof) specifications: program safety/security/correctness + machine model automated proof checker need not trust the correctness of proofs. No. Proof. - PowerPoint PPT Presentation
Citation preview
Low-Level Program Verification
Components of a Certifying Framework
• certified code (machine code + proof)
• specifications: program safety/security/correctness + machine model
• automated proof checker need not trust the correctness of proofs
Proof Checker Yes
CPU
Specifications
Proof
machine code
No
Low-Level Machine Code Verification
• Machine code is the executable form of programs
• Why verify machine code• Bugs in compilers may produce buggy machine code,
even if source code is correct• There are manually written assembly code in OS
kernels
The Machine
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P ::=(C,S,I)
::=(H,R)::={f I}*
pc
Operational semantics
The CAP LogicCertified Assembly Programming
Judgments
[Yu et al. ESOP 2003]
State assertions - Examples
a S. S.H(100) > 0 S.R(r1) = 17
S. a S a' S
a' S. odd(S.R(r1) )
Inference RulesWell-formed program:
Well-formed code heap:
Inference Rules (2)
Inference Rules (3)
means logical implication
Verification of malloc/free
Verification of malloc/free (2)
Soundness
Lemma (Preservation). If and , then there exists an assertion a’
such that .
Lemma (Progress). If , then there exists a program such that
Soundness (2)
Theorem (Soundness). If , then for all natural number n, there exists a program such that , and
then
then
and then
Program Specifications
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P ::=(C,S,I)
::=(H,R)::={f I}*
pc
a1
a2
a3
(spec) ::= {f a}*
a
Invariant-Based Verification
Initial condition: Inv(P0)
P0
c1 P1
c2 P2
c3 … cn Pn
Progress: if Inv(P), then P’. P c P’.
Preservation: if Inv(P) and P c P’, then Inv(P’).
f: ...
sw $ra, -4($fp) h:
jal h ;; $ra contains ct
ct: lw $ra, -4($fp) jr $ra
...
jr $ra
fp
stack
??ct
How to verify function call?
void f(){ void h(){
h(); return;
return; }
}
Does f use the right return addr.?
pc
ra
R
• SCAP specifications: (p, g)– p: State Prop– g: State State Prop
Specifications
f: ... sw $ra, -4($fp) jal h
ct: lw $ra, -4($fp) ... jr $ra
{(p0, g0)}
{(p1, g1)}
g0
g1
g0 S S’ S’.$ra = S.$ra …
• Challenges– f uses the “right” return addr.?
– Hoare triple {p} f {q}?• In different basic blocks!
{$ra = n …}
{$ra = n …}
Program Spec. and Code Pointers
jal f
jal h
jr $ra
jr $ra
g0
g4
p0
p4
g1
p1
g2
p2
g3
p3
…
jr $ra
• Program Specification::=
{f1(p1,g1), …,fn(pn,gn)}
• “safe” to return (jr $ra):– $radom() ($ra)=(p,g)– p holds at the time of return
SCAP : Stack Invariant
p0
g0p1
g1p2
g2p3
g3
g0 S0 S1 S1.$ra (S1.$ra))=(p1, g1) p1 S1
g0 S0 S1 g1 S1 S2 S2.$ra (S2.$ra)=(p2, g2) p2 S2
g0 S0 S1 g1 S1 S2 g2 S2 S3 S3.$ra (S3.$ra)=(p3, g3) p3 S3
jr $ra
Logical control stack
Always safe to return?S0
S1
S2
S3
…
SCAP : Stack Invariant
WFST(n, g0, S0, ) S1. g0 S0 S1
p1,g1.
(S1.$ra)=(p1, g1) p1 S1 WFST(n-1, g1, S1, )
WFST(0, g0, S0, ) S1. g0 S0 S1
Invariant:p S n.WFST(n, g, S, )
p0
g0p1
g1p2
g2p3
g3
jr $ra
Logical control stack
S0
S1
S2
S3
SCAP : Invariant Preservation
• Inv(S): p S n.WFST(n, g, S, )
cS’
p S n.WFST(n,g,S,)
S
p’ S’ n.WFST(n,g’,S’,)
p’,g’
SCAP: call
p0
g0p1
g1
jr $ra
p0
g0jr $ra
p
g
jal f
p S WFST(n, g, S, ) p0 S0 WFST(n+1, g0, S0, )
S S0
n+1
n
…
p S p0 S0
p1
g1
n
…
p S g0 S0 S1 p1 S1
p S g0 S0 S1 g1 S1 S2 g S S2
g0 S0 S1 S0.$ra = S1.$ra
S1S1
S2 S2
SCAP: the call rule
|- {(p,g)} jal f fret
H,R. p (H,R) p0 (H,R{rafret})
H,R,S1. p (H,R) g0 (H,R{rafret}) S1 p1 S1 (S2. g1 S1 S2 g S S2)
S0,S1. g0 S0 S1 S0.$ra = S1.$ra
(p0, g0) = (f) (p1, g1) = (fret)
SCAP: ret
pgp1
g1
p1
g1jr $ra
p S WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, )
n
n-1
…
n-1
…
p S g S S1
SS1
SCAP: return rule
|- {(p,g)} jr $ra
S. p S g S S
SCAP: direct jump (or tail call)
p0
g0
jr $ra
p
g
S
n
…
j f
p0
g0
jr $ra
S0
n
…
p S WFST(n, g S, ) p0 S0 WFST(n, g0 S0, )
p S p0 S0 p S g0 S0 S1 g S S1
S1S1
SCAP: sequential
|- {(p,g)} c;I
S. p S p’(AuxStep(c,S))
|- {(p’,g’)} I
S,S’. p S g’(AuxStep(c,S)) S’ g S S’
Other control flows
• Stack unwinding
• Stack cutting
• setjmp/longjmp in C
Call with Multiple Return Addr.
p1
g1jr ra
p
g
Multi-ret
Call with Multiple Ret. or Tail Call
Generalization: Stack unwinding/cutting
g1
p1
jr ra
p
g
+
p1
g1jr ra
p
g
Multi-ret
p1
g1
jr ra
p
g
Tail-call
Change of Invariant
void cmp1(int x,jmp_buf env){
if (x == 0)
longjmp(env, 1);
else
return;
}
setjmp/longjmp
int rev(int x){
if (setjmp(env) == 0){
cmp0(x, env); return 0;
}else{
return 1;
}
}
void cmp0(int x,jmp_buf env){
cmp1(x, env);
}
jmp_buf env = …;
pc
f0
… sp
env
f0 pc
pc
env cannot outlive the stack frame of rev !
…
…
Read the paper at: http://flint.cs.yale.edu/flint/publications/sbca.html
Recommended