Low-Level Program Verification

Components of a Certifying Framework

• certified code (machine code + proof)

• specifications: program safety/security/correctness + machine model

• automated proof checker need not trust the correctness of proofs

Proof Checker Yes

CPU

Specifications

Proof

machine code

No

Low-Level Machine Code Verification

• Machine code is the executable form of programs

• Why verify machine code• Bugs in compilers may produce buggy machine code,

even if source code is correct• There are manually written assembly code in OS

kernels

The Machine

I1f1:

I2f2:

I3f3:

…

(code heap) C

0

r1

1 2 …

r2 r3 … rn

(data heap) H

(register file) R

(state) S

addu … lw … sw … … j f

(instr. seq.) I

(program) P ::=(C,S,I)

::=(H,R)::={f I}*

pc

Operational semantics

The CAP LogicCertified Assembly Programming

Judgments

[Yu et al. ESOP 2003]

State assertions - Examples

a S. S.H(100) > 0 S.R(r1) = 17

S. a S a' S

a' S. odd(S.R(r1) )

Inference RulesWell-formed program:

Well-formed code heap:

Inference Rules (2)

Inference Rules (3)

means logical implication

Verification of malloc/free

Verification of malloc/free (2)

Soundness

Lemma (Preservation). If and , then there exists an assertion a’

such that .

Lemma (Progress). If , then there exists a program such that

Soundness (2)

Theorem (Soundness). If , then for all natural number n, there exists a program such that , and

then

then

and then

Program Specifications

I1f1:

I2f2:

I3f3:

…

(code heap) C

0

r1

1 2 …

r2 r3 … rn

(data heap) H

(register file) R

(state) S

addu … lw … sw … … j f

(instr. seq.) I

(program) P ::=(C,S,I)

::=(H,R)::={f I}*

pc

a1

a2

a3

(spec) ::= {f a}*

a

Invariant-Based Verification

Initial condition: Inv(P0)

P0

c1 P1

c2 P2

c3 … cn Pn

Progress: if Inv(P), then P’. P c P’.

Preservation: if Inv(P) and P c P’, then Inv(P’).

f: ...

sw $ra, -4($fp) h:

jal h ;; $ra contains ct

ct: lw $ra, -4($fp) jr $ra

...

jr $ra

fp

stack

??ct

How to verify function call?

void f(){ void h(){

h(); return;

return; }

}

Does f use the right return addr.?

pc

ra

R

• SCAP specifications: (p, g)– p: State Prop– g: State State Prop

Specifications

f: ... sw $ra, -4($fp) jal h

ct: lw $ra, -4($fp) ... jr $ra

{(p0, g0)}

{(p1, g1)}

g0

g1

g0 S S’ S’.$ra = S.$ra …

• Challenges– f uses the “right” return addr.?

– Hoare triple {p} f {q}?• In different basic blocks!

{$ra = n …}

{$ra = n …}

Program Spec. and Code Pointers

jal f

jal h

jr $ra

jr $ra

g0

g4

p0

p4

g1

p1

g2

p2

g3

p3

…

jr $ra

• Program Specification::=

{f1(p1,g1), …,fn(pn,gn)}

• “safe” to return (jr $ra):– $radom() ($ra)=(p,g)– p holds at the time of return

SCAP : Stack Invariant

p0

g0p1

g1p2

g2p3

g3

g0 S0 S1 S1.$ra (S1.$ra))=(p1, g1) p1 S1

g0 S0 S1 g1 S1 S2 S2.$ra (S2.$ra)=(p2, g2) p2 S2

g0 S0 S1 g1 S1 S2 g2 S2 S3 S3.$ra (S3.$ra)=(p3, g3) p3 S3

jr $ra

Logical control stack

Always safe to return?S0

S1

S2

S3

…

SCAP : Stack Invariant

WFST(n, g0, S0, ) S1. g0 S0 S1

p1,g1.

(S1.$ra)=(p1, g1) p1 S1 WFST(n-1, g1, S1, )

WFST(0, g0, S0, ) S1. g0 S0 S1

Invariant:p S n.WFST(n, g, S, )

p0

g0p1

g1p2

g2p3

g3

jr $ra

Logical control stack

S0

S1

S2

S3

SCAP : Invariant Preservation

• Inv(S): p S n.WFST(n, g, S, )

cS’

p S n.WFST(n,g,S,)

S

p’ S’ n.WFST(n,g’,S’,)

p’,g’

SCAP: call

p0

g0p1

g1

jr $ra

p0

g0jr $ra

p

g

jal f

p S WFST(n, g, S, ) p0 S0 WFST(n+1, g0, S0, )

S S0

n+1

n

…

p S p0 S0

p1

g1

n

…

p S g0 S0 S1 p1 S1

p S g0 S0 S1 g1 S1 S2 g S S2

g0 S0 S1 S0.$ra = S1.$ra

S1S1

S2 S2

SCAP: the call rule

|- {(p,g)} jal f fret

H,R. p (H,R) p0 (H,R{rafret})

H,R,S1. p (H,R) g0 (H,R{rafret}) S1 p1 S1 (S2. g1 S1 S2 g S S2)

S0,S1. g0 S0 S1 S0.$ra = S1.$ra

(p0, g0) = (f) (p1, g1) = (fret)

SCAP: ret

pgp1

g1

p1

g1jr $ra

p S WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, )

n

n-1

…

n-1

…

p S g S S1

SS1

SCAP: return rule

|- {(p,g)} jr $ra

S. p S g S S

SCAP: direct jump (or tail call)

p0

g0

jr $ra

p

g

S

n

…

j f

p0

g0

jr $ra

S0

n

…

p S WFST(n, g S, ) p0 S0 WFST(n, g0 S0, )

p S p0 S0 p S g0 S0 S1 g S S1

S1S1

SCAP: sequential

|- {(p,g)} c;I

S. p S p’(AuxStep(c,S))

|- {(p’,g’)} I

S,S’. p S g’(AuxStep(c,S)) S’ g S S’

Other control flows

• Stack unwinding

• Stack cutting

• setjmp/longjmp in C

Call with Multiple Return Addr.

p1

g1jr ra

p

g

Multi-ret

Call with Multiple Ret. or Tail Call

Generalization: Stack unwinding/cutting

g1

p1

jr ra

p

g

+

p1

g1jr ra

p

g

Multi-ret

p1

g1

jr ra

p

g

Tail-call

Change of Invariant

void cmp1(int x,jmp_buf env){

if (x == 0)

longjmp(env, 1);

else

return;

}

setjmp/longjmp

int rev(int x){

if (setjmp(env) == 0){

cmp0(x, env); return 0;

}else{

return 1;

}

}

void cmp0(int x,jmp_buf env){

cmp1(x, env);

}

jmp_buf env = …;

pc

f0

… sp

env

f0 pc

pc

env cannot outlive the stack frame of rev !

…

…

Read the paper at: http://flint.cs.yale.edu/flint/publications/sbca.html