extending the compcert certified c compiler
play

Extending the CompCert certified C compiler with instruction - PowerPoint PPT Presentation

Dec 11, 2023 •350 likes •557 views

Extending CompCert S. Boulm e ( Verimag , Grenoble-INP) RISC-V week @ Paris2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr

  1. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Extending the CompCert certified C compiler with instruction scheduling and control-flow integrity (CFI) October 2019 Sylvain.Boulme@univ-grenoble-alpes.fr Verimag , Grenoble-INP 1/19

  2. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Issue : optimizing compiler for safety-critical software Compilation bugs in most C compilers (GCC, LLVM, etc) . Attested by randomized differential testing : Eide-Regehr’08, Yang-et-al’11, Lidbury-et-al’15, ... Tests of optimizing compilers cannot cover all corner cases ! Strong safety-critical requirements of Avionics (DO-178) , Nuclear (IEC-61513) , Automotive (ISO-26262) , Railway (IEC-62279) often established at the source level with human review of the compiled code . ← intractable if optimized One solution : a formally proved compiler ! formal proof = computer-aided review of the compiler code w.r.t its spec. up-to-date & very sharp (formal) documentation of the compiler ⇒ that also helps “ external developers ” (like us at Verimag) 2/19

  3. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Overview of https://github.com/AbsInt/CompCert Input most of ISO C99 + a few extensions Output (32&64 bits) code for RISC-V , PowerPC, ARM, x86 Developed since 2005 by Leroy-et-al at Inria Commercial support since 2015 by AbsInt (German Company) Industrial uses in Avionics (Airbus) & Nuclear Plants (MTU) Unequaled level of trust for industrial-scaling compilers Correctness proved within the Coq proof assistant Performance of generated code (for PowerPC and ARM) 2 × faster than gcc -O0 10% slower than gcc -O1 and 20% than gcc -O3 . Example In MTU systems (emergency power for Nuclear Plants) 28% smaller WCET than with a previous unverified compiler. 3/19

  4. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Understanding the formal correctness of CompCert Formally, correctness of compiled code is ensured modulo  • correctness of C formal semantics in Coq   • correctness of assembly formal semantics in Coq • absence of undefined behavior in the source program   Formal semantics ≃ relation between “programs” and “behaviors” i.e. a (possibly non-deterministic) interpretation of programs for C : formalization of ISO C99 standard for assembly : formalization/abstraction of ISA Source program assumed to be without undefined behavior int x, t[10], y; ... if (...) { t[10]=1; // undefined behavior: out of bounds // the compiler could write in x or y, // or prune the branch as dead -code , ... 4/19

  5. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Informal view of CompCert formal correctness Observable Value = int or float or address of global variable Trace = a sequence of external function calls (or volatile accesses ) each of the form “ f ( v 1 , . . . , v n ) �→ v ” where f is name Behavior = one of the four possible cases (of an execution) :  an infinite trace (of a diverging execution)    a finite trace followed by an infinite “silent” loop  a finite trace followed by an integer exit code (terminating case)    a finite trace followed by an error (UNDEFINED-BEHAVIOR)  Semantics = maps each program to a set of behaviors . Correctness of the compiler For any source program S , if S has no UNDEFINED-BEHAVIOR, and if the compiler returns some assembly program C , then any behavior of C is also a behavior of S . NB : under these conditions, C has no UNDEFINED-BEHAVIOR. 5/19

  6. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Modular design of CompCert in Coq Components independent/parametrized/specific w.r.t. the target side-effects out of type elimination stack allocation expressions loop simplification of variables CompCert C Clight C#minor Cminor instruction linearization register CFG selection of CFG allocation construction Linear LTL RTL CminorSel layout of branch tunneling CFG optimizations stackframes Mach Asm assembly code generation And now, Verimag ’s Mach → Asm for two targets 1. The “K1c” VLIW core of Kalray : the 1st (scaling) certified compiler that optimizes ILP ? 2. A variant of RISC-V with encryption and CFI. 6/19

  7. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Instruction scheduling for CompCert /Kalray’s K1c Joint work with C. Six (Kalray/Verimag) and D. Monniaux (CNRS/Verimag) Kalray’s K1c = a 6-issue VLIW with a 7-stage pipeline, e.g. with instruction level parallelism (ILP) in 2D bundles of (upto) 6 instructions may run in parallel at each of the 7 pipeline stages. with a very predictible semantics : in-order & interlocked. � simplify WCET estimations & compilers design ! Two main contributions of our CompCert backend 1. an (abstract) formal semantics of VLIW assembly expressing parallel execution of instructions within bundles 2. a certified instruction scheduler performing assembly optimization w.r.t the 2D of ILP a speedup of more 50% on the code generated by CompCert coming around 10% slower than GCC-O2 (Kalray’s backend) & generally 20% faster than GCC-O1 (without scheduling) 7/19

  8. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Issue : CompCert and Control-Flow Integrity (CFI) ? status pay( float amount , id client , id vendor ){ if (auth(client )) goto transaction; ABORTED; return transaction: /* perform the transaction */ CompCert ’s formal correctness implies that the generated assembly cannot run code at transaction without being entered “normally” in function pay under the two following conditions ◮ no undefined-behavior in the source (e.g. no BOV) ◮ trustworthy runtime environment (e.g. no hardware attack) � very restrictive conditions w.r.t practice ! 8/19

  9. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Overview of CFI in CEA’s IntrinSec Works of O. Savry and its team at CEA-LETI CEA’s IntrinSec = a RISC-V variant (still under design) with code/data encryption with CF&data access-control Control-Flow Integrity (in an adversarial context) provided by access-control on both the CF : ensuring that CF cannot “ enter into functions ” except at : function entry + return-address (RA) from callees the stack : ensuring that only “authorized instructions” can modify RA in the stack (e.g. no buffer-overflows). Actually, the processor aborts to prevent unsecure behaviors : Buffer-overflows can modify RA on the stack, but then, abort on the load into RA register 9/19

  10. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 CF access control for CompCert /CEA’s IntrinSec Joint work with P. Torrini (Verimag) & hints from M.L. Potet (Verimag) and O. Savry (LETI) Our contributions ◮ Extend CompCert ’s RISC-V model with IntrinSec’s instructions of CF access control ◮ Make CompCert generate instructions of CF access control ◮ Formally prove the compiler correctness (work in progress) Future works ◮ Support of data access-control ◮ Informal CFI properties of the platform ◮ Toward a formalization of some CFI properties ? Issue : CompCert ’s models too high-level for expressing attacks ? 10/19

  11. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Conclusions CompCert = a moderately -optimizing C compiler with an unprecedented level of trust in its correctness “ CompCert is the only compiler we have tested for which Csmith cannot find wrong-code errors. This is not for lack of trying : we have devoted about six CPU-years to the task. [ . . . ] developing compiler optimizations within a proof framework [ . . . ] has tangible benefits for compiler users.” Yang-et-al’11 (from randomized differential testing) CompCert ready to be included into chip codesign but, in parallel of a traditional compiler ! Cons some feature could still be hard to support in CompCert Pro formal feedback on the ISA (semantics & compilation process) ⇒ Convergence with RISC-V community on safety, security, embedded systems, etc. 11/19

  12. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 Appendix (offline slides) Topics The Coq proof assistant Trust in ELF binaries produced with CompCert More details on the CompCert /Kalray’s K1c Topics 12/19

  13. Extending CompCert S. Boulm´ e ( Verimag , Grenoble-INP) RISC-V week @ Paris’2019 The Coq proof assistant A language to formalize mathematical theories (and their proofs) with a computer . Examples : • Four-color & Odd-order theorems by Gonthier-et-al. • Univalence theory by Voevodsky (Fields Medalist). With a high-level of confidence : • Logic reduced to a few powerful constructs ; Proofs checked by a small verifiable kernel • Consistency-by-construction of most user theories (promotes definitions instead of axioms ) ACM Software System Award in 2013 for Coquand, Huet, Paulin-Mohring et al. Topics The Coq proof assistant 13/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr

Introduction to the CompCert Certified Compiler S. Boulm e March 2020 CompCert : C compilers you can formally trust March 2020 Sylvain.Boulme@univ-grenoble-alpes.fr 1/24 Introduction to the CompCert Certified Compiler S. Boulm e

1.01k views • 65 slides
CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and

CompCert guarantees for low-level C programs Sandrine Blazy joint work with Frdric Besson and Pierre Wilke IFIP W.G. 2.11, Bloomington, 2016-08-23 1 The CompCert C verified compiler Compiler + proof that the compiler does not introduce bugs

471 views • 24 slides
A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes,

A concrete memory model for CompCert Frdric Besson Sandrine Blazy Pierre Wilke Rennes, France P . Wilke A concrete memory model for CompCert 1 / 28 CompCert real-world C to ASM compiler used in industry (commercialised by AbsInt)

563 views • 40 slides
Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The

Mechanized semantics for Clight Sandrine Blaxy, Xavier Leroy Pim Jager - Type Theory and Coq The CompCert C project Formally proving a compiler The CompCert project investigates the formal verification of realistic compilers usable

948 views • 26 slides
Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and

Formal verification of program obfuscations Sandrine Blazy joint work with Roberto Giacobazzi and Alix Trieu IFIP WG 2.11, 2015-11-10 1 Background: verifying a compiler Compiler + proof that the compiler does not introduce bugs CompCert, a

597 views • 21 slides
Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo

Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo

Extending a Compiler Backend for Complete Memory Error Detection Norman A. Rink and Jeronimo Castrillon Technische Universitt Dresden Automotive Safety & Security 2017 30 May 2017 Stuttgart Outline 1. Motivation 2. Error detection,

573 views • 23 slides
11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must

11/8/2012 The Structure of a Compiler (2) The Structure of a Compiler (1) Any compiler must perform two major tasks Sourc rce Progra ram Tokens Syntactic Semantic Scanner Parser Structure re Routines (Chara racter r St Stre

690 views • 22 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler

Compiler Construction Chapter 11 1 Compiler Construction Compiler Construction A New Compiler Perhaps a new source language Perhaps a new target for an existing compiler Perhaps both 2 Compiler Construction Compiler Construction

661 views • 18 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1

Formal C semantics: CompCert and the C standard Robbert Krebbers 1 Xavier Leroy 2 Freek Wiedijk 1 1 ICIS, Radboud University Nijmegen, The Netherlands 2 Inria Paris-Rocquencourt, France July 17, 2014 @ ITP, Vienna, Austria 1 Underspecification

511 views • 34 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
10/15/2018 About Me Professional Certified Coach ( 900+ certified hours) MBTI and ELI

10/15/2018 About Me Professional Certified Coach ( 900+ certified hours) MBTI and ELI

10/15/2018 About Me Professional Certified Coach ( 900+ certified hours) MBTI and ELI Certified Practitioner 12 Years as Trade Association Executive Director Lifelong Entrepreneur (Apparel, Fitness, Coaching) Podcaster, The

325 views • 11 slides
Certified Laboratories OAC 3745 300 04 Certified Professional 8 Hour Training VAP CL

Certified Laboratories OAC 3745 300 04 Certified Professional 8 Hour Training VAP CL

Certified Laboratories OAC 3745 300 04 Certified Professional 8 Hour Training VAP CL Rule In order to demonstrate that applicable standards are met for a property, VAP Certified Laboratory analysis must be performed on all COCs in all

173 views • 6 slides
Software Engineering A historical perspective and a current assessment Niklaus Wirth Zurich,

Software Engineering A historical perspective and a current assessment Niklaus Wirth Zurich,

Software Engineering A historical perspective and a current assessment Niklaus Wirth Zurich, 22.11.2010 Early days 1960: Language and compiler Neliac Overriding property: A mess Extending language, fixing compiler bugs: Black art Missing a

127 views • 12 slides
Syntax Macros: a Case-Study in Extending Clang Dr. Norman A. Rink Technische Universitt

Syntax Macros: a Case-Study in Extending Clang Dr. Norman A. Rink Technische Universitt

Syntax Macros: a Case-Study in Extending Clang Dr. Norman A. Rink Technische Universitt Dresden, Germany norman.rink@tu-dresden.de LLVM Cauldron 8 September 2016 Hebden Bridge, England Who we are Chair for Compiler Construction (since

515 views • 14 slides
CMSC 430 Introduction to Compilers Fall 2018 LLVM Compiler Framework Overview Weve

CMSC 430 Introduction to Compilers Fall 2018 LLVM Compiler Framework Overview Weve

CMSC 430 Introduction to Compilers Fall 2018 LLVM Compiler Framework Overview Weve focused on building a compiler, end to end In practice, there are a lot of tools we can leverage Today well discuss one of the most popular:

776 views • 12 slides
LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides? Any problems? Outline Introduction to LLVM CAT steps Hacking LLVM LLVM LLVM is a great, hackable compiler for C/C++ languages

1.68k views • 44 slides
Code Generation 22 November 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser

Code Generation 22 November 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser

Code Generation 22 November 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator string of string of abstract string of characters tokens program integers (source code) (words) (object code) The code

1.05k views • 55 slides
Compiling with Optimizations Compilers usually have options to apply optimization

Compiling with Optimizations Compilers usually have options to apply optimization

13.1 13.2 Compiling with Optimizations Compilers usually have options to apply optimization Example: gcc/g++ -O n -O0 : ____ optimization (the default); generates unoptimized code but has the CS356 Unit 13 __________ compilation

530 views • 11 slides
Language, Compiler, and Optimization Issues in Quantum Computing Margaret Martonosi Princeton

Language, Compiler, and Optimization Issues in Quantum Computing Margaret Martonosi Princeton

Language, Compiler, and Optimization Issues in Quantum Computing Margaret Martonosi Princeton University Fred Chong Ali JavadiAbhari Kenneth R. Brown Diana Franklin Shruti Patil Georgia Tech Jeff Heckey Princeton University Daniel Kudrow

1.1k views • 42 slides
How Cython Works A one hour guide to compiler design (sarcasm) Josh Kantor May 15, 2008 Josh

How Cython Works A one hour guide to compiler design (sarcasm) Josh Kantor May 15, 2008 Josh

How Cython Works A one hour guide to compiler design (sarcasm) Josh Kantor May 15, 2008 Josh Kantor How Cython Works Goal for this talk Cython is an integral part of sage, and it is useful to be able to bend it to our will. However,

607 views • 24 slides
Compiling C Code Philipp Koehn 28 October 2019 Philipp Koehn Computer Systems Fundamentals:

Compiling C Code Philipp Koehn 28 October 2019 Philipp Koehn Computer Systems Fundamentals:

Compiling C Code Philipp Koehn 28 October 2019 Philipp Koehn Computer Systems Fundamentals: Compiling C Code 28 October 2019 C Code 1 Source Code #include <stdlib.h> #include <stdio.h> int main(void) { printf("Hello

380 views • 17 slides
Compiler Construction Lecture 1: Introduction Thomas Noll Lehrstuhl f ur Informatik 2

Compiler Construction Lecture 1: Introduction Thomas Noll Lehrstuhl f ur Informatik 2

Compiler Construction Lecture 1: Introduction Thomas Noll Lehrstuhl f ur Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de http://moves.rwth-aachen.de/teaching/ss-14/cc14/ Summer Semester 2014 Outline Preliminaries

1.04k views • 20 slides

More recommend