formal verification of x86 machine code programs
play

Formal Verification of x86 Machine-Code Programs Computer - PowerPoint PPT Presentation

Jan 31, 2023 •239 likes •891 views

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin Software and Reliability Can we rely on our

  1. Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin

  2. Software and Reliability Can we rely on our software systems? Recent example of a serious bug: CVE-2016-5195 or “Dirty COW” • Privilege escalation vulnerability in Linux • E.g.: allowed a user to write to files intended to be read only • Copy-on-Write (COW) breakage of private read-only memory mappings • Existed since around v2.6.22 ( 2007 ) and was fixed on Oct 18, 2016 2

  3. Formal Verification of Software: Example 1 Software Formal Verification: proving or disproving that the implementation of a program meets its specification using mathematical techniques 3

  4. Formal Verification of Software: Example 1 Software Formal Verification: proving or disproving that the implementation of a program meets its specification using mathematical techniques Suppose you needed to count the number of 1s in the binary representation of a natural number ( population count ) . Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif 3

  5. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Source: Sean Anderson’s Bit-Twiddling Hacks 4

  6. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Source: Sean Anderson’s Bit-Twiddling Hacks 4

  7. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Do the specification and implementation behave the same way for all inputs? Source: Sean Anderson’s Bit-Twiddling Hacks 4

  8. Formal Verification of Software: Example 2 Suppose you needed to check if a given natural number is a power of 2. Specification: isPowerOfTwoSpec (x): [x: natural number] if x == 0 then return 0 else if x == 1 then return 1 else if remainder(x,2) == 0 then return isPowerOfTwoSpec (x/2) else return 0 endif endif endif 5

  9. Formal Verification of Software: Example 2 Can you trust your specification? Source: Sean Anderson’s Bit-Twiddling Hacks 6

  10. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Source: Sean Anderson’s Bit-Twiddling Hacks 6

  11. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Implementation: bool powerOfTwo (long unsigned int v) { bool f; f = v && !(v & (v - 1)); return f; } Source: Sean Anderson’s Bit-Twiddling Hacks 6

  12. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Implementation: bool powerOfTwo (long unsigned int v) { bool f; f = v && !(v & (v - 1)); return f; } Do the specification and implementation behave the same way for all inputs? Source: Sean Anderson’s Bit-Twiddling Hacks 6

  13. Inspection of a Program’s Behavior • Testing: x�� Exhaustive analysis is infeasible • Formal Verification: ✓ Wide variety of techniques ‣ Lightweight: e.g., checking if array indices are within bounds ‣ Heavyweight: e.g., proving functional correctness 7

  14. Example: Pop-Count Program popcount_64: 89 fa mov %edi,%edx 89 d1 mov %edx,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx 29 ca sub %ecx,%edx Functional Correctness: 89 d0 mov %edx,%eax c1 ea 02 shr $0x2,%edx RAX = popcountSpec(v) 25 33 33 33 33 and $0x33333333,%eax 81 e2 33 33 33 33 and $0x33333333,%edx 01 c2 add %eax,%edx 89 d0 mov %edx,%eax specification function c1 e8 04 shr $0x4,%eax 01 c2 add %eax,%edx 48 89 f8 mov %rdi,%rax 48 c1 e8 20 shr $0x20,%rax popcountSpec (v): 81 e2 0f 0f 0f 0f and $0xf0f0f0f,%edx [v: unsigned int] 89 c1 mov %eax,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx if v <= 0 then 29 c8 sub %ecx,%eax 89 c1 mov %eax,%ecx return 0 c1 e8 02 shr $0x2,%eax else 81 e1 33 33 33 33 and $0x33333333,%ecx 25 33 33 33 33 and $0x33333333,%eax lsb = v & 1 01 c8 add %ecx,%eax 89 c1 mov %eax,%ecx v = v >> 1 c1 e9 04 shr $0x4,%ecx return (lsb + popcountSpec (v)) 01 c8 add %ecx,%eax 25 0f 0f 0f 0f and $0xf0f0f0f,%eax endif 69 d2 01 01 01 01 imul $0x1010101,%edx,%edx 69 c0 01 01 01 01 imul $0x1010101,%eax,%eax c1 ea 18 shr $0x18,%edx c1 e8 18 shr $0x18,%eax 01 d0 add %edx,%eax c3 retq 8

  15. Case Study: Pop-Count Program (defthm x86-popcount-64-symbolic-simulation (implies (and (x86p x86) (equal (model-related-error x86) nil) (unsigned-byte-p 64 n) (equal n (read 'register *rdi* x86)) (equal *popcount-64-program* (read 'memory (address-range (read 'pc x86) (len *popcount-64-program*)) x86))) (equal (read 'register *rax* (x86-run *num-of-steps* x86)) (popcountSpec n) ))) 9

  16. Heavyweight Formal Verification 10

  17. Heavyweight Formal Verification • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties 10

  18. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties 10

  19. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. 10

  20. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . 10

  21. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . • All high-level programs compile down to machine-code programs. - A program is just a sequence of machine instructions. 10

  22. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . • All high-level programs compile down to machine-code programs. - A program is just a sequence of machine instructions. • We can reason about a program by inspecting the cumulative effects of its constituent instructions on the machine state . 10

  23. Why Not Use Abstract Machine Models? 11

  24. Why Not Use Abstract Machine Models? 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo

Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo

Third International Workshop on Numerical Software Verification Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo INRIA Saclay - Ile-de-France July 15th, 2010 Thanks to the organizers !

1.72k views • 136 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social Less formal: Techniques may Code reviews miss problems in programs Extreme/Pair programming Methodological Design patterns

330 views • 18 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of Computing, University of Utah, Salt Lake City, UT 84112 A Half-Day Tutorial Proposed for ICS 2009 http:// www.cs.utah.edu / formal_verification

1.3k views • 102 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy

Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy

Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy (joint work with Timothy Bourke, L elio Brun, Pierre- Evariste Dagand, Marc Pouzet, and Lionel Rieg) Inria, Paris MARS/VPT workshop, ETAPS

1.43k views • 55 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7,

Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7,

Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7, #84] lsrs r3, r3, #24 uxtb r3, r3 str r3, [r7, #48] ... // v0=*(Te[0] + a0); ldr r3, [r7, #48] lsls r2, r3, #2 ldr r3, [pc,

562 views • 30 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20 th 2010 Cocktail Derive programs from their specifications Does not scale and nobody programs like this Create proofs interactively with an

342 views • 7 slides
Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Existing tools Model and specification of FP numbers Examples Conclusion Motivations

410 views • 39 slides
Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo, SUNY Goal of formal verification: building programs that are correct. Why correctness matters? Why correctness matters? An example: DARPA HACMS

448 views • 40 slides
Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1

Reading assignment Chapter 3.1, 3.2 Chapter 4.1, 4.3 1 Outline Introduc5on to assembly programing Introduc5on to Y86 Y86 instruc5ons, encoding

615 views • 48 slides
CS 271: Computer Architecture and Assembly Language Winter 2013 January 7, 2013 1 / 20

CS 271: Computer Architecture and Assembly Language Winter 2013 January 7, 2013 1 / 20

CS 271: Computer Architecture and Assembly Language Winter 2013 January 7, 2013 1 / 20 Introduce yourself! On a piece of paper . . . Name, year CS/EE classes youve taken Are these office hours OK? Mon Noon2pm, Wed

441 views • 20 slides
Assembly Language for Intel- -Based Based Assembly Language for Intel th Edition Computers, 4 th

Assembly Language for Intel- -Based Based Assembly Language for Intel th Edition Computers, 4 th

Assembly Language for Intel- -Based Based Assembly Language for Intel th Edition Computers, 4 th Edition Computers, 4 Kip R. Irvine Chapter 3: Assembly Language Fundamentals (c) Pearson Education, 2002. Chapter Overview Chapter Overview

1.03k views • 47 slides
COMP2300/6300 Computer Organisation &amp; Program Execution Dr Uwe Zimmer Dr Charles Martin

COMP2300/6300 Computer Organisation &amp; Program Execution Dr Uwe Zimmer Dr Charles Martin

COMP2300/6300 Computer Organisation &amp; Program Execution Dr Uwe Zimmer Dr Charles Martin Semester 1, 2019 1 info assignment 2 is due on Friday remember to push early and push oten and dont leave your design document to the

1.01k views • 74 slides
CS305 Computer Architecture Fall 2009 Lecture 03 Bhaskaran Raman Department of CSE, IIT Bombay

CS305 Computer Architecture Fall 2009 Lecture 03 Bhaskaran Raman Department of CSE, IIT Bombay

CS305 Computer Architecture Fall 2009 Lecture 03 Bhaskaran Raman Department of CSE, IIT Bombay http://www.cse.iitb.ac.in/~br/ http://www.cse.iitb.ac.in/synerg/doku.php?id=public:courses:cs305-fall09:start Today's Topics Instruction set

506 views • 26 slides
CMPE 310: Systems Design and Programming Course Syllabus and More Spring 2008 Notice:

CMPE 310: Systems Design and Programming Course Syllabus and More Spring 2008 Notice:

CMPE 310: Systems Design and Programming Course Syllabus and More Spring 2008 Notice: Regularly check the course webpage for updates and announcements Course Instructor: Reza M. Rad Office: ITE 374, Telephone: 410-455-8776 Email:

551 views • 4 slides
Rethinking the Design of Presentation Slides: A Case for Sentence Headlines and Visual Evidence

Rethinking the Design of Presentation Slides: A Case for Sentence Headlines and Visual Evidence

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/233595674 Rethinking the Design of Presentation Slides: A Case for Sentence Headlines and Visual Evidence Article in Technical

403 views • 12 slides
Assertions, pre/post- conditions and invariants Programming as a contract Specifying what

Assertions, pre/post- conditions and invariants Programming as a contract Specifying what

Assertions, pre/post- conditions and invariants Programming as a contract Specifying what each method does Specify it in a comment before method's header Precondition What is assumed to be true before the method is executed

409 views • 21 slides

More recommend