formalizing exe s dll s
play

Formalizing EXEs, DLLs and all that Nick Benton, Andrew Kennedy - PowerPoint PPT Presentation

Nov 30, 2022 •174 likes •491 views

Formalizing EXEs, DLLs and all that Nick Benton, Andrew Kennedy (Microsoft Research Cambridge) Interns: Jonas Jensen (ITU), Valentin Robert (UCSD), Pierre-Evariste Dagand (INRIA), Jan Hoffman (Yale) PiP 2014 1 25th January 2014 Our

  1. Formalizing EXE’s, DLL’s and all that Nick Benton, Andrew Kennedy (Microsoft Research Cambridge) Interns: Jonas Jensen (ITU), Valentin Robert (UCSD), Pierre-Evariste Dagand (INRIA), Jan Hoffman (Yale) PiP 2014 1 25th January 2014

  2. Our dream Highest assurance software correctness for machine code programs through machine-assisted proof “Prove what you run” PiP 2014 2 25th January 2014

  3. One tool: Coq  Model (sequential, 32-bit, subset of) x86 in Coq: bits, bytes, memory, instruction decoding, execution  Generate x86 programs from Coq: assembly syntax in Coq, with macros, run assembler in Coq to produce machine code, even EXEs and DLLs  Specify x86 programs in Coq: separation logic for low-level code  Prove x86 programs in Coq: tactics and manual proof for showing that programs meet their specifications PiP 2014 3 25th January 2014

  4. x86 assembly code Macro for local procedure Macro for while loop Intel instruction syntax Macro for calling external C code Inline string data Inline byte data Scoped labels PiP 2014 4 25th January 2014

  5. X86 assembly code, in Coq Actually, “just” a Macros are “just” definition in Coq parameterized Coq definitions Assembler syntax is “just” user -defined Coq notation Scoped labels “just” use Coq binding PiP 2014 5 25th January 2014

  6. In previous work… POPL 2013 Low-level program logic for assembly; proof of soundness wrt machine model Program specifications; program logic tactics; proofs of correctness for assembly programs Model of x86 machine: binary reps, memory, instruction Higher-level languages; decoding, instruction execution compilers; compiler correctness Assembly-code representation; assembler; proof of correctness PPDP 2013 Simple macros (if, while); User macros; DSLs (e.g. regexps) PiP 2014 6 25th January 2014

  7. Today’s talk Extend generation, specification and verification of x86 machine code to  Generate binary link formats: EXEs and DLLs for Windows (i.e. practice )  Specify and verify behaviour of EXEs and DLLs  (Future work) Specify and verify loading and dynamic linking of EXEs and DLLs But first, a quick overview of our x86 machine model. PiP 2014 7 25th January 2014

  8. Model x86  Use Coq to construct a “reference implementation” of sequential x86 instruction decoding and execution Example fragment: semantics of call and return.

  9. Design an assembly language  Define datatype of programs, with sequencing, labels, and scoping of labels  Use Coq variables for object- level ‘variables’ (labels), à la higher-order abstract syntax PiP 2014 9 25th January 2014

  10. Build an assembler (1)  First implement instruction encoder: PiP 2014 10 25th January 2014

  11. Build an assembler (2)  Using instruction encoder, implement multi-pass assembler that determines a consistent assignment for scoped labels  Prove “round - trip” lemma stating that instruction decoding is inverse wrt instruction encoding  Extend this to a full round-trip theorem for the assembler PiP 2014 11 25th January 2014

  12. Design a logic  It’s usual to use a program logic such as Hoare logic to specify and reason about programs {P} C {Q} Postcondition Precondition Command  Recent invention of separation logic makes reasoning about pointers tractable  But still not appropriate for machine code  Machine code programs don’t “finish” (what postcondition?)  Code and data are all mixed up (“command” is just bytes in memory), also code can be “higher - order” with code pointers  We have devised a new separation logic that solves all these problems, embedded it in Coq, and proved it sound with respect to the machine model

  13. Example: Specifying memory allocation If it is safe to exit through failLabel or j … …such that (at j), EDI points just beyond accessible memory block of size bytes… …then it is safe to enter at i …under the assumption that memory at i..j decodes to allocator code, ESI and flags are arbitrary, and a data invariant is maintained

  14. Trivial implementation of allocator

  15. Prove some theorems  We have developed Coq tactics to help prove that programs behave as specified  Sometimes routine, sometimes careful reasoning required. Example proof fragment:

  16. Put it all together 1. Use Coq to produce raw bytes, link with a small boot loader, to produce a bootable image 2. Under assumptions about state of machine following boot loading, prove that program meets spec 3. Run! Game of life, written in assembler using Coq, running on bare metal! PiP 2014 16 25th January 2014

  17. Executables  That’s all well and good but  We’d like to formalize the process of loading programs, and support dynamic linking, and  Rather than booting the machine (or a VM) it would be nice to experiment on an existing OS e.g. Windows  Also good to test our ideas on linking and loading using existing formats  So: model EXE’s, DLL’s, loading and dynamic linking PiP 2014 17 25th January 2014

  18. What’s in an executable? Some machine code, with an entry point, preferred base address, and…  Several sections (code, data, r/o data, thread local data, etc.)  Relocation information (if not loaded at preferred base address)  Imports , by name or number  Exports (if executable is a DLL)  A lot of metadata  Legacy cruft (e.g. MSDOS stub!)  Informally documented in a ~100 page spec PiP 2014 18 25th January 2014

  19. What’s in an executable? Let’s look inside compile & link dumpbin /all PiP 2014 19 25th January 2014

  20. Example .EXE, in Coq Import a Dynamic Link Library Declare a code section containing our factorial code Import a named function from the DLL Generate the bytes of the .EXE at a given load address! Compile… …and run! PiP 2014 20 25th January 2014

  21. Example DLL counter.dll Export module-level labels by name Declare a module-level label without exporting it Read/write data section PiP 2014 21 25th January 2014

  22. Example client usecounter.exe Import Get from counter.dll Call indirect through Get’s “slot” PiP 2014 22 25th January 2014

  23. The messy details  Our assembly datatype and assembler give us all the mechanisms we need to generate the structures found in EXE’s and DLL’s  Byte, word, string representations  RVAs (Relative Virtual Address)  Padding  Alignment constraints  Bitfields  Multi-pass fixed-point iteration to deal with forward references  One small annoyance: file image not identical to in-memory image (e.g. alignment of sections); RVAs wrt in-memory image  Hack: add “skip” primitive in our writer monad to advance the assembler’s “cursor” without producing any bytes PiP 2014 23 25th January 2014

  24. Exports and imports Exports Logically: a list of 〈 name,address 〉 pairs Imports Logically: for each imported DLL,  Its name  A list of imported symbols (by name or ordinal )  A list of slots, one for each imported symbol: the Import Address Table or IAT In binary format, this is all somewhat messier! PiP 2014 24 25th January 2014

  25. Relocateable code  Some x86 code is position independent e.g. makes use of PC-relative offsets (jumps)  But much is not: especially on 32- bit, it’s hard to refer to global data in position independent way  So: executables have a “preferred base address”  If not loaded at this address, absolute addresses embedded in code and data must be rebased i.e. patched at load-time  The executable lists these in a special “. reloc ” section PiP 2014 25 25th January 2014

  26. What does the OS loader do? Before: in-file Code at RVA 0x230 Base = 0x3000 Base = 0x9000 Code Code for Inc Code Code for main section Code for Get section MOV EDX, [0x9570] Slot at RVA 0x570 “ Inc ” 0x100 Export table “Get” 0x230 “ Inc ” Import “Get” table counter.dll usecounter.exe PiP 2014 26 25th January 2014

  27. What does the OS loader do? After loading: in-memory Starting at address Starting at address 0x3000 0x9000 Base = 0x3000 Base = 0x9000 Code Code for Inc Code Code for main section Code for Get section MOV EDX, [0x9570] “ Inc ” 0x100 Export table “Get” 0x230 “ Inc ” 0x3100 Import “Get” table 0x3230 counter.dll usecounter.exe PiP 2014 27 25th January 2014

  28. Patching of instructions  We want to relocate addresses (“rebasing”) and perhaps link modules (in some non-Windows loader) by in-place update of instructions  Encodings matter. Prove lemmas such as PiP 2014 28 25th January 2014

  29. (Towards) Specifying calling conventions  “ fastcall ” calling convention for function of one argument (passed in ECX) and one result (in EAX) PiP 2014 29 25th January 2014

  30. What’s to do?  Separately specify different modules; prove correctness of combination, already loaded and with imports resolved  Model the loading process itself  Implement a small loader, in machine code using Coq, with export/import resolution  Prove its correctness PiP 2014 30 25th January 2014

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formalizing Dijkstra John Harrison Intel Corporation A Discipline of Programming

Formalizing Dijkstra John Harrison Intel Corporation A Discipline of Programming

Formalizing Dijkstra 1 Formalizing Dijkstra John Harrison Intel Corporation A Discipline of Programming Mechanizing programming logics Relational semantics Weakest preconditions Guarded commands Theorems about loops

299 views • 18 slides
CSE 116: Fall 2019 Introduction to Functional Programming Formalizing Nano Owen Arden

CSE 116: Fall 2019 Introduction to Functional Programming Formalizing Nano Owen Arden

CSE 116: Fall 2019 Introduction to Functional Programming Formalizing Nano Owen Arden UC Santa Cruz Based on course materials developed by Nadia Polikarpova Formalizing Nano Goal: we want to guarantee properties about programs, such

426 views • 10 slides
Common Knowledge: Formalizing the Social Applications 1 Today and Thursday well take a step

Common Knowledge: Formalizing the Social Applications 1 Today and Thursday well take a step

Common Knowledge: Formalizing the Social Applications 1 Today and Thursday well take a step in the direction of formalizing the social puzzles, such as omission commission. 2 First, a reminder of the set-up and the theorem 3 The set-

932 views • 59 slides
CMPS 112: Spring 2019 Comparative Programming Languages Formalizing Nano Owen Arden

CMPS 112: Spring 2019 Comparative Programming Languages Formalizing Nano Owen Arden

CMPS 112: Spring 2019 Comparative Programming Languages Formalizing Nano Owen Arden UC Santa Cruz Based on course materials developed by Nadia Polikarpova Formalizing Nano Goal: we want to guarantee properties about programs,

621 views • 12 slides
Formalizing Both Refraction-Based and Sequential Executions of Production Rule Programs Bruno

Formalizing Both Refraction-Based and Sequential Executions of Production Rule Programs Bruno

Formalizing Both Refraction-Based and Sequential Executions of Production Rule Programs Bruno Berstel-Da Silva Albert-Ludwigs-Universitt Freiburg IBM France Lab RuleML Montpellier August 29, 2012 1 / 10 RuleML 2012 Formalizing the

325 views • 31 slides
Formalizing Bachmair and Ganzinger's Ordered Resolution Prover Anders Jasmin Dmitriy Uwe

Formalizing Bachmair and Ganzinger's Ordered Resolution Prover Anders Jasmin Dmitriy Uwe

Formalizing Bachmair and Ganzinger's Ordered Resolution Prover Anders Jasmin Dmitriy Uwe Schlichtkrull Blanchette Traytel Waldmann Formalizing Automated Reasoning in Proof Assistants Theorem Proof assistants are mature enough to be used

661 views • 40 slides
Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt

Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt

Formalizing type theory in type theory using nominal techniques Ulrik Buchholtz TU Darmstadt HoTT/UF Workshop, Oxford, September 9, 2017 Motivation 1 Preliminaries 2 Nominal sets and types 3 Formalizing type theory 4 Conclusion 5

831 views • 40 slides
Lesson 3 Formalizing and Implementing Pure Lambda Calculus 1/15/02 Chapters 5.3, 6, 7 Outline

Lesson 3 Formalizing and Implementing Pure Lambda Calculus 1/15/02 Chapters 5.3, 6, 7 Outline

Lesson 3: Formalizing Lambda Calculus Lesson 3 Formalizing and Implementing Pure Lambda Calculus 1/15/02 Chapters 5.3, 6, 7 Outline Operational semantics of the lambda calculus substitution alpha-conversion, beta reduction

459 views • 8 slides
Formalizing Termination Proofs under Polynomial Quasi-interpretations Naohi Eguchi 1 Chiba

Formalizing Termination Proofs under Polynomial Quasi-interpretations Naohi Eguchi 1 Chiba

Formalizing Termination Proofs under Polynomial Quasi-interpretations Naohi Eguchi 1 Chiba University July 5, 2015, LCC 2015, Kyoto, Japan 1 Supported by Grants-in-Aid for JSPS fellows (No. 25 726 ) Naohi Eguchi (Chiba) Formalizing

565 views • 21 slides
Formalizing Frankls Conjecture: FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi

Formalizing Frankls Conjecture: FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi

Formalizing Frankls Conjecture: FC-Families Formalizing Frankls Conjecture: FC-Families c, Miodrag Filip Mari c, Bojan Vu ckovi Zivkovi c Faculty of Mathematics, University of Belgrade Intelligent Computer Mathematics,

457 views • 42 slides
Formalizing Subsumption Relations in Ontologies using Type Classes in Coq Richard Dapoigny 1

Formalizing Subsumption Relations in Ontologies using Type Classes in Coq Richard Dapoigny 1

Formalizing Subsumption Relations in Ontologies using Type Classes in Coq Richard Dapoigny 1 Patrick Barlatier 1 1 LISTIC/PolytechSavoie University of Savoie, Annecy, (FRANCE) Dapoigny, Barlatier (University of Savoie) Formalizing Subsumption

394 views • 37 slides
Formalizing o-minimality Reid Barton University of Pittsburgh January 6, 2020 FoMM / Lean

Formalizing o-minimality Reid Barton University of Pittsburgh January 6, 2020 FoMM / Lean

Formalizing o-minimality Reid Barton University of Pittsburgh January 6, 2020 FoMM / Lean Together The story Johan Commelin and I are interested in formalizing the theory of o-minimal structures . The story Johan Commelin and I are

747 views • 50 slides
Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J i-Won Byun Tr uSe Reading Group J anuar y 11, 2005 I ntroduction Problems of current aut horizat ion semant ics of SQL t oo complex due t

611 views • 32 slides
///// Respectfully Formalizing the Informal ///// Holistic Strategies for Integrating and

///// Respectfully Formalizing the Informal ///// Holistic Strategies for Integrating and

///// Respectfully Formalizing the Informal ///// Holistic Strategies for Integrating and Integrative Mobility For Urban Areas of the Global South Arnd N. Arnd N. Btzner tzner MSc MSc ETH, TH, cand and. . Ph Ph.D. University of

909 views • 58 slides
Formalizing projective geometry in Coq Nicolas Magaud Julien Narboux Pascal Schreck Universit

Formalizing projective geometry in Coq Nicolas Magaud Julien Narboux Pascal Schreck Universit

Formalizing projective geometry in Coq Nicolas Magaud Julien Narboux Pascal Schreck Universit e de Strasbourg, France GDR LTP, 21 Octobre 2009, Universit e Paris XII Magaud Schreck Narboux (UdS) Formalizing projective geometry GDR LTP

650 views • 41 slides
Formalizing CyberPhysical System Model Transformation via Abstract Interpretation Natasha

Formalizing CyberPhysical System Model Transformation via Abstract Interpretation Natasha

Formalizing CyberPhysical System Model Transformation via Abstract Interpretation Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson Department of Electrical and Computer Engineering Missouri University of Science and Technology Rolla,

432 views • 21 slides
Pause to Pivot An Exploration of Crisis as an Opportunity Hero | Heroines Journey Heros

Pause to Pivot An Exploration of Crisis as an Opportunity Hero | Heroines Journey Heros

FACILITATOR Tevis Trower CEO/Founder Balance Integration Pause to Pivot An Exploration of Crisis as an Opportunity Hero | Heroines Journey Heros Journey The Pit Heroines Journey The Pit When written in Chinese, the word Crisis is

361 views • 8 slides
Summary Magnus Wiktorsson long range dependence? Stylized facts in returns No

Summary Magnus Wiktorsson long range dependence? Stylized facts in returns No

Summary Magnus Wiktorsson long range dependence? Stylized facts in returns No Autocorrelation in returns Unconditional heavy tails Gain/Loss asymmetry. Aggregational Gaussianity Volatility clustering Conditional heavy

128 views • 12 slides
Structured Inference Networks for Nonlinear State Space Models Rahul G. Krishnan, Uri Shalit,

Structured Inference Networks for Nonlinear State Space Models Rahul G. Krishnan, Uri Shalit,

Structured Inference Networks for Nonlinear State Space Models Rahul G. Krishnan, Uri Shalit, David Sontag New York University 30 Sep 2016 Chris Cremer CSC2541 Nov 4 2016 Overview VAE Gaussian State Space Models Inference Network

348 views • 11 slides
Short Course State Space Models, Generalized Dynamic Systems and Sequential Monte Carlo Methods,

Short Course State Space Models, Generalized Dynamic Systems and Sequential Monte Carlo Methods,

Short Course State Space Models, Generalized Dynamic Systems and Sequential Monte Carlo Methods, and their applications in Engineering, Bioinformatics and Finance Rong Chen Rutgers University Peking University 1 Part Three: Advanced

355 views • 33 slides
Human Papillomavirus (HPV) testing in cervical screening: a systematic review and clinical

Human Papillomavirus (HPV) testing in cervical screening: a systematic review and clinical

Human Papillomavirus (HPV) testing in cervical screening: a systematic review and clinical practice guideline presented by: Erin Kennedy, PEBC Research Coordinator at: World Cancer Congress 2012 August 28, 2012 Background and Methods !

149 views • 3 slides
CLOVER HMC AND STAGGERED MULTIGRID ON SUMMIT AND VOLTA Kate Clark, July 25th 2018 OUTLINE with

CLOVER HMC AND STAGGERED MULTIGRID ON SUMMIT AND VOLTA Kate Clark, July 25th 2018 OUTLINE with

CLOVER HMC AND STAGGERED MULTIGRID ON SUMMIT AND VOLTA Kate Clark, July 25th 2018 OUTLINE with Clover HMC Multigrid Blint Jo Setup acceleration Arjun Gambhir Mathias Wagner Results Evan Weinberg Improving strong scaling Frank Winter

1.19k views • 78 slides
Report from the Executive Committee Paul Mackenzie mackenzie@fnal.gov USQCD All Hands

Report from the Executive Committee Paul Mackenzie mackenzie@fnal.gov USQCD All Hands

Report from the Executive Committee Paul Mackenzie mackenzie@fnal.gov USQCD All Hands Meeting Jefferson Lab April 28-29, 2017 Paul Mackenzie Report from the Executive Committee, USQCD All Hands Meeting, 2017 1 Activities and

266 views • 26 slides
Infinitary logic, large cardinals and AECs: some reflections Andrs Villaveces - Universidad

Infinitary logic, large cardinals and AECs: some reflections Andrs Villaveces - Universidad

A Catalan Prelude Reflection Classes (Beyond Syntax...) Back to syntax! Back to syntax, really? Infinitary logic, large cardinals and AECs: some reflections Andrs Villaveces - Universidad Nacional de Colombia - Bogot Reflections on Set

854 views • 69 slides

More recommend