scaling symbolic evaluation for automated verification of
play

Scaling symbolic evaluation for automated verification of systems - PowerPoint PPT Presentation

Dec 21, 2023 •315 likes •713 views

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

  1. Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson ¹ , James Bornholt ¹ , Ronghui Gu ² , Andrew Baumann ³ , Emina Torlak ¹ , Xi Wang ¹ ¹ University of Washington, ² Columbia University, ³ Microsoft Research 1

  2. Goal : eliminating bugs with formal verification Safety specification (e.g. noninterference) Refinement System implementation Functional specification Process Process Process OS Kernel / security monitor 2

  3. Using interactive / auto-active verification seL4 (SOSP’09) Ironclad Apps (OSDI’14) • Require manual proof annotations/tactics • Expensive: CertiKOS 200k LOC proof FSCQ (SOSP’15) • Multiple person-years CertiKOS (PLDI’16) Komodo (SOSP’17) 3

  4. This talk: automated (push-button) verification Implementation Specification • Trade-off: automation vs expressivity Automated verifier • No proofs on implementation SMT formula • Requires bounded implementation • Restricts spec to first-order logic SMT solver • Examples: Hyperkernel (SOSP’17), Nickel (OSDI’18) ✘ ✔ 4

  5. This talk: automated (push-button) verification Implementation Specification How to write and maintain automated verifiers? Automated verifier How to systematically fix SMT formula verification bottlenecks? SMT solver How to retrofit to existing systems? ✘ ✔ 5

  6. Contributions • Serval: a framework for writing automated verifiers • Lift interpreters into verifiers: RISC-V, BPF, x86-32, LLVM • Symbolic optimization for repairing verification bottlenecks • Experience with Serval • Retrofitted CertiKOS and Komodo for automated verification • Found 18 new bugs in Linux BPF JIT and Keystone • Assumption: no guarantees on concurrency or side channels 6

  7. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 7

  8. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 8

  9. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 9

  10. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 10

  11. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 11

  12. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 12

  13. Verifier = interpreter + symbolic optimization ✔ Write a verifier as Symbolic profiling to interpreter find bottleneck Develop / apply symbolic optimizations 13

  14. Example: proving refinement for sign 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) 5: ret Specification library RISC-V verifier Serval 14

  15. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch c program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 15

  16. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch c program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 16

  17. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch c program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 17

  18. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch c program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 18

  19. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) • Natural to write (define insn (fetch c program)) • Easy to audit (match insn • Can reuse CPU test suite [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 19

  20. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) 5: ret Specification library RISC-V verifier Serval 20

  21. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) Slow / Timeout 5: ret Specification library RISC-V verifier Serval 21

  22. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 22

  23. Bottleneck: state explosion due to symbolic PC (struct cpu (pc regs) #:mutable) (define (interpret c program) 0: sltz a0 a1 (define pc (cpu-pc c)) 1: bnez a1 4 (define insn (fetch c program)) 2: sgtz a0 a0 (match insn [('li rd imm) 3: ret (set-cpu-pc! c (+ 1 pc)) 4: li a0 -1 (set-cpu-reg! c rd imm)] 5: ret [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 23

  24. Bottleneck: state explosion due to symbolic PC v 0 : X < 0 B (struct cpu (pc regs) #:mutable) v 1 : ¬ v 0 c 7! cpu(0 , X, Y ) v 2 : ite( v 0 , 1 , 0) i 7! (sltz 1 0 # f) v 3 : ite( v 0 , 4 , 2) v 0 v 1 (define (interpret c program) J I v 4 : ite( v 0 , li , sgtz) 0: sltz a0 a1 c 7! cpu(1 , X, 1) c 7! cpu(1 , X, 0) v 5 : ite( v 0 , # f , 0) (define pc (cpu-pc c)) v 6 : ite( v 0 , � 1 , # f) 1: bnez a1 4 B (define insn (fetch c program)) v 7 : ite( v 0 , 5 , 3) c 7! cpu(1 , X, v 2 ) 2: sgtz a0 a0 v 8 : X > 0 (match insn i 7! (bnez # f 1 4) v 9 : ¬ v 8 [('li rd imm) v 0 v 1 3: ret v 10 : ite( v 8 , 1 , 0) E F v 11 : ite( v 0 , � 1 , v 10 ) (set-cpu-pc! c (+ 1 pc)) c 7! cpu(4 , X, v 2 ) c 7! cpu(2 , X, v 2 ) 4: li a0 -1 (set-cpu-reg! c rd imm)] A 5: ret [('bnez rs imm) c 7! cpu( v 3 , X, v 2 ) C (if (! (= (cpu-reg c rs) 0)) v 1 v 3 = 5 (set-cpu-pc! c imm) v 0 v 3 = 0 v 3 = 1 v 3 = 3 (set-cpu-pc! c (+ 1 pc)))] vector-ref ...)) B c 7! cpu( v 3 , X, v 2 ) i 7! (v 4 0 v 5 v 6 ) v 4 = sltz 24 v 4 = bnez

  25. Bottleneck: state explosion due to symbolic PC • Conditional jump (struct cpu (pc regs) #:mutable) (define (interpret c program) 0: sltz a0 a1 (define pc (cpu-pc c)) 1: bnez a1 4 (define insn (fetch c program)) 2: sgtz a0 a0 (match insn [('li rd imm) 3: ret (set-cpu-pc! c (+ 1 pc)) 4: li a0 -1 (set-cpu-reg! c rd imm)] 5: ret [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

661 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification of database queries Chenglong Wang , Alvin Cheung, Ras Bodik University of Washington 1 Relational Queries The language between human and

427 views • 41 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

ASYNC08 Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT asynchronous CIRCUITS USING CIRCUIT Petri nets Petri nets Iva n Polia kov, Andre y Mokhov, Da nil Sokolov, Ashur Ra fie v, Ale x Ya kovle v

474 views • 25 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Simulation Symbolic and ternary simulation BDDs Quaternary lattice Symbolic trajectory

334 views • 14 slides
Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU Munich joint work with Andrey Rybalchenko, Microsoft Research and Boris Kpf, IMDEA Verification Quantitative verification Quantitative

599 views • 16 slides
Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification Verification Verification Kim G. Larsen Kim G. Larsen Aalborg Aalborg University Aalborg Aalborg University University DENMARK University, ,

682 views • 46 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a cek Universit e Joseph Fourrier (France) Brno University of Technology (Czech Republic) 1 Ph.D. 1st year of doctoral degree programme at

377 views • 21 slides
Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings, Boston, MA Armin Straub January 7, 2012 Tulane University, New Orleans Joint work with : Jon Borwein U. of Newcastle, AU Symbolic evaluation of

652 views • 37 slides
Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda 01 Automated database monitoring 02 Why scaling automated monitoring is hard 03 M3 architecture and why it scales so well 04 How you can use M3

3.89k views • 37 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
In times of unforeseen events 2014 2010 Fire at Dover Campus 2009 H1N1 Outbreak 2003 SARS

In times of unforeseen events 2014 2010 Fire at Dover Campus 2009 H1N1 Outbreak 2003 SARS

E-LAB IN INSTITUTE OF TECHNICAL EDUCATION (ITE) Chua Wee Seng Ong Chao Xiang 1 INSTITUTE OF TECHNICAL EDUCATION In times of unforeseen events 2014 2010 Fire at Dover Campus 2009 H1N1 Outbreak 2003 SARS Outbreak 2 INSTITUTE OF TECHNICAL

466 views • 32 slides
Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,)

Adaptive)Concretization)for) Parallel)Program)Synthesis) Jinseong(Jeon 1 ,)Xiaokang)Qiu 2 ,) Armando)Solar@Lezama 2 ,)and)Jeffrey)S.)Foster 1) ) 1.)University)of)Maryland,)College)Park) 2.)MIT)CSAIL ) Syntax@guided)Synthesis) bit[32]

579 views • 57 slides
Model Finding for Recursive Functions in SMT Andrew Reynolds Jasmin Christian Blanchette Cesare

Model Finding for Recursive Functions in SMT Andrew Reynolds Jasmin Christian Blanchette Cesare

Model Finding for Recursive Functions in SMT Andrew Reynolds Jasmin Christian Blanchette Cesare Tinelli SMT July 18, 2015 Recursive Functions Recursive function definitions: f( x:Int ) := if x0 then 0 else f(x -1)+x Are useful in

523 views • 39 slides
Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni ,

Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni ,

Guarantees in in Program Synthesis Qinheping Hu , Jason Breck , John Cyphert , Loris D'Antoni , Thomas Reps Program Synthesis Specification Solution Program Synthesizer Search space Program Synthesis is Un Unpredicta edictable ble

1.05k views • 41 slides
MaxSAT and Related Optimization Problems Joao Marques-Silva 1 , 2 1 University College Dublin,

MaxSAT and Related Optimization Problems Joao Marques-Silva 1 , 2 1 University College Dublin,

MaxSAT and Related Optimization Problems Joao Marques-Silva 1 , 2 1 University College Dublin, Ireland 2 IST/INESC-ID, Lisbon, Portugal SAT/SMT Summer School 2012 FBK, Trento, Italy Example Problem: Minimum Vertex Cover The problem: Graph

1.66k views • 145 slides
ITE Early Admissions Exercise Impetus 2017 For those who are clear what they want to pursue, we

ITE Early Admissions Exercise Impetus 2017 For those who are clear what they want to pursue, we

All you need to know about the ITE Early Admissions Exercise Impetus 2017 For those who are clear what they want to pursue, we should support them as much as possible, to facilitate their admission into our PSEIs based on interests and

775 views • 42 slides
Multiband With Contaminated Training Data Results on AURORA 2 TCTS Facult Polytechnique de

Multiband With Contaminated Training Data Results on AURORA 2 TCTS Facult Polytechnique de

Multiband With Contaminated Training Data Results on AURORA 2 TCTS Facult Polytechnique de Mons Belgium INTRODUCTION The noise contamination of speech corpus leads to quasi optimal performance when test noise conditions match

638 views • 10 slides
CMSC201 Computer Science I for Majors Lecture 25 Final Exam Review Prof. Katherine Gibson

CMSC201 Computer Science I for Majors Lecture 25 Final Exam Review Prof. Katherine Gibson

CMSC201 Computer Science I for Majors Lecture 25 Final Exam Review Prof. Katherine Gibson Prof. Jeremy Dixon www.umbc.edu Office Hours Tuesday is the last day office hours will be held 2 www.umbc.edu Exam Rules The final is

478 views • 27 slides

More recommend