talx86 a realistic typed assembly language talx86 a
play

TALx86: A Realistic Typed Assembly Language TALx86: A Realistic - PowerPoint PPT Presentation

TALx86: A Realistic Typed Assembly Language TALx86: A Realistic Typed Assembly Language Dan Grossman, Fred Smith Cornell University Joint work with: Greg Morrisett, Karl Crary (CMU), Neal Glew, Richard Samuels, Dave Walker, Stephanie Weirich,


  1. TALx86: A Realistic Typed Assembly Language TALx86: A Realistic Typed Assembly Language Dan Grossman, Fred Smith Cornell University Joint work with: Greg Morrisett, Karl Crary (CMU), Neal Glew, Richard Samuels, Dave Walker, Stephanie Weirich, Steve Zdancewic

  2. Everyone wants extensibility: Everyone wants extensibility: • Web browser • applets, plug-ins • OS Kernel • packet filters, device drivers • “Active” networks • service routines • Databases • extensible ADTs 1 May 1999 2 www.cs.cornell.edu/talc

  3. The Language Approach The Language Approach Extension is written in a “safe” language: • Java, Modula-3, ML, Scheme • Key point: language provides abstractions • ADTs, closures, objects, modules, etc. • Can be used to build fine-grained capabilities Host ensures code respects abstractions: • Static checking (verification) • Inserting dynamic checks (code-rewriting) 1 May 1999 3 www.cs.cornell.edu/talc

  4. Example: Your Web Browser Example: Your Web Browser JVM verifier System Interface Low-Level IL Java Source Browser javac Optimizer JVM bytecode System Binary Binary 1 May 1999 4 www.cs.cornell.edu/talc

  5. JVM Pros & Cons JVM Pros & Cons Pros: • Portability • Hype: $, tools, libraries, books, training Cons: • Performance • unsatisfying, even with off-line compilation • Only really suitable for Java (or slight variants): • relatively high-level instructions tailored to Java • type system is Java specific • and... 1 May 1999 5 www.cs.cornell.edu/talc

  6. Large Trusted Computing Base Large Trusted Computing Base No complete JVM verifier System formal model Interface Must insert right Low-Level IL checks Browser Good code ⇒ Optimizer big optimizer ⇒ bugs in optimizer System Binary Lots of “native” methods Binary (i.e., not-safe code) 1 May 1999 6 www.cs.cornell.edu/talc

  7. Ideally: Ideally: trusted computing base System Your favorite verifier Interface language System Binary Low-Level IL optimizer machine code 1 May 1999 7 www.cs.cornell.edu/talc

  8. The Types Way The Types Way trusted computing base System Your safe verifier Interface language System Typed Binary Low-Level IL • Verifier is a type-checker Typed • Type system flexible and optimizer expressive • A useful instantiation of the TAL “proof carrying code” framework 1 May 1999 8 www.cs.cornell.edu/talc

  9. TALx86 in a Nutshell TALx86 in a Nutshell • Most of the IA32 80x86 flat model assembly language • Memory management primitives • Sound type system • Types for code, stacks, structs • Other advanced features • Future work (what we can’t do yet) 1 May 1999 9 www.cs.cornell.edu/talc

  10. TALx86 Basics: TALx86 Basics: Primitive types: (e.g., int) Code types: {r 1 : τ 1 ,…,r n : τ n } • “I’m code that requires register r i to have type τ i before you can jump to me.” • Code blocks are annotated with their types • Think pre-condition • Verify block assuming pre-condition 1 May 1999 10 www.cs.cornell.edu/talc

  11. Sample Loop Sample Loop C: TAL sketch: <n and retn addr as input> int sum(int n){ int s=0; sum: <type> while(!n) { <initialize s> s+=n; loop: <type> --n; <add to s, decrement n> } return n; test: <type> } <return if n is 0> 1 May 1999 11 www.cs.cornell.edu/talc

  12. Verification Verification sum: {ecx:int, ebx:{edx:int}} {ecx:int, ebx:{edx:int}, eax:int} mov eax,0 OK: sub-type of type labeling test jmp test loop:{ecx:int, ebx:{edx:int}, eax:int} {ecx:int, ebx:{edx:int}, eax:int} add eax,ecx {ecx:int, ebx:{edx:int}, eax:int} dec ecx OK: sub-type of type labeling next block test:{ecx:int, ebx:{edx:int}, eax:int} cmp ecx,0 {ecx:int, ebx:{edx:int}, eax:int} jne loop OK: sub-type of type labeling loop mov edx,eax {ecx:int, ebx:{edx:int}, eax:int, edx:int} OK: sub-type of {edx:int} -- type of ebx jmp ebx 1 May 1999 12 www.cs.cornell.edu/talc

  13. Stacks & Procedures Stacks & Procedures Stack Types (lists): σ ::= nil | τ :: σ | ρ where ρ is a stack type variable. Examples using C calling convention: int square(int); int mult(int,int); ∀ρ 1 {esp: τ 1 ::int:: ρ 1 } ∀ρ 2 {esp: τ 2 ::int::int:: ρ 2 } where where τ 1 ={eax: int, esp: int:: ρ 1 } τ 2 ={eax: int, esp: int::int:: ρ 2 } 1 May 1999 13 www.cs.cornell.edu/talc

  14. Stacks & Verification Stacks & Verification square: ∀ρ 1 {esp: τ 1 ::int:: ρ 1 } ρ 1 where τ 1 ={eax: int, esp: int:: ρ 1 } push [esp+4] push [esp+8] call mult [with ρ 2 = τ 1 ::int:: ρ 1 ] int τ aft ={eax:int, esp: int::int:: τ 1 ::int:: ρ 1 } add esp,8 τ 1 retn int mult: ∀ρ 2 {esp: τ 2 ::int::int:: ρ 2 } where τ 2 ={eax: int, esp: int::int:: ρ 2 } int {esp: τ 2 ::int::int:: τ 1 ::int:: ρ 1 } where τ 2 ={eax: int, esp: int::int:: τ 1 ::int:: ρ 1 } τ aft 1 May 1999 14 www.cs.cornell.edu/talc

  15. Important Properties Important Properties • Abstraction “Because the type of the rest of the stack is abstract the callee cannot read/write this portion of the stack” • Flexibility Can encode and enforce many calling conventions (stack shape on return, callee-save, tail calls, etc.) 1 May 1999 15 www.cs.cornell.edu/talc

  16. Callee- -Save Example Save Example Callee mult: ∀α ∀ρ 2 {ebp: α, esp: τ 2 ::int::int:: ρ 2 } where τ 2 ={ebp: α, eax: int, esp: int::int:: ρ 2 } 1 May 1999 16 www.cs.cornell.edu/talc

  17. Structs Structs • Goals: • Prevent reading uninitialized fields • Permit flexible scheduling of initialization • MALLOC “instruction” returns uninitialized record • Type of struct tracks initialization of fields • Example: {ecx: int} MALLOC eax,8 [int,int] ; eax : ^*[int u , int u ] mov [eax+0], ecx ; eax : ^*[int rw ,int u ] mov ecx, [eax+4] ; type error! 1 May 1999 17 www.cs.cornell.edu/talc

  18. Much, much more Much, much more • Arrays (see next slide) • Tagged Unions • Displays, Exceptions [TIC’98] • Static Data • Modules and Interfaces [POPL’99] • Run-time code generation [PEPM’99 Jim, Hornof] 1 May 1999 18 www.cs.cornell.edu/talc

  19. Mis- -features features Mis • MALLOC and garbage collection in trusted computing base [POPL’99] • No way to express aliasing • No array bounds check elimination [Walker] • Object/class support too primitive [Glew] 1 May 1999 19 www.cs.cornell.edu/talc

  20. Summary and Conclusions Summary and Conclusions • We can type real machine code Potential for performance + flexibility + safety • Challenge: Finding generally useful abstractions • Lots of work remains http://www.cs.cornell.edu/talc 1 May 1999 20 www.cs.cornell.edu/talc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend