trustworthy decompilation extracting models of machine
play

Trustworthy decompilation: Extracting models of machine code inside - PowerPoint PPT Presentation

Jun 17, 2023 •199 likes •660 views

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

  1. Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010

  2. The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB

  3. Problems with machine code Formal verification of machine code: machine code code

  4. Problems with machine code Formal verification of machine code: machine code correctness statement { P } code { Q } code

  5. Problems with machine code Formal verification of machine code: ARM/x86/PowerPC model . . . machine code correctness statement (12100/4500/2100 lines) { P } code { Q } code . . .

  6. Problems with machine code Formal verification of machine code: ARM/x86/PowerPC model . . . machine code correctness statement (12100/4500/2100 lines) { P } code { Q } code . . . Contribution: tools/methods which ◮ expose as little as possible of the big models to the user; ◮ make non-automatic proofs independent of the models

  7. Proposed solution code decompiler (func,thm) Decompiler: ◮ input: machine code ◮ output: function computed by code & certificate theorem

  8. Trusted extension My tools = ML programs which steer HOL4 to a proof my tools standard HOL4 theories and tools: SIMP, EVAL, METIS, SAT, Z3... HOL4 kernel HOL4 Every proof passes the LCF-style logical kernel of HOL4.

  9. This talk: ◮ explaining decompilation � demo ◮ pros/cons of HOL4

  10. Models of machine languages Formal verification of machine code: ARM/x86/PowerPC model . . . machine code correctness statement (12100/4500/2100 lines) { P } code { Q } code . . .

  11. Models of machine languages Machine models borrowed from work by others: ARM model, by Fox [ITP’10] ◮ covers practically all ARM instructions, for old and new ARMs ◮ extensively tested against real hardware x86 model, by Sarkar et al. [POPL’09] ◮ covers all addressing modes in 32-bit mode x86 ◮ includes approximately 30 instructions PowerPC model, originally from Leroy [POPL’06] ◮ manual translation (Coq → HOL4) of Leroy’s PowerPC model ◮ instruction decoder added

  12. Hoare triple Each model can be evaluated, e.g. ARM instruction add r0,r0,r0 is described by theorem: |- (ARM READ MEM ((31 >< 2) (ARM READ REG 15w state)) state = 0xE0800000w) ∧ ¬ state.undefined ⇒ (NEXT ARM MMU cp state = ARM WRITE REG 15w (ARM READ REG 15w state + 4w) (ARM WRITE REG 0w (ARM READ REG 0w state + ARM READ REG 0w state) state))

  13. Hoare triple Each model can be evaluated, e.g. ARM instruction add r0,r0,r0 is described by theorem: |- (ARM READ MEM ((31 >< 2) (ARM READ REG 15w state)) state = 0xE0800000w) ∧ ¬ state.undefined ⇒ (NEXT ARM MMU cp state = ARM WRITE REG 15w (ARM READ REG 15w state + 4w) (ARM WRITE REG 0w (ARM READ REG 0w state + ARM READ REG 0w state) state)) As a total-correctness machine-code Hoare triple: |- SPEC ARM MODEL (aR 0w x * aPC p) { (p,0xE0800000w) } (aR 0w (x+x) * aPC (p+4w))

  14. Hoare triple Each model can be evaluated, e.g. ARM instruction add r0,r0,r0 is described by theorem: |- (ARM READ MEM ((31 >< 2) (ARM READ REG 15w state)) state = 0xE0800000w) ∧ ¬ state.undefined ⇒ (NEXT ARM MMU cp state = ARM WRITE REG 15w (ARM READ REG 15w state + 4w) (ARM WRITE REG 0w (ARM READ REG 0w state + ARM READ REG 0w state) state)) As a total-correctness machine-code Hoare triple: |- SPEC ARM MODEL Informal syntax for this talk: { R0 x ∗ PC p } (aR 0w x * aPC p) { (p,0xE0800000w) } p : E0800000 { R0 ( x + x ) ∗ PC ( p +4) } (aR 0w (x+x) * aPC (p+4w))

  15. Demo.

  16. Decompilation Decompiler automates Hoare triple reasoning. Example: Given some ARM machine code, 0: E3A00000 4: E3510000 8: 12800001 12: 15911000 16: 1AFFFFFB

  17. Decompilation Decompiler automates Hoare triple reasoning. Example: Given some ARM machine code, 0: E3A00000 mov r0, #0 4: E3510000 L: cmp r1, #0 8: 12800001 addne r0, r0, #1 12: 15911000 ldrne r1, [r1] 16: 1AFFFFFB bne L

  18. Decompilation Decompiler automates Hoare triple reasoning. Example: Given some ARM machine code, 0: E3A00000 mov r0, #0 4: E3510000 L: cmp r1, #0 8: 12800001 addne r0, r0, #1 12: 15911000 ldrne r1, [r1] 16: 1AFFFFFB bne L the decompiler automatically extracts a readable function: f ( r 0 , r 1 , m ) = let r 0 = 0 in g ( r 0 , r 1 , m ) g ( r 0 , r 1 , m ) = if r 1 = 0 then ( r 0 , r 1 , m ) else let r 0 = r 0 +1 in let r 1 = m ( r 1 ) in g ( r 0 , r 1 , m )

  19. Decompilation, correct? Decompiler automatically proves a certificate theorem: f pre ( r 0 , r 1 , m ) ⇒ { ( R0 , R1 , M ) is ( r 0 , r 1 , m ) ∗ PC p ∗ S } p : E3A00000 E3510000 12800001 15911000 1AFFFFFB { ( R0 , R1 , M ) is f ( r 0 , r 1 , m ) ∗ PC ( p + 20) ∗ S } which informally reads: for any initially value ( r 0 , r 1 , m ) in reg 0, reg 1 and memory, the code terminates with f ( r 0 , r 1 , m ) in reg 0, reg 1 and memory.

  20. Decompilation, verification example To verify code: prove properties of function f , ∀ x l a m . list ( l , a , m ) ⇒ f ( x , a , m ) = ( length ( l ) , 0 , m ) ∀ x l a m . list ( l , a , m ) ⇒ f pre ( x , a , m ) since properties of f carry over to machine code via the certificate.

  21. Decompilation, verification example To verify code: prove properties of function f , ∀ x l a m . list ( l , a , m ) ⇒ f ( x , a , m ) = ( length ( l ) , 0 , m ) ∀ x l a m . list ( l , a , m ) ⇒ f pre ( x , a , m ) since properties of f carry over to machine code via the certificate. Proof reuse : Given similar x86 and PowerPC code: 31C085F67405408B36EBF7 38A000002C140000408200107E80A02E38A500014BFFFFF0 which decompiles into f ′ and f ′′ , respectively. Manual proofs above can be reused if f = f ′ = f ′′ .

  22. Demo.

  23. Decompilation, algorithm Algorithm: 1. derive a Hoare-triple for each instruction 2. find all paths through code 3. for each loop/sub-component: a. compose Hoare triples along each path b. merge resulting Hoare triples c. apply a loop rule, if necessary The loop rule introduces a tail-recursive function, an instance of tailrec ( x ) = if G ( x ) then tailrec ( F ( x )) else D ( x )

  24. Decompiler, implementation Implementation: ◮ ML program which fully-automatically performs forward proof, ◮ no heuristics and no dangling proof obligations, ◮ ‘smart’ tactics, e.g. SIMP , avoided to be robust. Details in Myreen et al. [FMCAD’08].

  25. Applications code decompiler (func,thm) machine-code Hoare triple ARM x86 PowerPC

  26. Applications func compiler (code,thm) code decompiler (func,thm) machine-code Hoare triple ARM x86 PowerPC

  27. Compiler Synthesis often more practical. Given function f , f ( r 1 ) = if r 1 < 10 then r 1 else let r 1 = r 1 − 10 in f ( r 1 ) our compiler generates ARM machine code: E351000A L: cmp r1,#10 2241100A subcs r1,r1,#10 2AFFFFFC bcs L

  28. Compiler Synthesis often more practical. Given function f , f ( r 1 ) = if r 1 < 10 then r 1 else let r 1 = r 1 − 10 in f ( r 1 ) our compiler generates ARM machine code: E351000A L: cmp r1,#10 2241100A subcs r1,r1,#10 2AFFFFFC bcs L and automatically proves a certificate HOL theorem: ⊢ { R1 r 1 ∗ PC p ∗ s } p : E351000A 2241100A 2AFFFFFC { R1 f ( r 1 ) ∗ PC ( p +12) ∗ s }

  29. Compilation example, cont. One can prove properties of f since it lives inside HOL: ⊢ ∀ x . f ( x ) = x mod 10

  30. Compilation example, cont. One can prove properties of f since it lives inside HOL: ⊢ ∀ x . f ( x ) = x mod 10 Properties proved of f translate to properties of the machine code: ⊢ { R1 r 1 ∗ PC p ∗ s } p : E351000A 2241100A 2AFFFFFC { R1 ( r 1 mod 10) ∗ PC ( p +12) ∗ s }

  31. Compilation example, cont. One can prove properties of f since it lives inside HOL: ⊢ ∀ x . f ( x ) = x mod 10 Properties proved of f translate to properties of the machine code: ⊢ { R1 r 1 ∗ PC p ∗ s } p : E351000A 2241100A 2AFFFFFC { R1 ( r 1 mod 10) ∗ PC ( p +12) ∗ s } Additional feature: the compiler can use the above theorem to extend its input language with: let r 1 = r 1 mod 10 in

  32. Additional feature: user-defined extensions Using our theorem about mod, the compiler accepts: g ( r 1 , r 2 , r 3 ) = let r 1 = r 1 + r 2 in let r 1 = r 1 + r 3 in let r 1 = r 1 mod 10 in ( r 1 , r 2 , r 3 ) Previously proved theorems can be used as building blocks for subsequent compilations.

  33. Implementation To compile function f : 1. generate, without proof, code from input f ; 2. decompile, with proof, a function f ′ from generated code; 3. prove f = f ′ .

  34. Implementation To compile function f : 1. generate, without proof, code from input f ; 2. decompile, with proof, a function f ′ from generated code; 3. prove f = f ′ . Features: ◮ code generation completely separate from proof ◮ supports many light-weight optimisations without any additional proof burden: instruction reordering, conditional execution, dead-code elimination, duplicate-tail elimination, ... ◮ allows for significant user-defined extensions Details in Myreen et al. [CC’09]

  35. Demo.

  36. LISP case study Verified LISP implementations via compilation. verified code for LISP primitives car, cdr, cons, etc. HOL4 functions for ARM, x86, PowerPC code compiler LISP parse, eval, print and certificate theorems decompiler machine-code Hoare triple ARM x86 PowerPC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising

Lecture 16 Decompilation Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the

408 views • 37 slides
Why decompilation? This course is ostensibly about Optimising Compilers. It is really about

Why decompilation? This course is ostensibly about Optimising Compilers. It is really about

Why decompilation? This course is ostensibly about Optimising Compilers. It is really about program analysis and transformation . Decompilation is achieved through analysis and transformation of target code; the transformations just work in the

650 views • 35 slides
HATS: Highly Adaptable &amp; Trustworthy Software Using Formal Models Reiner H ahnle

HATS: Highly Adaptable &amp; Trustworthy Software Using Formal Models Reiner H ahnle

Titlepage HATS: Highly Adaptable &amp; Trustworthy Software Using Formal Models Reiner H ahnle Chalmers University of Technology, Gothenburg, Sweden Sophia-Antipolis, 23 October 2008 R. H ahnle HATS: Adaptable &amp; Trustworthy

563 views • 28 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models

Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models

Living beyond your means Extracting Response Time Densities and Quantiles from Stochastic Models Susanna Au-Yeung, Jeremy Bradley, Nicholas Dingle, Tony Field, Peter Harrison, William Knottenbelt , Aleksandar Trifunovic, Helen Wilson email: {

663 views • 51 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Measurements - time Measurements - steps MASPAR MP-1 256 processors (Zimmermann, Kumm)

Measurements - time Measurements - steps MASPAR MP-1 256 processors (Zimmermann, Kumm)

Machine Models What are models good for? Abstracting from machine properties Bridging Models and Machines Making programming simple Making programs portable Reflecting essential machine properties Functionality (sure) PRAM

340 views • 13 slides
TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies for Local Responding To and Trust Assessment Area Monitoring and Area

291 views • 8 slides
Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding

614 views • 34 slides
CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11: Architectural support for a memory-safe C abstract machine David Chisnall , Colin Rothwell , Brooks Davis , Robert N.M. Watson ,

252 views • 22 slides
Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data

Extracting Gait Parameters Extracting Gait Parameters from Raw Data from Raw Data Accelerometers Accelerometers Andr DIAS a,b,c , Lukas GORZELNIAK b , Angela DRING c , Gunnar HARTVIGSEN a,d , Alexander HORSCH b,d a Norwegian Centre for

582 views • 15 slides
Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC

Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC

Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC Outline Review: EM for HMMs Machine Translation Alignment Limited Sequence Models Maximum Entropy Markov Models Conditional Random Fields

1.37k views • 100 slides
Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC

Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC

Latent Models: Sequence Models Beyond HMMs and Machine Translation Alignment CMSC 473/673 UMBC Outline Review: EM for HMMs Machine Translation Alignment Limited Sequence Models Maximum Entropy Markov Models Conditional Random Fields

1.2k views • 101 slides
Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan

Deploying Machine Learning Models on The Edge Deploying Machine Learning Models on The Edge Yan Zhang, Mathew Salvaris Microsoft https://github.com/microsoft/deploy-MLmodels-on-iotedge Cloud Analytics Edge Analytics Device/Sensor Analytics

373 views • 34 slides
1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting

1 Methods of Extracting or Obtaining Essential Oils The most common method for extracting essential oils is using steam distillation. Solvents are often used in extracting oils that are waxy The most expensive method is using CO2 which does not

358 views • 16 slides
Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to

Extracting Tables from PDFs Extracting Tables from PDFs Using Camelot and Excalibur to automate PDF table extraction and export Dimiter Naydenov @dimitern 1 . 1 Overview Overview PDF: brief history, structure, representing tables Camelot

355 views • 13 slides
Innovations in Rural and Community Health: Lessons From the Front Line Aaron George, DO May 9,

Innovations in Rural and Community Health: Lessons From the Front Line Aaron George, DO May 9,

Innovations in Rural and Community Health: Lessons From the Front Line Aaron George, DO May 9, 2017 Family Physician Summit Primary Care Innovations in Rural Primary Care Local Context State Context Global Perspective Chambersburg, PA

429 views • 29 slides
Organizations Harnessing Open Source Simulations to Address Climate Change Addressing climate

Organizations Harnessing Open Source Simulations to Address Climate Change Addressing climate

Organizations Harnessing Open Source Simulations to Address Climate Change Addressing climate change will require, amongst most everyone from business and government leaders to global citizens, exponential, cross-cultural diffusion of two ideas:

520 views • 39 slides
Network Dynamics and Network Dynamics and Cell Physiology Cell Physiology John J. Tyson John

Network Dynamics and Network Dynamics and Cell Physiology Cell Physiology John J. Tyson John

Network Dynamics and Network Dynamics and Cell Physiology Cell Physiology John J. Tyson John J. Tyson Dept. Biological Sciences Dept. Biological Sciences Virginia Tech Virginia Tech Collaborators Collaborators Budapest Univ. Techn

709 views • 41 slides
Modelling nonstationary signals using stochastic and nonstochastic approach Jacek Lekow

Modelling nonstationary signals using stochastic and nonstochastic approach Jacek Lekow

Cyclostationary signals FOT approach Stochastic approach Acknowledgement References-selected Modelling nonstationary signals using stochastic and nonstochastic approach Jacek Lekow Institute of Mathematics Cracow University of Technology

565 views • 44 slides
Language Recognition for Dialects and Closely Related Languages NIST OpenLRE 2015 G. Gelly,

Language Recognition for Dialects and Closely Related Languages NIST OpenLRE 2015 G. Gelly,

Language Recognition for Dialects and Closely Related Languages NIST OpenLRE 2015 G. Gelly, J.L. Gauvain, L. Lamel, A. Laurent, V.B. Le, A. Messaoudi 1 / 3 Language Recognition for Dialects and Closely Related Languages (G. Gelly, et

322 views • 3 slides
Deep Learning for Network Biology Marinka Zitnik and Jure Leskovec Stanford University Deep

Deep Learning for Network Biology Marinka Zitnik and Jure Leskovec Stanford University Deep

Deep Learning for Network Biology Marinka Zitnik and Jure Leskovec Stanford University Deep Learning for Network Biology -- snap.stanford.edu/deepnetbio-ismb -- ISMB 2018 1 This Tutorial snap.stanford.edu/deepnetbio-ismb ISMB 2018 July 6,

464 views • 31 slides
Thank you for joining us. The program will commence momentarily. Virtual Molecular Tumor Board:

Thank you for joining us. The program will commence momentarily. Virtual Molecular Tumor Board:

Thank you for joining us. The program will commence momentarily. Virtual Molecular Tumor Board: Identification of New and Emerging Genomic Alterations in Metastatic Non-Small Cell Lung Cancer Friday, August 7, 2020 9:00 AM 10:00 AM ET

1.38k views • 89 slides
Logical modelling of cellular decisions Denis Thieffry (thieffry@ens.fr) Contents Introduction

Logical modelling of cellular decisions Denis Thieffry (thieffry@ens.fr) Contents Introduction

Logical modelling of cellular decisions Denis Thieffry (thieffry@ens.fr) Contents Introduction Logical modelling T-helper cell differentiation MAPK network Porquerolles, June 25th, 2013 Cell proliferation, differentiation or

907 views • 54 slides

More recommend