end to end verification of stack space bounds for c
play

End-to-End Verification of Stack-Space Bounds for C Programs - PowerPoint PPT Presentation

Dec 16, 2023 •221 likes •764 views

End-to-End Verification of Stack-Space Bounds for C Programs Quentin Carbonneaux Jan Hoffmann Tahina Ramananandro Zhong Shao Yale University April 14th, 2014 Does this program safely run? gcc -O0 && ./a.out #include

  1. End-to-End Verification of Stack-Space Bounds for C Programs Quentin Carbonneaux Jan Hoffmann Tahina Ramananandro Zhong Shao Yale University April 14th, 2014

  2. Does this program safely run? ● gcc -O0 && ./a.out #include <stdint.h> typedef uint64_t t; – Segfault ( stack void f (t* pa, t* pb) { overflow ) if (*pa == 0) return ; *pa--; ● gcc -O1 && ./a.out f (pa, pb); *pb++; – OK (function inlining) } int main ( int argc, char * argv[]) { t a = UINT64_MAX, b = 0; f (&a, &b); return a; }

  5. Does this program stack-overflow? ● Important in embedded software – led to deadly software bugs in Toyota cars ● Most stack analysis tools available for compiled code only – Harder to analyze – User interaction is troublesome ● How to prove, at the source level , that the compiled code does not stack-overflow? – How to model stack overflow at the source level? – How to prove stack-aware compiler correctness?

  6. CompCert ● Formal C and assembly semantics ● Verified semantics-preserving compiler – Safety is preserved – For safe programs, I/O events and termination/divergence are preserved

  7. CompCert and stack overflow ● Stack frame allocation always succeeds – Stack-overflow not modeled in either C or assembly – How to guarantee that, if source program does not crash, then neither does compiled code not even by stack overflow?

  8. [...] it is hopeless to prove a stack memory bound on the source program and expect this resource certification to carry out to compiled code: stack consumption, like execution time, is a program property that is not preserved by compilation. POPL 2006 Xavier Leroy (1968- )

  9. [...] it is hopeless to prove a stack memory bound on the source program and expect this resource certification to carry out to compiled code: stack consumption, like execution time, is a program property that is not preserved by compilation. POPL 2006 Really? Xavier Leroy (1968- )

  10. Our solution: Quantitative CompCert ● Introduce stack consumption in C semantics ● Preserve stack consumption by compilation passes: quantitative refinement ● Refine assembly semantics with finite stack ● Make compiler correctness depend on source-level stack bound – Introduce a program logic on Clight to derive stack consumption bound – Introduce automatic stack analyzer to automatically use program logic on programs without recursion

  11. Overview

  12. Overview

  13. Stack consumption in C semantics ● CompCert C produces an I/O event trace – Preserved by compilation ● Add function call/return events ● Model the stack consumption as trace weight parameterized by an event metric for call/return events – Preserve the weights – Stack consumption of a function is parameterized by the stack frame sizes of its callees ● Operational semantics does not go wrong on stack overflow – Does not know the event metric, only generates events

  14. Example ● main() generates trace: int f (int x) { return x+1; call(main) :: call(f) :: return(f) :: } return(main) :: nil ● Stack consumption: main () { M( main ) + M( f ) f(0); } where M is an event metric (giving non- negative stack frame size for each function)

  15. Stack consumption ● Events e ::= … | call(f) | return(f) ● Event and trace valuation: V M (call(f)) = M(f); V M (return(f)) = -M(f); V M (e) = 0 otherwise V M (nil) = 0; V M (e::t) = V M (e) + V M (t) ● Trace weight: W M (T) = sup {V M (t) | T = t . T'}

  16. Stack consumption Coq implementation: I/O events have constant (maybe non-null) stack consumption ● Event and trace valuation: V' M (e) = V M (e) for call/return V' M (nil) = 0; V' M (t++e::nil) = max( V' M (t), V M (t)+V' M (e) ) ● Trace weight: W' M (T) = sup {V' M (t) | T = t . T'}

  17. Quantitative refinement For any target behavior T', there exists a source behavior T such that: – Pruned traces (call/return events removed) are preserved – Termination/divergence is preserved – For all metrics M, W M (T') ≤ W M (T) ● Equality holds for most passes (all events preserved) ● Do not change the metric during a pass (use the assembly metric)

  18. Quantitative compiler correctness ● Given stack size β < 2 31 , for all source code s , if all the following hold: – The compiler produces assembly code C(s) and event metric M – s does not go wrong in infinite stack space – All traces T of s have weight W M (T) ≤ β – Assembly C(s) is run with β stack size ● Then: – C(s) refines s (I/O events and termination/divergence are preserved) – C(s) does not go wrong – In particular, C(s) is guaranteed to not stack overflow

  19. Quantitative CompCert ● Function inlining and tailcall recognition underway ● All other passes supported

  20. Quantitative CompCert

  21. CompCert stack management ● CompCert memory model: allocate a fresh stack frame memory block upon function entry – No pointer arithmetics across different memory blocks – Always succeeds ● Still used for assembly language semantics – Requires Pallocframe/Pfreeframe pseudo-instructions to manage stack frame blocks – Turned into pointer arithmetics by unverified “pretty- printing” phase

  22. CompCert-generated assembly... int g(int y); f: Pallocframe 12, 4 mov $4(%esp) , %edx int f(int x) { movl (%edx) , %eax subl $1 , %eax return g(x-1)-2; movl %eax , (%esp) } call g subl $2 , %eax Pfreeframe 12, 4 ret ● Formal semantics of Pallocframe/Pfreeframe also: x 0 – stores/loads return address in/from callee's stack frame ● Uses RA pseudo-register to model caller's return address slot 12 RA – stores/loads back link to caller's stack frame 8 4 y=x-1 0 Addresses increase grows Stack

  23. … after unverified “pretty-printing” f: f: Pallocframe 12, 4 subl $8 , %esp mov $4(%esp) , %edx leal $12(%esp) , %edx movl (%edx) , %eax movl %edx , 4(esp) subl $1 , %eax mov $4(%esp) , %edx movl %eax , (%esp) movl (%edx) , %eax call g subl $1 , %eax subl $2 , %eax movl %eax , (%esp) Pfreeframe 12, 4 ret call g subl $2 , %eax x 12 RA 8 addl $8 , %esp ret 4 y=x-1 0 Addresses increase grows Stack

  24. But we can do better and prove it! f: f: subl $8 , %esp subl $4 , %esp leal $12(%esp) , %edx mov $8(%esp) , %eax movl %edx , 4(esp) mov $4(%esp) , %edx subl $1 , %eax movl (%edx) , %eax movl %eax , (%esp) subl $1 , %eax call g movl %eax , (%esp) call g subl $2 , %eax subl $2 , %eax addl $4 , %esp addl $8 , %esp ret ret x 12 RA 8 x 4 8 y=x-1 RA 0 4 y=x-1 Addresses 0 increase grows Stack

  25. Assembly with finite stack ● Allocate one single stack block at program start – Program goes wrong on stack overflow – No need for pseudo-instructions ● Merge all stack frames together into the single stack block – Requires memory injection proof

  26. Quantitative CompCert

  27. Stack merging ● CompCert Mach to single-stack Mach2 phase – Mach already puts arguments into stack – Mach no longer stores RA into stack, Mach2 does – Mach and Mach2 have same syntax – No code transformation: reinterpretation of semantics with single stack ● Mach2 to assembly – Implement function entry/exit with stack pointer arithmetics – No significant memory changes ● Total changes: 5k LOC (out of CompCert's 90k)

  28. Mach vs. Mach2 ● Registers (x86) r := EAX | EBX | ECX | EDX | FP0 ● Statements (r* registers, ofs constant integer) S ::=Mload(chunk, raddr, rres) | Mstore(chunk, raddr, rval) | Mgetstack(chunk, ofs, rres) Mach Mach2 | Msetstack(chunk, ofs, rres) | Mgetparam(chunk, ofs, rres) | Mcall func | Mret x 0 | Mgoto label | Mlabel label: | ... x 8 y=x-1 RA 0 4 y=x-1 Addresses 0 increase grows Stack

  29. Mach vs. Mach2 int g {...} int g(int y); int f { Mgetparam(Mint32, 0, EAX); int f(int x) { Mop(Osubimm 1, EAX); return g(x-1)-2; Msetstack(Mint32, 0, EAX); } Mcall(g); Mop(Osubimm 2, EAX); Mach Mach2 Mret } x 0 x Memory 8 injection RA 4 y=x-1 y=x-1 0 0 Addresses increase grows Stack

  30. Overview

  31. Quantitative program logic ● Hoare-like logic ● Assertions have values in {0, 1, 2, …, ∞} – Represent available stack space ● {P} S {Q} roughly: if P stack space is available before S, then: – S does not stack overflow (unless P= ∞ ), and – for all possible terminating executions of S, Q stack space is available after S

  32. Assertions ● Clight statements S, continuations K, local state θ ● Global state (“heap” = CompCert memory state) H ● Mutable state σ = ( θ , H) ● Configuration C = (S, K, σ ) ● Assertion P: C → {0, 1, 2, …, ∞} – Coq implementation: C→ N → Prop , represents sets of valid bounds

  33. Selected rules

  34. Selected rules

  35. Selected rules With: • Global variable addresses Δ • Mutable state ( θ , H) • Loop break • Return value • One argument those rules become: But we also support: • Several function arguments • Auxiliary state • Stack framing See paper for more details.

  36. Example with auxiliary state

Recommend

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
Formal Verification of Roundoff Error Bounds using Semidefinite Programming Victor Magron , CNRS

Formal Verification of Roundoff Error Bounds using Semidefinite Programming Victor Magron , CNRS

Formal Verification of Roundoff Error Bounds using Semidefinite Programming Victor Magron , CNRS VERIMAG Jointly Certified Upper Bounds with G. Constantinides and A. Donaldson Jointly Certified Lower Bounds with M. Farid GTVerif IRIF, 16 June 2016

687 views • 50 slides
172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3.

172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3.

172 Plan 1. Space Complexity in Resolution 2. Space lower bounds for Random Formulas 3. Combinatorial Characterization of width 4. Width vs Space 5. Feasible Interpolation for Resolution and size lower bounds 6. Proof Search,

1.52k views • 83 slides
ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow

ASLR / NX / Bounds Checking 1 last time stack canaries less-compatible alternative: shadow stacks page-level protection RELRO protect global ofgset table guard pages around memory allocations/etc. start ASLR choose random addresses

1.1k views • 73 slides
Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data Text Lower Addresses Stack and Base Pointers Stack is made up of stack frames Stack frames contain: parameters, local variables, return

604 views • 45 slides
Teaching the stack for fun and profit Hugh Nowlan A HackerWeek presentation Me TCD

Teaching the stack for fun and profit Hugh Nowlan A HackerWeek presentation Me TCD

Teaching the stack for fun and profit Hugh Nowlan A HackerWeek presentation Me TCD Grand DCU Grand Warnings Lecture pertains to IA32 for the most part No insta-l33t Frames, pointers, bounds Stack discipline is

703 views • 31 slides
Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates

Program address space What does the OS loader do? 0x7ffffffff0000 Stack 8MB reserved Creates new process Sets up address space/segments Read executable file, load instructions, init global data 0x7ffff770000 Shared library

844 views • 16 slides
Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon

Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon

Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon University June 12, 2005 0-0 Introduction Few super-linear time lower bounds known for natural problems in NP (Existing ones generally use a restricted

1.28k views • 106 slides
1 Distinguishing Upper and Lower Bounds Triangular Iteration Space Example Simple Algorithm (

1 Distinguishing Upper and Lower Bounds Triangular Iteration Space Example Simple Algorithm (

Code Generation Using Fourier Motzkin Code Generation Previously Goals Data dependences and loops express outermost loop bounds in terms of symbolic constants and constants Loop transformations express inner loop bounds in

300 views • 4 slides
Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

10/21/2014 Processes, Address Spaces, and PROCESS Memory Management A running program and its associated data Jonathan Misurda jmisurda@cs.pitt.edu Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

579 views • 3 slides
SIPBs IAP Programming in C Pointers, and Arrays Memory and Addresses stack stack grows

SIPBs IAP Programming in C Pointers, and Arrays Memory and Addresses stack stack grows

SIPBs IAP Programming in C Pointers, and Arrays Memory and Addresses stack stack grows down - C programs exist inside a memory space (unmapped) - That memory space is a sequence of bytes heap grows heap up - Each of those bytes

900 views • 77 slides
Software Defined Radio Developments and Verification for Space Environment on NASAs

Software Defined Radio Developments and Verification for Space Environment on NASAs

National Aeronautics and Space Administration Software Defined Radio Developments and Verification for Space Environment on NASAs Communication Navigation, and Networking Testbed (CoNNeCT) Richard Reinhart NASA Glenn Research Center,

645 views • 19 slides
User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2

User Space TCP based on LKL H.K. Jerry Chu, Yuan Liu, Andreas Abel Google Inc. Netdev 1.2 Conference Netdev 1.2 Conference Oct 5-7, 2016; Tokyo, Japan User-space TCP Traditionally, TCP stack in kernel space A TCP stack in user space can

557 views • 24 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level

Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level

Formal Verification of Stack Manipulation in the SCIP Processor J. Aaron Pendergrass High Level Challenges to developing capability in formal methods: Perceived high barrier to entry, Specialized tools and jargon, Need for a

424 views • 23 slides
How to use image information? Pawe Kukoowicz Verification of radiotherapy In space of

How to use image information? Pawe Kukoowicz Verification of radiotherapy In space of

IGRT2 How to use image information? Pawe Kukoowicz Verification of radiotherapy In space of dose Comparison of prescribed and delivered dose (dose distribution) Eg. In-vivo dosimetry In space of location Portal control

621 views • 42 slides
An open source user space fast path TCP/IP stack Industry network challenges Growth in data

An open source user space fast path TCP/IP stack Industry network challenges Growth in data

An open source user space fast path TCP/IP stack Industry network challenges Growth in data traffic means that even small network nodes needs a fast path The Linux IP stack is slow and does not scale High throughput IP processing

361 views • 20 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12

CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12

Readings for Next 3 Lectures Textbook CPSC 213 Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 2 Local Variables of a Procedure

201 views • 8 slides
Stack Basics and Procedure Calls Systems Design &amp; Programming CMPE 310 Purpose of Stack

Stack Basics and Procedure Calls Systems Design &amp; Programming CMPE 310 Purpose of Stack

Stack Basics and Procedure Calls Systems Design &amp; Programming CMPE 310 Purpose of Stack Memory used to pass parameters to procedures (including C function calls) Memory used for allocating space for local variables Save return

296 views • 8 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
Aiming Low is Harder Induction for Lower Bounds in Probabilistic Program Verification Marcel Hark

Aiming Low is Harder Induction for Lower Bounds in Probabilistic Program Verification Marcel Hark

Aiming Low is Harder Induction for Lower Bounds in Probabilistic Program Verification Marcel Hark Benjamin Kaminski Jrgen Giesl Joost-Pieter Katoen POPL 2020 Aiming Low is Harder Hark , Kaminski, Giesl, Katoen 1/25/20 1

1.38k views • 112 slides
Large genus bounds for the distribution of triangulated surfaces in moduli space Sahana Vasudevan

Large genus bounds for the distribution of triangulated surfaces in moduli space Sahana Vasudevan

Large genus bounds for the distribution of triangulated surfaces in moduli space Sahana Vasudevan (MIT) Informal Geometry and Dynamics Seminar, Harvard April 29, 2020 Triangulated surfaces Glue T equilateral triangles to form a genus g compact

676 views • 20 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides

More recommend