formal verification of x86 machine code programs
play

Formal Verification of x86 Machine-Code Programs Computer - PowerPoint PPT Presentation

Jan 31, 2023 •239 likes •891 views

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin Software and Reliability Can we rely on our

  1. Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin

  2. Software and Reliability Can we rely on our software systems? Recent example of a serious bug: CVE-2016-5195 or “Dirty COW” • Privilege escalation vulnerability in Linux • E.g.: allowed a user to write to files intended to be read only • Copy-on-Write (COW) breakage of private read-only memory mappings • Existed since around v2.6.22 ( 2007 ) and was fixed on Oct 18, 2016 2

  3. Formal Verification of Software: Example 1 Software Formal Verification: proving or disproving that the implementation of a program meets its specification using mathematical techniques 3

  4. Formal Verification of Software: Example 1 Software Formal Verification: proving or disproving that the implementation of a program meets its specification using mathematical techniques Suppose you needed to count the number of 1s in the binary representation of a natural number ( population count ) . Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif 3

  5. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Source: Sean Anderson’s Bit-Twiddling Hacks 4

  6. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Source: Sean Anderson’s Bit-Twiddling Hacks 4

  7. Formal Verification of Software: Example 1 Specification: popcountSpec (v): [v: natural number] if v <= 0 then return 0 else lsb = v & 1 v = v >> 1 return (lsb + popcountSpec (v)) endif Implementation: int popcount_32 (unsigned int v) { v = v - ((v >> 1) & 0x55555555); v = (v & 0x33333333) + ((v >> 2) & 0x33333333); v = ((v + (v >> 4) & 0xF0F0F0F) * 0x1010101) >> 24; return(v); } Do the specification and implementation behave the same way for all inputs? Source: Sean Anderson’s Bit-Twiddling Hacks 4

  8. Formal Verification of Software: Example 2 Suppose you needed to check if a given natural number is a power of 2. Specification: isPowerOfTwoSpec (x): [x: natural number] if x == 0 then return 0 else if x == 1 then return 1 else if remainder(x,2) == 0 then return isPowerOfTwoSpec (x/2) else return 0 endif endif endif 5

  9. Formal Verification of Software: Example 2 Can you trust your specification? Source: Sean Anderson’s Bit-Twiddling Hacks 6

  10. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Source: Sean Anderson’s Bit-Twiddling Hacks 6

  11. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Implementation: bool powerOfTwo (long unsigned int v) { bool f; f = v && !(v & (v - 1)); return f; } Source: Sean Anderson’s Bit-Twiddling Hacks 6

  12. Formal Verification of Software: Example 2 Can you trust your specification? Correctness of isPowerOfTwoSpec : 1. If isPowerOfTwoSpec(v) returns 1, then there exists a natural number n such that v = 2 n . 2. If v = 2 n , where n is a natural number, then isPowerOfTwoSpec(v) returns 1. Implementation: bool powerOfTwo (long unsigned int v) { bool f; f = v && !(v & (v - 1)); return f; } Do the specification and implementation behave the same way for all inputs? Source: Sean Anderson’s Bit-Twiddling Hacks 6

  13. Inspection of a Program’s Behavior • Testing: x�� Exhaustive analysis is infeasible • Formal Verification: ✓ Wide variety of techniques ‣ Lightweight: e.g., checking if array indices are within bounds ‣ Heavyweight: e.g., proving functional correctness 7

  14. Example: Pop-Count Program popcount_64: 89 fa mov %edi,%edx 89 d1 mov %edx,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx 29 ca sub %ecx,%edx Functional Correctness: 89 d0 mov %edx,%eax c1 ea 02 shr $0x2,%edx RAX = popcountSpec(v) 25 33 33 33 33 and $0x33333333,%eax 81 e2 33 33 33 33 and $0x33333333,%edx 01 c2 add %eax,%edx 89 d0 mov %edx,%eax specification function c1 e8 04 shr $0x4,%eax 01 c2 add %eax,%edx 48 89 f8 mov %rdi,%rax 48 c1 e8 20 shr $0x20,%rax popcountSpec (v): 81 e2 0f 0f 0f 0f and $0xf0f0f0f,%edx [v: unsigned int] 89 c1 mov %eax,%ecx d1 e9 shr %ecx 81 e1 55 55 55 55 and $0x55555555,%ecx if v <= 0 then 29 c8 sub %ecx,%eax 89 c1 mov %eax,%ecx return 0 c1 e8 02 shr $0x2,%eax else 81 e1 33 33 33 33 and $0x33333333,%ecx 25 33 33 33 33 and $0x33333333,%eax lsb = v & 1 01 c8 add %ecx,%eax 89 c1 mov %eax,%ecx v = v >> 1 c1 e9 04 shr $0x4,%ecx return (lsb + popcountSpec (v)) 01 c8 add %ecx,%eax 25 0f 0f 0f 0f and $0xf0f0f0f,%eax endif 69 d2 01 01 01 01 imul $0x1010101,%edx,%edx 69 c0 01 01 01 01 imul $0x1010101,%eax,%eax c1 ea 18 shr $0x18,%edx c1 e8 18 shr $0x18,%eax 01 d0 add %edx,%eax c3 retq 8

  15. Case Study: Pop-Count Program (defthm x86-popcount-64-symbolic-simulation (implies (and (x86p x86) (equal (model-related-error x86) nil) (unsigned-byte-p 64 n) (equal n (read 'register *rdi* x86)) (equal *popcount-64-program* (read 'memory (address-range (read 'pc x86) (len *popcount-64-program*)) x86))) (equal (read 'register *rax* (x86-run *num-of-steps* x86)) (popcountSpec n) ))) 9

  16. Heavyweight Formal Verification 10

  17. Heavyweight Formal Verification • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties 10

  18. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties 10

  19. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. 10

  20. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . 10

  21. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . • All high-level programs compile down to machine-code programs. - A program is just a sequence of machine instructions. 10

  22. Heavyweight Formal Verification ISA model • Build a mathematical or formal model of programs • Prove theorems about this model in order to establish program properties Instruction Set Architecture: interface between hardware and software - Defines the machine language - Specification of state (registers, memory), machine instructions, instruction encodings, etc. • An ISA model specifies the behavior of each machine instruction in terms of effects made to the processor state . • All high-level programs compile down to machine-code programs. - A program is just a sequence of machine instructions. • We can reason about a program by inspecting the cumulative effects of its constituent instructions on the machine state . 10

  23. Why Not Use Abstract Machine Models? 11

  24. Why Not Use Abstract Machine Models? 11

Recommend

Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo

Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo

Third International Workshop on Numerical Software Verification Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo INRIA Saclay - Ile-de-France July 15th, 2010 Thanks to the organizers !

1.72k views • 136 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social Less formal: Techniques may Code reviews miss problems in programs Extreme/Pair programming Methodological Design patterns

330 views • 18 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of Computing, University of Utah, Salt Lake City, UT 84112 A Half-Day Tutorial Proposed for ICS 2009 http:// www.cs.utah.edu / formal_verification

1.3k views • 102 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy

Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy

Formal verification of a code generator for a modeling language: the Velus project Xavier Leroy (joint work with Timothy Bourke, L elio Brun, Pierre- Evariste Dagand, Marc Pouzet, and Lionel Rieg) Inria, Paris MARS/VPT workshop, ETAPS

1.43k views • 55 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7,

Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7,

Formal Verification of Binary Code Roberto Guanciale // a0=GETBYTE(s0, 3); ldr r3, [r7, #84] lsrs r3, r3, #24 uxtb r3, r3 str r3, [r7, #48] ... // v0=*(Te[0] + a0); ldr r3, [r7, #48] lsls r2, r3, #2 ldr r3, [pc,

562 views • 30 slides
Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen

Trustworthy decompilation: Extracting models of machine code inside an ITP Magnus O. Myreen University of Cambridge TEITP 2010 The GCD program in ARM machine code: E1510002 B0422001 C0411002 01AFFFFFB Problems with machine code Formal

660 views • 46 slides
A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20 th 2010 Cocktail Derive programs from their specifications Does not scale and nobody programs like this Create proofs interactively with an

342 views • 7 slides
Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Existing tools Model and specification of FP numbers Examples Conclusion Motivations

410 views • 39 slides
Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo, SUNY Goal of formal verification: building programs that are correct. Why correctness matters? Why correctness matters? An example: DARPA HACMS

448 views • 40 slides
Verification of Industry Code : Challenges R Venkatesh r.venky@tcs.com 1 Overview Focus of

Verification of Industry Code : Challenges R Venkatesh r.venky@tcs.com 1 Overview Focus of

Verification of Industry Code : Challenges R Venkatesh r.venky@tcs.com 1 Overview Focus of talk Scalability problems in industry code Ideas we are exploring Formal verification @ TRDDC Apply academic ideas to address

174 views • 13 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Death, Taxes, and Formal Verification Justin Hsu University of Pennsylvania May 4, 2015 1

Death, Taxes, and Formal Verification Justin Hsu University of Pennsylvania May 4, 2015 1

Death, Taxes, and Formal Verification Justin Hsu University of Pennsylvania May 4, 2015 1 (Brian Hayes) 2 A quirk of the US tax code US corporations pay US tax on worldwide income But only when money re-enters the US Result:

633 views • 10 slides
Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate

Code Generation Machine code generation cs4713 1 Machine code generation machine Intermediate Code optimizer Code generator Code generator Input: intermediate code + symbol tables In our case, three-address code All variables

717 views • 38 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides

More recommend