scaling symbolic evaluation for automated verification of
play

Scaling symbolic evaluation for automated verification of systems - PowerPoint PPT Presentation

Dec 21, 2023 •315 likes •713 views

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

  1. Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson ¹ , James Bornholt ¹ , Ronghui Gu ² , Andrew Baumann ³ , Emina Torlak ¹ , Xi Wang ¹ ¹ University of Washington, ² Columbia University, ³ Microsoft Research 1

  2. Goal : eliminating bugs with formal verification Safety specification (e.g. noninterference) Refinement System implementation Functional specification Process Process Process OS Kernel / security monitor 2

  3. Using interactive / auto-active verification seL4 (SOSP’09) Ironclad Apps (OSDI’14) • Require manual proof annotations/tactics • Expensive: CertiKOS 200k LOC proof FSCQ (SOSP’15) • Multiple person-years CertiKOS (PLDI’16) Komodo (SOSP’17) 3

  4. This talk: automated (push-button) verification Implementation Specification • Trade-off: automation vs expressivity Automated verifier • No proofs on implementation SMT formula • Requires bounded implementation • Restricts spec to first-order logic SMT solver • Examples: Hyperkernel (SOSP’17), Nickel (OSDI’18) ✘ ✔ 4

  5. This talk: automated (push-button) verification Implementation Specification How to write and maintain automated verifiers? Automated verifier How to systematically fix SMT formula verification bottlenecks? SMT solver How to retrofit to existing systems? ✘ ✔ 5

  6. Contributions • Serval: a framework for writing automated verifiers • Lift interpreters into verifiers: RISC-V, BPF, x86-32, LLVM • Symbolic optimization for repairing verification bottlenecks • Experience with Serval • Retrofitted CertiKOS and Komodo for automated verification • Found 18 new bugs in Linux BPF JIT and Keystone • Assumption: no guarantees on concurrency or side channels 6

  7. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 7

  8. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 8

  9. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 9

  10. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 10

  11. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 11

  12. Verification stack System BPF RISC-V x86-32 LLVM specification instructions instructions instructions instructions RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval : Specification library, symbolic optimizations, machine code support Rosette : Symbolic evaluation, symbolic profiling, symbolic reflection SMT solver : Z3 Constraint solving, counterexample generation 12

  13. Verifier = interpreter + symbolic optimization ✔ Write a verifier as Symbolic profiling to interpreter find bottleneck Develop / apply symbolic optimizations 13

  14. Example: proving refinement for sign 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) 5: ret Specification library RISC-V verifier Serval 14

  15. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch c program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 15

  16. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch c program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 16

  17. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch c program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 17

  18. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch c program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 18

  19. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) • Natural to write (define insn (fetch c program)) • Easy to audit (match insn • Can reuse CPU test suite [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 19

  20. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) 5: ret Specification library RISC-V verifier Serval 20

  21. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 0: sltz a0 a1 1: bnez a1 4 (define (sign x) 2: sgtz a0 a0 (cond 3: ret [(negative? x) -1] 4: li a0 -1 [(positive? x) 1] [(zero? x) 0])) Slow / Timeout 5: ret Specification library RISC-V verifier Serval 21

  22. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 22

  23. Bottleneck: state explosion due to symbolic PC (struct cpu (pc regs) #:mutable) (define (interpret c program) 0: sltz a0 a1 (define pc (cpu-pc c)) 1: bnez a1 4 (define insn (fetch c program)) 2: sgtz a0 a0 (match insn [('li rd imm) 3: ret (set-cpu-pc! c (+ 1 pc)) 4: li a0 -1 (set-cpu-reg! c rd imm)] 5: ret [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 23

  24. Bottleneck: state explosion due to symbolic PC v 0 : X < 0 B (struct cpu (pc regs) #:mutable) v 1 : ¬ v 0 c 7! cpu(0 , X, Y ) v 2 : ite( v 0 , 1 , 0) i 7! (sltz 1 0 # f) v 3 : ite( v 0 , 4 , 2) v 0 v 1 (define (interpret c program) J I v 4 : ite( v 0 , li , sgtz) 0: sltz a0 a1 c 7! cpu(1 , X, 1) c 7! cpu(1 , X, 0) v 5 : ite( v 0 , # f , 0) (define pc (cpu-pc c)) v 6 : ite( v 0 , � 1 , # f) 1: bnez a1 4 B (define insn (fetch c program)) v 7 : ite( v 0 , 5 , 3) c 7! cpu(1 , X, v 2 ) 2: sgtz a0 a0 v 8 : X > 0 (match insn i 7! (bnez # f 1 4) v 9 : ¬ v 8 [('li rd imm) v 0 v 1 3: ret v 10 : ite( v 8 , 1 , 0) E F v 11 : ite( v 0 , � 1 , v 10 ) (set-cpu-pc! c (+ 1 pc)) c 7! cpu(4 , X, v 2 ) c 7! cpu(2 , X, v 2 ) 4: li a0 -1 (set-cpu-reg! c rd imm)] A 5: ret [('bnez rs imm) c 7! cpu( v 3 , X, v 2 ) C (if (! (= (cpu-reg c rs) 0)) v 1 v 3 = 5 (set-cpu-pc! c imm) v 0 v 3 = 0 v 3 = 1 v 3 = 3 (set-cpu-pc! c (+ 1 pc)))] vector-ref ...)) B c 7! cpu( v 3 , X, v 2 ) i 7! (v 4 0 v 5 v 6 ) v 4 = sltz 24 v 4 = bnez

  25. Bottleneck: state explosion due to symbolic PC • Conditional jump (struct cpu (pc regs) #:mutable) (define (interpret c program) 0: sltz a0 a1 (define pc (cpu-pc c)) 1: bnez a1 4 (define insn (fetch c program)) 2: sgtz a0 a0 (match insn [('li rd imm) 3: ret (set-cpu-pc! c (+ 1 pc)) 4: li a0 -1 (set-cpu-reg! c rd imm)] 5: ret [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 25

Recommend

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

661 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification of database queries Chenglong Wang , Alvin Cheung, Ras Bodik University of Washington 1 Relational Queries The language between human and

427 views • 41 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

ASYNC08 Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT asynchronous CIRCUITS USING CIRCUIT Petri nets Petri nets Iva n Polia kov, Andre y Mokhov, Da nil Sokolov, Ashur Ra fie v, Ale x Ya kovle v

474 views • 25 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Simulation Symbolic and ternary simulation BDDs Quaternary lattice Symbolic trajectory

334 views • 14 slides
Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU Munich joint work with Andrey Rybalchenko, Microsoft Research and Boris Kpf, IMDEA Verification Quantitative verification Quantitative

599 views • 16 slides
Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification Verification Verification Kim G. Larsen Kim G. Larsen Aalborg Aalborg University Aalborg Aalborg University University DENMARK University, ,

682 views • 46 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a cek Universit e Joseph Fourrier (France) Brno University of Technology (Czech Republic) 1 Ph.D. 1st year of doctoral degree programme at

377 views • 21 slides
Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings, Boston, MA Armin Straub January 7, 2012 Tulane University, New Orleans Joint work with : Jon Borwein U. of Newcastle, AU Symbolic evaluation of

652 views • 37 slides
Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda 01 Automated database monitoring 02 Why scaling automated monitoring is hard 03 M3 architecture and why it scales so well 04 How you can use M3

3.89k views • 37 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation

Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation

Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation Committee 23 March 2017 Introduction Definition (2015): expanding, adapting and supporting successful policies, programmes and knowledge, so

368 views • 9 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Marktoberdorf 2003 Thu 31st July 2003 (11:25 12:10) 0 Summary Simulation Symbolic and ternary simulation BDDs Quaternary lattice

507 views • 16 slides
COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme: Ontology Engineering and Automated Reasoning K. Korovin &amp; R. Schmidt Automated Reasoning and Verification 1 / 10 Outline 1 Why Automated

371 views • 22 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous

Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous

Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous workshop 2003 Christophe Mauras Christophe.Mauras@univ-nantes.fr Irin/Universit e de Nantes Overview From Symbolic Simulation to Constraint

388 views • 19 slides

More recommend