scaling symbolic evaluation for automated verification of
play

Scaling symbolic evaluation for automated verification of systems - PowerPoint PPT Presentation

Jan 20, 2023 •232 likes •661 views

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

  1. Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson ¹ , James Bornholt ¹ , Ronghui Gu ² , Andrew Baumann ³ , Emina Torlak ¹ , Xi Wang ¹ ¹ University of Washington, ² Columbia University, ³ Microsoft Research 1

  2. Eliminating bugs with formal verification seL4 (SOSP’09) Process Process Process Ironclad Apps (OSDI’14) FSCQ (SOSP’15) CertiKOS (PLDI’16) OS Kernel / security monitor Komodo (SOSP’17) 2

  3. Eliminating bugs with formal verification seL4 (SOSP’09) • Strong correctness guarantees Process Process Process Ironclad Apps (OSDI’14) • Require manual proofs FSCQ (SOSP’15) CertiKOS (PLDI’16) OS Kernel / security monitor • CertiKOS 200k lines of proof Komodo (SOSP’17) • Multiple person-years 3

  4. Prior work: automated (push-button) verification Implementation Specification • No proofs on implementation Automated verifier • Requires bounded implementation • Restricts specification SMT formula Example: Hyperkernel (SOSP’17) SMT solver ✔ ✘ 4

  5. Challenges Implementation Specification How to lower effort of writing automated verifiers? Automated verifier How to find and fix performance SMT formula bottlenecks? SMT solver How to retrofit to existing systems? ✔ ✘ 5

  6. Contributions • Serval: a framework for writing automated verifiers • RISC-V, x86-32, LLVM, BPF • Scaling via symbolic optimizations • Experience • Retrofitted CertiKOS and Komodo for Serval • Found 15 new bugs in Linux BPF JIT 6

  7. Contributions • Serval: a framework for writing automated verifiers • RISC-V, x86-32, LLVM, BPF • Scaling via symbolic optimizations • Experience • Retrofitted CertiKOS and Komodo for Serval • Found 15 new bugs in Linux BPF JIT no guarantees on concurrency or side channels 7

  8. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 8

  9. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 9

  10. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 10

  11. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 11

  12. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 12

  13. Verifying a system with Serval System specification RISC-V instructions RISC-V verifier Serval Rosette Z3 SMT solver 13

  14. Example: proving refinement for sign 0: sltz a1 a0 1: bnez a1 4 2: sgtz a0 a0 3: ret 4: li a0 -1 (define (sign x) (cond 5: ret [(negative? x) -1] [(positive? x) 1] [(zero? x) 0])) RISC-V verifier Serval 14

  15. Verifier = interpreter + symbolic optimization ✔ 1. Write a verifier 2. Symbolic profiling as interpreter to find bottleneck 3. Apply symbolic optimizations 15

  16. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch pc program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 16

  17. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) System RISC-V x86-32 specification instructions instructions (define (interpret c program) (define pc (cpu-pc c)) RISC-V x86-32 (define insn (fetch pc program)) verifier verifier (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 17

  18. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch pc program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 18

  19. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch pc program)) (match insn [('li rd imm) (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 19

  20. Verifier [1/3]: writing an interpreter (struct cpu (pc regs ...) #:mutable) (define (interpret c program) (define pc (cpu-pc c)) (define insn (fetch pc program)) (match insn • Easy to write [('li rd imm) • Reuse CPU test suite (set-cpu-pc! c (+ 1 pc)) (set-cpu-reg! c rd imm)] [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 20

  21. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 😁 0: sltz a1 a0 1: bnez a1 4 2: sgtz a0 a0 3: ret 4: li a0 -1 (define (sign x) (cond 5: ret [(negative? x) -1] [(positive? x) 1] RISC-V verifier [(zero? x) 0])) Serval 21

  22. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 🤰 0: sltz a1 a0 1: bnez a1 4 2: sgtz a0 a0 3: ret 4: li a0 -1 (define (sign x) (cond 5: ret Slow/Timeout [(negative? x) -1] [(positive? x) 1] RISC-V verifier [(zero? x) 0])) Serval 22

  23. Verifier [2/3]: identifying bottlenecks in symbolic evaluation 23

  24. Verifier [2/3]: identifying bottlenecks in symbolic evaluation fetch 24

  25. Verifier [2/3]: identifying bottlenecks in symbolic evaluation (struct cpu (pc regs) #:mutable) (define (interpret c program) 0: sltz a1 a0 (define pc (cpu-pc c)) 1: bnez a1 4 (define insn (fetch pc program)) 2: sgtz a0 a0 (match insn [('li rd imm) 3: ret (set-cpu-pc! c (+ 1 pc)) 4: li a0 -1 (set-cpu-reg! c rd imm)] 5: ret [('bnez rs imm) (if (! (= (cpu-reg c rs) 0)) (set-cpu-pc! c imm) (set-cpu-pc! c (+ 1 pc)))] ...)) 25

  26. Merge states to avoid path explosion PC → 0 a0 → X X < 0 ¬(X < 0) 0: sltz a1 a0 a1 → Y 1: bnez a1 4 PC → 1 PC → 1 2: sgtz a0 a0 a0 → X a0 → X 3: ret a1 → 1 a1 → 0 4: li a0 -1 5: ret PC → 1 a0 → X a1 → if(X < 0, 1, 0) 26

  27. Bottleneck: state explosion due to symbolic PC Conditional jump PC → 1 a0 → X 0: sltz a1 a0 a1 → if(X < 0, 1, 0) 1: bnez a1 4 2: sgtz a0 a0 3: ret ... ... 4: li a0 -1 5: ret PC → if(X < 0, 4, 2) a0 → X a1 → if(X < 0, 1, 0) 27

  28. Bottleneck: state explosion due to symbolic PC Conditional jump PC → if(...) a0 → X 0: sltz a1 a0 a1 → if(...) 1: bnez a1 4 2: sgtz a0 a0 3: ret 4: li a0 -1 PC → 0 PC → 1 PC → 2 5: ret PC → 3 PC → 4 PC → 5 28

  29. Verifier [3/3]: Repairing with symbolic optimizations • Symbolic optimization: • “Peephole” optimization on symbolic state • Fine-tune symbolic evaluation • Use domain knowledge • Serval provides set of symbolic optimizations for verifiers 29

  30. Verifier [3/3]: Repairing with symbolic optimizations (define (interpret c program) - (define pc (cpu-pc c)) (define insn (fetch pc program)) (match insn (define (interpret c program) ...)) + ( serval:split-pc [cpu pc] c (define insn (fetch pc program)) (match insn ...))) • Match on symbolic structure of PC • Evaluate separately using each concrete PC value • Merge states afterwards 30

  31. Verifier [3/3]: Repairing with symbolic optimizations PC → if(X < 0, 4, 2) a0 → X PC → if(X < 0, 4, 2) a1 → if(...) a0 → X a1 → if(...) split-pc PC → 0 PC → 1 PC → 2 PC → 4 PC → 2 PC → 3 PC → 4 PC → 5 31

  32. Verifier [3/3]: Repairing with symbolic optimizations PC → if(X < 0, 4, 2) a0 → X PC → if(X < 0, 4, 2) a1 → if(...) Domain knowledge: a0 → X a1 → if(...) • Split PC to avoid state explosion • Merge other registers to avoid path explosion PC → 0 PC → 1 PC → 2 PC → 4 PC → 2 PC → 3 PC → 4 PC → 5 32

  33. Verifier summary • Verifier = interpreter + symbolic optimizations • Easy to test verifiers • Systematic way to scale symbolic evaluation • Caveats: • Symbolic profiling cannot identify expensive SMT operations • Repair requires expertise 33

  34. Implementation RISC-V x86-32 LLVM BPF verifier verifier verifier verifier Serval Rosette Z3 SMT solver 34

  35. Experience • Can existing systems be retrofitted for Serval? • Are Serval’s verifiers reusable? 35

  36. Retrofitting previously verified security monitors • Port CertiKOS (PLDI’16) and Komodo (SOSP’17) to RISC-V • Retrofit the systems to automated verification • Apply the RISC-V verifier to binary image • Prove functional correctness and noninterference • ≈ 4 weeks each 36

  37. Retrofitting overview Is the specification Is the implementation free of expressible in Serval? unbounded loops? System implementation System specification 37

  38. Example: retrofitting CertiKOS • OS kernel providing strict isolation • Physical memory quota, partitioned PIDs • Security specification: noninterference Process Process Process CertiKOS 38

Recommend

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

713 views • 38 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification

Scaling Up Symbolic Reasoning for Relational Queries or, speeding up debugging &amp; verification of database queries Chenglong Wang , Alvin Cheung, Ras Bodik University of Washington 1 Relational Queries The language between human and

427 views • 41 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

ASYNC08 Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT asynchronous CIRCUITS USING CIRCUIT Petri nets Petri nets Iva n Polia kov, Andre y Mokhov, Da nil Sokolov, Ashur Ra fie v, Ale x Ya kovle v

474 views • 25 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Simulation Symbolic and ternary simulation BDDs Quaternary lattice Symbolic trajectory

334 views • 14 slides
Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU Munich joint work with Andrey Rybalchenko, Microsoft Research and Boris Kpf, IMDEA Verification Quantitative verification Quantitative

599 views • 16 slides
Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification Verification Verification Kim G. Larsen Kim G. Larsen Aalborg Aalborg University Aalborg Aalborg University University DENMARK University, ,

682 views • 46 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a

Symbolic Verification of Programs with Pointers using Tree Automata Ji r Sim a cek Universit e Joseph Fourrier (France) Brno University of Technology (Czech Republic) 1 Ph.D. 1st year of doctoral degree programme at

377 views • 21 slides
Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings,

Symbolic evaluation of log-sine integrals in polylogarithmic terms Joint Mathematics Meetings, Boston, MA Armin Straub January 7, 2012 Tulane University, New Orleans Joint work with : Jon Borwein U. of Newcastle, AU Symbolic evaluation of

652 views • 37 slides
Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda

Scaling Automated Database Monitoring at Uber with M3 and Prometheus Richard Artoul Agenda 01 Automated database monitoring 02 Why scaling automated monitoring is hard 03 M3 architecture and why it scales so well 04 How you can use M3

3.89k views • 37 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation

Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation

Evaluation Synthesis on IFADs Support to Scaling Up of Results 96 th Session of the Evaluation Committee 23 March 2017 Introduction Definition (2015): expanding, adapting and supporting successful policies, programmes and knowledge, so

368 views • 9 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Marktoberdorf 2003 Thu 31st July 2003 (11:25 12:10) 0 Summary Simulation Symbolic and ternary simulation BDDs Quaternary lattice

507 views • 16 slides
COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme:

COMP60332: Automated Reasoning and Verification Konstantin Korovin and Renate Schmidt Theme: Ontology Engineering and Automated Reasoning K. Korovin &amp; R. Schmidt Automated Reasoning and Verification 1 / 10 Outline 1 Why Automated

371 views • 22 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous

Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous

Symbolic Verification in Synchronous Constraint Programming (Work in progress) Synchronous workshop 2003 Christophe Mauras Christophe.Mauras@univ-nantes.fr Irin/Universit e de Nantes Overview From Symbolic Simulation to Constraint

388 views • 19 slides

More recommend