A Certifying Compiler and Pointer Logic
Zhaopeng Li
Software Security Lab.
Department of Computer Science and Technology, University of Science and Technology of China
October 8, 2008
Towards Building Trusted Software
Software Security Lab, USTC 2
Outline
Motivation
Research Goals
Our Work: A Certifying Compiler, PointerC Language, Pointer Logic
Summary
Future Work
Motivation
Software safety problems: the C language is widely used and there is much legacy C code, but it is not easy to write safe code with pointers.
One solution: program verification, i.e. Program + Annotation + Proof.
Motivation (cont.)
Hoare logic: Hoare triples {P}C{Q}; it is hard to reason about pointer programs.
Separation logic: for low-level code, or high-level code with restrictions; separation conjunction (P*Q). Example: $(p \mapsto \_, l_1) * (l_1 \mapsto \_, p)$
A Hoare-like logic for the C language?
Research Goals
Verification for C pointer programs: design a C-like language; design a logic.
Design a certifying compiler: generate code with proof; minimize the trusted computing base.
Our Certifying Compiler
(Architecture figure.) Source-level certifying system: PointerC language, Pointer Logic, VCGen, Prover. Certifying compiler: Code Compiler and Proof Compiler.
Pipeline: Source Code + Specifications → Source Code + Spec. + Proof → Assem. Code + Assem. Spec. + Assem. Proof
Our Certifying Compiler (cont.)
Prototype: plcc ver1.0 (2005.5-2006.9), plcc ver2.0 (2006.9-2007.12)
Improvements: built-in theorem prover; support for limited pointer arithmetic; support for more data structures (doubly-linked list).
Supported Programs
Singly-linked / doubly-linked list: traversal, reversal, delete, insert, create, clear
Binary tree: traversal, rotate, delete, insert
Evaluation
PointerC Language
PointerC: a subset of the C language with pointer types; memory management via malloc/free.
Main constraints: pointer arithmetic is limited; no union types; no type casts; …
Pointer Logic
Motivation: the PointerC typing rules carry side conditions, for example the field-access rule
  p : ptr(struct (…, x: int; …))
  ------------------------------  (valid(p))
  p->x : int
so a logical proof system is needed to reason about source programs with complex pointer aliasing. Why not separation logic?
Pointer Logic (cont.)
Why not separation logic?
List_delete.c:
  … q = p->next; p->next = p->next->next; free(q); …
List_delete_trans.c:
  … q = p->next; t = q->next; p->next = t; free(q); …
with struct List { int data; struct List *next; };
No rule for this kind of statement (compare List_delete_trans.c), and no rule for aliasing inference!
Basic ideas
Precise pointer information is collected at each program point.
Pointer classification: valid pointer set, null pointer set, dangling pointer set.
Equality between valid pointers.
Specification
Pointer information (for the list in the figure, which is omitted here):
  valid pointers, as equivalence classes: $\{\{\texttt{head},\texttt{p}\},\{\texttt{p->next}\},\{\texttt{p->next->next},\texttt{tail}\}\}$
  $N = \{\texttt{tail->next}\}$
  $D = \{\texttt{q}\}$
Queries answered from this information: head->next? p(->next)^3? head->next->next?
The information is concise!
Specification (cont.)
Compare with separation logic:
  Access paths are short.
  Low-level addresses are used in the assertion.
  Addresses are used to associate different heaps.
  $(p \mapsto \_, l_1) * (l_1 \mapsto \_, l_2) * (l_2 \mapsto \_, \mathit{nil}) \land \mathit{head} = p \land \mathit{tail} = l_2$
Expressivity
Current application: singly-linked list, doubly-linked list, binary tree.
Graph? Equality between pointers is not certain, so graphs cannot be expressed in the current pointer logic; they are not well supported in separation logic either.
Expressivity (cont.)
Singly-linked list in pointer logic:
  Flat version: $\mathit{list}(n,p) \triangleq \{\{\texttt{p}\},\{\texttt{p->next}\},\ldots,\{\texttt{p(->next)}^{n-1}\}\},\ N = \{\texttt{p(->next)}^{n}\}$
  Inductive version: $\mathit{list}(p) \triangleq (\{\texttt{p}\} \subseteq N) \lor (\{\texttt{p}\} \land \mathit{list}(\texttt{p->next}))$
Singly-linked list in separation logic, flat version:
  $\mathit{list}(n,p) \triangleq \exists l_1,\ldots,l_{n-1}.\ (p \mapsto \_, l_1) * (l_1 \mapsto \_, l_2) * \cdots * (l_{n-1} \mapsto \_, \mathit{nil})$
  p, l1, l2, …, l(n-1) are distinct!
Inference Rule
Hoare-logic-like rules {P}C{Q}: the rules extend Hoare logic and calculate the pointer information Q from P.
Memory Leak
(Figure omitted: p points to a cell whose next field is NULL.)
Pointer logic: $\{\{\texttt{p}\}\},\ N = \{\texttt{p->next}\}$  p = NULL;  $\{?\}$
  No rule for this case! A precise assertion must be used to rule out this case.
Separation logic: $\{p \mapsto \_, \mathit{nil}\}\ p := \mathit{nil}\ \{\exists x.\ x \mapsto \_, \mathit{nil} \land p = \mathit{nil}\}$
  Memory leak! (by the assignment axiom of Hoare logic)
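The Specification, Expressivity, Inference Rule and Memory Leak slides above describe pointer information as classes of equal valid pointers plus a null set and a dangling set, with rules that compute Q from P and that have no rule for a statement that would leak a cell. The following Python model is an added example written for this transcript; it is not code from plcc or the PointerC project. The representation (tuples as access paths, classes as Python sets), the way a path is re-expressed through an alias when the location it goes through is overwritten or freed, and the decision to reject copies of dangling or unknown pointers are this example's own simplifications of the rules the slides sketch; the initial states are constructed. It runs both versions of the deletion from the List_delete.c slide and rejects the `p = NULL` case from the Memory Leak slide.

```python
"""Pointer information of PointerC's pointer logic as an executable model (an added example,
not code from the plcc/PointerC project). A state records, at one program point, the valid
pointers V as equivalence classes (paths in one class reach the same cell), the null pointers N
and the dangling pointers D. Access paths are tuples: ('p', 'next') stands for p->next."""

NULL = None  # right-hand side of `x = NULL;`

class Rejected(Exception): pass  # no rule applies: unsafe dereference or a leaking statement

def path(s): return tuple(s.split('->'))   # 'p->next' -> ('p', 'next')
def show(p): return '->'.join(p)
def hits(p, dead): return any(p[:len(d)] == d for d in dead)  # does p start with a dead prefix?

class PtrInfo:
    def __init__(self, V, N=(), D=()):
        self.V, self.N, self.D = [set(c) for c in V], set(N), set(D)

    def class_of(self, p):
        return next((c for c in self.V if p in c), None)

    def aliases(self, p):
        """Every access path equal to p under the equalities in V (bounded in length)."""
        bound = max((len(q) for c in self.V for q in c), default=0) + len(p)
        seen, todo = set(), [p]
        while todo:
            q = todo.pop()
            if q in seen or len(q) > bound: continue
            seen.add(q)
            for i in range(1, len(q) + 1):
                todo += [a + q[i:] for a in (self.class_of(q[:i]) or ())]
        return seen

    def cell_of(self, p):  # the class of the cell p points to, or None if p is not known valid
        al = self.aliases(p)
        return next((c for c in self.V if c & al), None)

    def status(self, p):
        """Answer a query such as 'head->next?' from the recorded information alone."""
        if self.cell_of(p) is not None: return 'valid'
        al = self.aliases(p)
        return 'null' if al & self.N else 'dangling' if al & self.D else 'unknown'

    def check_derefs(self, p):
        """Typing side condition valid(q) for every pointer q dereferenced inside p."""
        for i in range(1, len(p)):
            if self.cell_of(p[:i]) is None: raise Rejected(f"{show(p[:i])} is not known to be valid")

    def reroute(self, p, dead):
        """Re-express p without the prefixes in dead via recorded aliases; None if impossible."""
        if not hits(p, dead): return p
        for i in range(len(p), 0, -1):
            for a in sorted(self.class_of(p[:i]) or (), key=lambda q: (len(q), q)):
                if not hits(a + p[i:], dead): return a + p[i:]
        return None

    def transfer(self, dead, classes):
        """State with every path rerouted around dead; an emptied class is a leaked cell: no rule."""
        new = PtrInfo([])
        for c in classes:
            nc = {self.reroute(q, dead) for q in c} - {None}
            if not nc: raise Rejected(f"memory leak: the cell of {show(min(c))} becomes unreachable")
            new.V.append(nc)
        new.N = {self.reroute(q, dead) for q in self.N} - {None}
        new.D = {self.reroute(q, dead) for q in self.D} - {None}
        return new

    def assign(self, lhs, rhs):
        """Rule for `lhs = rhs;` (access paths, rhs may be NULL): compute Q from P."""
        self.check_derefs(lhs)
        if rhs is not NULL: self.check_derefs(rhs)
        # dead: every name of the overwritten location (the variable, or a field of the cell lhs[:-1] reaches)
        dead = {lhs} if len(lhs) == 1 else {a + lhs[-1:] for a in self.aliases(lhs[:-1])}
        new = self.transfer(dead, self.V)
        r = NULL if rhs is NULL else self.reroute(rhs, dead)  # rhs is read before the write
        st = 'null' if rhs is NULL else new.status(r) if r else 'unknown'
        if st == 'valid': new.cell_of(r).add(lhs)
        elif st == 'null': new.N.add(lhs)
        else: raise Rejected(f"no rule: the value of {show(rhs)} is {st}")
        return new

    def free(self, p):
        """Rule for `free(p);`: p's cell becomes dangling; a cell reachable only through it leaks."""
        cell = self.cell_of(p)
        if cell is None: raise Rejected(f"free of a pointer not known to be valid: {show(p)}")
        new = self.transfer(set(cell), [c for c in self.V if c is not cell])
        new.D |= cell
        return new

def list_info(n, p):
    """Flat list predicate list(n, p): {{p}, {p->next}, ..., {p(->next)^(n-1)}} with N = {p(->next)^n}."""
    def cell(k): return (p,) + ('next',) * k
    return PtrInfo([{cell(k)} for k in range(n)], N={cell(n)})

def run(st, stmts):
    """Apply statements ('=', lhs, rhs) and ('free', p), given as access-path strings, to st."""
    for s in stmts:
        st = st.free(path(s[1])) if s[0] == 'free' else st.assign(path(s[1]), NULL if s[2] == 'NULL' else path(s[2]))
    return st

LIST_DELETE = [('=', 'q', 'p->next'), ('=', 'p->next', 'p->next->next'), ('free', 'q')]  # List_delete.c
LIST_DELETE_TRANS = [('=', 'q', 'p->next'), ('=', 't', 'q->next'), ('=', 'p->next', 't'), ('free', 'q')]
```

Running `run(list_info(3, 'p'), LIST_DELETE)` ends in the state with valid classes {p}, {p->next}, N = {p->next->next} and D = {q}: the freed cell's pointer is dangling and the remaining cells are still named through p. Both programs from the List_delete.c slide reach an equivalent state, because the rule for `p->next = p->next->next` re-expresses the paths that went through p->next via the alias q before the field is overwritten. Starting instead from {{p}}, N = {p->next} and assigning `p = NULL` raises Rejected, since the only class naming p's cell would become empty, which is exactly the "no rule for this case" of the Memory Leak slide.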
Comparison with Separation Logic
Common features: both extend Hoare logic; both deal with pointer programs.
Differences: high-level vs low-level; pointer logic can deal with long access paths; precise information vs information hiding; memory leaks are ruled out via different means.
Summary
A certifying compiler: a theorem prover for pointer logic; generates code with proof.
A pointer logic: verification for PointerC pointer programs; Hoare-logic-like rules; compared with separation logic.
Future Work
PointerC language extension: more language features; unlimited pointer arithmetic.
Pointer logic extension: deal with more data structures, such as DAGs; pointer logic for Java (static garbage detection etc.); concurrent programming.
Realistic certifying compiler: verify some code of a mini-OS.
Thanks! Questions?