modular verification of assembly code with stack-based control abstractions

Modular Verification of Assembly Code with Stack-Based Control Abstractions

Xinyu Feng

Yale University

Joint work with Zhong Shao, Alexander Vaynberg, Sen Xiang and Zhaozhong Ni

Motivation

How to verify the safety & correctness properties of low-level system software?

Vanilla C & C++ & Assembly?

Hardware

Java (JML) C# (Spec #)

Cyclone CCured TAL

…System Software

Verifying C & Assembly? Many challenges …

This talk: how to specify/verify low-level stack-based control flows?

How to formulate the stack invariants? How to design a compositional program logic?

Previous work does not apply! Hoare-Logic done at high-level: no explicit stacks! TAL & Proof-Carrying Code:

Mostly use continuations & CPS-based reasoning Too general to distinguish different stack abstractions

Problems – call/returnvoid f(){ void h(){

h(); return;

return; }

}

f: ...

sw $ra, -4($fp) h:

jal h ;; $ra contains ct

ct: lw $ra, -4($fp) jr $ra

...

jr $ra

Stacks are hidden!

Does f use the right return addr.?

pc

pcpc

f2

…

f1

…

Problems – setjmp/longjmp

int rev(int x){

if (setjmp(env) == 0){

cmp0(x, env); return 0;

}else{

return 1;

}

}

void cmp0(int x,jmp_buf env){

cmp1(x, env);

}


if (x == 0)

longjmp(env, 1);

else

return;

}

jmp_buf env = …;

pc

f0

… sp

env

f0

f1

pc

pc

f2

env cannot outlive the stack frame of rev !

No ’s!

Our ContributionsA simple program logic (SCAP) for modular verification of (1) compiled C code & (2) manually-written assembly code

All systems are lemma libraries built on a single CAP0 framework!

Outline of This Talk Motivations and contributions

SCAP logic for verifying function call/return Basic framework Specifications Stack-invariant Instruction rules (to enforce the invariant)

Generalizations for complicated controls

Implementation & applications

The Machine

I1f1:

I2f2:

I3f3:

…

(code heap) C

0

r1

1 2 …

r2 r3 … rn

(data heap) H

(register file) R

(state) S

addu … lw … sw … … j f

(instr. seq.) I

(program) P::=(C,S,pc)

::=(H,R)::={f I}*

pc

Invariant-Based Verification

Initial condition: Inv(S0)

S0

c1 S1

c2 S2

c3 … cn Sn

Progress: if Inv(S), then S’. S c S’.

Preservation: if Inv(S) and S c S’, then Inv(S’).

Program Specifications

I1f1:

I2f2:

I3f3:

…

(code heap) C

0

r1

1 2 …

r2 r3 … rn

(data heap) H

(register file) R

(state) S

addu … lw … sw … … j f

(instr. seq.) I

(program) P::=(C,S,pc)

::=(H,R)::={f I}*

pc

a1

a2

a3

(spec) ::= {f a}*

The SCAP Program Logic

the form of specification “a”

the invariant (based on the spec. )

the proof obligations Instruction rules for call, ret, tail call, …

Specifications

f:

...

sw $ra, -4($fp)

jal h

ct:

lw $ra, -4($fp)

...

jr $ra

{(p0, g0)}

{(p1, g1)}

SCAP specifications: (p, g) p: State Prop g: State State Prop

g0

g1

g0 S S’ S’.$ra = S.$ra …

Challenges f uses the “right” return addr.?

Hoare triple {p} f {q}? In different basic blocks!

{$ra = n …}

{$ra = n …}

Program Spec. and Code Pointers

jal f

jal h

jr $ra

jr $ra

Program Specification::= {f1(p1,g1), …,fn(pn,gn)}

“safe” to return (jr $ra): $radom() ($ra)=(p,g) p holds at the time of return

g0

g4

p0

p4

g1

p1

g2

p2

g3

p3

…

jr $ra

SCAP : Stack Invariant

p0

g0p1

g1p2

g2p3

g3

g0 S0 S1

S1.$ra (S1.$ra))=(p1, g1) p1 S1

g0 S0 S1 g1 S1 S2

S2.$ra (S2.$ra)=(p2, g2) p2 S2

g0 S0 S1 g1 S1 S2 g2 S2 S3

S3.$ra (S3.$ra)=(p3, g3) p3 S3

jr $ra

Logical control stack

Always safe to return?S0

S1

S2

S3

SCAP : Stack InvariantWFST(n, g0 S0, ) S1. g0 S0 S1

p1,g1.

(S1.$ra)=(p1, g1) p1 S1 WFST(n-1, g1 S1, )

WFST(0, g0 S0, ) S1. g0 S0 S1

Invariant:p S n.WFST(n, g S, )

p0

g0p1

g1p2

g2p3

g3

jr $ra

Logical control stack

S0

S1

S2

S3

SCAP : Invariant Preservation Inv(S):

p S n.WFST(n, g S, )

cS’

p S n.WFST(n,g S,)

S

p’ S’ n.WFST(n,g’S’,)

SCAP: call

p0

g0p1

g1

jr $ra

p0

g0jr $ra

p

g

jal f

p S WFST(n, g S, ) p0 S0 WFST(n+1, g0 S0, )

S S0

n+1

n

…

p S p0 S0

p1

g1

n

…

p S g0 S0 S1 p1 S1

p S g0 S0 S1 g1 S1 S2 g S S2

g0 S0 S1 S0.$ra = S1.$ra

S1S1

S2 S2

SCAP: ret

pgp1

g1

p1

g1jr $ra

p S WFST(n, g S, ) p1 S1 WFST(n-1, g1 S1, )

n

n-1

… n-1

…

p S g S S1

SS1

SCAP: tail call

p0

g0

jr $ra

p

g

S

n

… j f

p0

g0

jr $ra

S0

n

…

p S WFST(n, g S, ) p0 S0 WFST(n, g0 S0, )

p S p0 S0 p S g0 S0 S1 g S S1

S1S1

SCAP: call

p0

g0p1

g1

jr $ra

p0

g0jr $ra

p

g

jal f

p S WFST(n, g S, ) p0 S0 WFST(n+1, g0 S0, )

S S0

n+1

n

…

p S p0 S0

p1

g1

n

…

p S g0 S0 S1 p1 S1

p S g0 S0 S1 g1 S1 S2 g S S2

g0 S0 S1 S0.$ra = S1.$ra

S1S1

S2 S2

Generalization: Stack unwinding/cutting

g1

p1

jr ra

p

g

+

p1

g1jr ra

p

g

Multi-ret

p1

g1

jr ra

p

g

Tail-call

Example: setjmp/longjmp

int rev(int x){

if (setjmp(env) == 0){

cmp0(x, env); return 0;

}else{

return 1;

}

}


cmp1(x, env);

}


if (x == 0)

longjmp(env, 1);

else

return;

}

jmp_buf env = …;

Further extensions

switch

switch

switch

switch

switch

call

ret

switch

switch

switch

coroutines

coroutines w. functions calls

Implementation & Applications Coq implementation

Encoding of machine (370 lines) Syntax & Operational semantics

Encoding of CAP0 framework/SCAP systems (1800L)

Inference rules & Soundness proof Certified programs w. proofs (10,000+ L)

malloc/free …… garbage collectors [McCreight et al 06]

Summary SCAP-family logics as lemmas

CAP0: the generic framework Inference rules are lemmas in CAP0

Function call;

tail-call optimization

SCAP

Exceptions: Stack-unwinding SCAP-I, EUCAP

Exceptions: Stack-cutting SCAP-II, ECAP

Weak-continuation

setjmp/longjmp

SCAP-II

Coroutines (w. function call) CAP-CR (SCAP-CR)

Threads FCCAP

modular verification of assembly code with stack-based control abstractions

Documents