Certified Code Peter Lee Carnegie Mellon University - PowerPoint PPT Presentation

1
Certified Code
Peter Lee
Carnegie Mellon University
Informatics Jamboree
May 2002
2
Ariane 5
3
Better, Faster, Cheaper
4
After a crew member mistakenly entered a zero into the data field of an application, the computer system proceeded to divide another quantity by that zero. The operation caused a buffer overflow, in which data leaked from a temporary storage space in memory, and the error eventually brought down the ship's propulsion system. The result: the USS Yorktown was dead in the water for more than two hours.
5
  • According to CERT, buffer overflow attacks are
    the #1 exploit for network security attacks.

http://www.cert.org/summaries/
8
  • 429M mobile phones sold in 2001, vs 96M PCs.
  • 95% of phones will be dynamically programmable by
    '04.
  • 64 Mbits of RAM in 2002.
  • Battery life a primary factor.
  • Efficiency and bandwidth are (still) precious.

9
Observations
  • Simple problems in the details.
  • Reuse is critical but perilous
  • Executable content
  • Performance matters a lot

10
Safety engineering
  • Small theorems about large programs
  • Precise interfaces and checking of interface
    compliance
  • Good performance

11
The Safe Code Problem
Please install and execute this.
12
Certified code
A certified maze
13
Logical frameworks
  • The Edinburgh Logical Framework is a language for
    specifying logics.

Quick tutorial
14
Proof-carrying code
Code
Verification condition generator
LF typechecker
LF proof
Agent
Proof rules
Host
15
Proof-carrying code
OK, but let me quickly look over the instructions
first.
Please install and execute this.
Code producer
Host
16
Proof-carrying code
Code producer
Host
17
Proof-carrying code
This store instruction is dangerous!
Code producer
Host
18
Proof-carrying code
Can you prove that it is always safe?
Code producer
Host
19
Proof-carrying code
Yes! Here's the proof I got from my certifying
Java compiler!
Can you prove that it is always safe?
Code producer
Host
20
Proof-carrying code
Your proof checks out.
Code producer
Host
21
Proof-carrying code
I believe you because I believe in logic!
Code producer
Host
22
Semantics
  • Define the states of the target machine
  • S = (Π, ρ, pc)
    where Π is the program, ρ the register state, and
    pc the program counter,
  • and a transition function Step(S).
  • Define also the safe machine states via the
    safety policy SP(S).
23
Semantics, contd
  • Then we have the following predicate for safe
    execution:
  • Safe(S) = ∀n ∈ Nat. SP(Step^n(S))
  • and proof-carrying code:
  • PCC = (S0 : State, P : Safe(S0))

24
Verification conditions
  • The purpose of the verification conditions is to
    provide predicates that imply Safe(Si) for each
    machine state Si.
  • Typically we must start with some initial
    pre/post conditions.

25
Implementation of PCC
Code
Certifying Prover
Proof
Proof Checker
26
The role of programming languages
  • Civilized programming languages can provide
    safety for free.
  • Well-formed/well-typed ⇒ safe.
  • Idea: Arrange for the compiler to explain why
    the target code it generates preserves the safety
    properties of the source program.

27
Certifying compilation
Certifying Compiler
Certifying Prover
Proof Checker
Example
28
Crypto test suite results
(chart; y-axis in sec)
29
Java Grande Suite v2.0
(chart; y-axis in sec)
31
Necula and Lee '96
Code
Verification condition generator
LF typechecker
LF proof
Agent
Proof rules
Host
32
Typed Assembly Language (Morrisett et al., '98)
  • Use modern type theory to develop a static type
    system for machine code.
  • Prove decidability of typechecking.
  • Prove soundness of type system.
  • Developing such a type system is very hard, but
    done only once.

33
TAL
fact: ALL rho. {r1:int, sp:{r1:int, sp:rho}::rho}
    jgz r1, positive
    mov r1, 1
    ret
positive:
    push r1                               ; sp : int::{r1:int, sp:rho}::rho
    sub r1, r1, 1
    call fact[int::{r1:int, sp:rho}::rho]
    pop r2                                ; sp : {r1:int, sp:rho}::rho
    imul r1, r1, r2
    ret
34
KVM Example (Frank Yellin, Sun)
 0. aload_0
 1. astore_1
 2. goto 10
    [Long, Number] <>          ; stack map at 5: locals, empty operand stack
 5. aload_1
 6. invokeStatic nextValue(Number)
 9. astore_1
    [Long, Number] <>          ; stack map at 10
10. aload_1
11. invokeVirtual intValue()
14. ifne 5
17. return

static void test(Long x) {
    Number y = x;
    while (y.intValue() != 0)
        y = nextValue(y);
    return;
}
35
Eliminating VCGen
  • We can eliminate VCGen by using the logic to
    encode a global invariant on states, Inv(S).
  • Then, the proof must show:
  • Inv(S0)
  • ∀S ∈ State. Inv(S) ⊃ Inv(Step(S))
  • ∀S ∈ State. Inv(S) ⊃ SP(S)
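An added example (not code from the slides): a Python model of the machine-state semantics of slides 22-24 and the three VCGen-free obligations of slide 35, checked over a constructed bcopy-style loop like the one on slide 45. The toy instruction set, `make_step`, `invariant`, `I_RANGE` and `LEN` are assumptions made for the illustration.

```python
from itertools import product

# Added example (not from the slides): the machine model of slides 22-24 and the
# three VCGen-free obligations of slide 35, for a constructed bcopy-style loop like
# slide 45's. The program is fixed, so a state S is (pc, i); Step(S) is the
# transition function and SP(S) the safety policy.
LEN = 4                         # array length the loop may write
I_RANGE = range(-1, LEN + 3)    # finite register range, so the obligations are decidable by enumeration
def make_step(bound):
    """Program: 0: if i >= bound goto 3; 1: store dst[i]; 2: i += 1, goto 0; 3: halt."""
    def step(s):
        pc, i = s
        if pc == 0: return (3, i) if i >= bound else (1, i)   # loop bounds check
        if pc == 1: return (2, i)                              # store dst[i]
        if pc == 2: return (0, i + 1)                          # i += 1
        return (3, i)                                          # halted: Step stutters
    return step

def safety_policy(s):
    """SP(S): the store at pc 1 is the only dangerous instruction; it must be in bounds."""
    pc, i = s
    return pc != 1 or 0 <= i < LEN

def invariant(s):
    """Inv(S): the global invariant a certificate for this program would establish."""
    pc, i = s
    return 0 <= i <= LEN and (pc not in (1, 2) or i < LEN)

def check_obligations(step, inv, sp, s0):
    """Slide 35: Inv(S0); Inv(S) implies Inv(Step(S)); Inv(S) implies SP(S), for all S."""
    if not inv(s0):
        return ("Inv(S0) fails", s0)
    for s in product(range(4), I_RANGE):
        if inv(s) and not inv(step(s)):
            return ("Inv not preserved", s)
        if inv(s) and not sp(s):
            return ("Inv does not imply SP", s)
    return ("ok", None)

def safe(step, sp, s0, n):      # Safe(S0) = for all n, SP(Step^n(S0)); run n steps only
    s = s0
    for _ in range(n):
        if not sp(s):
            return False
        s = step(s)
    return True

S0 = (0, 0)
GOOD = make_step(LEN)       # bounds check i < LEN: all three obligations hold
BAD = make_step(LEN + 1)    # off by one: loops while i <= LEN and stores dst[LEN]
```

Running the off-by-one loop for 3*LEN steps still reports it safe, while the invariant check immediately names the state (0, LEN) from which the unsafe store follows; that gap between testing and certification is the point of slide 35.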

36
Foundational PCC
  • Appel and Felty '00 develop a semantic model of
    types, starting from the foundations of
    mathematical logic.
  • This model is used to construct the global
    invariant.
  • Hamid, Shao, et al. define the global invariant
    to be a syntactic well-formedness condition on
    machine states.

37
Temporal-logic PCC
  • Bernard and Lee '02 define the global invariant
    via a temporal-logic specification.
  • A trusted generic program then interprets these
    specifications to extract verification conditions.

38
Conclusions
  • Code safety is a problem of increasing
    importance.
  • Certified code is a possible low-cost way to
    apply type theory and program verification to
    this problem.

40
Formal proofs
  • Write "x is a proof of P" as x:P.
  • Example of a predicate

We can write proofs by stitching together the
application of rules of inference.
41
Example inference rule
  • If we have a proof x of P and a proof y of Q,
    then x and y together constitute a proof of P ∧ Q.
  • Or, in ASCII:
  • Given x:P, y:Q then (x,y):P*Q.

42
More inference rules
  • Assume we have a proof x of P. If we can then
    obtain a proof b of Q, then we have a proof of
    P ⊃ Q.
  • Given x:P ⊢ b:Q then fn (x:P) => b : P ⊃ Q.
  • More rules:
  • Given x:P*Q then fst(x):P
  • Given y:P*Q then snd(y):Q

43
Types and proofs
  • So, for example:
  • fn (x:P*Q) => (snd(x), fst(x)) : P*Q ⊃ Q*P
  • This is an ML program!
  • LF provides additional expressive power and an
    adequacy theorem.
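A small checker for the proofs-as-programs fragment of slides 40-43, added here as an example (not code from the slides or from LF); the tuple encoding of propositions and proof terms and the names `infer` and `checks` are assumptions.

```python
# Added example (not from the slides): a proof checker for the propositional
# fragment of slides 40-43. Proofs are ML-like terms, so checking a proof is
# type checking. Encoding (an assumption of this example):
#   props : ('atom', name) | ('and', A, B) | ('imp', A, B)
#   proofs: ('var', x) | ('pair', m, n) | ('fst', m) | ('snd', m) | ('fn', x, A, body)

def infer(term, ctx):
    """Return the proposition that `term` proves under ctx (name -> prop).
    Raises ValueError when the term is not a well-formed proof."""
    kind = term[0]
    if kind == 'var':                        # an assumption x:P must be in scope
        if term[1] not in ctx:
            raise ValueError("unbound assumption " + term[1])
        return ctx[term[1]]
    if kind == 'pair':                       # x:P, y:Q  gives  (x,y):P*Q
        return ('and', infer(term[1], ctx), infer(term[2], ctx))
    if kind in ('fst', 'snd'):               # x:P*Q  gives  fst(x):P and snd(x):Q
        p = infer(term[1], ctx)
        if p[0] != 'and':
            raise ValueError(kind + " applied to a proof of a non-conjunction")
        return p[1] if kind == 'fst' else p[2]
    if kind == 'fn':                         # x:P |- b:Q  gives  fn (x:P) => b : P ⊃ Q
        _, name, dom, body = term
        return ('imp', dom, infer(body, {**ctx, name: dom}))
    raise ValueError("unknown proof form " + str(kind))

def checks(term, claim):
    """Host-side check: does `term` prove exactly the claimed proposition?"""
    try:
        return infer(term, {}) == claim
    except ValueError:
        return False

P, Q = ('atom', 'P'), ('atom', 'Q')
PQ = ('and', P, Q)
X = ('var', 'x')
# fn (x:P*Q) => (snd(x), fst(x)) : P*Q ⊃ Q*P   -- the ML program of slide 43
SWAP = ('fn', 'x', PQ, ('pair', ('snd', X), ('fst', X)))
SWAP_CLAIM = ('imp', PQ, ('and', Q, P))
# A bogus certificate for the same claim: both components are built from fst(x),
# so it proves P*Q ⊃ P*P and the checker must reject it.
BOGUS = ('fn', 'x', PQ, ('pair', ('fst', X), ('fst', X)))

if __name__ == "__main__":
    print(checks(SWAP, SWAP_CLAIM), checks(BOGUS, SWAP_CLAIM))   # prints: True False
```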

45
Example: Source code
public class Bcopy {
    public static void bcopy(int[] src, int[] dst) {
        int l = src.length;
        int i = 0;
        for (i = 0; i < l; i++) dst[i] = src[i];
    }
}

46
Example: Target code
ANN_LOCALS(_bcopy__6arrays5BcopyAIAI, 3)
        .text
        .align 4
        .globl _bcopy__6arrays5BcopyAIAI
_bcopy__6arrays5BcopyAIAI:
        cmpl $0, 4(%esp)                ; src == null?
        je L6
        movl 4(%esp), %ebx              ; ebx = src
        movl 4(%ebx), %ecx              ; ecx = src.length
        testl %ecx, %ecx
        jg L22
        ret
L22:    xorl %edx, %edx                 ; edx = i = 0
        cmpl $0, 8(%esp)                ; dst == null?
        je L6
        movl 8(%esp), %eax              ; eax = dst
        movl 4(%eax), %esi              ; esi = dst.length
L7:     ANN_LOOP(INV = (csubneq ebx 0), (csubneq eax 0), (csubb edx ecx), (of rm mem),
                 MODREG = (EDI,EDX,EFLAGS,FFLAGS,RM))
        cmpl %esi, %edx                 ; i >= dst.length (unsigned)?
        jae L13
        movl 8(%ebx, %edx, 4), %edi     ; edi = src[i]
        movl %edi, 8(%eax, %edx, 4)     ; dst[i] = edi
        incl %edx
        cmpl %ecx, %edx
        jl L7
        ret
L13:    call __Jv_ThrowBadArrayIndex
        ANN_UNREACHABLE
        nop
L6:     call __Jv_ThrowNullPointer
        ANN_UNREACHABLE
        nop
47
Example: Proof excerpt (LF representation)
ANN_PROOF(_6arrays6Bcopy1_MbcopyAIAI, LF_(andi
(impi H_1 pf (of _p22 (jarray jint)) (andi
(impi H_2 pf (of _p23 (jarray jint)) (andi
(impi H_3 pf (of _p21 mem) (andi (impi H_4
pf (ceq (sub _p23 0)) truei) (andi (impi H_5
pf (cneq (sub _p23 0)) (andi (rd4 (arrLen H_2
(nullcsubne H_5)) szint) (andi (nullcsubne
H_5) (andi H_3 (andi H_1 (andi (impi H_10 pf
(nonnull _p23) (andi (impi H_11 pf (of _p64
mem) (andi (impi H_12 pf (of _p65 (jarray
jint)) (andi (impi H_13 pf (cnlt (sub _p49
(sel4 _p21 (add _p23 4)))) (andi
H_11 truei)) (andi (impi H_15 pf (clt (sub
_p49 (sel4 _p21 (add _p23 4)))) (andi (rd4
(arrLen H_2 H_10) szint) (andi (impi H_17 pf
(cnb (sub _p49 (sel4 _p64 (add _p23
4)))) truei) (andi (impi H_18 pf (cb (sub
_p49 (sel4 _p64 (add _p23 4)))) (andi (rd4
(arrElem H_2 H_11 H_10 szint (ultcsubb H_18))
szint) (andi (impi H_20 pf (ceq (sub _p65
0)) truei) (andi (impi H_21 pf (cneq (sub
_p65 0)) (andi (rd4 (arrLen H_12 (nullcsubne
H_21)) szint) (andi (impi H_23 pf (cnb (sub
_p49 (sel4 _p64 (add _p65 4)))) truei) (andi
(impi H_24 pf (cb (sub _p49 (sel4 _p64 (add
_p65 4)))) (andi (wr4 (arrElem H_12 H_11
(nullcsubne H_21) szint (ultcsubb H_24))
szint (jintany (sel4 _p64 (add _p23 (add (mul
_p49 4) 8))))) (andi H_10 (andi (ofamem 1) (andi
H_12 truei))))) truei)))) truei)))) truei)))) true
i))) truei)) truei)) truei)))))) truei))) truei))
truei)) truei)_LF)
48
Abadi's favorite slide
rlrrllrrllrlrlrllrlrrllrrll
49
Example: Complete proof (Oracle representation)
Lprf_6arrays6Bcopy1_MbcopyAIAI:
        ANN_ARCHW1DECL 0x76, 0xab, 0xb5, 0xd8, 0xeb, 0x10