Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically-allocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how they are used to recover intermediate representations (IRs) from executables that are similar to the IRs that would be available if one started from source code, and describes their application in the context of program understanding and automated bug hunting. Unlike algorithms for analyzing executables that existed prior to our work, the ones presented in this paper provide useful information about memory accesses, even in the absence of debugging information. The ideas described in the paper are incorporated in a tool for analyzing Intel x86 executables, called CodeSurfer/x86. CodeSurfer/x86 builds a system dependence graph for the program, and provides a GUI for exploring the graph by (i) navigating its edges, and (ii) invoking operations, such as forward slicing, backward slicing, and chopping, to discover how parts of the program can impact other parts. To assess the usefulness of the IRs recovered by CodeSurfer/x86 in the context of automated bug hunting, we built a tool on top of CodeSurfer/x86, called Device-Driver Analyzer for x86

Software systems usually use many different computation features and span different abstraction levels (e.g., user code level and the runtime system level). To build foundational certified systems, it is hard to have one verification system supporting all computation features. In this paper we present an open framework for foundational proof-carrying code (FPCC). It allows program modules to be specified and certified separately using different type systems or program logics. Certified modules (code + proof) can be linked to compose fully certified systems. The framework supports modular verification and proof reuse. It is extensible, and is expressive enough to allow invariants established in verification systems to be maintained when they are embedded in. Our framework is the first FPCC framework that systematically supports interoperation between different verification systems. It is fully mechanized in the Coq proof assistant with machine-checkable soundness proof.

Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques— including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors. 1.

A major challenge for verifying complete software systems is their complexity. A complete software system consists of program modules that use many language features and span different abstraction levels (e.g., user code and run-time system code). It is extremely difficult to use one verification system (e.g., type system or Hoare-style program logic) to support all these features and abstraction levels. In our previous work, we have developed a new methodology to solve this problem. We apply specialized “domain-specific ” verification systems to verify individual program modules and then link the modules in a foundational open logical framework to compose the verified complete software package. In this paper, we show how this new methodology is applied to verify a software package containing implementations of preemptive threads and a set of synchronization primitives. Our experience shows that domain-specific verification systems can greatly simplify the verification process of low-level software, and new techniques for combining domain-specific and foundational logics are critical for the successful verification of complete software systems.

We discuss a proof-producing compiler which translates first order recursion equations, defined in higher order logic, to assembly language. The front end of the compiler is based on a series of source-tosource translations, starting with a semantic CPS translation and culminating in graph-colouring register allocation. Equality of the original program and the result of register allocation is proved automatically. A translation validation assertion is then generated, relating values of the original function to the result of running the compiled code on a subset of the ARM machine. Approaches to the automatic proof of this formula are also discussed.

Abstract not found

Abstract. This report presents a methodology and some preliminary results for verification of machine code implementations of cryptographic operations. Modularity and reusability of proofs is emphasised. 1

Abstract We present the verification of the machine-level implementation of a conservative variant of the standard marksweep garbage collector in a Hoare-style program logic. The specification of the collector is given on a machine-level memory model using separation logic, and is strong enough to preserve the safety property of any common mutator program. Our verification is fully implemented in the Coq proof assistant and can be packed immediately as foundational proof-carrying code package. Our work makes important attempt toward building fully certified production-quality garbage collectors.

Abstract—Separation logic has proven to be a highly effective tool for the verification of heap-manipulating programs. However, it has been applied almost exclusively in language settings where either memory is managed manually or the issue of memory management is ignored altogether. In this paper, we present a variant of separation logic, GCSL, for reasoning about low-level programs that interface to a garbage collector. In contrast to prior work by Calcagno et al., our model of GCSL (1) permits reasoning about programs that use internal pointers and address arithmetic, (2) supports logical variables that range over pointers, and (3) validates the “frame ” rule, as well as a standard interpretation of separation-logic assertions, without requiring any restrictions on existentially-quantified formulae. Essential to our approach is the technique (due originally to McCreight et al.) of distinguishing between “logical” and “physical ” states, which enables us to insulate the logic from the physical reality that pointer “values ” may be moved and/or deallocated by the garbage collector. I.

Formally establishing safety properties of software presents a grand challenge to the computer science community. Producing proof-carrying code, i.e., machine code with machine-checkable specifications and proofs, is particularly difficult for system softwares written in low-level languages. One central problem is the lack of verification theories that can handle the expressive power of low-level code in a modular fashion. In partic-ular, traditional type- and logic-based verification approaches have restrictions on either expressive power or modularity. This dissertation presents XCAP, a logic-based proof-carrying code framework for modular machine code verification. In XCAP, program specifications are written as gen-eral logic predicates, in which syntactic constructs are used to modularly specify some crucial higher-order programming concepts for system code, including embedded code pointers, impredicative polymorphisms, recursive invariants, and general references, all in a logical setting. Thus, XCAP achieves the expressive power of logic-based approaches and the modularity of type-based approaches. Its meta theory has been completely mech-anized and proved.