## Model-Driven Construction of Certified Binaries

Citations: 1 (0 self)

### BibTeX

@MISC{Chaki_model-drivenconstruction,
  author = {Sagar Chaki and James Ivers and Peter Lee and Kurt Wallnau and Noam Zeilberger},
  title = {Model-Driven Construction of Certified Binaries},
  year = {}
}


### Abstract

Proof-Carrying Code (PCC) and Certifying Model Checking (CMC) are established paradigms for certifying the run-time behavior of programs. While PCC allows us to certify low-level binary code against relatively simple (e.g., memory-safety) policies, CMC enables the certification of a richer class of temporal logic policies, but is typically restricted to high-level (e.g., source) descriptions. In this paper, we present an automated approach to generate certified software component binaries from UML Statechart specifications. The proof certificates are constructed using information that is generated via CMC at the specification level and transformed, along with the component, to the binary level. Our technique combines the strengths of PCC and CMC, and demonstrates that formal certification technology is compatible with, and can indeed exploit, model-driven approaches to software development. We describe an implementation of our approach that targets the Pin component technology, and present experimental results on a collection of benchmarks.

### Citations

1163 | Proof-carrying code
- Necula
- 1997
Citation context: ... the worst case, such a reordering might result in a failure in proof checking, but will never validate a proof for a program that violates a policy. 7 Related Work PCC was proposed by Necula and Lee [19, 2, 20] for certifying memory safety policies on binaries. PCC works by hard-coding the desired safety policies within the machine instruction semantics, while our approach works at the specification level a...

852 | Design and synthesis of synchronization skeletons using branching time temporal logic
- Clarke, Emerson
- 1981
Citation context: ...at the validity of the proof and its relation to the code can be independently verified before the code is deployed. In contrast, Certifying Model Checking (CMC) [3] is an extension of model checking [4] for generating "proof certificates" for finite state models against a rich class of temporal logic policies. In recent years, CMC has been augmented with iterative abstraction-refinement to enable th...

411 | Safe kernel extensions without run-time checking
- Necula, Lee
- 1996
Citation context: ...his work is available as a technical report [1]. Our approach builds on two existing paradigms for software certification: proof-carrying code and certifying model checking. Proof-Carrying Code (PCC) [2] constructs a proof that machine code respects a desired policy, packages the proof with the code so that the validity of the proof and its relation to the code can be independently verified before th...

407 | Automatically validating temporal safety properties of interfaces
- Ball, Rajamani
- 2001
Citation context: ...s approach is still restricted to certifying source code while our work aims for low-level binaries. Iterative refinement has been applied successfully by several software model checkers such as SLAM [16], BLAST [17] and MAGIC [18]. While SLAM and MAGIC do not generate any proof certificates, BLAST implements a method [5] for lifting proofs of correctness. However, BLAST's certification is limited to ...

354 | Concurrency: State Models and Java Programs
- Magee, Kramer
- 2005
Citation context: ...// end of react R } // end of component comp Fig. 3. CCL Specification for a Simple Component. Interpreting CCL to C. CCL specifications are transformed into an equivalent representation in C and FSP [15] for use with Copper, a software model checker. This corresponds to Step 2 from Figure 2. In the interpreted form, each state of the specification state machine is implemented in a correspondingly lab...

239 | Foundational proof-carrying code
- Appel
- 2001
Citation context: ... how its size and complexity is reduced is an important theoretical and practical concern for future applications of PCC. There are several approaches to this concern. For example, "foundational" PCC [13] aims to reduce the TCB to its bare minimum of logic foundations. We adopt the more systems-oriented approach pioneered by Necula and Lee which does not seek a pure foundation, but rather seeks to ach...

219 | Modular verification of software components
- Chaki, Clarke, et al.
- 2003
Citation context: ...ted to certifying source code while our work aims for low-level binaries. Iterative refinement has been applied successfully by several software model checkers such as SLAM [16], BLAST [17] and MAGIC [18]. While SLAM and MAGIC do not generate any proof certificates, BLAST implements a method [5] for lifting proofs of correctness. However, BLAST's certification is limited to source code and purely safe...

154 | Translation validation
- Pnueli, Siegel, et al.
- 1998
Citation context: ...ty properties. Assurance about the correctness of binaries can also be achieved by proving the correctness of compilers (which is difficult and yet to be widely adopted) or via translation validation [28] (which still assumes that the source code is correct). In contrast, our approach requires no such correctness assumptions. In previous work, we developed an expressive linear temporal logic called SE...

111 | Validating SAT solvers using an independent resolution-based checker: Practical implementations and other applications
- Zhang, Malik
- 2003
Citation context: ...n we use a SAT-based theorem prover for this step. In essence, we convert ¬VC(RF3) (i.e., the logical negation of VC(RF3)) to a Boolean formula φ. We then check if φ is unsatisfiable using ZChaff [12]. If ¬VC(RF3) is unsatisfiable, i.e., if VC(RF3) is valid, then the resolution proof emitted by ZChaff serves as Π. The use of SAT enables us to obtain extremely compact proofs [6] in practice. Fi...

98 | A syntactic approach to foundational proof-carrying code
- Hamid, Shao, et al.
- 2002
Citation context: ... hard-coding the desired safety policies within the machine instruction semantics, while our approach works at the specification level and encodes the policy as a separate automaton. Foundational PCC [13, 21] attempts to reduce the trusted computing base of PCC to include only the foundations of mathematical logic. Bernard and Lee [22] propose a new temporal logic to express PCC policies for machine code....

66 | Efficient representation and validation of proofs
- Necula, Lee
- 1998
Citation context: ...include only the foundations of mathematical logic. Bernard and Lee [22] propose a new temporal logic to express PCC policies for machine code. Non-SAT-based techniques for minimizing PCC proof sizes [23, 24] have also been proposed. Whalen et al. [25] describe a technique for synthesizing certified code. They augment the AUTOBAYES synthesizer to add annotations based on "domain knowledge" to the generat...

60 | Oracle-based checking of untrusted software
- Necula, Rahul
- 2001
Citation context: ...include only the foundations of mathematical logic. Bernard and Lee [22] propose a new temporal logic to express PCC policies for machine code. Non-SAT-based techniques for minimizing PCC proof sizes [23, 24] have also been proposed. Whalen et al. [25] describe a technique for synthesizing certified code. They augment the AUTOBAYES synthesizer to add annotations based on "domain knowledge" to the generat...

39 | Certifying model checkers
- Namjoshi
- 2001
Citation context: ...packages the proof with the code so that the validity of the proof and its relation to the code can be independently verified before the code is deployed. In contrast, Certifying Model Checking (CMC) [3] is an extension of model checking [4] for generating "proof certificates" for finite state models against a rich class of temporal logic policies. In recent years, CMC has been augmented with iterati...

35 | Safe untrusted agents using proof-carrying code
- Necula, Lee
- 1998
Citation context: ... the worst case, such a reordering might result in a failure in proof checking, but will never validate a proof for a program that violates a policy. 7 Related Work PCC was proposed by Necula and Lee [19, 2, 20] for certifying memory safety policies on binaries. PCC works by hard-coding the desired safety policies within the machine instruction semantics, while our approach works at the specification level a...

30 | Synthesizing certified code
- Whalen, Schumann, et al.
- 2002
Citation context: ...ic. Bernard and Lee [22] propose a new temporal logic to express PCC policies for machine code. Non-SAT-based techniques for minimizing PCC proof sizes [23, 24] have also been proposed. Whalen et al. [25] describe a technique for synthesizing certified code. They augment the AUTOBAYES synthesizer to add annotations based on "domain knowledge" to the generated code. Their approach is not based on CMC,...

24 | Temporal logic for proof-carrying code
- Bernard, Lee
- 2002
Citation context: ...l and encodes the policy as a separate automaton. Foundational PCC [13, 21] attempts to reduce the trusted computing base of PCC to include only the foundations of mathematical logic. Bernard and Lee [22] propose a new temporal logic to express PCC policies for machine code. Non-SAT-based techniques for minimizing PCC proof sizes [23, 24] have also been proposed. Whalen et al. [25] describe a techniqu...

18 | Snapshot of CCL: A Language for Predictable Assembly
- Wallnau, Ivers
- 2003
Citation context: ...t must never occur, while a liveness policy stipulates a condition that must eventually occur. ... and their binary (assembly language) form. The syntax and semantics of CCL have been presented elsewhere [8], and we use the PowerPC assembly language. Hence, we only describe the other two (analysis and C implementation) forms. In its analysis form, a component is simply a control flow graph (CFG) with a s...

15 | Overview of ComFoRT: A model checking reasoning framework
- Ivers, Sharygina
- 2004
Citation context: ...be processed by a model checker. C is comprised of a C program along with finite state machine specifications for procedures invoked by the program. This step was implemented by augmenting prior work [11] so that C contains additional information relating its line numbers, variables and other data structures with those of Spec. This information is crucial for the subsequent reverse interpretation of ra...

14 | A basis for composition language CL
- Ivers, Sinha, et al.
- 2002
Citation context: ...target. The specification Spec contains a description of the component as well as the desired SE-LTL policy ϕ that the component is to be certified against. Step 2. Spec is transformed ("interpreted" [10]) into a component C, that can be processed by a model checker. C is comprised of a C program along with finite state machine specifications for procedures invoked by the program. This step was imple...

13 | From complementation to certification
- Kupferman, Vardi
- 2004
Citation context: ...nthesizer to add annotations based on "domain knowledge" to the generated code. Their approach is not based on CMC, and generates certified source code rather than binaries. Certifying model checkers [3, 26] emit an independently checkable certificate of correctness when a temporal logic formula is found to be satisfiable by a finite state model. Namjoshi [27] has proposed a two-step technique for obtain...

11 | A gradual approach to a more trustworthy, yet scalable, proof-carrying code
- Schneck, Necula
Citation context: ...ts bare minimum of logic foundations. We adopt the more systems-oriented approach pioneered by Necula and Lee which does not seek a pure foundation, but rather seeks to achieve a practical compromise [14]. Even this more "pragmatic" approach can achieve good results. In our own implementation, the TCB is over fifteen times smaller in size (30 KB vs. 450 KB) than the rest of the infrastructure. 4 Certi...

7 | Lifting temporal proofs through abstractions
- Namjoshi
Citation context: ... than binaries. Certifying model checkers [3, 26] emit an independently checkable certificate of correctness when a temporal logic formula is found to be satisfiable by a finite state model. Namjoshi [27] has proposed a two-step technique for obtaining proofs of Mu-Calculus policies on infinite state systems. In the first step, a proof is obtained via certifying model checking. In the second step, the...

4 | SAT-based Software Certification
- Chaki
- 2006
Citation context: ...es" for finite state models against a rich class of temporal logic policies. In recent years, CMC has been augmented with iterative abstraction-refinement to enable the certification of C source code [5, 6]. PCC and CMC have complementary strengths and limitations. Specifically, while PCC operates directly on binaries, its applications to date have been restricted to relatively simple memory safety 1 p...

1 | Certified binaries for software components
- Chaki, Ivers, et al.
Citation context: ...nerating trustworthy "binaries" from component specifications, and for proving that such binaries satisfy specific policies. A more detailed exposition of this work is available as a technical report [1]. Our approach builds on two existing paradigms for software certification: proof-carrying code and certifying model checking. Proof-Carrying Code (PCC) [2] constructs a proof that machine code respec...

1 | Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends
- Chaki, Wallnau
- 2005
Citation context: ...re, we modified SE-LTL to express certifiable policies. Also previously, we developed an infrastructure to generate compact certificates for C source code against SE-LTL claims in an automated manner [29]. There, the model checker is used to generate invariants and ranking functions that are required for certificate and proof construction. Compact proofs were obtained via state-of-the-art Boolean sati...
Citation Context ...re, we modified SE-LTL to express certifiable policies. Also previously, we developed an infrastructure to generate compact certificates for C source code against SE-LTL claims in an automated manner =-=[29]-=-. There, the model checker is used to generate invariants and ranking functions that are required for certificate and proof construction. Compact proofs were obtained via state-of-the-art Boolean sati... |