Conference Paper

A Proof Infrastructure for Binary Programs

Authors:
  • Dependable Computing

Abstract

Establishing properties of binary programs by proof is a desirable goal when the properties of interest are crucial, as they are in safety- and security-critical applications. Practical development of proofs for binary programs requires a substantial infrastructure to disassemble the program, define the machine semantics, and actually undertake the required proofs. At the center of these infrastructure requirements is the need to document the semantics in a formal language. In this paper we present a work-in-progress proof infrastructure for binary programs based on SPARK Pro, AdaCore and Altran's integrated development and verification environment. We illustrate the infrastructure with the proof of a security property.


... The output of static analysis includes the entire binary program translated into SPARK Ada [1]. SPARK Ada is used as an intermediate representation of the binary program, because the language supports specification of security properties and is supported by a high-quality proof infrastructure, the SPARK Pro analysis tools [6]. ...
Conference Paper
Full-text available
Software for which development artifacts are missing is increasingly common and difficult to avoid, including in embedded systems. The lack of development artifacts leaves doubt about whether the software possesses critical security properties and makes enhancement of the software extremely difficult. Embedded systems often have strict resource constraints, making the application of security enhancements especially difficult. In this paper, we present details of a system that is being developed to provide significant protection against security exploits of embedded systems. The system operates on binary programs. No source code or other development artifacts are required, and the typical size and time constraints of embedded systems are accounted for in the analysis and processing of subject binary programs. Formal verification of security properties is used to eliminate unnecessary security transformations, and transformations are applied by a highly efficient static binary rewriter.
Conference Paper
Full-text available
Verification of machine-code programs using program logic has focused on functional correctness, and proofs have required manually-provided program specifications. Fortunately, the verification of shallow safety properties such as memory isolation and control-flow safety can be easier to automate, but past techniques for automatically verifying machine-code safety have required post-compilation transformations, which can change program behavior. In this work, we automatically verify safety properties for unmodified machine-code programs without requiring user-supplied specifications. Our novel logic framework, AUSPICE, for automatic safety property verification for unmodified executables, extends an existing trustworthy Hoare logic for local reasoning, and provides a novel proof tactic for selective composition. We demonstrate our automated proof technique on synthetic and realistic programs. Our verification completes in 6 h for a realistic 533-instruction string search algorithm, demonstrating the feasibility of our approach.
Conference Paper
Full-text available
We have designed and implemented ARMor, a system that uses software fault isolation (SFI) to sandbox application code running on small embedded processors. Sandboxing can be used to protect components such as the RTOS and critical control loops from other, less-trusted components. ARMor guarantees memory safety and control flow integrity; it works by rewriting a binary to put a check in front of every potentially dangerous operation. We formally and automatically verify that an ARMored application respects the SFI safety properties using the HOL theorem prover. Thus, ARMor provides strong isolation guarantees and has an exceptionally small trusted computing base: there is no trusted compiler, binary rewriter, verifier, or operating system.
Article
Verification condition (VC) generation is a fundamental part of many program analyses and applications, including proving program correctness, automatic test case generation, proof carrying code, and others. In all application domains, there are two critical factors for VC generation algorithms: compact final VCs and fast VC generation. Compact VCs save more than bits; empirically, compact formulas are easier to reason about in subsequent steps such as VC verification [12, 18]. The theoretically most efficient algorithms for generating VCs are based upon weakest preconditions (WP). Current WP algorithms iterate over program statements backwards from the last statement in the program to the first, and can generate a VC that is at most O(M^2) the size of a program. In practice, however, application domains that rely on VC generation often opt to use forward symbolic execution (FSE), which works in the forward direction from the first program statement to the last. Forward-based algorithms are attractive in practice because they easily afford optimizations such as eliminating constant expressions from VCs during generation. FSE, however, is theoretically exponentially worse than WP-based algorithms: it produces a separate VC for each program path, so the final VC for all paths is O(2^M). We propose a new directionless weakest precondition that can be run in both the forward and backward direction. Our algorithm provides O(M^2) VC generation time and predicate size while affording the optimizations that make FSE attractive in practice. We provide end-to-end proofs of correctness, size, and generation time. We then show how our approach leads to a proof of equivalence between VCs generated with WPs and FSE for typical structured programs.
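The following is an added, constructed example and not code from the paper above, from its authors, or from any of the cited systems. It miniaturises two things on this page: the main abstract's pipeline (a few lifted instructions with explicit 32-bit machine semantics and a security property to prove about them) and this abstract's contrast between backward weakest-precondition (WP) and forward symbolic-execution (FSE) VC generation. The property is SFI-style store confinement of the kind ARMor and XFI enforce. The sandbox window, the register names, the pseudo-assembly and every helper name (`wp`, `fse`, `smt_script`, `diamonds`) are assumptions made for the illustration; the VC is emitted as SMT-LIB 2 for an external solver, and Python itself proves nothing.

```python
"""Constructed example, not the paper's code: a miniature of the pipeline the abstract
describes. Lifted instructions get explicit 32-bit semantics, the security property is
'every store lands in a fixed sandbox window', and the verification condition (VC) is
produced backwards by weakest precondition (WP) or forwards by symbolic execution (FSE).
Expressions: ("reg", r) | ("const", n) | ("true",) | ("not", e) | (binop, a, b)
Statements:  ("assign", r, e) | ("store", addr, val) | ("ite", cond, then, else)"""
MASK32 = 0xFFFFFFFF
SANDBOX_BASE, SANDBOX_SIZE = 0x20000000, 0x1000   # assumed sandbox window
TRUE = ("true",)
SMT_OPS = {"and": "bvand", "add": "bvadd", "ult": "bvult", "uge": "bvuge", "=>": "=>", "/\\": "and"}

def reg(r): return ("reg", r)
def const(n): return ("const", n & MASK32)
def op(kind, a, b): return (kind, a, b)   # kind is a key of SMT_OPS

def rewrite(e, f):
    """Apply f to every register read in e, rebuilding the tree."""
    if e[0] == "reg":
        return f(e)
    if e[0] in ("const", "true"):
        return e
    return (e[0],) + tuple(rewrite(x, f) for x in e[1:])

def evaluate(e, env):
    """Concrete semantics under a register valuation; arithmetic wraps at 32 bits."""
    k = e[0]
    if k == "reg":   return env[e[1]] & MASK32
    if k == "const": return e[1]
    if k == "true":  return True
    if k == "not":   return not evaluate(e[1], env)
    a, b = evaluate(e[1], env), evaluate(e[2], env)
    return {"and": lambda: a & b, "add": lambda: (a + b) & MASK32, "ult": lambda: a < b,
            "uge": lambda: a >= b, "=>": lambda: (not a) or b, "/\\": lambda: a and b}[k]()

def in_sandbox(addr):
    """The security property attached to every store."""
    return op("/\\", op("uge", addr, const(SANDBOX_BASE)),
                     op("ult", addr, const(SANDBOX_BASE + SANDBOX_SIZE)))

def wp(stmts, post):
    """Backward WP: one VC for the whole block. Memory is never read here, so a store
    only adds its obligation; a branch copies the postcondition into both arms."""
    q = post
    for s in reversed(stmts):
        if s[0] == "assign":
            q = rewrite(q, lambda e, s=s: s[2] if e[1] == s[1] else e)   # q[e/r]
        elif s[0] == "store":
            q = in_sandbox(s[1]) if q == TRUE else op("/\\", in_sandbox(s[1]), q)
        else:
            q = op("/\\", op("=>", s[1], wp(s[2], q)), op("=>", ("not", s[1]), wp(s[3], q)))
    return q

def fse(stmts, env=None, path=None):
    """Forward symbolic execution: a separate VC per store on each explored path."""
    env, path, vcs = dict(env or {}), list(path or []), []
    sym = lambda e: rewrite(e, lambda x: env.get(x[1], x))
    for i, s in enumerate(stmts):
        if s[0] == "assign":
            env[s[1]] = sym(s[2])
        elif s[0] == "store":
            goal = in_sandbox(sym(s[1]))
            for c in reversed(path):           # path condition implies the obligation
                goal = op("=>", c, goal)
            vcs.append(goal)
        else:   # fork on the branch condition, then continue with the block's tail
            c, rest = sym(s[1]), stmts[i + 1:]
            return vcs + fse(s[2] + rest, env, path + [c]) + fse(s[3] + rest, env, path + [("not", c)])
    return vcs

def free_regs(e):
    regs = set()
    rewrite(e, lambda x: regs.add(x[1]) or x)
    return regs

def smt(e):
    k = e[0]
    if k == "reg":   return e[1]
    if k == "const": return f"(_ bv{e[1]} 32)"
    if k == "true":  return "true"
    if k == "not":   return f"(not {smt(e[1])})"
    return f"({SMT_OPS[k]} {smt(e[1])} {smt(e[2])})"

def smt_script(vc):
    """QF_BV script for the negated VC; 'unsat' from the solver means the VC is valid."""
    decls = "".join(f"(declare-const {r} (_ BitVec 32))\n" for r in sorted(free_regs(vc)))
    return "(set-logic QF_BV)\n" + decls + f"(assert (not {smt(vc)}))\n(check-sat)\n"

# Constructed lifted pseudo-assembly with an SFI-style masked store:
#   AND r1, r0, #0xFFF ; ADD r1, r1, #SANDBOX_BASE ; STR r2, [r1]
MASKED = [("assign", "r1", op("and", reg("r0"), const(0xFFF))),
          ("assign", "r1", op("add", reg("r1"), const(SANDBOX_BASE))),
          ("store", reg("r1"), reg("r2"))]
# The same store without the mask: its VC is falsifiable (r0 = 0x1000 leaves the window).
UNMASKED = [("assign", "r1", op("add", reg("r0"), const(SANDBOX_BASE))),
            ("store", reg("r1"), reg("r2"))]

def diamonds(n):
    """n sequential branches picking a mask, then one store: FSE emits 2**n VCs, WP one."""
    arm = lambda m: [("assign", "r1", op("and", reg("r0"), const(m)))]
    prog = [("ite", op("ult", reg(f"c{i}"), const(1)), arm(0xFFF), arm(0xFF)) for i in range(n)]
    return prog + [("assign", "r1", op("add", reg("r1"), const(SANDBOX_BASE))), ("store", reg("r1"), reg("r2"))]

if __name__ == "__main__":
    print(smt_script(wp(MASKED, TRUE)))
    print("FSE VCs for 6 diamonds:", len(fse(diamonds(6))), "(WP produces one)")
```

Running the script prints a QF_BV script for the masked block; feeding it to any SMT-LIB 2 solver and getting `unsat` discharges the store-confinement obligation, while the unmasked block's VC is refuted by a concrete register valuation. The `wp` here is the textbook backward rule, so it copies the postcondition at every branch; the abstract's point is that a directionless WP keeps the polynomial bound while allowing the per-statement simplifications that make FSE attractive.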
Conference Paper
This paper presents a new HOL4 formalization of the current ARM instruction set architecture, ARMv7. This is a modern RISC architecture with many advanced features. The formalization is detailed and extensive. Considerable tool support has been developed, with the goal of making the model accessible and easy to work with. The model and supporting tools are publicly available – we wish to encourage others to make use of this resource. This paper explains our monadic specification approach and gives some details of the endeavours that have been made to ensure that the sizeable model is valid and trustworthy. A novel and efficient testing approach has been developed, based on automated forward proof and communication with ARM development boards.
Conference Paper
XFI is a comprehensive protection system that offers both flexible access control and fundamental integrity guarantees, at any privilege level and even for legacy code in commodity systems. For this purpose, XFI combines static analysis with inline software guards and a two-stack execution model. We have implemented XFI for Windows on the x86 architecture using binary rewriting and a simple, stand-alone verifier; the implementation's correctness depends on the verifier, but not on the rewriter. We have applied XFI to software such as device drivers and multimedia codecs. The resulting modules function safely within both kernel and user-mode address spaces, with only modest enforcement overheads.
SPARK: The Proven Approach to High Integrity Software
  • J Barnes