Jean Pichon-Pharabod’s research while affiliated with Aarhus University and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (21)


CertiCoq-Wasm: A Verified WebAssembly Backend for CertiCoq
  • Conference Paper

January 2025

·

3 Reads

Wolfgang Meier

·

Martin Jensen

·

Jean Pichon-Pharabod

·


Fig. 10. GIC automaton, for each PE and each INTID, based on Figure 4-3 "Interrupt handling state machine" from Arm [10, §4.1.2], specialised to edge-triggered behaviour.
Relaxed exception semantics for Arm-A (extended version)
  • Preprint
  • File available

December 2024

·

5 Reads

Ben Simner

·

Alasdair Armstrong

·

Thomas Bauereiss

·

[...]

·

and Peter Sewell

To manage exceptions, software relies on a key architectural guarantee, precision: that exceptions appear to execute between instructions. However, this definition, dating back over 60 years, fundamentally assumes a sequential programmers model. Modern architectures such as Arm-A with programmer-observable relaxed behaviour make such a naive definition inadequate, and it is unclear exactly what guarantees programmers have on exception entry and exit. In this paper, we clarify the concepts needed to discuss exceptions in the relaxed-memory setting -- a key aspect of precisely specifying the architectural interface between hardware and software. We explore the basic relaxed behaviour across exception boundaries, and the semantics of external aborts, using Arm-A as a representative modern architecture. We identify an important problem, present yet unexplored for decades: pinning down what it means for exceptions to be precise in a relaxed setting. We describe key phenomena that any definition should account for. We develop an axiomatic model for Arm-A precise exceptions, tooling for axiomatic model execution, and a library of tests. Finally we explore the relaxed semantics of software-generated interrupts, as used in sophisticated programming patterns, and sketch how they too could be modelled.

Download

Iris-MSWasm: Elucidating and Mechanising the Security Invariants of Memory-Safe WebAssembly

October 2024

·

1 Read

·

2 Citations

Proceedings of the ACM on Programming Languages

WebAssembly offers coarse-grained encapsulation guarantees via its module system, but does not support fine-grained sharing of its linear memory. MSWasm is a recent proposal which extends WebAssembly with fine-grained memory sharing via handles, a type of capability that guarantees spatial and temporal safety, and thus enables an expressive yet safe style of programming with flexible sharing. In this paper, we formally validate the pen-and-paper design of MSWasm. To do so, we first define MSWasmCert, a mechanisation of MSWasm that makes it a fully-defined, conservative extension of WebAssembly 1.0, including the module system. We then develop Iris-MSWasm, a foundational reasoning framework for MSWasm composed of a separation logic to reason about known code, and a logical relation to reason about unknown, potentially adversarial code. Iris-MSWasm thereby makes explicit a key aspect of the implicit universal contract of MSWasm: robust capability safety. We apply Iris-MSWasm to reason about key use cases of handles, in which the effect of calling an unknown function is bounded by robust capability safety. Iris-MSWasm thus works as a framework to prove complex security properties of MSWasm programs, and provides a foundation to evaluate the language-level guarantees of MSWasm.


An Axiomatic Basis for Computer Programming on the Relaxed Arm-A Architecture: The AxSL Logic

January 2024

·

7 Reads

·

1 Citation

Proceedings of the ACM on Programming Languages

Very relaxed concurrency memory models, like those of the Arm-A, RISC-V, and IBM Power hardware architectures, underpin much of computing but break a fundamental intuition about programs, namely that syntactic program order and the reads-from relation always both induce order in the execution. Instead, out-of-order execution is allowed except where prevented by certain pairwise dependencies, barriers, or other synchronisation. This means that there is no notion of the 'current' state of the program, making it challenging to design (and prove sound) syntax-directed, modular reasoning methods like Hoare logics, as usable resources cannot implicitly flow from one program point to the next. We present AxSL, a separation logic for the relaxed memory model of Arm-A, that captures the fine-grained reasoning underpinning the low-overhead synchronisation mechanisms used by high-performance systems code. In particular, AxSL allows transferring arbitrary resources using relaxed reads and writes when they induce inter-thread ordering. We mechanise AxSL in the Iris separation logic framework, illustrate it on key examples, and prove it sound with respect to the axiomatic memory model of Arm-A. Our approach is largely generic in the axiomatic model and in the instruction-set semantics, offering a potential way forward for compositional reasoning for other similar models, and for the combination of production concurrency models and full-scale ISAs.


Iris-Wasm: Robust and Modular Verification of WebAssembly Programs

June 2023

·

17 Reads

·

9 Citations

Proceedings of the ACM on Programming Languages

WebAssembly makes it possible to run C/C++ applications on the web with near-native performance. A WebAssembly program is expressed as a collection of higher-order ML-like modules, which are composed together through a system of explicit imports and exports using a host language, enabling a form of higher- order modular programming. We present Iris-Wasm, a mechanized higher-order separation logic building on a specification of Wasm 1.0 mechanized in Coq and the Iris framework. Using Iris-Wasm, we are able to specify and verify individual modules separately, and then compose them modularly in a simple host language featuring the core operations of the WebAssembly JavaScript Interface. Building on Iris-Wasm, we develop a logical relation that enforces robust safety: unknown, adversarial code can only affect other modules through the functions that they explicitly export. Together, the program logic and the logical relation allow us to formally verify functional correctness of WebAssembly programs, even when they invoke and are invoked by unknown code, thereby demonstrating that WebAssembly enforces strong isolation between modules.


VMSL: A Separation Logic for Mechanised Robust Safety of Virtual Machines Communicating above FF-A

June 2023

·

7 Reads

·

2 Citations

Proceedings of the ACM on Programming Languages

Thin hypervisors make it possible to isolate key security components like keychains, fingerprint readers, and digital wallets from the easily-compromised operating system. To work together, virtual machines running on top of the hypervisor can make hypercalls to the hypervisor to share pages between each other in a controlled way. However, the design of such hypercall ABIs remains a delicate balancing task between conflicting needs for expressivity, performance, and security. In particular, it raises the question of what makes the specification of a hypervisor, and of its hypercall ABIs, good enough for the virtual machines. In this paper, we validate the expressivity and security of the design of the hypercall ABIs of Arm's FF-A. We formalise a substantial fragment of FF-A as a machine with a simplified ISA in which hypercalls are steps of the machine. We then develop VMSL, a novel separation logic, which we prove sound with respect to the machine execution model, and use it to reason modularly about virtual machines which communicate through the hypercall ABIs, demonstrating the hypercall ABIs' expressivity. Moreover, we use the logic to prove robust safety of communicating virtual machines, that is, the guarantee that even if some of the virtual machines are compromised and execute unknown code, they cannot break the safety properties of other virtual machines running known code. This demonstrates the intended security guarantees of the hypercall ABIs. All the results in the paper have been formalised in Coq using the Iris framework.



Relaxed virtual memory in Armv8-A

March 2022

·

60 Reads

·

10 Citations

Lecture Notes in Computer Science

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous “user” models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness. This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics.


Figure 1
Figure 5: pKVM.host _ handle _ trap.stage2 _ idmap.l3: forbidden candidate execution
Relaxed virtual memory in Armv8-A (extended version)

March 2022

·

140 Reads

Virtual memory is an essential mechanism for enforcing security boundaries, but its relaxed-memory concurrency semantics has not previously been investigated in detail. The concurrent systems code managing virtual memory has been left on an entirely informal basis, and OS and hypervisor verification has had to make major simplifying assumptions. We explore the design space for relaxed virtual memory semantics in the Armv8-A architecture, to support future system-software verification. We identify many design questions, in discussion with Arm; develop a test suite, including use cases from the pKVM production hypervisor under development by Google; delimit the design space with axiomatic-style concurrency models; prove that under simple stable configurations our architectural model collapses to previous "user" models; develop tooling to compute allowed behaviours in the model integrated with the full Armv8-A ISA semantics; and develop a hardware test harness. This lays out some of the main issues in relaxed virtual memory bringing these security-critical systems phenomena into the domain of programming-language semantics and verification with foundational architecture semantics. This document is an extended version of a paper in ESOP 2022, with additional explanation and examples in the main body, and appendices detailing our litmus tests, models, proofs, and test results.


Two Mechanisations of WebAssembly 1.0

November 2021

·

48 Reads

·

15 Citations

Lecture Notes in Computer Science

WebAssembly (Wasm) is a new bytecode language supported by all major Web browsers, designed primarily to be an efficient compilation target for low-level languages such as C/C++ and Rust. It is unusual in that it is officially specified through a formal semantics. An initial draft specification was published in 2017 [14], with an associated mechanised specification in Isabelle/HOL published by Watt that found bugs in the original specification, fixed before its publication [37]. The first official W3C standard, WebAssembly 1.0, was published in 2019 [45]. Building on Watt’s original mechanisation, we introduce two mechanised specifications of the WebAssembly 1.0 semantics, written in different theorem provers: WasmCert-Isabelle and WasmCert-Coq. Wasm’s compact design and official formal semantics enable our mechanisations to be particularly complete and close to the published language standard. We present a high-level description of the language’s updated type soundness result, referencing both mechanisations. We also describe the current state of the mechanisation of language features not previously supported: WasmCert-Isabelle includes a verified executable definition of the instantiation phase as part of an executable verified interpreter; WasmCert-Coq includes executable parsing and numeric definitions as on-going work towards a more ambitious end-to-end verified interpreter which does not require an OCaml harness like WasmCert-Isabelle.


Citations (15)


... 53] in binaries. Watt et al. (2021) [154] extend the WebAssembly semantic and provide two different theorem provers: WasmCert-Isabelle and WasmCert-Coq. VanHattum et al. (2024)[155] present Crocus, a system for lightweight, modular verification of instruction-lowering rules within ''Cranelift''[156], a compiler backend used by the Wasmtime runtime.Legoupil et al. (2024) [157] extend the verification process to MSWasm, the WebAssembly extension provided by ...

Reference:

WebAssembly and security: A review
Iris-MSWasm: Elucidating and Mechanising the Security Invariants of Memory-Safe WebAssembly
  • Citing Article
  • October 2024

Proceedings of the ACM on Programming Languages

... Rao et al. [22] provided Iris-Wasm, which is a logic that independently validates individual wasm modules and assembles them in a host language. Jangda et al. [23] analyzed applications compiled to WebAssembly using SPEC CPU benchmarks in Firefox and Chrome to determine WebAssembly performance. ...

Iris-Wasm: Robust and Modular Verification of WebAssembly Programs
  • Citing Article
  • June 2023

Proceedings of the ACM on Programming Languages

... Sail has already been used for writing specifications of multiple architectures (x86, Arm, RISC-V, MIPS, CHERI, and IBM Power). Sail has also resulted in tools such as Isla [21] for symbolic execution of Sail code using the Z3 SMT Solver, and verification of machine code using Islaris [43]. ...

Islaris: verification of machine code against authoritative ISA semantics
  • Citing Conference Paper
  • June 2022

... We sketch this in an axiomatic model. This is an essential part of the necessary foundation for confidently programming systems code, building on previous work that has clarified 'user' relaxed concurrency [1-3, 6-8, 12, 19, 24-28, 31, 48, 49, 51-53, 55, 58] and complementing recent work on the systems aspects of instruction fetch [57] and virtual memory [4,56]. It helps put processor architecture specifications such as Arm-A on an unambiguous footing, where the allowed behaviour of systems-code idioms can be computed from a precise and executable-as-test-oracle definition of the architecture. ...

Relaxed virtual memory in Armv8-A

Lecture Notes in Computer Science

... That is, codes written in these languages can be compiled as wasm modules. Since wasm is designed with formal semantics from the start, there is no need for an extra trust mechanism to execute wasm modules efficiently and securely [25]. As Figure 7 presents, moreover, with the wasm system interface (WASI) released to abstract the host operating system, wasm modules started running outside of the browser runtime [26]. ...

Two Mechanisations of WebAssembly 1.0

Lecture Notes in Computer Science

... In these cases, split-RW hurt the optimality and thus incurred considerable overhead. [23,24] chase-lev An implementation of the Chase-Lev deque adapted from [23,24] dq An implementation of the Chase-Lev deque adapted from [25] linuxrwlocks A reader-writer lock ported from the Linux kernel adapted from [23,24] mcs spinlock An implementation of the MCS lock extracted from the Linux kernel [17] mpmc-queue A multiple-producer multiple-consumer queue adapted from [23,24] ms-queue An implementation of the Michael-Scott queue adapted from [23,24] qspinlock Queued spinlocks (1.2 KLOC) extracted from the Linux kernel [17] qu An implementation of the Michael-Scott queue adapted from [25] seqlock Sequential locks (1.0 KLOC) extracted from the Linux kernel [17] stc An implementation of the Treiber stack adapted from [25] * The race detection was disabled because of intentionally racy non-atomic accesses. ...

Promising-ARM/RISC-V: a simpler and faster operational concurrency model
  • Citing Conference Paper
  • June 2019

... The implication of language consistency models was only later identified, facing along with informal prose, the non-trivial effects on compilation [27], [7], [17], [33], [14]. Earlier criticisms of Java were primarily based on informal/unclear specifications that were hard to understand, naturally leading to most JVMs violating them [28]. ...

Repairing and mechanising the JavaScript relaxed memory model
  • Citing Conference Paper
  • June 2020

... We sketch this in an axiomatic model. This is an essential part of the necessary foundation for confidently programming systems code, building on previous work that has clarified 'user' relaxed concurrency [1-3, 6-8, 12, 19, 24-28, 31, 48, 49, 51-53, 55, 58] and complementing recent work on the systems aspects of instruction fetch [57] and virtual memory [4,56]. It helps put processor architecture specifications such as Arm-A on an unambiguous footing, where the allowed behaviour of systems-code idioms can be computed from a precise and executable-as-test-oracle definition of the architecture. ...

ARMv8-A System Semantics: Instruction Fetch in Relaxed Architectures

Lecture Notes in Computer Science

... This wasi32-thread implementation efficiently manages locks and maintains synchronization during checkpoint and restore operations in Wasm-based systems. For memory consistency, there's formal proof of the previous version of Wasm spec for the general multi-threaded memory access from Weakening Wasm [72]. The ordering of WASI thread [52] from WASI Proposal follows the thread definition, which is Sequential Consistency. ...

Weakening WebAssembly

Proceedings of the ACM on Programming Languages

... These correspond to the three behaviours the function may have: either it encodes the fault as a bitvector, the combination of arguments was invalid and an assertion fails, or it calls the Unreachable function indicating something that should never occur in the model. Figure 3 shows the web interface we have developed for our tool, based on the web interface for the C memory model tool Cerberus-BMC by Lau et al. [34]. This can either be run locally, or via a website, https://isla-axiomatic.cl.cam.ac.uk. ...

Cerberus-BMC: A Principled Reference Semantics and Exploration Tool for Concurrent and Sequential C

Lecture Notes in Computer Science