Peter Sewell’s research while affiliated with University of Cambridge and other places


Publications (159)


It Is Time to Standardize Principles and Practices for Software Memory Safety
  • Article

January 2025 · Communications of the ACM

Robert N.M. Watson · John Baldwin · David Chisnall · [...] · Konrad Witaszczyk

Twenty-one authors, spanning academia and industry, with expertise in memory-safety research, deployment, and policy, argue that standardization is an essential next step to achieving universal strong memory safety.



Fulminate: Testing CN Separation-Logic Specifications in C

January 2025 · Proceedings of the ACM on Programming Languages

Separation logic has become an important tool for formally capturing and reasoning about the ownership patterns of imperative programs, originally for paper proof, and now the foundation for industrial static analyses and multiple proof tools. However, there has been very little work on program testing of separation-logic specifications in concrete execution. At first sight, separation-logic formulas are hard to evaluate in reasonable time, with their implicit quantification over heap splittings, and other explicit existentials. In this paper we observe that a restricted fragment of separation logic, adopted in the CN proof tool to enable predictable proof automation, also has a natural and readable computational interpretation, that makes it practically usable in runtime testing. We discuss various design issues and develop this as a C+CN source to C source translation, Fulminate. This adds checks – including ownership checks and ownership transfer – for C code annotated with CN pre- and post-conditions; we demonstrate this on nontrivial examples, including the allocator from a production hypervisor. We formalise our runtime ownership testing scheme, showing (and proving) how its reified ghost state correctly captures ownership passing, in a semantics for a small C-like language.


CHERI: Hardware-Enabled C/C++ Memory Protection at Scale
  • Article

July 2024 · IEEE Security and Privacy Magazine · 1 Citation

The memory-safe Capability Hardware Enhanced RISC Instructions (CHERI) C and C++ languages build on architectural capabilities in the CHERI protection model. With the development of two industrial CHERI-enabled processors, Arm’s Morello and Microsoft’s CHERIoT, CHERI may offer the fastest path to widely deployed memory safety.

Figure 1. The in-memory layout of 128-bit CHERI's capability and its tag bit. perms: permissions.
Figure 2. A die photo from the 7-nm Arm Morello SoC, showing the four cores, GPU, and caches.
Figure 3. The memory-safe KDE Plasma desktop environment running on an Arm Morello board.


An Axiomatic Basis for Computer Programming on the Relaxed Arm-A Architecture: The AxSL Logic

January 2024 · Proceedings of the ACM on Programming Languages · 1 Citation

Very relaxed concurrency memory models, like those of the Arm-A, RISC-V, and IBM Power hardware architectures, underpin much of computing but break a fundamental intuition about programs, namely that syntactic program order and the reads-from relation always both induce order in the execution. Instead, out-of-order execution is allowed except where prevented by certain pairwise dependencies, barriers, or other synchronisation. This means that there is no notion of the 'current' state of the program, making it challenging to design (and prove sound) syntax-directed, modular reasoning methods like Hoare logics, as usable resources cannot implicitly flow from one program point to the next. We present AxSL, a separation logic for the relaxed memory model of Arm-A, that captures the fine-grained reasoning underpinning the low-overhead synchronisation mechanisms used by high-performance systems code. In particular, AxSL allows transferring arbitrary resources using relaxed reads and writes when they induce inter-thread ordering. We mechanise AxSL in the Iris separation logic framework, illustrate it on key examples, and prove it sound with respect to the axiomatic memory model of Arm-A. Our approach is largely generic in the axiomatic model and in the instruction-set semantics, offering a potential way forward for compositional reasoning for other similar models, and for the combination of production concurrency models and full-scale ISAs.


Isla: integrating full-scale ISA semantics and axiomatic concurrency models (extended version)

May 2023 · Formal Methods in System Design · 2 Citations

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k++ lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in the Sail language, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. The symbolic execution engine is valuable also for other verification tasks: it has been used in automated ISA test generation for the Arm Morello prototype architecture, extending Armv8-A with CHERI capabilities, and for Iris program-logic reasoning about binary code above the Armv8-A and RISC-V ISA specifications. By using full-scale and authoritative ISA semantics, Isla lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch and virtual-memory models and examples of Simner et al.


The Arm Morello Evaluation Platform—Validating CHERI-Based Security in a High-Performance System

May 2023 · IEEE Micro · 10 Citations

Memory safety issues are a persistent source of security vulnerabilities, with conventional architectures and the C/C++ codebase chronically prone to exploitable errors. The Capability Hardware Enhanced RISC Instructions (CHERI) research project has explored a novel architectural approach to ameliorate such issues using unforgeable hardware capabilities to implement pointers. Morello is an Arm experimental platform for evaluation of CHERI in the Arm architecture context to explore its potential for mass-market adoption. This article describes the Morello Evaluation Platform, covering the motivation and functionality of the Morello architectural hardware extensions; their potential for fine-grained memory safety and software compartmentalization; formally proven security properties; impact on the microarchitecture of the high-performance, out-of-order multiprocessor Arm Morello processor; and the software-enablement program by Arm, the University of Cambridge, and Linaro. Together, this allows a wide range of researchers in both industry and academia to explore and assess the Morello platform.


CN: Verifying Systems C Code with Separation-Logic Refinement Types

January 2023 · Proceedings of the ACM on Programming Languages · 13 Citations

Despite significant progress in the verification of hypervisors, operating systems, and compilers, and in verification tooling, there exists a wide gap between the approaches used in verification projects and conventional development of systems software. We see two main challenges in bringing these closer together: verification handling the complexity of code and semantics of conventional systems software, and verification usability. We describe an experiment in verification tool design aimed at addressing some aspects of both: we design and implement CN, a separation-logic refinement type system for C systems software, aimed at predictable proof automation, based on a realistic semantics of ISO C. CN reduces refinement typing to decidable propositional logic reasoning, uses first-class resources to support pointer aliasing and pointer arithmetic, features resource inference for iterated separating conjunction, and uses a novel syntactic restriction of ghost variables in specifications to guarantee their successful inference. We implement CN and formalise key aspects of the type system, including a soundness proof of type checking. To demonstrate the usability of CN we use it to verify a substantial component of Google's pKVM hypervisor for Android.



Citations (75)


... Foundational semantics often include complex and low-level resource models that involve aliasing or references [27,39,45,72], in which case Separation Logic (SL) has shown to be an effective verification method [54]. In a typical workflow of an SL-based foundational verification, the process has the following steps: (1) extract SL entailments (i.e., implications between SL formulas) that imply program correctness (e.g., by a predicate transformer [31,64]), (2) then extract pure proof obligations (e.g., first-order logic formulas) to entail the validity of the entailments, and finally, (3) the pure proof obligations are sent to Automated Theorem Provers (ATPs) [1, 59, 64] for solving. ...

Reference:

Generically Automating Separation Logic by Functors, Homomorphisms and Modules
Formal Mechanised Semantics of CHERI C: Capabilities, Undefined Behaviour, and Provenance
  • Citing Conference Paper
  • April 2024

... In previous work, considerable effort has been put into formal verification of CHERI at the ISA level. In [15,19] an HOL model of the CHERI ISA based on SAIL [3] is subjected to security verification. Multiple security objectives are formulated and exhaustively proven on the SAIL model. ...

The Arm Morello Evaluation Platform—Validating CHERI-Based Security in a High-Performance System
  • Citing Article
  • May 2023

IEEE Micro

... Specifically, ( ) defines the set of concrete constructs that refine abstraction . The notion of refinement type in the recent works [59,64,65] corresponds to SL predicates in our theory. To emphasize this correspondence and to be intuitive, we introduce the notation ⦂ to abbreviate predicate application ( ), i.e., ⦂ ≜ ( ). ...

CN: Verifying Systems C Code with Separation-Logic Refinement Types
  • Citing Article
  • January 2023

Proceedings of the ACM on Programming Languages

... Therefore, foundational verification relies on a smaller trust base and produces more trustworthy results than other formal methods. These advantages have promoted the rapid development of the field in recent years [23,47,59,63,64,65]. ...

Islaris: verification of machine code against authoritative ISA semantics
  • Citing Conference Paper
  • June 2022

... We sketch this in an axiomatic model. This is an essential part of the necessary foundation for confidently programming systems code, building on previous work that has clarified 'user' relaxed concurrency [1-3, 6-8, 12, 19, 24-28, 31, 48, 49, 51-53, 55, 58] and complementing recent work on the systems aspects of instruction fetch [57] and virtual memory [4,56]. It helps put processor architecture specifications such as Arm-A on an unambiguous footing, where the allowed behaviour of systems-code idioms can be computed from a precise and executable-as-test-oracle definition of the architecture. ...

Relaxed virtual memory in Armv8-A

Lecture Notes in Computer Science

... However, the results have been compelling: MSRC reported more than a two-thirds deterministic mitigation rate for memory-safety vulnerabilities with the deployment of CHERI's referential, spatial, and temporal memory safety. 3. Formal proof of architectural security properties: Formal modeling of the Morello and CHERI-MIPS ISAs has supported formal verification (machine-checked mathematical proof) that the ISAs enforce key properties, such as correctness of capability bounds comparison and isolation of arbitrary code by compartmentalization mechanisms, 12 and formal semantics for CHERI C has clarified its security properties. 13 4. Penetration-testing exercises, ideally performed with a strong attacker awareness of the CHERI model so that attack strategies can take this into account: These exercisers have primarily been performed externally and include an activity by MSRC to consider the impact of CHERI on WebKit JavaScriptCore ( JSC) with CHERI-aware attackers as well as a DARPA-sponsored, crowdsourced penetration activity. ...

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Lecture Notes in Computer Science

... Such problems include, in particular, specifying loop invariants [14][15] and proving correctness conditions [16]. We therefore offered the competition participants a deductive verification software system that can simplify both the loop-invariant problem and the problem of proving program correctness conditions for the selected verification tasks, namely the C-lightVer system for programs in the C-light language [17][18][19][20][21], a representative subset of the C language. Unlike other known deductive verification systems [22][23][24][25][26][27][28][29][30][31], the C-lightVer system makes it possible to automate the specification of loop invariants for programs whose loops are finite iterations [32]. The class of finite iterations over data sequences covers such common kinds of loops as loops over arrays, loops over lists, loops over trees, etc. ...

VIP: verifying real-world C idioms with integer-pointer casts
  • Citing Article
  • January 2022

Proceedings of the ACM on Programming Languages

... • We develop an axiomatic model for Arm-A precise exceptions (§5). We extend Isla [12] to support both ISA and relaxed-memory concurrency aspects of exceptions, and we use it to evaluate the axiomatic model on tests. • We identify and discuss the substantial open problem of what it means for exceptions to be precise in a relaxed setting (§6). ...

Isla: Integrating Full-Scale ISA Semantics and Axiomatic Concurrency Models
  • Citing Chapter
  • July 2021

Lecture Notes in Computer Science

... The client is responsible for connecting to the server and executing commands. This compartmentalization prevents an attacker who exploits a vulnerability in the client from gaining access to the server [10]. ...

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process
  • Citing Conference Paper
  • May 2020

... The findings indicate that only 31% of the reported vulnerabilities could have been mitigated through the default configuration of CHERI. An additional 24% could be mitigated by CHERI when configured to provide partial temporal safety under the Cornucopia mechanism [82]. The analysis further highlights that at least 12% of the assessed vulnerabilities could have been mitigated if CHERI would protect against uninitialized access. ...

Cornucopia: Temporal Safety for CHERI Heaps
  • Citing Conference Paper
  • May 2020