AUSPICE: Automatic Safety Property Verification for Unmodified Executables

Tan, Jiaqi; Tay, Hui Jun; Gandhi, Rajeev; Narasimhan, Priya

doi:10.1007/978-3-319-29613-5_12

Cited by 8 publications

(6 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fully automated approaches to formal verification, however, do not scale either. The recent automated approach AUSPICE takes about 6 hours for a 533-instruction string search algorithm [56]. To the best of our knowledge, our methodology is the first that is able to deal with optimized x86-64 binaries produced by production code, with a "manual effort vs. instruction count ratio" of roughly 1 to 11.…”

Section: Related Workmentioning

confidence: 99%

“…As example of interactive theorem proving, Boyer and Yu verified machine-code implementations of various standard sort-and string functions, requiring over 19,000 lines of manually written proof code for the verification of roughly 900 instructions [8]. As example of automated theorem proving, Tan et al presented an approach which takes about 6 hours for a 533-instruction string search algorithm [56]. In constrast, this paper involves a degree of user interaction of ≈85 lines of proof code per 1,000 lines of assembly.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Verbeek

Bockenek

Ravindran

2020

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

We present a methodology for generating a characterization of the memory used by an assembly program, as well as a formal proof that the assembly is bounded to the generated memory regions. A formal proof of memory usage is required for compositional reasoning over assembly programs. Moreover, it can be used to prove low-level security properties, such as integrity of the return address of a function. Our verification method is based on interactive theorem proving, but provides automation by generating pre- and postconditions, invariants, control-flow, and assumptions on memory layout. As a case study, three binaries of the Xen hypervisor are disassembled. These binaries are the result of a complex build-chain compiling production code, and contain various complex and nested loops, large and compound data structures, and functions with over 100 basic blocks. The methodology has been successfully applied to 251 functions, covering 12,252 assembly instructions.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Verbeek

Bockenek

Ravindran

2020

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

show abstract

“…Balliu et al [3] does this for noninterference, Tan et al [22] for safety-properties. Despite the seeming similarities, ISA analysis and binary code analysis dier in many respects.…”

Section: Related Workmentioning

confidence: 99%

“…As discussed above, we choose an instruction-wide context from the beginning. Both [3] and [22] employ a more local reasoning. In [22] a Hoare-style logic is used and context is provided by selective synchronisation of pre-and postconditions between neighbouring code blocks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Automatic Derivation of Platform Noninterference Properties

Schwarz

Dam

2016

Software Engineering and Formal Methods

View full text Add to dashboard Cite

Abstract. For the verication of system software, information ow properties of the instruction set architecture (ISA) are essential. They show how information propagates through the processor, including sometimes opaque control registers. Thus, they can be used to guarantee that user processes cannot infer the state of privileged system components, such as secure partitions. Formal ISA models -for example for the HOL4 theorem prover -have been available for a number of years. However, little work has been published on the formal analysis of these models. In this paper, we present a general framework for proving information ow properties of a number of ISAs automatically, for example for ARM. The analysis is represented in HOL4 using a direct semantical embedding of noninterference, and does not use an explicit type system, in order to (i) minimize the trusted computing base, and to (ii) support a large degree of context-sensitivity, which is needed for the analysis. The framework determines automatically which system components are accessible at a given privilege level, guaranteeing both soundness and accuracy.

show abstract

Hoare-Style Logic for Unstructured Programs

Lundberg

Guanciale

Lindner

et al. 2020

Software Engineering and Formal Methods

View full text Add to dashboard Cite

Enabling Hoare-style reasoning for low-level code is attractive since it opens the way to regain structure and modularity in a domain where structure is essentially absent. The field, however, has not yet arrived at a fully satisfactory solution, in the sense of avoiding restrictions on control flow (important for compiler optimization), controlling access to intermediate program points (important for modularity), and supporting total correctness. Proposals in the literature support some of these properties, but a solution that meets them all is yet to be found. We introduce the novel Hoare-style program logic LA, which interprets postconditions relative to program points when these are first encountered. The logic can support both partial and total correctness, derive contracts for arbitrary control flow, and allows one to freely choose decomposition strategy during verification while avoiding step-indexed approximations and global invariants. The logic can be instantiated for a variety of concrete instruction set architectures and intermediate languages. The rules of LA have been verified in the interactive theorem prover HOL4 and integrated with the toolbox HolBA for semi-automated program verification, making it applicable to the ARMv6 and ARMv8 instruction sets.

show abstract

AUSPICE: Automatic Safety Property Verification for Unmodified Executables

Cited by 8 publications

References 26 publications

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Automatic Derivation of Platform Noninterference Properties

Hoare-Style Logic for Unstructured Programs

Contact Info

Product

Resources

About