Optimal Guard Synthesis for Memory Safety

Dillig, Thomas; Dillig, Işıl; Chaudhuri, Swarat

doi:10.1007/978-3-319-08867-9_32

“…Klein et al [35] prove the correctness of the seL4 kernel, but that code was written with the goal of proof. Dillig et al [26] synthesize guards ensuring memory safety in low-level code, but our code is written by hand. Rakamarić and Hu [50] developed a conservative, scalable approach to memory safety in low-level code, but the models there are not tailored to our code that routinely accesses memory by an explicit integer-valued memory address.…”

Section: Related Workmentioning

confidence: 99%

Model checking boot code from AWS data centers

Cook

¹

,

Khazem

²

,

Kroening

³

et al. 2020

Form Methods Syst Des

View full text Add to dashboard Cite

This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, bytelevel memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis. Keywords Formal verification • Model checking • CBMC • Boot code • Firmware • Linker script • Amazon Web Services (AWS)

show abstract

“…Hence, our approach bears similarity to other efforts for optimal program synthesis [5,6,8]. In addition to addressing a different synthesis domain, we propose a different definition of optimality in this paper.…”

Section: Related Workmentioning

confidence: 99%

Synthesizing data structure transformations from input-output examples

Feser

¹

,

Chaudhuri

²

,

Dillig

³

2015

Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

View full text Add to dashboard Cite

We present a method for example-guided synthesis of functional programs over recursive data structures. Given a set of input-output examples, our method synthesizes a program in a functional language with higher-order combinators like map and fold. The synthesized program is guaranteed to be the simplest program in the language to fit the examples.Our approach combines three technical ideas: inductive generalization, deduction, and enumerative search. First, we generalize the input-output examples into hypotheses about the structure of the target program. For each hypothesis, we use deduction to infer new input/output examples for the missing subexpressions. This leads to a new subproblem where the goal is to synthesize expressions within each hypothesis. Since not every hypothesis can be realized into a program that fits the examples, we use a combination of best-first enumeration and deduction to search for a hypothesis that meets our needs.We have implemented our method in a tool called λ 2 , and we evaluate this tool on a large set of synthesis problems involving lists, trees, and nested data structures. The experiments demonstrate the scalability and broad scope of λ 2 . A highlight is the synthesis of a program believed to be the world's earliest functional pearl.

show abstract

“…Klein et al [38] prove the correctness of the seL4 kernel, but that code was written with the goal of proof. Dillig et al [26] synthesize guards ensuring memory safety in low-level code, but our code is written by hand. Rakamarić and Hu [50] developed a conservative, scalable approach to memory safety in low-level code, but the models there are not tailored to our code that routinely accesses memory by an explicit integer-valued memory address.…”

Section: Related Workmentioning

confidence: 99%

Model Checking Boot Code from AWS Data Centers

Cook

¹

,

Khazem

²

,

Kroening

³

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis. 1. memory-mapped input/output (MMIO) for accessing devices, 2. device behavior behind these MMIO regions, 3. byte-level memory access as the dominant form of memory access, and 4. linker scripts used during the build process. Not handling MMIO or linker scripts results in imprecision (false positives), and not modeling device behavior is unsound (false negatives). We describe the solutions to these challenges that we developed. We implemented our solutions in the C Bounded Model Checker (CBMC) [20]. We achieve

show abstract

Optimal Guard Synthesis for Memory Safety

Cited by 16 publications

References 43 publications

Model checking boot code from AWS data centers

Model checking boot code from AWS data centers

Synthesizing data structure transformations from input-output examples

Model Checking Boot Code from AWS Data Centers

Contact Info

Product

Resources

About