Slide 1 - About | USTC-Yale Joint Research Center for


Towards Building Trusted Software
A Certifying Compiler and Pointer Logic
Zhaopeng Li
Software Security Lab.
Department of Computer Science and Technology,
University of Science and Technology of China
October 8, 2008
Outline
  Motivation
  Research Goals
  Our Work
    A Certifying Compiler
    PointerC Language
    Pointer Logic
  Summary
  Future Work
Software Security Lab, USTC
2

Motivation
  Software Safety Problems
  C language
    Widely used & legacy C code
    Not easy to write safe code with pointers
  One Solution: Program Verification
    Program + Annotation + Proof

Motivation (cont.)
  Hoare Logic
    Hoare triple: {P}C{Q}
    Hard to reason about pointer programs
  Separation Logic
    Low-level code, or high-level code with restrictions
    Separating Conjunction (P*Q)
    Example:
      p p _* _,
      l1 1 l1
      l1
  A Hoare-like Logic for C Language?

Research Goals
  Verification for C pointer programs
    Design a C-like language
    Design a logic
    Design a certifying compiler
      Generate code with proof
      Minimize the Trusted Computing Base

Outline
  Motivation
  Research Goals
  Our Work
    A Certifying Compiler
    PointerC Language
    Pointer Logic
  Summary
  Future Work

Our Certifying Compiler
  [Diagram] Source-level Certifying System: Source Code + Specifications
    (PointerC Language) -> VCGen -> Prover (Pointer Logic)
    -> Source Code + Spec. + Proof
  [Diagram] Certifying Compiler: Code Compiler -> Assem. Code + Assem. Spec.;
    Proof Compiler -> Assem. Proof

Our Certifying Compiler (cont.)
  Prototype
    plcc ver1.0 (2005.5-2006.9)
    plcc ver2.0 (2006.9-2007.12)
  Improvements
    Built-in theorem prover
    Support limited pointer arithmetic
    Support more data structures
      Doubly-linked list

Supported Programs
  Singly-linked/doubly-linked list
    traversal/reversal
    delete/insert
    create/clear
  Binary Tree
    traversal/rotate
    delete/insert

Evaluation

PointerC Language
  PointerC:
    A subset of the C language with pointer types
    Memory management: malloc/free
  Main Constraints:
    Pointer arithmetic is limited
    No union type
    No type cast
    …

Pointer Logic
  Motivation
    PointerC typing rules with side conditions
        p : ptr(struct (…, x: int; …))
      ----------------------------------  ( valid(p) )
        p->x : int
    A logic proof system is needed
      Reason about source programs with complex pointer aliasing
  Why not separation logic?

Pointer Logic (cont.)
  Why not separation logic?
    No rule for this kind of statement!
    No rule for aliasing inference!

  List_delete.c
    struct List {
      int data;
      struct List *next;
    };
    …
    q = p->next;
    t = q->next;
    p->next = t;
    free(q);
    …

  List_delete_trans.c
    …
    q = p->next;
    p->next = p->next->next;
    free(q);
    …

  [Figure: list p -> q -> t -> NULL]

Basic ideas
  Precise pointer information collection
    At each program point
  Pointer classification
    Valid pointer set
    Null pointer set
    Dangling pointer set
    Equality between valid pointers

Specification
  Pointer Information
    head->next ?
    head->next->next ?
    Valid classes: {{head, p}, {p->next}, {p->next->next, tail}}
    N = {tail->next}
    D = {q}
    p(->next)^3 ?
  The information is concise!

Specification (cont.)
  Compare with separation logic
    (p ↦ _, l1 ∧ head = p) * (l1 ↦ _, l2) * (l2 ↦ _, nil ∧ tail = l2)
    Access path is short
    Low-level addresses are used in assertions
    Addresses are used to associate different heaps

Expressivity
  Current Application
    Singly-linked list
    Doubly-linked list
    Binary Tree
    Graph?
      Equality between pointers is not certain
      Unable to be expressed in the current pointer logic
      Not well-supported in separation logic either

Expressivity (cont.)
  Singly-linked list in pointer logic
    Flat version
      list(n, p) ≡ {p} ∧ {p->next} ∧ … ∧ {p(->next)^(n-1)} ∧ {p(->next)^n}N
    Inductive version
      list(p) ≡ {p}N ∨ ({p} ∧ list(p->next))
  Singly-linked list in separation logic
    Flat version
      list(n, p) ≡ ∃ l1, …, l(n-1). (p ↦ _, l1) * (l1 ↦ _, l2) * … * (l(n-1) ↦ _, nil)
      p, l1, l2, …, l(n-1) are distinct!
  [Figure: p -> … -> nil]

Inference Rule
  Hoare-logic-like rules
    {P}C{Q}
    Extend Hoare Logic
    Calculate pointer information Q using P

Memory Leak
  Pointer Logic
    {{p} ∧ {p->next}N}
    p = NULL
    {?}
    No rules for this case!
  Separation Logic
    {p ↦ _, nil}
    p := nil
    {∃x. x ↦ _, nil ∧ p = nil}
    Assignment axiom of Hoare Logic!
    Must use a precise assertion to rule out this case!
  [Figure: p -> NULL; Memory Leak!]

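As an added example (this is not code from the slides or from the plcc prototype), the following Python model shows what the pointer information of the "Specification" slide looks like when it is carried statement by statement through List_delete.c and List_delete_trans.c from "Pointer Logic (cont.)", how the flat list(n, p) predicate of "Expressivity (cont.)" is checked against it, and why p = NULL on {{p} ∧ {p->next}N} is rejected as the "no rule" case of the "Memory Leak" slide. The names PtrInfo, assign, free, run, is_list, three_list and NoRule, the list(3, p) starting state and the textual statement syntax are assumptions of this illustration; the deck itself does not give the transfer functions.

```python
"""Constructed model of the pointer information the slides attach to each
program point (added illustration, not the plcc prototype's code): valid
pointers as equivalence classes of access paths, a null set N, a dangling
set D, and transfer functions for the statement forms of List_delete.c."""
import re
from copy import deepcopy
from dataclasses import dataclass, field


class NoRule(Exception):
    """Raised where the slides say 'No rule for this case!'."""


@dataclass
class PtrInfo:
    valid: list = field(default_factory=list)   # classes of aliased valid paths
    null: set = field(default_factory=set)      # the N set
    dangling: set = field(default_factory=set)  # the D set

    def all_sets(self):
        return self.valid + [self.null, self.dangling]

    def class_of(self, path):
        return next((c for c in self.valid if path in c), None)

    def check_path(self, path):
        # Side condition valid(p) of the typing rule for p->x, for every dereference.
        parts = path.split("->")
        for i in range(1, len(parts)):
            if self.class_of("->".join(parts[:i])) is None:
                raise NoRule(f"{'->'.join(parts[:i])} is not valid here")

    def _drop_prefixed(self, prefixes):
        # Forget every path equal to, or reached through, one of the prefixes.
        for s in self.all_sets():
            for x in list(s):
                if any(x == q or x.startswith(q + "->") for q in prefixes):
                    s.discard(x)

    def assign(self, lhs, rhs):
        """lhs = rhs; lhs is a variable or a field path, rhs a path or NULL."""
        self.check_path(lhs)
        base, sep, fld = lhs.rpartition("->")
        # a store through p->next also updates head->next when head == p
        targets = [a + "->" + fld for a in self.class_of(base)] if sep else [lhs]
        old = self.class_of(lhs)  # class of the node lhs used to point at
        snapshot = []
        if rhs != "NULL":
            self.check_path(rhs)
            # rhs and every path below it, paired with the set each lives in
            snapshot = [(s, x) for s in self.all_sets() for x in s
                        if x == rhs or x.startswith(rhs + "->")]
            if not snapshot:
                raise NoRule(f"nothing is known about {rhs}")
        self._drop_prefixed(targets)
        for t in targets:
            if rhs == "NULL":
                self.null.add(t)
            for s, x in snapshot:  # aliasing inference: t->... equals rhs->...
                s.add(t + x[len(rhs):])
        if old is not None and not old:
            raise NoRule(f"{lhs} = {rhs} loses the node {lhs} pointed at (memory leak)")
        self.valid = [c for c in self.valid if c]

    def free(self, path):
        """free(path): the whole alias class of path becomes dangling."""
        self.check_path(path)
        cls = self.class_of(path)
        if cls is None:
            raise NoRule(f"free of non-valid pointer {path}")
        members = set(cls)
        self._drop_prefixed(members)  # fields of the freed node are gone
        self.valid = [c for c in self.valid if c is not cls]
        self.dangling |= members  # leaks below the freed node are not checked here


def is_list(info, n, p):
    """Flat list(n, p) of the slides: p, p->next, ..., p(->next)^(n-1) are valid
    and pairwise distinct (different classes), and p(->next)^n is in N."""
    classes = [info.class_of(p + "->next" * i) for i in range(n)]
    if any(c is None for c in classes) or len({id(c) for c in classes}) != n:
        return False
    return p + "->next" * n in info.null


def run(info, program):
    """Apply the statements in order and return the final pointer information."""
    info = deepcopy(info)
    for stmt in program:
        call = re.fullmatch(r"free\((.+)\)", stmt.strip())
        if call:
            info.free(call.group(1))
        else:
            lhs, _, rhs = stmt.partition("=")
            info.assign(lhs.strip(), rhs.strip())
    return info


def three_list(p="p"):
    # Constructed precondition list(3, p): three valid nodes, then NULL.
    return PtrInfo(valid=[{p}, {p + "->next"}, {p + "->next->next"}],
                   null={p + "->next->next->next"})


LIST_DELETE = ["q = p->next", "t = q->next", "p->next = t", "free(q)"]
LIST_DELETE_TRANS = ["q = p->next", "p->next = p->next->next", "free(q)"]
```

run(three_list(), LIST_DELETE) ends with valid classes [{p}, {t, p->next}], N = {t->next, p->next->next} and D = {q}, which is exactly list(2, p) plus a dangling q; the transformed program reaches the same shape because q keeps the middle node reachable while p->next is overwritten. Dropping that alias (running only p->next = p->next->next) or running p = NULL from the precondition makes the old class empty and raises NoRule, matching the "Memory Leak" slide. The model covers straight-line code only; loops, conditionals and the proof objects the prototype emits are out of scope.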
Comparison with Separation Logic
  Common features:
    Extension of Hoare logic
    Deal with pointer programs
  Differences:
    High-level vs low-level
    Pointer logic can deal with long access paths
    Precise information vs information hiding
    Rule out memory leaks via different means

Outline
  Motivation
  Research Goals
  Our Work
    A Certifying Compiler
    PointerC Language
    Pointer Logic
  Summary
  Future Work

Summary
  A Certifying Compiler
    Theorem prover for pointer logic
    Generate code with proof
  A Pointer Logic
    Verification for PointerC pointer programs
    Hoare-logic-like rules
    Compared with separation logic

Future Work
  PointerC Language Extension
    More language features
    Unlimited pointer arithmetic
  Pointer Logic Extension
    Deal with more data structures, such as DAG
  Pointer Logic for
    Java (static garbage detection etc.)
    Concurrent programming
  Realistic Certifying Compiler
    Verify some code of a mini-OS

Questions?
Thanks!