Slide 1 - About | USTC-Yale Joint Research Center for
Towards Building Trusted Software
A Certifying Compiler and Pointer Logic
Zhaopeng Li
Software Security Lab.
Department of Computer Science and Technology,
University of Science and Technology of China
October 8, 2008
Outline
Motivation
Research Goals
Our Work
A Certifying Compiler
PointerC Language
Pointer Logic
Summary
Future Work
Software Security Lab, USTC
2
Motivation
Software Safety Problems
C language
Widely used, with a large body of legacy C code
Not easy to write safe code with pointers
One Solution : Program Verification
Program + Annotation + Proof
Motivation (cont.)
Hoare Logic
Hoare triple: {P} C {Q}
Hard to reason about pointer programs
Separation Logic
Low-level code, or high-level code with restrictions
Separating conjunction (P * Q)
Example (figure): two heap cells, at p and l1, each described by a points-to assertion and joined by *
A Hoare-like logic for the C language?
Research Goals
Verification for C pointer programs
Design a C-like language
Design a logic
Design a certifying compiler
Generate code with proofs
Minimize Trusted Computing Base
Outline
Motivation
Research Goals
Our Work
A Certifying Compiler
PointerC Language
Pointer Logic
Summary
Future Work
Our Certifying Compiler
Architecture (figure):
Input: Source Code + Specifications, written in the PointerC Language
Source-level Certifying System: VCGen and the Pointer Logic Prover produce Source Code + Spec. + Proof
Certifying Compiler: the Code Compiler produces Assem. Code + Assem. Spec.; the Proof Compiler produces Assem. Proof
Our Certifying Compiler (cont.)
Prototype
plcc ver1.0 (2005.5-2006.9)
plcc ver2.0 (2006.9-2007.12)
Improvements
Built-in theorem prover
Support limited pointer arithmetic
Support more data structures
Doubly-linked list
Supported Programs
Singly-linked/doubly-linked list
traversal/reversal
delete/insert
create/clear
Binary Tree
traversal/rotate
delete/insert
Evaluation
PointerC Language
PointerC:
A subset of C language with pointer type
Memory management : malloc/free
Main constraints:
Pointer Arithmetic is limited
No union type
No type cast
…
Pointer Logic
Motivation
PointerC typing rules with side conditions, e.g.
  p : ptr(struct(…, x: int; …))
  ------------------------------  ( valid(p) )
  p->x : int
A logic (proof system) is needed to discharge such side conditions
Reason about source programs with complex pointer aliasing
Why not separation logic?
Pointer Logic (cont.)
Why not separation logic?
Two versions of list-node deletion (List_delete.c and List_delete_trans.c), over

struct List {
  int data;
  struct List *next;
};

…
q = p->next;
t = q->next;
p->next = t;
free(q);
…

…
q = p->next;
p->next = p->next->next;
free(q);
…

Separation logic has no rule for a statement of the kind p->next = p->next->next,
and no rule for inferring the aliasing among p, q and t (figure: p, q, t pointing into the list, tail -> NULL).
Basic ideas
Precise pointer information collection
Pointer classification
At each program point
Valid pointer set
Null pointer set
Dangling pointer set
Equality between valid pointers
Specification
Pointer Information
Pointer information at a program point (figure: head -> cell -> cell -> tail -> NULL)
  Is head->next valid? head->next->next?
  Equalities between valid pointers: $\{\{head, p\}, \{p{\to}next\}, \{p{\to}next{\to}next, tail\}\}$
  Null pointer set: $N = \{tail{\to}next\}$
  Dangling pointer set: $D = \{q\}$
  $p({\to}next)^3$ ?
The information is concise!
Specification (cont.)
Compare with separation logic
  $(p \mapsto \_, l_1 \wedge head = p) * (l_1 \mapsto \_, l_2) * (l_2 \mapsto \_, nil \wedge tail = l_2)$
Access paths are short
Low-level addresses ($l_1$, $l_2$) are used in the assertion
Addresses are used to associate the different heaps (figure)
Expressivity
Current Application
Singly-linked list
Doubly-linked list
Binary Tree
Graph? Equality between pointers is not certain
  Cannot be expressed in the current pointer logic
  Not well supported in separation logic either
Expressivity (cont.)
Singly-linked list in pointer logic
Flat version:
  $list(n, p) \equiv \{p\} \wedge \{p{\to}next\} \wedge \dots \wedge \{p({\to}next)^{n-1}\} \wedge \{p({\to}next)^{n}\}_N$
Inductive version:
  $list(p) \equiv \{p\}_N \vee (\{p\} \wedge list(p{\to}next))$
Singly-linked list in separation logic
Flat version:
  $list(n, p) \equiv \exists l_1, \dots, l_{n-1}.\ (p \mapsto \_, l_1) * (l_1 \mapsto \_, l_2) * \dots * (l_{n-1} \mapsto \_, nil)$
  $p, l_1, l_2, \dots, l_{n-1}$ are distinct! (figure: p -> … -> nil)
Inference Rule
Hoare-logic-like rules
{P}C{Q}
Extend Hoare Logic
Calculate the pointer information Q from P
Memory Leak
Pointer logic:
  $\{\{p\} \wedge \{p{\to}next\}_N\}$  p = NULL;  $\{?\}$
  No rule for this case! (figure: the cell p pointed to is lost, a memory leak)
Separation logic, with the assignment axiom of Hoare logic:
  $\{p \mapsto \_, nil\}$  p := nil  $\{\exists x.\ x \mapsto \_, nil \wedge p = nil\}$
  Must use a precise assertion to rule out this case!
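The pointer-information sets of slide 14, the forward calculation of Q from P of slide 19 and the leak case above, worked through as an added example that is not part of the slides or of the authors' plcc tool. It is a small Python model of the logic's state: a State holds variables and abstract heap cells, `info()` computes the equality classes of valid access paths together with the null set N and the dangling set D, `assign`/`free` play the role of the inference rules, and `leaked()` reports cells that no variable can reach any more. Cell ids, the `depth` bound on enumerated paths, the field name `next` and the constructed precondition are assumptions of this example, not of the slides.

```python
# Added example, not the authors' plcc tool: an executable model of the pointer-logic state on the
# slides. Cell ids, the `depth` bound and the field name `next` are assumptions of this model.
from dataclasses import dataclass, field
from itertools import product

NULL, DANGLING = "NULL", "DANGLING"  # abstract targets other than cell ids (ints)


@dataclass
class State:
    vars: dict = field(default_factory=dict)  # variable -> cell id | NULL | DANGLING
    heap: dict = field(default_factory=dict)  # cell id -> {field -> cell id | NULL | DANGLING}
    fresh: int = 0

    def new_cell(self, **fields):  # malloc: allocate an abstract cell
        self.fresh += 1
        self.heap[self.fresh] = dict(fields)
        return self.fresh

    def resolve(self, path):
        """Target of a path like 'p->next->next'; None if it dereferences NULL/dangling."""
        var, *fields = path.split("->")
        cur = self.vars.get(var)
        for f in fields:
            if not isinstance(cur, int):  # PointerC's side condition valid(p) fails here
                return None
            cur = self.heap[cur].get(f)
        return cur

    def assign(self, lhs, rhs):
        """lhs = rhs (lhs 'x' or 'x->f', rhs a path or 'NULL'); returns cells made unreachable."""
        val = NULL if rhs == "NULL" else self.resolve(rhs)
        if val is None:
            raise ValueError(f"{rhs}: not a valid pointer expression here")
        if "->" in lhs:
            base, f = lhs.rsplit("->", 1)
            cell = self.resolve(base)
            if not isinstance(cell, int):
                raise ValueError(f"{lhs}: store through an invalid pointer")
            self.heap[cell][f] = val
        else:
            self.vars[lhs] = val
        return self.leaked()

    def free(self, path):
        """free(path): drop the cell; every pointer still naming it becomes dangling."""
        cell = self.resolve(path)
        if not isinstance(cell, int):
            raise ValueError(f"free({path}): not a valid pointer")
        del self.heap[cell]
        for scope in [self.vars, *self.heap.values()]:
            for k, t in scope.items():
                if t == cell:
                    scope[k] = DANGLING
        return self.leaked()

    def leaked(self):
        """Cells unreachable from every variable: the memory leak the logic must rule out."""
        seen, todo = set(), [t for t in self.vars.values() if isinstance(t, int)]
        while todo:
            c = todo.pop()
            if c not in seen:
                seen.add(c)
                todo += [t for t in self.heap[c].values() if isinstance(t, int)]
        return set(self.heap) - seen

    def info(self, depth=3):
        """Pointer information: ([equality classes of valid paths], N, D), paths <= depth long."""
        buckets, fields = {}, sorted({f for cell in self.heap.values() for f in cell})
        for var in self.vars:
            for k in range(depth + 1):
                for fs in product(fields, repeat=k):
                    path = "->".join((var,) + fs)
                    t = self.resolve(path)
                    if t is not None:  # group every defined path by what it names
                        buckets.setdefault(t, set()).add(path)
        N, D = buckets.pop(NULL, set()), buckets.pop(DANGLING, set())
        return [frozenset(c) for c in buckets.values()], N, D


def list_delete_demo():
    """Slide 13's statements run from slide 14's precondition (constructed): (before, after, leaked)."""
    s = State()
    tail = s.new_cell(next=NULL)
    first = s.new_cell(next=s.new_cell(next=tail))  # head = p -> cell -> tail -> NULL
    s.vars.update(head=first, p=first, tail=tail, q=DANGLING)
    before = s.info()
    s.assign("q", "p->next")
    s.assign("t", "q->next")
    s.assign("p->next", "t")
    leaked = s.free("q")
    return before, s.info(), leaked


def leak_demo():
    """Slide 20: {{p} and {p->next}_N}  p = NULL;  loses the only pointer to the cell."""
    s = State()
    s.vars["p"] = s.new_cell(next=NULL)
    return s.assign("p", "NULL")
```

Before the deletion, `info()` yields the three equality classes of slide 14 (head-prefixed paths included, since the model enumerates every path up to `depth`), N containing tail->next and D = {q}; after `free(q)` the middle class disappears, q is dangling again and nothing is leaked. `leak_demo()` shows why the logic needs no rule for p = NULL when {p} is the only valid pointer to the cell: the store leaves cell 1 unreachable.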
Comparison with Separation Logic
Common features:
Extension of Hoare logic
Deal with pointer programs
Differences:
High-level vs low-level
Pointer logic can deal with long access paths
Precise information vs information hiding
Rule out memory leak via different means
Outline
Motivation
Research Goals
Our Work
A Certifying Compiler
PointerC Language
Pointer Logic
Summary
Future Work
Summary
A Certifying Compiler
Theorem prover for pointer logic
Generate code with proofs
A Pointer Logic
Verification for PointerC pointer programs
Hoare-logic-like rules
Comparison with separation logic
Future Work
PointerC Language Extension
Pointer Logic Extension
Deal with more data structures, such as DAGs
Pointer Logic for:
More language features (unlimited pointer arithmetic)
Java (static garbage detection etc.)
Concurrent programming
Realistic Certifying Compiler
Verify some code of a mini-OS
Questions?
Thanks!