Hoare Logic for Realistically Modelled Machine Code

Size: px

Start display at page:

Download "Hoare Logic for Realistically Modelled Machine Code"

Margery Garrett
5 years ago
Views:

1 Hoare Logic for Realistically Modelled Machine Code Magnus O. Myreen, Michael J. C. Gordon TACAS, March 2007

2 This talk Contribution: A mechanised Hoare logic for machine code with emphasis on resource usage. Outline: Motivation and Approach Footprints Example The Logic State Representation Memory Accesses Positions and Procedures Semantics Summary

3 Motivation Program verification: bug finding: high assurance: approximate models are OK realistic models required

4 Motivation Program verification: bug finding: high assurance: approximate models are OK realistic models required Why not use standard program logics on realistic models? infinite state space (stacks) separation of code and data (memory accesses) nontrivial to mechanise (detailed models) hardware restrictions (special purpose resources)

5 Motivation Program verification: bug finding: high assurance: approximate models are OK realistic models required Why not use standard program logics on realistic models? infinite state space (stacks) separation of code and data (memory accesses) nontrivial to mechanise (detailed models) hardware restrictions (special purpose resources) For instance, the ARM instruction MUL c,a,b is unpredictable, if registers a and c are the same. ARM allows y := z y but not y := y z.

6 Example An ARM program for calculating the factorial of a positive number: MOV b, #1 ; b := 1 L: MUL b, a, b ; b := a b SUBS a, a, #1 ; a := a - 1 BNE L ; jump to L if a 0 A classical Hoare-style specification: {(a = x) (x 0)} FACTORIAL {(a = 0) (b = x!)} Side condition: The registers associated with a and b are distinct.

7 Example An ARM program for calculating the factorial of a positive number: MOV b, #1 ; b := 1 L: MUL b, a, b ; b := a b SUBS a, a, #1 ; a := a - 1 BNE L ; jump to L if a 0 A classical Hoare-style specification: {(a = x) (x 0)} FACTORIAL {(a = 0) (b = x!)} Side condition: The registers associated with a and b are distinct. What is left unchanged?

8 Example The frame problem can be solved as follows: assign a footprint to assertions (separation logic) guarantee that nothing is changed outside of the footprint require that every state element leaves a footprint (not just memory assertions)

9 Example The frame problem can be solved as follows: assign a footprint to assertions (separation logic) guarantee that nothing is changed outside of the footprint require that every state element leaves a footprint (not just memory assertions) The specification of the factorial program: {R a x R b S x 0 } FACTORIAL +4 {R a 0 R b x! S } +4 is a separating conjunction similar to that of Separation Logic.

10 Example Reasoning about Hoare triples: {R a x R b y} MUL b,a,b +1 {R a x R b (x y)} +1 {R a x S } SUBS a,a,#1 +1 {R a (x 1) S (, x 1=0,, ) } +1 {S (n, z, c, v) } BNE #-4 +1 {S z } +1 2 {S z } 2

11 Example Reasoning about Hoare triples: {R a x R b y P} MUL b,a,b +1 {R a x R b (x y) P} +1 {R a x S } SUBS a,a,#1 +1 {R a (x 1) S (, x 1=0,, ) } +1 {S (n, z, c, v) } BNE #-4 +1 {S z } +1 2 {S z } 2

12 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b +1 {R a x R b (x y) S } +1 {R a x S } SUBS a,a,#1 +1 {R a (x 1) S (, x 1=0,, ) } +1 {S (n, z, c, v) } BNE #-4 +1 {S z } +1 2 {S z } 2

13 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b +1 {R a x R b (x y) S } +1 {R a x R b (x y) S } SUBS a,a,#1 +1 {R a (x 1) R b (x y) S (, x 1=0,, ) } +1 {S (n, z, c, v) } BNE #-4 +1 {S z } +1 2 {S z } 2

14 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b +1 {R a x R b (x y) S } +1 {R a x R b (x y) S } SUBS a,a,#1 +1 {R a (x 1) R b (x y) S (, x 1=0,, ) } +1 {S (, x 1=0,, ) } BNE #-4 +1 {S x 1=0 } +1 2 {S x 1 0 } 2

15 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b +1 {R a x R b (x y) S } +1 {R a x R b (x y) S } SUBS a,a,#1 +1 {R a (x 1) R b (x y) S (, x 1=0,, ) } +1 {R a (x 1) R b (x y) S (, x 1=0,, ) } BNE #-4 +1 {R a (x 1) R b (x y) S x 1=0 } +1 2 {R a (x 1) R b (x y) S x 1 0 } 2

16 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b +1 {R a x R b (x y) S } +1 {R a x R b (x y) S } SUBS a,a,#1 BNE #-4 +2 {R a (x 1) R b (x y) S x 1=0 } +2 1 {R a (x 1) R b (x y) S x 1 0 } 1

17 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x y) S x 1=0 } {R a (x 1) R b (x y) S x 1 0 } +0

18 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x y) S x 1=0 } {R a (x 1) R b (x y) S x 1 0 } +0 composition can be automated for straight line code

19 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x y) S x 1=0 } {R a (x 1) R b (x y) S x 1 0 } +0 composition can be automated for straight line code but we want to prove more than straight-line code!

20 Example Reasoning about Hoare triples: {R a x R b y S } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x y) S x 1=0 } {R a (x 1) R b (x y) S x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

21 Example Reasoning about Hoare triples: {R a x R b (x n) S } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x (x n)) S x 1=0 } {R a (x 1) R b (x (x n)) S x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

22 Example Reasoning about Hoare triples: {R a x R b (x n) S x n } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a (x 1) R b (x (x n)) S x n x 1=0 } {R a (x 1) R b (x (x n)) S x n x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

23 Example Reasoning about Hoare triples: {R a x R b (x n) S x n } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b n! S } {R a (x 1) R b (x (x n)) S x n x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

24 Example Reasoning about Hoare triples: {R a x R b (x n) S x n } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b n! S } {R a (x 1) R b ((x 1) n) S x 1 n x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

25 Example Reasoning about Hoare triples: {R a x R b (x n) S x n x 0 } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b n! S } {R a (x 1) R b ((x 1) n) S x 1 n x 1 0 } +0 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

26 Example Reasoning about Hoare triples: {R a x R b (x n) S x n x 0 } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b n! S } +3 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

27 Example Reasoning about Hoare triples: {R a x R b (x x) S x x x 0 } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b x! S } +3 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

28 Example Reasoning about Hoare triples: {R a x R b 1 S x 0 } MUL b,a,b SUBS a,a,#1 BNE #-4 +3 {R a 0 R b x! S } +3 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

29 Example Reasoning about Hoare triples: {R a x R b S x 0 } MOV b,#1 MUL b,a,b SUBS a,a,#1 BNE #-4 +4 {R a 0 R b x! S } +4 Define a partial factorial: x n = (x+1) (x+2)... (n 1) n, when x < n x x = 1, when x 0.

30 This talk Contribution: A mechanised Hoare logic for machine code with emphasis on resource usage. Outline: Motivation and Approach Footprints Example The Logic State Representation Memory Accesses Positions and Procedures Semantics Summary

31 State Representation A state is a set enumerating state elements. A concrete state: { Reg 0 820, Reg 1 540,, Reg , Mem 0 34, Mem 1 82,, Mem (2 32 1) 40, Status F }

32 State Representation A state is a set enumerating state elements. A concrete state: { Reg 0 820, Reg 1 540,, Reg , Mem 0 34, Mem 1 82,, Mem (2 32 1) 40, Status F } Assertions on parts of states: R r x = λs. (s = {Reg r x}) M a x = λs. (s = {Mem a x}) S b = λs. (s = {Status b})

33 State Representation A state is a set enumerating state elements. A concrete state: { Reg 0 820, Reg 1 540,, Reg , Mem 0 34, Mem 1 82,, Mem (2 32 1) 40, Status F } Assertions on parts of states: R r x = λs. (s = {Reg r x}) M a x = λs. (s = {Mem a x}) S b = λs. (s = {Status b}) split s (u, v) = (u v = s) (u v = ) P Q = λs. u v. split s (u, v) P u Q v

34 State Representation A state is a set enumerating state elements. A concrete state: { Reg 0 820, Reg 1 540,, Reg , Mem 0 34, Mem 1 82,, Mem (2 32 1) 40, Status F } Assertions on parts of states: R r x = λs. (s = {Reg r x}) M a x = λs. (s = {Mem a x}) S b = λs. (s = {Status b}) split s (u, v) = (u v = s) (u v = ) P Q = λs. u v. split s (u, v) P u Q v Particularly: (R a x R b y P) s = (a b) if s is a valid state

35 Memory Access The set-based state representation handles all resources uniformly. Specifications for move and store: {R a x R b } MOV b,a +1 {R a x R b x} +1 {R a x R b y M y } STR a,[b] +1 {R a x R b y M y x} +1 Decrement-and-store, i.e. stack push: {R a x R b y M (y 1) } STR a,[b,#-4]! +1 {R a x R b (y 1) M (y 1) x} +1

36 Memory Access The set-based state representation handles all resources uniformly. Specifications for move and store: {R a x R b } MOV b,a +1 {R a x R b x} +1 {R a x R b y M y } STR a,[b] +1 {R a x R b y M y x} +1 Decrement-and-store, i.e. stack push: {R a x R b y M (y 1) } STR a,[b,#-4]! +1 {R a x R b (y 1) M (y 1) x} +1 Let stack(y, [x 0, x 1,, x m ], n) = R 13 y M (y+m) x m M (y+0) x 0 M (y 1) M (y n)

37 Memory Access The set-based state representation handles all resources uniformly. Specifications for move and store: {R a x R b } MOV b,a +1 {R a x R b x} +1 {R a x R b y M y } STR a,[b] +1 {R a x R b y M y x} +1 Decrement-and-store, i.e. stack push: {R a x R b y M (y 1) P} STR a,[b,#-4]! +1 {R a x R b (y 1) M (y 1) x P} +1 Let stack(y, [x 0, x 1,, x m ], n) = R 13 y M (y+m) x m M (y+0) x 0 M (y 1) M (y n)

38 Memory Access The set-based state representation handles all resources uniformly. Specifications for move and store: {R a x R b } MOV b,a +1 {R a x R b x} +1 {R a x R b y M y } STR a,[b] +1 {R a x R b y M y x} +1 Decrement-and-store, i.e. stack push: {R a x stack(y, xs, n+1)} STR a,[13,#-4]! +1 {R a x stack(y 1, cons x xs, n)} +1 Let stack(y, [x 0, x 1,, x m ], n) = R 13 y M (y+m) x m M (y+0) x 0 M (y 1) M (y n)

39 Positions The specifications shown so far have been of the form: {P} code {Q} +k

40 Positions The specifications shown so far have been of the form: {P} code {Q} h

41 Positions The specifications shown so far have been of the form: {P} f code g {Q} h

42 Positions The specifications shown so far have been of the form: {P} f code g {Q} h The meaning is best described using a different syntax: p. {f (p) : P} g(p) : code {h(p) : Q}

43 Positions The specifications shown so far have been of the form: {P} f code g {Q} h The meaning is best described using a different syntax: p. {f (p) : P} g(p) : code {h(p) : Q} For position independent code use λx.x and offsets p. {p : P} p : code {p+4 : Q}

44 Positions The specifications shown so far have been of the form: {P} f code g {Q} h The meaning is best described using a different syntax: p. {f (p) : P} g(p) : code {h(p) : Q} For position independent code use λx.x and offsets p. {p : P} p : code {p+4 : Q} For position dependent code use e.g. λx.0 and λx.4 {0 : P} 0 : code {4 : Q}

45 Procedures Procedures have this form: y. {P R 14 y} code {Q R 14 } λx.y which can be understood as: y p. {p : P R 14 y} p : code {y : Q R 14 }

46 Procedures Procedures have this form: y. {P R 14 y} code {Q R 14 } λx.y which can be understood as: y p. {p : P R 14 y} p : code {y : Q R 14 } The framework supports procedures by: a rule that calculates the effect of a call (derived from the general rule for composition) an induction rule for proving recursive procedures (complete induction over the natural numbers)

47 Procedures A verified specification for a procedure, which calculates the sum of the nodes in a binary tree: {R a x R s z S tree(x, t) stack(sp, [ ], 2 depth(t)) R 14 y} BINARY SUM {R a R s (z + sum(t)) S tree(x, t) stack(sp, [ ], 2 depth(t)) R 14 } λx.y

48 Procedures The code for BINARY SUM: sum: CMP a,#0 ; test: a = 0 MOVEQ r15,r14 ; return, if a = 0 STR a,[r13,#-4]! ; push a STR r14,[r13,#-4]! ; push link-register LDR r14,[a] ; temp := node value ADD s,s,r14 ; s := s + temp LDR a,[a,#+4] ; a := address of left BL sum ; s := s + sum of a LDR a,[r13,#+4] ; a := original a LDR a,[a,#+8] ; a := address of right BL sum ; s := s + sum of a LDR r15,[r13],#8 ; pop two and return

49 Semantics Define the execution from P to Q as: s Σ. F. (P F ) s = k. (Q F ) (run(k, s)) The meaning of {P} c 0 ;... ; c n {Q} h is given by: p. (P M p c 0 M (p + n) c n R 15 p) (Q M p c 0 M (p + n) c n R 15 h(p)) The formalised theory generalises {P} code {Q} h to allow multiple entry points, multiple exit points and multiple code segments: {P 1 } f1 {P n } fn code g 1 1 codem gm {Q 1 } h1 {Q k } h k

50 Summary Features: concise function/resource-usage specifications position (in)dependent code (recursive procedures) mechanised in HOL4 (supports some automation) is used in verifying ARM machine-code (on top of a detailed model of the ARM ISA)

51 Summary Features: concise function/resource-usage specifications position (in)dependent code (recursive procedures) mechanised in HOL4 (supports some automation) is used in verifying ARM machine-code (on top of a detailed model of the ARM ISA) THE END Questions? Acknowledgements: I would like to thank Mike Gordon, Anthony Fox, Joe Hurd, Konrad Slind, Thomas Teurk, Matthew Parkinson, Josh Berdine, Nick Benton and Richard Bornat for comments and discussions.

Proof-producing decompilation and compilation

Proof-producing decompilation and compilation Magnus Myreen May 2008 Introduction This talk concerns verification of functional correctness of machine code for commercial processors (ARM, PowerPC, x86...