A Formal Model of the X86 ISA for Binary Program...
Transcript of A Formal Model of the X86 ISA for Binary Program...
![Page 1: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/1.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
A Formal Model of the X86 ISAfor
Binary Program Verification
Shilpi Goel
The University of Texas at Austin
April 2, 2013
1/33
![Page 2: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/2.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
2/33
![Page 3: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/3.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
3/33
![Page 4: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/4.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS
1. Develop an accurate, non-idealized model of the x86Instruction Set Architecture (ISA)
2. Develop automated procedures for reasoning about x86machine code
Infrastructure for verification of linux utilities like cat and od
4/33
![Page 5: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/5.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS
1. Develop an accurate, non-idealized model of the x86Instruction Set Architecture (ISA)
2. Develop automated procedures for reasoning about x86machine code
Infrastructure for verification of linux utilities like cat and od
4/33
![Page 6: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/6.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS
1. Develop an accurate, non-idealized model of the x86Instruction Set Architecture (ISA)
2. Develop automated procedures for reasoning about x86machine code
Infrastructure for verification of linux utilities like cat and od
4/33
![Page 7: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/7.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISAI Reason about machine code on this model
5/33
![Page 8: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/8.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISAI Reason about machine code on this model
5/33
![Page 9: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/9.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISAI Reason about machine code on this model
5/33
![Page 10: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/10.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISAI Reason about machine code on this model
5/33
![Page 11: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/11.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISA
I Reason about machine code on this model
5/33
![Page 12: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/12.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
WHY DO WE CARE?
I Analysis of high-level programs is not good enough.
I High-level programs are not always available.
I Formal verification of machine code!
I Formal Model of the x86 ISAI Reason about machine code on this model
5/33
![Page 13: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/13.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
6/33
![Page 14: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/14.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
MACHINE CODE VERIFICATION ON FORMAL
PROCESSOR MODELS
7/33
![Page 15: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/15.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 16: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/16.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 17: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/17.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 18: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/18.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 19: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/19.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 20: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/20.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 21: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/21.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 22: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/22.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 23: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/23.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 24: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/24.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
I Specifications: Intel’s Software Developer’s Manuals
I ~4000 pages of prose
I Model should emulate the real machine
I Co-simulations
I Need executability to do co-simulations
8/33
![Page 25: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/25.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
2. Develop automated procedures for reasoning about x86machine code
I Functional correctness of machine code
I Minimize lemma construction
9/33
![Page 26: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/26.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
2. Develop automated procedures for reasoning about x86machine code
I Functional correctness of machine code
I Minimize lemma construction
9/33
![Page 27: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/27.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
2. Develop automated procedures for reasoning about x86machine code
I Functional correctness of machine code
I Minimize lemma construction
9/33
![Page 28: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/28.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUR GOALS, REVISITED
1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA
2. Develop automated procedures for reasoning about x86machine code
I Functional correctness of machine code
I Minimize lemma construction
9/33
![Page 29: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/29.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
10/33
![Page 30: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/30.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
11/33
![Page 31: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/31.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
ACL2?
I A Computational Logic for Applicative Common Lisp
I Programming language
I Mathematical logic
I Mechanical theorem prover
12/33
![Page 32: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/32.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
ACL2?
I A Computational Logic for Applicative Common Lisp
I Programming language
I Mathematical logic
I Mechanical theorem prover
12/33
![Page 33: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/33.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
ACL2?
I A Computational Logic for Applicative Common Lisp
I Programming language
I Mathematical logic
I Mechanical theorem prover
12/33
![Page 34: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/34.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
ACL2?
I A Computational Logic for Applicative Common Lisp
I Programming language
I Mathematical logic
I Mechanical theorem prover
12/33
![Page 35: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/35.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
ACL2?
I A Computational Logic for Applicative Common Lisp
I Programming language
I Mathematical logic
I Mechanical theorem prover
12/33
![Page 36: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/36.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
I Our x86 ISA model has been formalized using aninterpreter approach to operational semantics.
I Semantics of a program is given by the effect it has on thestate of the machine.
I State-transition function is characterized by a recursivelydefined interpreter.
13/33
![Page 37: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/37.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
I Our x86 ISA model has been formalized using aninterpreter approach to operational semantics.
I Semantics of a program is given by the effect it has on thestate of the machine.
I State-transition function is characterized by a recursivelydefined interpreter.
13/33
![Page 38: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/38.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FORMALIZING X86 ISA IN ACL2
I Our x86 ISA model has been formalized using aninterpreter approach to operational semantics.
I Semantics of a program is given by the effect it has on thestate of the machine.
I State-transition function is characterized by a recursivelydefined interpreter.
13/33
![Page 39: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/39.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 STATE
Component Descriptionregisters general-purpose,
segment, debug, control,model-specific registers
rip instruction pointerflg 64-bit flags registermem physical memory (4096 TB)
14/33
![Page 40: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/40.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
RUN FUNCTION
Recursively defined interpreter that specifies the x86 model
run (n, x86):
if n == 0:return (x86)
elseif halt instruction encountered:
return (x86)else
run (n - 1, step (x86))
15/33
![Page 41: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/41.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
RUN FUNCTION
Recursively defined interpreter that specifies the x86 model
run (n, x86):
if n == 0:return (x86)
elseif halt instruction encountered:
return (x86)else
run (n - 1, step (x86))
15/33
![Page 42: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/42.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
STEP FUNCTION
step (x86):
pc = rip (x86)
[prefixes, opcode, ... , imm] = Fetch-and-Decode (pc, x86)
case opcode:#x00 -> add-semantic-fn (prefixes, ... , imm, x86)
... ...
#xFF -> inc-semantic-fn (prefixes, ... , imm, x86)
16/33
![Page 43: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/43.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
INSTRUCTION SEMANTIC FUNCTIONS
I INPUT: x86 stateDecoded components of the instruction
OUTPUT: Next x86 state
I A semantic function describes the effects of executing aninstruction.
I Every instruction in the model has its own semanticfunction.
17/33
![Page 44: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/44.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
INSTRUCTION SEMANTIC FUNCTIONS
I INPUT: x86 stateDecoded components of the instruction
OUTPUT: Next x86 state
I A semantic function describes the effects of executing aninstruction.
I Every instruction in the model has its own semanticfunction.
17/33
![Page 45: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/45.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
INSTRUCTION SEMANTIC FUNCTIONS
I INPUT: x86 stateDecoded components of the instruction
OUTPUT: Next x86 state
I A semantic function describes the effects of executing aninstruction.
I Every instruction in the model has its own semanticfunction.
17/33
![Page 46: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/46.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 47: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/47.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 48: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/48.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 49: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/49.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 50: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/50.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 51: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/51.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
X86 MODEL
We use Intel’s Software Developer’s Manuals as ourspecification.
I 64-bit mode
I Model entire 252 bytes (4096 TB) of memory
I All addressing modes
I 118 user-mode instructions (219 opcodes)
I Execution speed: ~3.3 million instructions/second
I +40,000 lines of code
18/33
![Page 52: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/52.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
19/33
![Page 53: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/53.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
EXECUTING BINARY PROGRAMS ON X86 MODEL
GCC/LLVM Compiler
Objdump, Shell Scripts, Python
ACL2/LispConstant
Memory
X86 State
Registers
Instruction Pointer Flags
X86 Model in ACL2
X86 Run Function
X86 Step Function
X86 Instruction Semantic Functions
( d e f c o n s t * p r o g r a m - b i n a r y *. . . )
Subset Operation
Implemented Opcodes
ProgramOpcodes
No --- implement required opcodes
Yes
Real Machine
Machine State
Registers
Instruction Pointer Flags
Memory
...
...
...
Co-simulation
Are program opcodes a subset of implemented opcodes?
TransformOperation
State-by-StateDiff
GDB scripts,Formatting functions
ACL2 printingfunctions
20/33
![Page 54: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/54.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
21/33
![Page 55: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/55.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
22/33
![Page 56: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/56.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 57: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/57.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 58: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/58.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 59: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/59.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 60: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/60.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 61: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/61.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: CLOCK FUNCTION APPROACH
I Write the program’s specification
I Write the algorithm used in the program
I Prove that the algorithm satisfies the specification
I Define clock functions
I Prove that the program implements the algorithm
I Prove that the program satisfies the specification
23/33
![Page 62: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/62.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
24/33
![Page 63: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/63.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata
; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 64: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/64.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 65: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/65.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 66: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/66.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 67: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/67.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 68: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/68.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 69: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/69.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
SYMBOLIC EXECUTION IN ACL2
I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure
I GL: verified framework for proving ACL2 theoremsinvolving finite objects
I Symbolic objects: finite objects represented by booleanexpressions
I Computations involving these symbolic objects done usingverified BDD operations
25/33
![Page 70: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/70.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
DEMO
Automatic correctness proof for an x86 popcount binaryprogram, for counting the number of non-zero bits in the
bit-level representation of an unsigned integer input.
26/33
![Page 71: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/71.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: SYMBOLIC EXECUTION APPROACH
I Write the program’s specification
I Prove that the program satisfies the specification (fullyautomatic)
27/33
![Page 72: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/72.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: SYMBOLIC EXECUTION APPROACH
I Write the program’s specification
I Prove that the program satisfies the specification (fullyautomatic)
27/33
![Page 73: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/73.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: SYMBOLIC EXECUTION APPROACH
I No lemma construction needed; proof done fullyautomatically
I Reason directly about semantics of programs (+40,000 LoC)
I Proofs of correctness of larger programs to be obtainedcompositionally using traditional theorem provingtechniques
28/33
![Page 74: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/74.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: SYMBOLIC EXECUTION APPROACH
I No lemma construction needed; proof done fullyautomatically
I Reason directly about semantics of programs (+40,000 LoC)
I Proofs of correctness of larger programs to be obtainedcompositionally using traditional theorem provingtechniques
28/33
![Page 75: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/75.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CODE PROOFS: SYMBOLIC EXECUTION APPROACH
I No lemma construction needed; proof done fullyautomatically
I Reason directly about semantics of programs (+40,000 LoC)
I Proofs of correctness of larger programs to be obtainedcompositionally using traditional theorem provingtechniques
28/33
![Page 76: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/76.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
OUTLINE
INTRODUCTION
RELATED WORK
X86 ISA MODEL
X86 INSTRUCTION INTERPRETER
EXECUTING PROGRAMS ON X86 MODEL
BINARY PROGRAM VERIFICATION
CLOCK FUNCTION APPROACH
SYMBOLIC EXECUTION
CONCLUSION AND FUTURE WORK
29/33
![Page 77: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/77.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CONCLUSION
I Executable, formal model of a significant subset of x86 ISA
I No simplification of the semantics of x86 instructions
I X86 ISA model capable of running and reasoning aboutreal x86 binary programs
30/33
![Page 78: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/78.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CONCLUSION
I Executable, formal model of a significant subset of x86 ISA
I No simplification of the semantics of x86 instructions
I X86 ISA model capable of running and reasoning aboutreal x86 binary programs
30/33
![Page 79: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/79.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
CONCLUSION
I Executable, formal model of a significant subset of x86 ISA
I No simplification of the semantics of x86 instructions
I X86 ISA model capable of running and reasoning aboutreal x86 binary programs
30/33
![Page 80: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/80.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
PAPERSI [ACL2 Workshop’13]: S. Goel, W. Hunt, and M. Kaufmann
Abstract Stobjs and Their Application to ISA ModelingI [VSTTE’13]: S. Goel and W. Hunt
Automated Code Proofs on a Formal Model of the X86
31/33
![Page 81: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/81.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
PAPERSI [ACL2 Workshop’13]: S. Goel, W. Hunt, and M. Kaufmann
Abstract Stobjs and Their Application to ISA ModelingI [VSTTE’13]: S. Goel and W. Hunt
Automated Code Proofs on a Formal Model of the X86
31/33
![Page 82: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/82.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FUTURE WORK
I Add system calls to enable reasoning about I/O (open,read, write, etc.)
I Further automate the co-simulation frameworkI Automated test case generationI Enhance GDB mode framework
I Build automated binary program annotation andinstrumentation tools
I Infrastructure for verification of linux utilities like cat andod
32/33
![Page 83: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/83.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FUTURE WORK
I Add system calls to enable reasoning about I/O (open,read, write, etc.)
I Further automate the co-simulation frameworkI Automated test case generationI Enhance GDB mode framework
I Build automated binary program annotation andinstrumentation tools
I Infrastructure for verification of linux utilities like cat andod
32/33
![Page 84: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/84.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FUTURE WORK
I Add system calls to enable reasoning about I/O (open,read, write, etc.)
I Further automate the co-simulation frameworkI Automated test case generationI Enhance GDB mode framework
I Build automated binary program annotation andinstrumentation tools
I Infrastructure for verification of linux utilities like cat andod
32/33
![Page 85: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/85.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
FUTURE WORK
I Add system calls to enable reasoning about I/O (open,read, write, etc.)
I Further automate the co-simulation frameworkI Automated test case generationI Enhance GDB mode framework
I Build automated binary program annotation andinstrumentation tools
I Infrastructure for verification of linux utilities like cat andod
32/33
![Page 86: A Formal Model of the X86 ISA for Binary Program Verificationshigoel/x86isaInfo/ShilpiGoel-RPE-Talk.pdf · a formal model of the x86 isa for binary program verification shilpi goel](https://reader035.fdocuments.us/reader035/viewer/2022071219/605577b087a3113b93050414/html5/thumbnails/86.jpg)
INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK
A Formal Model of the X86 ISAfor
Binary Program Verification
Shilpi Goel
The University of Texas at Austin
April 2, 2013
33/33