Assembly Code Verification Using Model Checking
Transcript of Assembly Code Verification Using Model Checking
![Page 1: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/1.jpg)
Assembly Code Verification Using Model Checking
Hao XIAO, Singapore University of Technology and Design
![Page 2: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/2.jpg)
Outline
• Motivation
• Approach overview
• ILA module @ PAT
• On-going & future work
![Page 3: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/3.jpg)
Motivation
Design
• Design verification
  • SPIN, PRISM, UPPAAL, PAT, …
Source code
• Model checking source code
  • Java Pathfinder, CBMC, SLAM, …
Binary
• Model checking binary
  • MCSQUARE, Estes
![Page 4: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/4.jpg)
Benefits
• Achieve more reliability.
  • More software components can be verified.
• Circumvent problems caused by the compiler.
  • The verification target is closer to what actually runs on the CPU than the source code is.
• Easy to verify.
  • Binaries have a simpler syntax and better-defined semantics than source code.
![Page 5: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/5.jpg)
Challenges
• Instruction complexity.
• Lack of high-level semantic information.
• Dynamic jumps and calls: no clear boundaries for a “function”.
• How to specify properties for assembly code.
• Scalability.
  • Assembly code is much longer than source code.
![Page 6: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/6.jpg)
Design Goals
• Accuracy: Faithfully handle the complex instructions of a given ISA.
• Extensibility: Easily extensible to the instruction sets of different architectures.
• Ease of Use: Those who are not familiar with temporal logic or assembly language should also find it useful.
• High Efficiency: Scalable to large programs.
![Page 7: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/7.jpg)
Approach Overview (1)
Architecture diagram (figure). Components: ELF binary, Vine (parser), Vine IL, Emulator, Static Analyzer, Model Checker, User & Built-in properties, Properties Parser, Counter Example. The ELF binary is parsed by Vine into Vine IL; the emulator and static analyzer work on the IL; user-supplied and built-in properties go through the properties parser; the model checker consumes both and reports a counter example.
![Page 8: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/8.jpg)
Approach Overview (2)
• Accuracy and Extensibility: Vine IL.
• Ease of Use: Built-in properties; if the source is available, link counter examples back to the source.
• High Efficiency: property-guided abstraction techniques for state space reduction; function abstraction.
![Page 9: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/9.jpg)
ILA @ PAT
• Vine IL
• Emulator
• Static Analyses
• Built-in properties
• Example: buffer overflow checking
![Page 10: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/10.jpg)
Vine IL
Translation pipeline (figure): Binary file → (libbfd) → Assembly → (LibVEX) → VEX IR → (Vine) → Vine IL
![Page 11: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/11.jpg)
Vine IL Example
![Page 12: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/12.jpg)
Emulator (State builder)
• The emulator is used to generate the successor states of the current state.
• A state consists of the CPU registers, the PC, and memory.
• Separate global states from local states.
• Byte-precision memory model.
![Page 13: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/13.jpg)
Static Analyses for Space Reduction
• Stack Analysis
• Dead Variable Analysis
• Value Set Analysis
• Interrupt Flag Analysis
• Path Reduction
![Page 14: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/14.jpg)
Built-in Properties
• Stack overflow checking
• Integer overflow checking
• Null pointer dereference checking
• Division by zero checking
• Uninitialized variable checking
• Data race checking
![Page 15: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/15.jpg)
Example: Buffer Overflow Checking
• Buffer overflow at the assembly level:
  • a write to a memory location beyond the boundaries of the current stack frame.
• Identify instrumentation points:
  • find write operations which have a variable d as their destination address.
• Assertion instrumentation:
  • add the assertion d > %ebp && d < %esp before the write instruction.
• Model check the assertions.
![Page 16: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/16.jpg)
Example: C++ Source Code
![Page 17: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/17.jpg)
Example: Assembly Code
Assembly listing (figure), divided into blocks s1 to s6.
![Page 18: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/18.jpg)
Control Flow Graph (figure): basic blocks S1 to S6 and jump nodes J1, J2, J3.
![Page 19: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/19.jpg)
CFG for Instrumented Code (figure). Nodes: S1, S3, S4.1, S4.2, S5, S6, J1, J3, A1, Error. Node contents as extracted from the figure, one statement per line:

esp1 = esp0 - 0x4
M[esp1] = ebp0
ebp1 = esp1
esp2 = esp1 - max{0, 15}
esp3 = esp2 - 0x20

M[ebp1 + 0x8] > 1

eax0 = M[ebp1 + 0xc]
eax1 = M[eax0 + 0x4]
M[esp3 + 0x18] = eax1
M[esp3 + 0x1c] = 0

ebx0 = φ(S3, S4.2, M[esp3 + 0x1c])
eax2 = M[esp3 + 0x18]
eax3 = strlen(eax2)

eax3 < ebx0

eax4 = M[esp3 + 0x1c]
eax5 = eax4 + M[esp3 + 0x18]
edx0 = M[eax5]
eax6 = esp3 + 0x10
eax7 = M[esp3 + 0x1c] + eax6

eax7 > ebp1 && eax7 < esp3

M[eax7] = edx0
M[esp3 + 0x1c] = M[esp3 + 0x1c] + 1
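The instrumentation described on the buffer overflow checking slide and the instrumented copy loop of the CFG above, carried through as an added example (constructed here; not the ILA module's or PAT's code): the loop is interpreted for one concrete argv[1], the assertion before each store checks that the destination lies inside the current frame, and a bounded search over input lengths stands in for the model checker and returns the shortest counter example. It assumes the stack grows downward, so the frame is the range [esp, ebp), takes the frame size 0x20 and the slot offsets 0x10, 0x18, 0x1c from the CFG, and all other addresses are constructed.

```python
"""Added example (constructed, not the PAT ILA module): the frame-bounds assertion
from the slides, applied to the instrumented copy loop and checked over bounded inputs."""

FRAME_SIZE = 0x20                               # sub $0x20,%esp   (esp3 = esp2 - 0x20)
BUF_OFF, PTR_OFF, IDX_OFF = 0x10, 0x18, 0x1c    # frame slots: buf, argv[1] pointer, i


def in_frame(d, ebp, esp):
    """Instrumented assertion. x86 stacks grow downward, so the live frame is the
    address range [esp, ebp); a store to d outside it is a stack-frame overflow."""
    return esp <= d < ebp


def copy_loop(arg, esp0=0x7fff_ff00, ebp0=0x7fff_ff40):
    """Interpret the instrumented IL for one concrete argv[1] (addresses constructed).
    Returns a dict describing the first failed assertion, or None if all stores pass.
    Simplification: i and the argv[1] pointer are kept in Python locals instead of
    being reloaded from their frame slots, so a clobbered slot cannot alter control flow."""
    argv1 = 0x1000_0000                                   # constructed address of argv[1]
    mem = {argv1 + k: b for k, b in enumerate(arg.encode() + b"\0")}
    esp1 = esp0 - 4                                       # push %ebp
    mem[esp1] = ebp0
    ebp1 = esp1                                           # mov %esp,%ebp
    esp3 = esp1 - FRAME_SIZE                              # sub $0x20,%esp
    i, clobbered = 0, set()
    while i < len(arg):                                   # J2: loop while i < strlen(argv[1])
        edx0 = mem[argv1 + i]                             # S4.2: argv[1][i]
        eax7 = esp3 + BUF_OFF + i                         #       &buf[i]  (eax6 + i)
        if not in_frame(eax7, ebp1, esp3):                # A1: assertion before the store
            return {"input_len": len(arg), "index": i,
                    "frame_off": eax7 - esp3, "clobbered": sorted(clobbered)}
        if eax7 - esp3 >= PTR_OFF:                        # lands on the ptr/i slots but passes A1
            clobbered.add(eax7 - esp3)
        mem[eax7] = edx0                                  # S5: buf[i] = argv[1][i]
        i += 1
    return None


def model_check(max_len=64):
    """Bounded check: argv[1] is abstracted to its length, the only thing the loop's
    control flow depends on, and every length up to max_len is explored.
    Returns the shortest counter example, or None if no assertion fails."""
    for n in range(max_len + 1):
        cex = copy_loop("A" * n)
        if cex is not None:
            return cex
    return None


if __name__ == "__main__":
    print(model_check())                                  # shortest input that leaves the frame
```

Because the assertion checks frame bounds rather than object bounds, the stores at offsets 0x18 to 0x1f (the saved argv[1] pointer and i) pass it and are only reported in `clobbered`; the assertion first fails at the store to offset 0x20, the saved %ebp.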
![Page 20: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/20.jpg)
On-going & future Work
• Implementation.
• More abstraction techniques (e.g., irrelevant code elimination).
• Symbolic model checking.
![Page 21: Assembly Code Verification Using Model Checking](https://reader035.fdocuments.us/reader035/viewer/2022062310/5681637c550346895dd459ff/html5/thumbnails/21.jpg)
The End
Thanks!