A Formal Model of the X86 ISA for Binary Program...

INTRODUCTION RELATED WORK X86 ISA MODEL BINARY PROGRAM VERIFICATION CONCLUSION AND FUTURE WORK

A Formal Model of the X86 ISAfor

Binary Program Verification

Shilpi Goel

The University of Texas at Austin

April 2, 2013

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

X86 INSTRUCTION INTERPRETER

EXECUTING PROGRAMS ON X86 MODEL

BINARY PROGRAM VERIFICATION

CLOCK FUNCTION APPROACH

SYMBOLIC EXECUTION

CONCLUSION AND FUTURE WORK

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

OUR GOALS

1. Develop an accurate, non-idealized model of the x86Instruction Set Architecture (ISA)

2. Develop automated procedures for reasoning about x86machine code

Infrastructure for verification of linux utilities like cat and od

OUR GOALS

WHY DO WE CARE?

I Analysis of high-level programs is not good enough.

I High-level programs are not always available.

I Formal verification of machine code!

I Formal Model of the x86 ISAI Reason about machine code on this model

WHY DO WE CARE?

I Formal Model of the x86 ISA

I Reason about machine code on this model

WHY DO WE CARE?

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

MACHINE CODE VERIFICATION ON FORMAL

PROCESSOR MODELS

OUR GOALS, REVISITED

1. Develop an accurate, non-idealized, formal, andexecutable model of the x86 ISA

I Specifications: Intel’s Software Developer’s Manuals

I ~4000 pages of prose

I Model should emulate the real machine

I Co-simulations

I Need executability to do co-simulations

I Co-simulations

I Functional correctness of machine code

I Minimize lemma construction

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

FORMALIZING X86 ISA IN ACL2

I A Computational Logic for Applicative Common Lisp

I Programming language

I Mathematical logic

I Mechanical theorem prover

I Our x86 ISA model has been formalized using aninterpreter approach to operational semantics.

I Semantics of a program is given by the effect it has on thestate of the machine.

I State-transition function is characterized by a recursivelydefined interpreter.

X86 STATE

Component Descriptionregisters general-purpose,

segment, debug, control,model-specific registers

rip instruction pointerflg 64-bit flags registermem physical memory (4096 TB)

RUN FUNCTION

Recursively defined interpreter that specifies the x86 model

run (n, x86):

if n == 0:return (x86)

elseif halt instruction encountered:

return (x86)else

run (n - 1, step (x86))

RUN FUNCTION

Recursively defined interpreter that specifies the x86 model

run (n, x86):

if n == 0:return (x86)

elseif halt instruction encountered:

return (x86)else

run (n - 1, step (x86))

STEP FUNCTION

step (x86):

pc = rip (x86)

[prefixes, opcode, ... , imm] = Fetch-and-Decode (pc, x86)

case opcode:#x00 -> add-semantic-fn (prefixes, ... , imm, x86)

... ...

#xFF -> inc-semantic-fn (prefixes, ... , imm, x86)

INSTRUCTION SEMANTIC FUNCTIONS

I INPUT: x86 stateDecoded components of the instruction

OUTPUT: Next x86 state

I A semantic function describes the effects of executing aninstruction.

I Every instruction in the model has its own semanticfunction.

X86 MODEL

We use Intel’s Software Developer’s Manuals as ourspecification.

I 64-bit mode

I Model entire 252 bytes (4096 TB) of memory

I All addressing modes

I 118 user-mode instructions (219 opcodes)

I Execution speed: ~3.3 million instructions/second

I +40,000 lines of code

X86 MODEL

I 64-bit mode

X86 MODEL

I 64-bit mode

X86 MODEL

I 64-bit mode

X86 MODEL

I 64-bit mode

X86 MODEL

I 64-bit mode

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

EXECUTING BINARY PROGRAMS ON X86 MODEL

GCC/LLVM Compiler

Objdump, Shell Scripts, Python

ACL2/LispConstant

Memory

X86 State

Registers

Instruction Pointer Flags

X86 Model in ACL2

X86 Run Function

X86 Step Function

X86 Instruction Semantic Functions

( d e f c o n s t * p r o g r a m - b i n a r y *. . . )

Subset Operation

Implemented Opcodes

ProgramOpcodes

No --- implement required opcodes

Real Machine

Machine State

Registers

Instruction Pointer Flags

Memory

Co-simulation

Are program opcodes a subset of implemented opcodes?

TransformOperation

State-by-StateDiff

GDB scripts,Formatting functions

ACL2 printingfunctions

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

CODE PROOFS: CLOCK FUNCTION APPROACH

I Write the program’s specification

I Write the algorithm used in the program

I Prove that the algorithm satisfies the specification

I Define clock functions

I Prove that the program implements the algorithm

I Prove that the program satisfies the specification

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

SYMBOLIC EXECUTION IN ACL2

I Symbolic Execution: Executing functions on symbolicdata

; can be used as a proof procedure

I GL: verified framework for proving ACL2 theoremsinvolving finite objects

I Symbolic objects: finite objects represented by booleanexpressions

I Computations involving these symbolic objects done usingverified BDD operations

I Symbolic Execution: Executing functions on symbolicdata; can be used as a proof procedure

Automatic correctness proof for an x86 popcount binaryprogram, for counting the number of non-zero bits in the

bit-level representation of an unsigned integer input.

CODE PROOFS: SYMBOLIC EXECUTION APPROACH

I Prove that the program satisfies the specification (fullyautomatic)

I No lemma construction needed; proof done fullyautomatically

I Reason directly about semantics of programs (+40,000 LoC)

I Proofs of correctness of larger programs to be obtainedcompositionally using traditional theorem provingtechniques

OUTLINE

INTRODUCTION

RELATED WORK

X86 ISA MODEL

SYMBOLIC EXECUTION

CONCLUSION

I Executable, formal model of a significant subset of x86 ISA

I No simplification of the semantics of x86 instructions

I X86 ISA model capable of running and reasoning aboutreal x86 binary programs

CONCLUSION

PAPERSI [ACL2 Workshop’13]: S. Goel, W. Hunt, and M. Kaufmann

Abstract Stobjs and Their Application to ISA ModelingI [VSTTE’13]: S. Goel and W. Hunt

Automated Code Proofs on a Formal Model of the X86

PAPERSI [ACL2 Workshop’13]: S. Goel, W. Hunt, and M. Kaufmann

Abstract Stobjs and Their Application to ISA ModelingI [VSTTE’13]: S. Goel and W. Hunt

Automated Code Proofs on a Formal Model of the X86

FUTURE WORK

I Add system calls to enable reasoning about I/O (open,read, write, etc.)

I Further automate the co-simulation frameworkI Automated test case generationI Enhance GDB mode framework

I Build automated binary program annotation andinstrumentation tools

I Infrastructure for verification of linux utilities like cat andod

FUTURE WORK

A Formal Model of the X86 ISAfor

Binary Program Verification

Shilpi Goel

The University of Texas at Austin

April 2, 2013

A Formal Model of the X86 ISA for Binary Program...

Documents

Transcript of A Formal Model of the X86 ISA for Binary Program...