Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)

Published byJaqueline Broadwater Modified over 9 years ago

Similar presentations

Presentation on theme: "1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)"— Presentation transcript:

1 1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)

2 2/28 Modern computer systems are great! (but they have bugs)

3 3/28 Answer #1: Type Safety! source code (e.g. C#) source code (e.g. C#) assembly language Type checker Compiler (but compilers have bugs) Catches many common bugs (at compile time or run time): buffer overflows double frees... Web scripting: Java, Javascript,.NET,... Operating systems: SPIN, Singularity,...

4 4/28 Example compiler bug (in Bartok) void F(int[] arr, int i) { if (i <= arr.Length) { // i ≤ arr.Length int j = i - 1; // j < i ≤ arr.Length if (j >= 0) { // 0 ≤ j < i ≤ arr.Length // no bounds check required! arr[j]++; } } } counterexample: i = -2 31 j = 2 31 - 1 j > i vulnerability: address = &(arr[0]) + 4*j = &(arr[0]) + 4*(2 31 - 1) = &(arr[0]) - 4

5 5/28 Answer #2: Typed Assembly Language! (Morrisett et al, POPL 1998) source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler catches type errors in assembly language program types for objects, stacks, code pointers, etc.

6 6/28 Answer #2: Typed Assembly Language! source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler (but run-time systems and operating systems have bugs) run-time system (GC,...) OS services OS services Linker / loader

7 7/28 From: Apple Product Security Date: Fri, 11 Jul 2008... Available for: iPhone v1.0 through v1.1.4,iPod touch v1.1 through v1.1.4 Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection. Example GC vulnerabilities Mozilla Firefox Bug in JavaScript Garbage Collector Lets Remote Users Deny Service Advisory: Mozilla Foundation Security Advisory Date: Apr 16 2008 A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the JavaScript garbage collector code and cause the target user's browser to crash.... The vendor indicates that similar crashes have been exploitable in the past, so arbitrary code execution may be possible... MS07-057: Cumulative security update for Internet Explorer Date: October 2007...Internet Explorer 6 may exit with an access violation when the JavaScript garbage collector runs and you have dynamically removed a TBODY, THEAD, or TFOOT HTML tag from a table in Windows XP...

8 8/28 Answer #3: Verification! (via automated theorem proving) source code (e.g. C#) source code (e.g. C#) typed assembly language typed assembly language Type checker Compiler run-time system (GC,...) low-level OS services low-level OS services Linker / loader Verifier

9 9/28 Verve: a verifiably safe OS Verified Garbage Collector Verified Threads Verified Interrupt Handlers Verified Device Interface Verified Startup Verify safety with TAL checker Verify safety & correctness with Boogie/Z3 Boot Loader x86 Hardware Small Operating System (C#) Typed Assembly Language Bartok “every assembly language instruction checked for safety” Kernel Nucleus

10 10/28 Kernel Nucleus Small Operating System (C#) Typed Assembly Language Bartok Boot Loader Threads GetStackState ResetStack YieldTo Threads GetStackState ResetStack YieldTo GC Heap AllocObject AllocVector GarbageCollect Throw (readField) (writeField) (readStack) (writeStack) GC Heap AllocObject AllocVector GarbageCollect Throw (readField) (writeField) (readStack) (writeStack) Interrupts FaultHandler ErrorHandler InterruptHandler FatalHandler Interrupts FaultHandler ErrorHandler InterruptHandler FatalHandler Device IO VgaTextWrite TryReadKeyboard StartTimer SendEoi PciConfigRead32 PciMemSetup PciMemRead32 PciMemWrite32 DmaBuffer DmaPhysicalAddr Rdtsc Device IO VgaTextWrite TryReadKeyboard StartTimer SendEoi PciConfigRead32 PciMemSetup PciMemRead32 PciMemWrite32 DmaBuffer DmaPhysicalAddr Rdtsc Startup NucleusEntryPoint Startup NucleusEntryPoint x86 Hardware Class types, interface types Array types Method invocations Stack frames Casts, array store checks... Verve: a verifiably safe OS BUILD!

11 11/28 Related work (Mostly) type-based – House (Hallgren et al) – TALK (Maeda et al) – Typed GC interface (Vanderwaart et al) (Mostly) interactive theorem proving – FLINT / certified code (Shao et al) – seL4 (Klein et al)

12 12/28 Demo: Boogie/Z3

13 13/28 Z3: Automated theorem prover DECIDABLE THEORIES boolean expressions e ::= true | false | !e | e && e | e ==> e |... linear integer arithmetic e ::=... | -2 | -1 | 0 | 1 | 2 | e + e | e – e | e <= e |... bit vector arithmetic e ::=... | e & e | e << e |... arrays e ::=... | e[e] | e[e := e] UNDECIDABLE quantifiers e ::=... | forall x.e | exists x.e

14 14/28 Practical, verified copying collector code procedure CopyAndForward(ptr:int, _tj:int) requires ecx == ptr; requires CopyGcInv(...); requires Pointer(r1, ptr, r1[ptr]);... { call edx := GcRead(ecx + 4); esp := esp - 4; call GetSize(ptr, edx, r1, r1); call ebp := Mov(eax);... call edi := Mov(0); call edx := Mov(0); loop: assert 4 * edi == edx; assert CopyGcInv(...);... if (edx >= ebp) { goto loopEnd; } call copyWord(ptr, _tj, esi, edi, ebp); call edi := Add(edi, 1); call edx := Add(edx, 4); goto loop; loopEnd: call eax := Lea(esi + 4); call GcWrite(ecx + 4, eax);... mov edi, 0 mov edx, 0 CopyAndForward$loop: cmp edx, ebp jae CopyAndForward$loopEnd automatic translation

15 15/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions

16 16/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Defined by (trusted) specification Untrusted definitions from- space to- space... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))...

17 17/28 Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables DMA area DMA area General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions

18 18/28 DMA area DMA area Memory management Code, Static fields, GC info Code, Static fields, GC info Interrupt table Interrupt table IO-MMU page tables IO-MMU page tables General-purpose memory General-purpose memory Nucleus private stack Nucleus private stack PCI tables PCI tables Thread contexts Thread contexts C#/TAL stacks C#/TAL stacks GC heap GC heap Trusted specification Untrusted definitions IO page table IO-MMU IO page table IO page table... and(ptr, 4095) == 0 &&(forall i:int::{T(i)} T(i) && 0 IoPageTableEntry(IomMem[ptr + 8 * i], IomMem[ptr + 8 * i + 4])... ptr

19 19/28 Threads and interrupts Stacks Interrupt table Interrupt/error handling procedure InterruptHandler(stackState:[int]StackState, …); requires StackState[S] == StackRunning; ensures NucleusInv(... StackState[S := StackInterrupted(eax, ebx, …)] [Stack0 := StackRunning] …); TAL code 0 void KernelMain() { … // Schedule thread, wait for exception or // interrupt ScheduleNextThread(); // CurrentThread received exception, // interrupt, or exited voluntarily uint cid = CurrentThread; Thread t = threadTable[cid]; … } void KernelMain() { … // Schedule thread, wait for exception or // interrupt ScheduleNextThread(); // CurrentThread received exception, // interrupt, or exited voluntarily uint cid = CurrentThread; Thread t = threadTable[cid]; … }

20 20/28 Micro-benchmarks Verve functionality Cycles Round-trip yield 98 Round-trip wait + signal 216 ComparisonsCycles L4 (IPC)224 SeL4 (IPC)448 Singularity (yield)2156 Linux (yield)2390 Windows (yield)3554

21 21/28 Size of code, specification CopyingMark-sweep Specification Boogie lines1517 Verified Boogie lines51895734 x86 instructions17471859 Boogie verification ~1 person-year work Boogie/Z3 runs in ~10 minutes 3x code C# code (100% safe)35,000 CODE!

22 22/28 Building Verve Verified Kernel.cs Nucleus.bpl (x86) Kernel.obj (x86) Compiler Specification Boot loader TAL checkerBoogie/Z3 Verve.iso Translator / Assembler Linker / ISO generator DEMO!

23 23/28 BugWhose fault? InitializeGC: clobber ebp AllocObject: off-by-4 debugger stub linking GC tables String GC descriptor Bugs in the trusted computing base Specification Boot loader TAL checkerBoogie/Z3 Translator / Assembler Linker / ISO generator Specification Debugger stub Windows/Bartok TAL checker Specification TAL checker Linker / ISO gen Specification procedure InitializeGc(); requires SMemRequireRA(...); requires MemInv(...);... modifies Eip, eax,..., ebp, esp; ensures WellFormed(toAbs); ensures ebp == old(ebp); procedure AllocObject(...); requires isStack(S); requires NucleusInv(...);... ensures eax == 0 || Pointer(toAbs, eax - 4, abs); ensures ebp == old(ebp); Debugger stub Code, Static fields, GC info Code, Static fields, GC info public sealed class String :... { private int m_arrayLength; private int m_stringLength; internal char[] m_chars;...

24 24/28 Towards foundational Verve (Gregory Malecha) Nucleus specification Nucleus specification TAL checker Well-typed registers Well-typed objects Well-typed stack frames... Specification for values Specification for objects Specification for stack frames... Goal: mechanized connection

25 25/28 Unified invariant Nucleus invariant + TAL well-typedness... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i + 4]) ==> Pointer(r2, gcMem[i + 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i + 4]))... Inductive WellTypedIns : CodeType -> Instr -> CodeType -> Prop := | Tmov : forall st st' from to ty, opdType st from ty -> regTyUpd st to ty = st' -> WellTypedIns st (Imov to from) st‘ |... Inductive WellTypedIns : CodeType -> Instr -> CodeType -> Prop := | Tmov : forall st st' from to ty, opdType st from ty -> regTyUpd st to ty = st' -> WellTypedIns st (Imov to from) st‘ |...

26 26/28 Unified invariant MOV edx, esi CALL...Nucleus... MOV edx, esi CALL...Nucleus... MOV esi, eax MOV edx, esi CALL...Nucleus... MOV edx, esi CALL...Nucleus... MOV esi, eax Nucleus invariant + TAL well-typedness TAL instruction = 1 step Nucleus call = 1 step Each step maintains unified invariant

27 27/28 Progress on “foundational Verve” Approach so far (roughly) – Mechanically translate Boogie Spec into Coq – Specify “step” relation in Coq – Boogie/Z3 proofs become Coq axioms – (Try to!) prove invariant holds after each step We’re not done yet, but we’ve found spec bugs procedure YieldTo(s:int,...); requires ecx == s; requires (StackState[s] == StackRunning &&...) || (StackState[s] == StackYielded(...) &&...) || (StackState[s] == StackInterrupted(...) &&...) || (StackState[s] == StackEmpty &&...) || (!isStack(s)); implementation YieldTo(s:int,...) { if (ecx >= ?NumStacks) {... call debugBreak(); }... } procedure YieldTo(s:int,...); requires ecx == s; requires (StackState[s] == StackRunning &&...) || (StackState[s] == StackYielded(...) &&...) || (StackState[s] == StackInterrupted(...) &&...) || (StackState[s] == StackEmpty &&...) || (!isStack(s)); implementation YieldTo(s:int,...) { if (ecx >= ?NumStacks) {... call debugBreak(); }... }

28 28/28 Conclusions Every x86 instruction checked for safety! Automated tools: checking scales to large code. Open challenges – Complete, foundational TAL/runtime/OS – Concurrency, multicore – GPUs

Download ppt "1/28 Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)

1/17 Automated Verification of Practical Garbage Collectors Chris Hawblitzel (Microsoft Research) Erez Petrank (Technion)
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
CS 4284 Systems Capstone Godmar Back Processes and Threads.

CS 4284 Systems Capstone Godmar Back Processes and Threads.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.

Automated and Modular Refinement Reasoning for Concurrent Programs Collaborators: Chris Hawblitzel (Microsoft) Erez Petrank (Technion) Serdar Tasiran (Koc.
The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.

The Kernel Abstraction. Challenge: Protection How do we execute code with restricted privileges? – Either because the code is buggy or if it might be.
Will You Still Compile Me Tomorrow

Will You Still Compile Me Tomorrow
Lab#1 (14/3/1431h) Introduction To java programming cs425

Lab#1 (14/3/1431h) Introduction To java programming cs425
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
CMPT 300: Operating Systems I Dr. Mohamed Hefeeda

CMPT 300: Operating Systems I Dr. Mohamed Hefeeda
1 Operating Systems and Protection CS 217. 2 Goals of Today’s Lecture How multiple programs can run at once  Processes  Context switching  Process.

1 Operating Systems and Protection CS Goals of Today’s Lecture How multiple programs can run at once  Processes  Context switching  Process.
Figure 2.8 Compiler phases. 2.8.1 Compiling. Figure 2.9 Object module. 2.8.2 Linking.

Figure 2.8 Compiler phases Compiling. Figure 2.9 Object module Linking.
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)

Typed Memory Management in a Calculus of Capabilities David Walker (with Karl Crary and Greg Morrisett)
3.5 Interprocess Communication

3.5 Interprocess Communication
Chapter 6 Implementing Processes, Threads, and Resources.

Chapter 6 Implementing Processes, Threads, and Resources.
Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.

Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

Similar presentations

Ads by Google