Page 1: A Certifying Compiler and Pointer Logic Zhaopeng Li Software Security Lab. Department of Computer Science and Technology, University of Science and Technology.

A Certifying Compiler and Pointer Logic

Zhaopeng Li

Software Security Lab.

Department of Computer Science and Technology,University of Science and Technology of China

October 8, 2008

Towards Building Trusted Software


Software Security Lab, USTC 2

Outline

- Motivation
- Research Goals
- Our Work
  - A Certifying Compiler
  - PointerC Language
  - Pointer Logic
- Summary
- Future Work


Motivation

- Software safety problems
- The C language
  - Widely used, with a large body of legacy C code
  - Not easy to write safe code with pointers
- One solution: program verification
  - Program + Annotation + Proof


Motivation (cont.)

- Hoare Logic
  - Hoare triple: {P} C {Q}
  - Hard to reason about pointer programs
- Separation Logic
  - Low-level code, or high-level code with restrictions
  - Separating conjunction (P * Q)
  - Example (two cells; formula reconstructed from the slide figure): p ↦ (_, l1) * l1 ↦ (_, p)
- A Hoare-like logic for the C language?


Research Goals

- Verification for C pointer programs
  - Design a C-like language
  - Design a logic
- Design a certifying compiler
  - Generate code with proof
  - Minimize the Trusted Computing Base


Our Certifying Compiler

Figure: system architecture (text recovered from the diagram).

- Input: PointerC source code + specifications
- Source-level certifying system (Pointer Logic, VCGen, Prover)
  produces: source code + specifications + proof
- Certifying compiler (Code Compiler, Proof Compiler)
  produces: assembly code + assembly specifications + assembly proof


Our Certifying Compiler (cont.)

Prototype
- plcc ver1.0 (2005.5-2006.9)
- plcc ver2.0 (2006.9-2007.12)

Improvements
- Built-in theorem prover
- Support for limited pointer arithmetic
- Support for more data structures (e.g., doubly-linked list)


Supported Programs

- Singly-linked / doubly-linked list: traversal, reversal, delete, insert, create, clear
- Binary tree: traversal, rotate, delete, insert


Evaluation


PointerC Language

PointerC:
- A subset of the C language with pointer types
- Memory management: malloc/free

Main constraints:
- Pointer arithmetic is limited
- No union type
- No type cast
- …


Pointer Logic

Motivation

- PointerC typing rules carry side conditions; for field access:

      p : ptr(struct (…, x: int; …))
      -------------------------------   (side condition: valid(p))
      p->x : int

- A logic proof system is needed to reason about source programs with complex pointer aliasing
- Why not separation logic?


Pointer Logic (cont.)

Why not separation logic?

    struct List { int data; struct List *next; };

List_delete.c:

    … q = p->next; p->next = p->next->next; free(q); …

List_delete_trans.c:

    … q = p->next; t = q->next; p->next = t; free(q); …

(Figure: p points into a list that ends in NULL; q and t name the cells involved in the unlink.)

- No rule for this kind of statement (p->next = p->next->next)!
- No rule for aliasing inference!


Basic ideas

- Precise pointer information collection at each program point
- Pointer classification
  - Valid pointer set
  - Null pointer set
  - Dangling pointer set
- Equality between valid pointers


Specification

Pointer information for the list in the figure (head and p point to the first cell, tail to the last cell, q has been freed):

- Valid pointers, grouped into equality classes: {{head, p}, {p->next}, {p->next->next, tail}}
- Null pointer set: N = {tail->next}
- Dangling pointer set: D = {q}

Questions such as "head->next = ?", "(p->next)^3 = ?" and "head->next->next = ?" are answered directly from these sets: head->next is in the class of p->next, (p->next)^3 is tail->next and therefore null, and head->next->next is tail.

The information is concise!


Specification (cont.)

Compare with separation logic. The same list (with head = p and tail = l2) is described as

    p ↦ (_, l1) * l1 ↦ (_, l2) * l2 ↦ (_, nil)

- Access paths are short
- Low-level addresses (l1, l2) are used in the assertion
- Addresses are what associate the different heaps


Expressivity

Current applications:
- Singly-linked list
- Doubly-linked list
- Binary tree

Graphs?
- Equality between pointers is not certain
- Cannot be expressed in the current pointer logic
- Not well supported in separation logic either


Expressivity (cont.)

Singly-linked list in pointer logic

- Flat version (n cells starting at p):

      list(n, p) ≡ {p}, {p->next}, …, {(p->next)^(n-1)} are n distinct valid classes, and (p->next)^n ∈ N

- Inductive version:

      list(p) ≡ p ∈ N ∨ ({p} is valid ∧ list(p->next))

Singly-linked list in separation logic

- Flat version:

      list(n, p) ≡ ∃ l1, …, l(n-1). p ↦ (_, l1) * l1 ↦ (_, l2) * … * l(n-1) ↦ (_, nil)

  (Figure: p → … → nil.)  p, l1, l2, …, l(n-1) are distinct!
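As an added illustration (not the talk's code, logic or prover), the flat and inductive list definitions above can be evaluated on a concrete heap. The heap model, the function names and the three sample heaps are constructed for this example: a heap is a dict from cell id to the value of its next field (another cell id, or None for NULL), and a pointer value is valid exactly when it is a key of that dict.

```python
# Added example: the flat and inductive list definitions, evaluated on a
# concrete heap.  Not code from the talk.  A heap is {cell: next_value} where
# next_value is another cell id or None (NULL); a pointer value is valid iff
# it is a key of the heap, null iff it is None, and dangling otherwise.

def access_path(heap, p, k):
    """Value of (p->next)^k.  Each '->' is the typing rule's side condition
    valid(prefix): walking through a null or dangling value is an error."""
    v = p
    for _ in range(k):
        if v is None or v not in heap:
            raise ValueError(f"{p}->next^{k}: dereference of a non-valid pointer")
        v = heap[v]
    return v


def list_flat(heap, n, p):
    """Flat version: p, p->next, ..., (p->next)^(n-1) are n distinct valid
    pointers (n separate equality classes) and (p->next)^n is in N.  This is
    also what the separation-logic formula with l1..l(n-1) says, because the
    separating conjunction forces the n cells to be distinct."""
    try:
        cells = [access_path(heap, p, k) for k in range(n)]
        end = access_path(heap, p, n)        # also validates cells[n-1]
    except ValueError:
        return False
    return len(set(cells)) == n and end is None


def list_inductive(heap, p, seen=frozenset()):
    """Inductive version: p in N, or p valid and list(p->next).  Read as a
    least fixed point, a cycle has no finite derivation, so it is rejected."""
    if p is None:
        return True
    if p not in heap or p in seen:
        return False
    return list_inductive(heap, heap[p], seen | {p})


def list_length(heap, p):
    """The n for which list(n, p) holds, or None if p does not head a list."""
    for n in range(len(heap) + 1):
        if list_flat(heap, n, p):
            return n
    return None


# Constructed sample heaps (not from the slides).
LIST3 = {"a": "b", "b": "c", "c": None}      # a -> b -> c -> NULL
CYCLE = {"a": "b", "b": "a"}                 # a -> b -> a: not a list
DANGLE = {"a": "b"}                          # a -> b, but b was never allocated
```

Both definitions agree on the three heaps: the 3-cell list satisfies list(3, a) and the inductive predicate, while the cyclic heap fails the flat version through the distinctness requirement and the inductive version through the absence of a finite derivation.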


Inference Rule

- Hoare-logic-like rules {P} C {Q}
- Extend Hoare logic
- Calculate the pointer information Q from P


Memory Leak

(Figure: p points to a single cell whose next field is NULL; the statement is p = NULL.)

Pointer Logic:

    { {p};  N = {p->next} }   p = NULL   { ? }

  No rule for this case!

Separation Logic:

    { p ↦ (_, nil) }   p := nil   { ∃x. x ↦ (_, nil) ∧ p = nil }

  Memory leak! The triple follows from the assignment axiom of Hoare logic, so precise assertions must be used to rule out this case.
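The following added example (written for this page; it is neither the plcc prototype nor the formal rules of the logic) implements the slides' pointer information as a small abstract state with transfer functions, then runs the List_delete.c and List_delete_trans.c statements from the "Why not separation logic?" slide and the p = NULL case from this slide through it. The class and function names, the single-field struct, the cell ids, and the treatment of uninitialised locals as dangling are assumptions of the example.

```python
# Added example (not the plcc prototype or the logic's formal rules): the slides'
# pointer information as a small state with transfer functions.  Assumes the
# only struct is the slide's List, so every access path is a chain of ->next.
NULL, DANGLING = "NULL", "DANGLING"

class MemoryLeak(Exception): """Statement would orphan a cell: the logic has no rule for it."""
class UnsafeDeref(Exception): """Access path crosses a null/dangling pointer (side condition fails)."""

class PointerState:
    """vars: variable -> cell id, NULL or DANGLING;  next: allocated cell -> its
    next field.  Access paths reaching the same cell form one valid class."""
    def __init__(self, *names):
        # uninitialised locals count as dangling (assumption of this example)
        self.vars, self.next, self._fresh = {n: DANGLING for n in names}, {}, 0

    def _eval(self, path):
        var, *hops = path.split("->")
        val = self.vars[var]
        for _ in hops:                   # every dereferenced prefix must be valid
            if val in (NULL, DANGLING):
                raise UnsafeDeref(f"{path}: dereference of {val} pointer")
            val = self.next[val]
        return val

    def _check_no_leak(self, stmt):
        # precise information exposes a leak: an allocated cell nobody reaches
        reach, todo = set(), [v for v in self.vars.values() if v in self.next]
        while todo:
            c = todo.pop()
            if c in self.next and c not in reach:
                reach.add(c)
                todo.append(self.next[c])
        lost = sorted(set(self.next) - reach)
        if lost:
            raise MemoryLeak(f"{stmt}: cell(s) {lost} become unreachable")

    def assign(self, lhs, rhs):
        """lhs = rhs; lhs is 'x' or 'x->next...', rhs a path, NULL or 'malloc'."""
        if rhs == "malloc":              # fresh cell whose next field is not set yet
            self._fresh += 1
            val = f"c{self._fresh}"
            self.next[val] = DANGLING
        else:
            val = NULL if rhs == NULL else self._eval(rhs)
        var, *hops = lhs.split("->")
        if not hops:
            self.vars[var] = val
        else:
            self._eval(lhs)              # the store dereferences the prefix: valid(prefix)
            self.next[self._eval("->".join([var] + hops[:-1]))] = val
        self._check_no_leak(f"{lhs} = {rhs}")

    def free(self, path):
        cell = self._eval(path)
        if cell in (NULL, DANGLING):
            raise UnsafeDeref(f"free({path}): {cell} pointer")
        del self.next[cell]
        for table in (self.vars, self.next):   # every alias of the cell now dangles
            for k in [k for k, x in table.items() if x == cell]:
                table[k] = DANGLING
        self._check_no_leak(f"free({path})")

    def info(self):
        """The slides' summary: the set of valid classes, null set N, dangling set D."""
        by_cell, null, dangling = {}, set(), set()
        def walk(path, val, seen):
            if val == NULL:
                null.add(path)
            elif val == DANGLING:
                dangling.add(path)
            else:
                by_cell.setdefault(val, set()).add(path)
                if val not in seen:      # stop once a cycle closes
                    walk(path + "->next", self.next[val], seen | {val})
        for v, val in self.vars.items():
            walk(v, val, frozenset())
        return {"valid": {frozenset(s) for s in by_cell.values()},
                "N": frozenset(null), "D": frozenset(dangling)}

def list_delete(use_temp=False):
    """List_delete.c (List_delete_trans.c when use_temp) on a 3-cell list."""
    s = PointerState("p", "q", *(["t"] if use_temp else []))
    for lhs in ("p", "p->next", "p->next->next"):
        s.assign(lhs, "malloc")
    s.assign("p->next->next->next", NULL)
    s.assign("q", "p->next")
    if use_temp:
        s.assign("t", "q->next")
        s.assign("p->next", "t")
    else:
        s.assign("p->next", "p->next->next")
    s.free("q")
    return s.info()

def leak_example():
    """Slide 20: from {{p}}, N = {p->next}, the statement p = NULL orphans the cell."""
    s = PointerState("p")
    s.assign("p", "malloc")
    s.assign("p->next", NULL)
    try:
        s.assign("p", NULL)
    except MemoryLeak as e:
        return str(e)
```

After List_delete.c the state reports the classes {p} and {p->next}, N = {p->next->next} and D = {q}: the freed cell is gone, its only alias q is recorded as dangling, and the statement p->next = p->next->next was handled by evaluating the full access path rather than by a separate aliasing rule. The transformed version with the temporary t yields the same information plus t in the class of p->next. For p = NULL the leak check raises instead of producing a postcondition, which is the "no rule for this case" behaviour of the slide.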


Comparison with Separation Logic

Common features:
- Extension of Hoare logic
- Deal with pointer programs

Differences:
- High-level vs. low-level
- Pointer logic can deal with long access paths
- Precise information vs. information hiding
- Rule out memory leaks via different means


Summary

A certifying compiler
- Theorem prover for pointer logic
- Generates code with proof

A pointer logic
- Verification for PointerC pointer programs
- Hoare-logic-like rules
- Comparison with separation logic


Future Work

PointerC language extension
- More language features
- Unlimited pointer arithmetic

Pointer logic extension
- Deal with more data structures, such as DAGs
- Pointer logic for Java (static garbage detection, etc.)
- Concurrent programming

Realistic certifying compiler
- Verify some code of a mini-OS


Thanks! Questions?