1 / 28

Type safety from the ground up.

Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha ). Modern computer systems are great!. (but they have bugs). Answer #1: Type Safety!. (but compilers have bugs). source code (e.g. C#).

uttara
Télécharger la présentation

Type safety from the ground up.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Type safety from the ground up. Chris Hawblitzel (joint work with Jean Yang, Juan Chen, and Gregory Malecha)

  2. Modern computer systems are great! (but they have bugs)

  3. Answer #1: Type Safety! (but compilers have bugs) source code (e.g. C#) • Catches many common bugs (at compile time or run time): • buffer overflows • double frees • ... Type checker Compiler assembly language Web scripting: Java, Javascript, .NET, ... Operating systems: SPIN, Singularity, ...

  4. Example compiler bug (in Bartok) void F(int[] arr, inti) { if (i <= arr.Length) { // i ≤ arr.Length int j = i - 1; // j < i ≤ arr.Length if (j >= 0) { // 0 ≤ j < i ≤ arr.Length // no bounds check required! arr[j]++; } } } counterexample: i = -231 j = 231 - 1 j > i vulnerability: address = &(arr[0]) + 4*j = &(arr[0]) + 4*(231 - 1) = &(arr[0]) - 4

  5. Answer #2: Typed Assembly Language!(Morrisett et al, POPL 1998) source code (e.g. C#) Compiler typed assembly language • catches type errors in assembly language program • types for objects, stacks, code pointers, etc. Type checker

  6. Answer #2: Typed Assembly Language! (but run-time systems and operating systems have bugs) source code (e.g. C#) Compiler typed assembly language run-time system (GC, ...) OS services Type checker Linker / loader

  7. Example GC vulnerabilities MS07-057: Cumulative security update for Internet Explorer Date: October 2007 ...Internet Explorer 6 may exit with an access violation when the JavaScript garbage collector runs and you have dynamically removed a TBODY, THEAD, or TFOOT HTML tag from a table in Windows XP... Mozilla Firefox Bug in JavaScript Garbage Collector Lets Remote Users Deny ServiceAdvisory:  Mozilla Foundation Security Advisory Date:  Apr 16 2008 A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a flaw in the JavaScript garbage collector code and cause the target user's browser to crash. ... The vendor indicates that similar crashes have been exploitable in the past, so arbitrary code execution may be possible... From: Apple Product Security Date: Fri, 11 Jul 2008 ... Available for:iPhone v1.0 through v1.1.4,iPod touch v1.1 through v1.1.4 Description: A memory corruption issue exists in JavaScriptCore's handling of runtime garbage collection. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved garbage collection.

  8. Answer #3: Verification!(via automated theorem proving) source code (e.g. C#) Compiler typed assembly language run-time system (GC, ...) low-level OS services Type checker Verifier Linker / loader

  9. “every assembly language instruction checked for safety” Verve: a verifiably safe OS Small Operating System (C#) Typed Assembly Language Verify safety with TAL checker Bartok Kernel Verify safety & correctness with Boogie/Z3 Nucleus Verified Threads Verified Interrupt Handlers Verified Device Interface Verified Startup Verified Garbage Collector Boot Loader x86 Hardware

  10. Verve: a verifiably safe OS Small Operating System (C#) Typed Assembly Language • Class types, interface types • Array types • Method invocations • Stack frames • Casts, array store checks • ... Bartok Kernel Device IO VgaTextWrite TryReadKeyboard StartTimer SendEoi PciConfigRead32 PciMemSetup PciMemRead32 PciMemWrite32 DmaBuffer DmaPhysicalAddr Rdtsc GC Heap AllocObject AllocVector GarbageCollect Throw (readField) (writeField) (readStack) (writeStack) Threads GetStackState ResetStack YieldTo Nucleus BUILD! Interrupts FaultHandler ErrorHandler InterruptHandler FatalHandler Startup NucleusEntryPoint Boot Loader x86 Hardware

  11. Related work • (Mostly) type-based • House (Hallgrenet al) • TALK (Maeda et al) • Typed GC interface (Vanderwaartet al) • (Mostly) interactive theorem proving • FLINT / certified code (Shaoet al) • seL4 (Klein et al)

  12. Demo: Boogie/Z3

  13. Z3: Automated theorem prover DECIDABLE THEORIES boolean expressions e ::= true | false | !e | e && e | e ==> e | ... linear integer arithmetic e ::= ... | -2 | -1 | 0 | 1 | 2 | e + e | e – e | e <= e | ... bit vector arithmetic e ::= ... | e & e | e << e | ... arrays e ::= ... | e[e] | e[e := e] UNDECIDABLE quantifiers e ::= ... | forallx.e | exists x.e

  14. procedure CopyAndForward(ptr:int, _tj:int) requires ecx == ptr; requires CopyGcInv(...); requires Pointer(r1, ptr, r1[ptr]); ... { call edx := GcRead(ecx + 4); esp := esp - 4; call GetSize(ptr, edx, r1, r1); call ebp := Mov(eax); ... call edi := Mov(0); call edx := Mov(0); loop: assert 4 * edi == edx; assert CopyGcInv(...); ... if (edx >= ebp) { gotoloopEnd; } call copyWord(ptr, _tj, esi, edi, ebp); call edi := Add(edi, 1); call edx := Add(edx, 4); goto loop; loopEnd: call eax := Lea(esi + 4); call GcWrite(ecx + 4, eax); ... Practical, verified copying collector code automatic translation movedi, 0 movedx, 0 CopyAndForward$loop: cmpedx, ebp jaeCopyAndForward$loopEnd

  15. Memory management Trusted specification IO-MMU page tables DMA area General-purpose memory Interrupt table Code, Static fields, GC info Thread contexts C#/TAL stacks Nucleus private stack PCI tables GC heap Untrusted definitions

  16. Memory management from-space to-space ... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i+ 4]) ==> Pointer(r2, gcMem[i+ 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i+ 4])) ... Defined by (trusted) specification IO-MMU page tables DMA area General-purpose memory Interrupt table Code, Static fields, GC info Thread contexts C#/TAL stacks Nucleus private stack PCI tables GC heap Untrusted definitions

  17. Memory management Trusted specification IO-MMU page tables DMA area General-purpose memory Interrupt table Code, Static fields, GC info Thread contexts C#/TAL stacks Nucleus private stack PCI tables GC heap Untrusted definitions

  18. Memory management Trusted specification IO-MMU page tables DMA area General-purpose memory Interrupt table Code, Static fields, GC info IO-MMU IO page table ... and(ptr, 4095) == 0 &&(forall i:int::{T(i)} T(i) && 0 <= i && i < 512 ==> IoPageTableEntry(IomMem[ptr+ 8 * i], IomMem[ptr+ 8 * i + 4]) ... Nucleus private stack PCI tables GC heap IO page table Thread contexts C#/TAL stacks ptr IO page table Untrusted definitions

  19. Threads and interrupts TAL code void KernelMain() { … // Schedule thread, wait for exception or // interrupt ScheduleNextThread(); // CurrentThread received exception, // interrupt, or exited voluntarily uintcid = CurrentThread; Thread t = threadTable[cid]; … } Interrupt table 0 Interrupt/error handling Stacks procedure InterruptHandler(stackState:[int]StackState, …); requires StackState[S] == StackRunning; ensures NucleusInv(... StackState[S := StackInterrupted(eax, ebx, …)]             [Stack0 := StackRunning] …);

  20. Micro-benchmarks

  21. Size of code, specification 3x code • Boogie verification • ~1 person-year work • Boogie/Z3 runs in ~10 minutes CODE!

  22. Building Verve Kernel.cs Compiler Verified Nucleus.bpl (x86) Kernel.obj (x86) Boogie/Z3 Specification TAL checker Translator / Assembler Linker / ISO generator Boot loader DEMO! Verve.iso

  23. Bugs in the trusted computing base procedure InitializeGc(); requires SMemRequireRA(...); requires MemInv(...); ... modifies Eip, eax, ..., ebp, esp; ensures WellFormed(toAbs); ensures ebp == old(ebp); procedure AllocObject(...); requires isStack(S); requires NucleusInv(...); ... ensures eax == 0 || Pointer(toAbs, eax- 4, abs); ensures ebp == old(ebp); Specification Windows/Bartok public sealed class String : ... { private intm_arrayLength; private intm_stringLength; internal char[] m_chars; ... Specification TAL checker Specification Debugger stub Code, Static fields, GC info Linker / ISO gen TAL checker Specification TAL checker Boogie/Z3 Specification TAL checker Debugger stub Translator / Assembler Linker / ISO generator Boot loader

  24. Towards foundational Verve(Gregory Malecha) Well-typed registers Well-typed objects Well-typed stack frames ... Specification for values Specification for objects Specification for stack frames ... Nucleus specification TAL checker Goal: mechanized connection

  25. Unified invariant ... && (forall i:int::{T(i)} T(i) && Fi <= i && i < Fk && r1[i] != NO_ABS && (IsFwdPtr(gcMem[i+ 4]) ==> Pointer(r2, gcMem[i+ 4] - 4, r1[i]) && AlignedHeapAddr(i + 4) && word(gcMem[i+ 4])) ... Inductive WellTypedIns : CodeType -> Instr -> CodeType -> Prop := | Tmov : forallstst' from to ty, opdTypest from ty -> regTyUpdst to ty = st' -> WellTypedInsst (Imov to from) st‘ | ... Nucleus invariant + TAL well-typedness

  26. Unified invariant Nucleus invariant + TAL well-typedness MOV edx, esi CALL ...Nucleus... MOV edx, esi CALL ...Nucleus... MOV esi, eax TAL instruction = 1 step Nucleus call = 1 step Each step maintains unified invariant

  27. Progress on “foundational Verve” procedure YieldTo(s:int, ...); requires ecx == s; requires (StackState[s] == StackRunning && ...) || (StackState[s] == StackYielded(...) && ...) || (StackState[s] == StackInterrupted(...) && ...) || (StackState[s] == StackEmpty && ...) || (!isStack(s)); implementation YieldTo(s:int, ...) { if (ecx >= ?NumStacks) { ... call debugBreak(); } ... } • Approach so far (roughly) • Mechanically translate Boogie Spec into Coq • Specify “step” relation in Coq • Boogie/Z3 proofs become Coq axioms • (Try to!) prove invariant holds after each step • We’re not done yet, but we’ve found spec bugs

  28. Conclusions Every x86 instruction checked for safety! Automated tools: checking scales to large code. • Open challenges • Complete, foundational TAL/runtime/OS • Concurrency, multicore • GPUs

More Related