Sound Modular Verification of C Code Executing in an Unverified Context

Published: 14 January 2015

Abstract

Over the past decade, great progress has been made in the static modular verification of C code by means of separation logic-based program logics. However, the runtime guarantees offered by such verification are relatively limited when the verified modules are part of a whole program that also contains unverified modules. In particular, a memory safety error in an unverified module can corrupt the runtime state, leading to assertion failures or invalid memory accesses in the verified modules. This paper develops runtime checks to be inserted at the boundary between the verified and the unverified part of a program, to guarantee that no assertion failures or invalid memory accesses can occur at runtime in any verified module. One of the key challenges is enforcing the separation logic frame rule, which we achieve by checking the integrity of the footprint of the verified part of the program on each control flow transition from the unverified to the verified part. This in turn requires the presence of some support for module-private memory at runtime. We formalize our approach and prove soundness. We implement the necessary runtime checks by means of a program transformation that translates C code with separation logic annotations into plain C, and that relies on a protected module architecture for providing module-private memory and restricted module entry points. Benchmarks show the performance impact of this transformation depends on the choice of boundary between the verified and unverified parts of the program, but is below 4% for real-world applications.
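The boundary check the abstract describes, as an added example that is not the paper's code nor output of its transformation: a verified module owns one heap record (its footprint), a digest of that record is stored each time control leaves the module and re-checked on every entry, so an entry point refuses to run verified code on a footprint the unverified part has altered. The counter module, the toy FNV-1a digest and the assumption that `saved_digest` lives in module-private memory provided by a protected module architecture are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Footprint of the verified module: one heap record it owns; invariant count <= limit. */
typedef struct { uint32_t count; uint32_t limit; } counter_t;
static counter_t *footprint;   /* heap chunk that unverified code can reach */
static uint64_t saved_digest;  /* assumed to live in module-private memory */

/* Toy FNV-1a digest; a cryptographic hash would be used in a real deployment. */
static uint64_t digest(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

/* Transition unverified -> verified: footprint must be exactly as the module left it. */
static int entry_check(void) {
    return digest(footprint, sizeof *footprint) == saved_digest;
}

/* Transition verified -> unverified: remember what the footprint looked like. */
static void exit_record(void) {
    saved_digest = digest(footprint, sizeof *footprint);
}

/* Entry point: establishes the invariant. Returns 1 on success, 0 on allocation failure. */
int counter_init(uint32_t limit) {
    footprint = malloc(sizeof *footprint);
    if (!footprint) return 0;
    footprint->count = 0;
    footprint->limit = limit;
    exit_record();
    return 1;
}

/* Entry point: 1 = incremented, 0 = limit reached, -1 = integrity check failed,
   in which case the verified body never runs on the corrupted state. */
int counter_increment(void) {
    if (!entry_check()) return -1;
    int r = 0;
    if (footprint->count < footprint->limit) { footprint->count++; r = 1; }
    exit_record();
    return r;
}

/* Stands in for a memory-safety bug in an unverified module: it overwrites the
   record between two calls, breaking count <= limit. Returns 1 for the test. */
int unverified_corrupts_footprint(void) { footprint->count = footprint->limit + 1; return 1; }
```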

Supplemental Material

p581-sidebyside.mpg

Published in

ACM SIGPLAN Notices, Volume 50, Issue 1 (POPL '15), January 2015, 682 pages. ISSN: 0362-1340, EISSN: 1558-1160, DOI: 10.1145/2775051. Editor: Andy Gill.

POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2015, 716 pages. ISBN: 9781450333009, DOI: 10.1145/2676726.

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History: Published 14 January 2015

Qualifiers: research-article