Abstract
Low-level systems code often needs to interact with data, such as page table entries or network packet headers, in which multiple pieces of information are packaged together as bitfield components of a single machine integer and accessed via bitfield manipulations (e.g., shifts and masking). Most existing approaches to verifying such code employ SMT solvers, instantiated with theories for bit vector reasoning: these provide a powerful hammer, but also significantly increase the trusted computing base of the verification toolchain.
In this work, we propose an alternative approach to the verification of bitfield-manipulating systems code, which we call BFF. Building on the RefinedC framework, BFF is not only highly automated (as SMT-based approaches are) but also foundational---i.e., it produces a machine-checked proof of program correctness against a formal semantics for C programs, fully mechanized in Coq. Unlike SMT-based approaches, we do not try to solve the general problem of arbitrary bit vector reasoning, but rather observe that real systems code typically accesses bitfields using simple, well-understood programming patterns: the layout of a bit vector is known up front, and its bitfields are accessed in predictable ways through a handful of bitwise operations involving bit masks. Correspondingly, we center our approach around the concept of a structured bit vector---i.e., a bit vector with a known bitfield layout---which we use to drive simple and predictable automation. We validate the BFF approach by verifying a range of bitfield-manipulating C functions drawn from real systems code, including page table manipulation code from the Linux kernel and the pKVM hypervisor.
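As an added illustration of the structured-bit-vector idea from the abstract (written for this page, not code from the paper or the BFF artifact): a C sketch in which a hypothetical page-table-entry-style layout is declared up front by field position and width (the field names, positions and widths are assumed, not the real Linux or pKVM PTE format), the accessors are built from exactly the shift-and-mask pattern the abstract describes, and a one-time well-formedness check over the layout makes every later access predictable.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical layout of a 64-bit page-table-entry-like word, constructed
 * for illustration (not the real Linux or pKVM PTE format). Each field is
 * declared up front by its least-significant bit and width: this is the
 * "structured bit vector" the abstract builds its automation around. */
struct bf_field { const char *name; unsigned lsb; unsigned width; };
enum { F_PRESENT, F_WRITABLE, F_USER, F_PFN, F_SWBITS, F_NX, F_COUNT };
static const struct bf_field pte_layout[F_COUNT] = {
    [F_PRESENT]  = { "present",  0,  1 },
    [F_WRITABLE] = { "writable", 1,  1 },
    [F_USER]     = { "user",     2,  1 },
    [F_PFN]      = { "pfn",     12, 40 },  /* bits 12..51 */
    [F_SWBITS]   = { "swbits",  52,  4 },  /* software-defined bits 52..55 */
    [F_NX]       = { "nx",      63,  1 },
};
/* Mask of `width` low bits; a shift by 64 is undefined in C, so special-case it. */
static uint64_t bf_mask(unsigned width)
{
    return width >= 64 ? ~(uint64_t)0 : (((uint64_t)1 << width) - 1);
}

/* Read field `f`: shift the word down, then mask to the field width. */
uint64_t bf_get(uint64_t word, int f)
{
    return (word >> pte_layout[f].lsb) & bf_mask(pte_layout[f].width);
}

/* Write `val` into field `f`, leaving every other bit of `word` untouched.
 * `val` is truncated to the field width, as the hardware would truncate it. */
uint64_t bf_set(uint64_t word, int f, uint64_t val)
{
    uint64_t m = bf_mask(pte_layout[f].width) << pte_layout[f].lsb;
    return (word & ~m) | ((val << pte_layout[f].lsb) & m);
}

/* Well-formedness of a layout: every field fits in 64 bits and no two
 * fields overlap. Checked once, up front, for the whole layout. */
bool bf_layout_ok(const struct bf_field *lay, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (lay[i].width == 0 || lay[i].lsb + lay[i].width > 64) return false;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if ((bf_mask(lay[i].width) << lay[i].lsb) &
                (bf_mask(lay[j].width) << lay[j].lsb)) return false;
    return true;
}
```

Because the layout is fixed and validated once, each `bf_get`/`bf_set` reduces to a shift and a mask against a known constant, which is the kind of predictable reasoning the abstract contrasts with general bit-vector solving.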
- Fengmin Zhu, Michael Sammler, Rodolphe Lepigre, Derek Dreyer, and Deepak Garg. 2022. BFF: Foundational and Automated Verification of Bitfield-Manipulating Programs (Artifact). https://doi.org/10.5281/zenodo.7079022
BFF: foundational and automated verification of bitfield-manipulating programs