
BFF: foundational and automated verification of bitfield-manipulating programs

Published: 31 October 2022

Abstract

Low-level systems code often needs to interact with data, such as page table entries or network packet headers, in which multiple pieces of information are packaged together as bitfield components of a single machine integer and accessed via bitfield manipulations (e.g., shifts and masking). Most existing approaches to verifying such code employ SMT solvers, instantiated with theories for bit vector reasoning: these provide a powerful hammer, but also significantly increase the trusted computing base of the verification toolchain.

In this work, we propose an alternative approach to the verification of bitfield-manipulating systems code, which we call BFF. Building on the RefinedC framework, BFF is not only highly automated (as SMT-based approaches are) but also foundational---i.e., it produces a machine-checked proof of program correctness against a formal semantics for C programs, fully mechanized in Coq. Unlike SMT-based approaches, we do not try to solve the general problem of arbitrary bit vector reasoning, but rather observe that real systems code typically accesses bitfields using simple, well-understood programming patterns: the layout of a bit vector is known up front, and its bitfields are accessed in predictable ways through a handful of bitwise operations involving bit masks. Correspondingly, we center our approach around the concept of a structured bit vector---i.e., a bit vector with a known bitfield layout---which we use to drive simple and predictable automation. We validate the BFF approach by verifying a range of bitfield-manipulating C functions drawn from real systems code, including page table manipulation code from the Linux kernel and the pKVM hypervisor.
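As an added illustration (not code from the paper, nor from the Linux or pKVM sources it verifies), the access pattern the abstract describes, on a constructed 64-bit entry layout: the layout is fixed up front, every field is read and written through one mask and one shift, and the property a foundational verifier like BFF would prove once per layout, that updating one field leaves every other field intact, is checked here at runtime on sample values.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed layout (hypothetical; not taken from any real page table
 * format): a 64-bit "page table entry"-style word with fixed positions.
 *   bit  0      : VALID
 *   bits 1..2   : PERM  (2-bit permission level)
 *   bits 12..51 : ADDR  (40-bit page frame number)
 *   bits 52..63 : unused, must be preserved as-is */
#define PTE_VALID_SHIFT 0
#define PTE_VALID_MASK  (UINT64_C(1) << PTE_VALID_SHIFT)
#define PTE_PERM_SHIFT  1
#define PTE_PERM_MASK   (UINT64_C(0x3) << PTE_PERM_SHIFT)
#define PTE_ADDR_SHIFT  12
#define PTE_ADDR_MASK   (((UINT64_C(1) << 40) - 1) << PTE_ADDR_SHIFT)

/* Read one field: mask selects its bits, shift moves them down to bit 0. */
static inline uint64_t pte_get(uint64_t pte, uint64_t mask, unsigned shift) {
    return (pte & mask) >> shift;
}

/* Write one field: clear its bits, then OR in the new value. The final
 * "& mask" truncates a value wider than the field instead of letting it
 * spill into a neighbouring field. */
static inline uint64_t pte_set(uint64_t pte, uint64_t mask, unsigned shift,
                               uint64_t v) {
    return (pte & ~mask) | ((v << shift) & mask);
}

/* Build an entry field by field from an all-zero word. */
uint64_t pte_make(uint64_t pfn, unsigned perm, bool valid) {
    uint64_t pte = 0;
    pte = pte_set(pte, PTE_ADDR_MASK, PTE_ADDR_SHIFT, pfn);
    pte = pte_set(pte, PTE_PERM_MASK, PTE_PERM_SHIFT, perm);
    pte = pte_set(pte, PTE_VALID_MASK, PTE_VALID_SHIFT, valid);
    return pte;
}

/* The frame property for PERM updates: VALID and ADDR are unchanged and
 * PERM now holds the (truncated) new value. A verifier proves this for
 * all pte and perm; here it is evaluated for one pair of inputs. */
bool pte_set_perm_preserves_others(uint64_t pte, unsigned perm) {
    uint64_t u = pte_set(pte, PTE_PERM_MASK, PTE_PERM_SHIFT, perm);
    return pte_get(u, PTE_VALID_MASK, PTE_VALID_SHIFT) ==
               pte_get(pte, PTE_VALID_MASK, PTE_VALID_SHIFT) &&
           pte_get(u, PTE_ADDR_MASK, PTE_ADDR_SHIFT) ==
               pte_get(pte, PTE_ADDR_MASK, PTE_ADDR_SHIFT) &&
           pte_get(u, PTE_PERM_MASK, PTE_PERM_SHIFT) == (perm & 0x3);
}
```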

