assembly code verification using model checking
DESCRIPTION
Assembly Code Verification Using Model Checking. Hao XIAO Singapore University of Technology and Design. Outline. Motivation Approach o verview ILA module @ PAT On-going & future work. Motivation. Benefits. Achieve more reliability. More software components can be verified . - PowerPoint PPT PresentationTRANSCRIPT
Assembly Code Verification Using Model Checking
Hao XIAOSingapore University of Technology
and Design
Outline
• Motivation• Approach overview• ILA module @ PAT• On-going & future work
Motivation
Design
• Design verification• SPIN, PRISM, UPPAAL, PAT, …
Source code
• Model checking source code • Java Pathfinder, CBMC, SLAM, …
Binary
• Model checking binary• MCSQUARE, Estes
Benefits
• Achieve more reliability.• More software components can be verified.
• Circumvent problems caused by compiler. • The verification target is most close to what is running
on a CPU than the source code.
• Easy to verify.• Binaries have more elegant syntax and well defined
semantics than source code.
Challenges
• Instruction complexity.• Lack of high level semantic information.• Dynamic jump and call, no clear boundaries for
“function”.
• How to specify properties for assembly code.• Scalability.• Assembly code is much longer than source code.
Design Goals
• Accuracy: Faithfully handle the complex instructions in some ISA.
• Extensibility: Easy extensible to handle different Instruction Set of various architecture.
• Ease of Use: Those who are not familiar with temporal logic or assembly language should also find it is useful.
• High Efficiency: Scalable to large programs.
Approach Overview (1)
ELF Vine ILVineEmulator
Static Analyzer
Model Checker
User & Built in properties
Properties Parser
Parser
Counter Example
Approach Overview (2)
• Accuracy and Extensibility: Vine IL.• Ease of Use: Built in properties, if source is
available, link counter examples back to source.
• High Efficiency: property guided abstractions techniques for state space reduction; Function abstraction.
ILA @ PAT• Vine IL• Emulator• Static Analyses• Built in properties• Example-buffer overflow checking
Vine IL
Binary file Assembly VEX IR Vine ILLibbfd VineLibVex
Vine IL Example
Emulator(State builder)• Emulator is used to generate the successor
states based on the current state.• A state consists of CPU registers, PC,
memory.• Separate global states from local states.• Byte precision memory model.
Static Analyses for Space Reduction• Stack Analysis• Dead Variable Analysis.• Value Set Analysis• Interrupt Flag Analysis.• Path Reduction
Built-in Properties• Stack overflow checking• Integer overflow checking• Null pointer deference.• Division by zero checking• Uninitialized variable checking• Data race checking
Example-Buffer Overflow Checking
• Buffer overflow in assembly level: • write to a memory location beyond the boundaries
of current stack frame.• Identify instrumentation point: • find write operations which have a variable d as its
destination address.• Assertion instrumentation: • Add assertion d > %ebp && d < %esp before the
write instruction.• Model checking assertions.
Example- C++ source code
Example-Assembly Code
s1s1
s2
s3
s4
s5
s6
S1
S2
S3
S4 S5
S6
J1
J2
J3
Control Flow Graph
S1
S3
S4.1
S5
S6
J1
J3
CFG for Instrumented Code
S4.2
A1Error
esp1 = esp0 - 0x4M[esp1] = ebp0ebp1 = esp1esp2 = esp1 - max{0, 15}esp3 = esp2 – 0x20
M[ebp1 +0x8]>1
eax0= M[ebp1 + 0xc]eax1= M[eax0 + 0x4]M[esp3 + 0x18] = eax1M[esp3 + 0x1c] = 0
ebx0 =φ(S3,S4.2,M[ esp3 + 0x1c])eax2 = M[esp3 + 0x18]eax3 = strlen (eax2)
eax3 < ebx0
eax4 = M[esp3 + 0x1c]eax5 = eax4 + M[esp3 + 0x18]edx0 = M[eax5]eax6 = esp3 + 0x10eax7 = M[esp3 + 0x1c] + eax6
eax7 > ebp1 && eax7 < esp3
M[eax7] = edx0M[esp3+0x1c] = M[esp3 + 0x1c] + 1
On-going & future Work
• Implementation.• More abstraction techniques(e.g., irrelevant
code elimination).• Symbolic model checking
The End
Thanks !