Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations

Leroy, Xavier; Blazy, Sandrine

doi:10.1007/s10817-008-9099-0

Cited by 124 publications

(112 citation statements)

References 18 publications

Supporting

Mentioning

111

Contrasting

Order By: Relevance

“…Abstract Machine The memory-safety abstract machine presents a block-based memory model to the programmer [15], [57], [58]: it operates on values that are either ordinary machine words w or pointers p.…”

Section: Memory Safety Micro-policymentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Section: Memory Safety Micro-policymentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…We adopt a simplified version of the memory model of Leroy and Blazy [13]locations are interpreted as integer values and field accesses as pointer offsets. We introduce to the assertion language a variable h, and the non-interpreted functions load, store, alloc, and free, and the predicate Valid.…”

Section: Logical Validationmentioning

confidence: 99%

Beyond 2-Safety: Asymmetric Product Programs for Relational Program Verification

Barthe

Crespo

Kunz

2013

Logical Foundations of Computer Science

View full text Add to dashboard Cite

Abstract. Relational Hoare Logic is a generalization of Hoare logic that allows reasoning about executions of two programs, or two executions of the same program. It can be used to verify that a program is robust or (information flow) secure, and that two programs are observationally equivalent. Product programs provide a means to reduce verification of relational judgments to the verification of a (standard) Hoare judgment, and open the possibility of applying standard verification tools to relational properties. However, previous notions of product programs are defined for deterministic and structured programs. Moreover, these notions are symmetric, and cannot be applied to properties such as refinement, which are asymmetric and involve universal quantification on the traces of the first program and existential quantification on the traces of the second program. Asymmetric products generalize previous notions of products in three directions: they are based on a control-flow graph representation of programs, they are applicable to non-deterministic languages, and they are by construction asymmetric. Thanks to these characteristics, asymmetric products allow to validate abstraction/refinement relations between two programs, and to prove the correctness of advanced loop optimizations that could not be handled by our previous work. We validate their effectiveness by applying a prototype implementation to verify representative examples from translation validation and predicate abstraction.

show abstract

“…These models can be used on different levels of abstraction, ranging from low-level representations modeling the whole memory as a single byte array (e. g. Leroy et al [LB08]) up to high-level representations using multiple typed heaps to create separate memories for each data type or even each struct in the model (e. g. Bornat et al [Bor00]). Typed data structure models can handle inter-type aliasing but neither intratype aliasing nor the frame problem.…”

Section: Typed Data Structure Memory Modelsmentioning

confidence: 99%

“…This is an adaption of typed data structure memory models, which are widely used to formalize the memory model of C-like languages [Bor00,LB08]. The main advantage of this approach is its expressiveness and efficiency.…”

Section: Systemc/tlmmentioning

confidence: 99%

Model Checking Memory-Related Properties of Hardware/Software Co-designs

Pockrandt

Herber

Klös

et al. 2013

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Hardware/software codesign enables the integrated development of hardware and software in a single design language. In combination with transaction level modeling, it can be used to efficiently model complex systems on different levels of abstraction. As such systems are often used in safety-critical applications, the correctness is crucial to prevent high financial losses or casualties. Especially memory-related errors can cause severe problems as they either result in deadlocks, runtime-errors or undefined system behavior. Although HW/SW codesign usually provides means for testing and simulation during the whole development process, these techniques are incomplete and can never ensure the absence of errors. In contrast, formal verification techniques like model checking can be used to guarantee the correctness of a design. Although there exist several approaches for the formal verification of HW/SW codesigns, memory-related constructs and operations are only insufficiently considered.In this thesis, we present an approach for model checking of memoryrelated properties on digital HW/SW systems. To this end, we focus on the system level description language SystemC, the de facto standard for HW/SW codesign. To support transaction level modeling, we additionally take the widely used SystemC transaction level modeling standard (TLM) into account. The main idea of our approach is to provide a formal semantics for the most relevant parts of the TLM standard and a formal memory model, which captures all relevant memory-related constructs and operations. We combine these with an already existing formalization of the basic SystemC constructs and provide transformation rules to enable the fully automatic transformation of SystemC/TLM designs into semantically equivalent Uppaal timed automata models. On the resulting model, we use the Uppaal model checker to verify important properties, including memory-related properties, timing, liveness and safety properties. To ease this verification, we automatically generate a set of verification properties, which can be used to ensure the absence of many common errors in a given design. This includes memory-related errors like null pointer accesses and array out of bounds accesses on a given design as well as the absence of assertion violations.If a property is violated, the Uppaal model checker generates a counterexample. As our formal semantics for SystemC/TLM is structure-preserving, this counterexample can easily be transferred back to the SystemC/TLM code manually and thereby allows for the localization of detected errors. To enhance the applicability of our approach for complex designs, we provide a set of optimization techniques. These are used to reduce the semantic state space and, thus, yield a better verification performance.We have implemented our transformation and our optimization techniques in a toolchain, which can be applied to SystemC/TLM designs fully automatically. We demonstrate both, the verification performance and the errordetection capabilities of ...

show abstract

Formal Verification of a C-like Memory Model and Its Uses for Verifying Program Transformations

Cited by 124 publications

References 18 publications

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Beyond 2-Safety: Asymmetric Product Programs for Relational Program Verification

Model Checking Memory-Related Properties of Hardware/Software Co-designs

Contact Info

Product

Resources

About