Islaris: verification of machine code against authoritative ISA semantics

Sammler, Michael; Hammond, Angus; Lepigre, Rodolphe; Campbell, B. K.; Pichon-Pharabod, Jean; Dreyer, Derek; Garg, Deepak; Sewell, Peter

doi:10.1145/3519939.3523434

Cited by 8 publications

(4 citation statements)

References 57 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since Cerise, we have seen more instantiations of low-level languages in Iris. For example, Sammler et al [2022] present Islaris, which can used to verify machine code against authoritative ISA semantics of Armv8-A and RISC-V, and Liu et al [2023] introduce VMSL, a novel separation logic, which can be used to reason about virtual machines which communicate through a hypercall API. To reason about stored code, the latter work introduces a new kind of weakest precondition (called single-step weakest precondition), which could probably be used to slightly simplify the formal treatment of stored code in Cerise.…”

Section: Discussion and Perspectivesmentioning

confidence: 99%

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Georges,

Guéneau,

Van Strydonck

et al. 2024

J. ACM

View full text Add to dashboard Cite

A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities , machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant. The methodology we present underlies recent work of the authors on formal reasoning about capability machines [15, 33, 37], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.

show abstract

Section: Discussion and Perspectivesmentioning

confidence: 99%

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Georges,

Guéneau,

Van Strydonck

et al. 2024

J. ACM

View full text Add to dashboard Cite

show abstract

“…We demonstrate in Section 6 that our UC supports this using the femtokernel case study: a minimal RISC-V PMP machine mode kernel that interacts with untrusted user-mode code over a simple system call. Interestingly, this verification reuses Katamaran as a verification tool for RISC-V assembly, by reusing an idea from previous work [46].…”

Section: Verifying and Applying A Universal Contractmentioning

confidence: 98%

“…It then remains to prove contracts for the kernel and interrupt handler, establishing that they jump to user-mode code in a correct state (i.e., in user-mode, with the intended PMP configuration) and use but don't break the registered invariants. Inspired by Islaris [46], we can largely automate the remaining verification, by reusing existing components and proofs of Katamaran to derive a sound verifier for known assembly code. Essentially, the idea is that a contract for {Pre}B{Post} for a basic block of assembly code can also be regarded as a contract for the ISA semantics, under the assumption that it is looking at basic block 𝐵.…”

Section: Applying the Universal Contract: Femtokernel Verificationmentioning

confidence: 99%

“…This Coq soundness proof provides very high assurance directly against the µSail operational semantics. Additionally, taking inspiration from related work [46], Katamaran doubles as a verification tool for the ISA's assembly language, essentially by treating a contract for an assembly program 𝑃 as a contract for the ISA semantics under the assumption that it is executing program 𝑃, following related work [46]. Compared to other foundational verifiers like Diaframe [39], Lithium [45], MoSeL [34] or Bedrock [15], Katamaran is in a sense a verified verification tool rather than a verifying one, meaning that it is implemented in Gallina and does not rely on Coq and meta-programming tactics to manage and manipulate intermediate assumptions and VCs.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Huyghebaert,

Keuchel,

De Roover

et al. 2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Progress has recently been made on specifying instruction set architectures (ISAs) in executable formalisms rather than through prose. However, to date, those formal specifications are limited to the functional aspects of the ISA and do not cover its security guarantees. We present a novel, general method for formally specifying an ISA's security guarantees to (1) balance the needs of ISA implementations (hardware) and clients (software), ( 2) can be semiautomatically verified to hold for the ISA operational semantics, producing a high-assurance mechanically-verifiable proof, and (3) support informal and formal reasoning about security-critical software in the presence of adversarial code. Our method leverages universal contracts: software contracts that express bounds on the authority of arbitrary untrusted code. Universal contracts can be kept agnostic of software abstractions, and strike the right balance between requiring sufficient detail for reasoning about software and preserving implementation freedom of ISA designers and CPU implementers. We semi-automatically verify universal contracts against Sail implementations of ISA semantics using our Katamaran tool; a semi-automatic separation logic verifier for Sail which produces machine-checked proofs for successfully verified contracts. We demonstrate the generality of our method by applying it to two ISAs that offer very different security primitives:(1) MinimalCaps: a custom-built capability machine ISA and (2) a (somewhat simplified) version of RISC-V with PMP. We verify a femtokernel using the security guarantee we have formalized for RISC-V with PMP.

show abstract

Isla: integrating full-scale ISA semantics and axiomatic concurrency models (extended version)

Armstrong

Campbell

Simner

et al. 2023

Form Methods Syst Des

View full text Add to dashboard Cite

Architecture specifications such as Armv8-A and RISC-V are the ultimate foundation for software verification and the correctness criteria for hardware verification. They should define the allowed sequential and relaxed-memory concurrency behaviour of programs, but hitherto there has been no integration of full-scale instruction-set architecture (ISA) semantics with axiomatic concurrency models, either in mathematics or in tools. These ISA semantics can be surprisingly large and intricate, e.g. 100k$$+$$ + lines for Armv8-A. In this paper we present a tool, Isla, for computing the allowed behaviours of concurrent litmus tests with respect to full-scale ISA definitions, in the Sail language, and arbitrary axiomatic relaxed-memory concurrency models, in the Cat language. It is based on a generic symbolic engine for Sail ISA specifications. We equip the tool with a web interface to make it widely accessible, and illustrate and evaluate it for Armv8-A and RISC-V. The symbolic execution engine is valuable also for other verification tasks: it has been used in automated ISA test generation for the Arm Morello prototype architecture, extending Armv8-A with CHERI capabilities, and for Iris program-logic reasoning about binary code above the Armv8-A and RISC-V ISA specifications. By using full-scale and authoritative ISA semantics, Isla lets one evaluate litmus tests using arbitrary user instructions with high confidence. Moreover, because these ISA specifications give detailed and validated definitions of the sequential aspects of systems functionality, as used by hypervisors and operating systems, e.g. instruction fetch, exceptions, and address translation, our tool provides a basis for developing concurrency semantics for these. We demonstrate this for the Armv8-A instruction-fetch and virtual-memory models and examples of Simner et al.

show abstract

Islaris: verification of machine code against authoritative ISA semantics

Cited by 8 publications

References 57 publications

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

Formalizing, Verifying and Applying ISA Security Guarantees as Universal Contracts

Isla: integrating full-scale ISA semantics and axiomatic concurrency models (extended version)

Contact Info

Product

Resources

About