Compositional Verifiers for Mobile Code Safety
Bor-Yuh Evan Chang, Adam Chlipala
George C. Necula
May 12, 2005, OSQ Retreat
Santa Cruz, California
5/12/2005 Compositional Verifiers for Mobile Code Safety 2
[Figure: code is fed to a type checker, which either accepts or rejects it]
Type Safety as an Assurance Mechanism
• Type checking is a well-accepted safety assurance mechanism
• Most checkers today:
  – source-level (e.g. ML, C#, Java)
  – bytecode-level (e.g. CLI, JVML)
  – not assembly-level
  …
  pushl %ebp                # save the caller's frame pointer
  movl %esp, %ebp           # set up this function's frame
  subl $8, %esp             # reserve space for locals
  movl 12(%ebp), %eax       # load the second argument (an object reference)
  subl $8, %esp             # make room before pushing outgoing arguments
  movl (%eax), %edx         # load the object's dispatch (vtable) pointer
  addl $28, %edx            # select the method slot at offset 28
  pushl $3                  # push the argument 3
  pushl %eax                # push the receiver object
  movl (%edx), %eax         # load the method's code pointer from the slot
  call *%eax                # dynamic dispatch: indirect call through %eax
  …
Want: a straightforward extension to assembly-level checking
Problem
• Verifiers for lower-level code are more difficult and tedious to build
• Observation 1: Many verification tasks are common to large classes of verifiers
  – stack overflow checks, adherence to the calling convention (almost all)
  – dynamic dispatch (object-oriented languages)
• Observation 2: Various intermediate-level languages abstract various details
Basic Idea
[Figure: the same call seen by three stacked verifiers, each at a higher level of abstraction]
  Stack verifier:  mem[sp] := 6; sp := sp – 4; jump func   -->  push 6; jump func
  Call verifier:   push 6; jump func                        -->  call func(6)
  Type verifier:   call func(6)
Verifier Construction
• Verifiers are typically phrased as abstract interpreters or data-flow analyses
[Figure: the call verifier's flow function on one instruction: state --jump func--> state']
Verifier Construction (cont.)
[Figure: the call verifier's flow function next to the type verifier's; the type verifier steps state --call func(6)--> state']
Composing Flow Functions
[Figure: the composed transition state --jump func--> state'', built from two decompile/step pairs]
  Call verifier:  state, jump func      --Decompile-->  call func(6)  --Step-->  state'
  Type verifier:  state', call func(6)  --Decompile-->  call func(6)  --Step-->  state''
Summary
• Intermediate languages seem useful for interfacing between abstract interpreters
  – re-use of existing higher-level verifiers (e.g. JBV)
• Decomposed abstract transition into
  – a decompilation phase
  – a transition phase
  to expose the abstraction to "higher-level" verifiers
• Local decomposition of abstract transition hopefully makes soundness proofs of a composed verifier compositional
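As an added illustration of the Basic Idea and Composing Flow Functions slides (example code written for this page, not the authors' verifier), the toy below composes a stack verifier, a call verifier and a type verifier. Each layer's flow function is a Decompile phase that raises the instruction level for the layer above, followed by a Step phase that checks one property (stack bound, calling convention, argument types) and updates the abstract state. The assembly-level encoding (store_sp / sub_sp / jump tuples), the state shape, the word size, the stack limit and the signature table are assumptions of this example; the sample programs are constructed, and the three rejecting programs go beyond the slide's single accepted example to show which layer catches which fault.

```python
# Added example, not the slides' own code. Encodings, state shape, word size and
# the signature table below are assumptions made for this illustration.
WORD = 4                                    # assumed word size in bytes
STACK_LIMIT = -3 * WORD                     # assumed: at most three words may be pushed
SIGNATURES = {"func": (("int",), "int")}    # assumed: func takes one int, returns int
# sp: offset from entry sp; stack: values known to be pushed (top last); env: typing facts
INITIAL = {"sp": 0, "stack": (), "env": {}}


class VerifyError(Exception):
    """Message starts with the name of the layer that rejected the code."""


class StackVerifier:
    """Knows only the stack discipline; does the overflow check every verifier needs."""
    def decompile(self, state, instrs):
        out, i = [], 0
        while i < len(instrs):
            ins = instrs[i]
            # mem[sp] := v ; sp := sp - WORD  ==>  push v   (the pattern on the slide)
            if ins[0] == "store_sp" and instrs[i + 1:i + 2] == [("sub_sp", WORD)]:
                out.append(("push", ins[1]))
                i += 2
            elif ins[0] == "jump":
                out.append(ins)
                i += 1
            else:
                raise VerifyError(f"stack verifier: cannot decompile {ins}")
        return out

    def step(self, state, instrs):
        for ins in instrs:
            if ins[0] == "push":
                if state["sp"] - WORD < STACK_LIMIT:
                    raise VerifyError("stack verifier: stack overflow")
                state = dict(state, sp=state["sp"] - WORD, stack=state["stack"] + (ins[1],))
        return state


class CallVerifier:
    """Knows the calling convention: pushes then a jump to a known function form a call."""
    def decompile(self, state, instrs):
        out = []
        for ins in instrs:
            if ins[0] == "jump" and ins[1] in SIGNATURES:
                arity = len(SIGNATURES[ins[1]][0])
                if len(state["stack"]) != arity:      # pushed arguments must match arity
                    raise VerifyError(f"call verifier: {ins[1]} takes {arity} argument(s)")
                out.append(("call", ins[1], state["stack"]))   # arguments read from the state
            elif ins[0] != "push":                    # pushes were folded into the call
                raise VerifyError(f"call verifier: cannot decompile {ins}")
        return out

    def step(self, state, instrs):
        for ins in instrs:
            if ins[0] == "call":                      # on return the arguments are gone
                n = len(ins[2])
                state = dict(state, sp=state["sp"] + n * WORD,
                             stack=state["stack"][:len(state["stack"]) - n])
        return state


class TypeVerifier:
    """Sees only calls, like a source-level checker; checks argument types."""
    def decompile(self, state, instrs):
        return instrs                                 # nothing lower-level left to raise

    def step(self, state, instrs):
        for ins in instrs:
            if ins[0] == "call":
                params, ret = SIGNATURES[ins[1]]
                for arg, expected in zip(ins[2], params):
                    if type(arg).__name__ != expected:
                        raise VerifyError(f"type verifier: {ins[1]} expects {expected}")
                state = dict(state, env=dict(state["env"], ret=ret))
        return state


LAYERS = (StackVerifier(), CallVerifier(), TypeVerifier())


def verify(instrs, layers=LAYERS):
    """Composed flow function: each layer decompiles the layer below's output, then steps."""
    state = INITIAL
    for layer in layers:
        instrs = layer.decompile(state, instrs)
        state = layer.step(state, instrs)
    return instrs, state                              # top-level instructions, final state


def outcome(instrs):
    """("ok", instrs, state) on success, else ("rejected", <layer that rejected>)."""
    try:
        return ("ok",) + verify(instrs)
    except VerifyError as err:
        return ("rejected", str(err).split(":")[0])


# Constructed sample programs in the assumed assembly-level encoding.
GOOD = [("store_sp", 6), ("sub_sp", WORD), ("jump", "func")]           # the slide's example
BAD_TYPE = [("store_sp", "six"), ("sub_sp", WORD), ("jump", "func")]   # wrong argument type
BAD_ARITY = [("store_sp", 6), ("sub_sp", WORD), ("store_sp", 7), ("sub_sp", WORD),
             ("jump", "func")]                                         # one argument too many
BAD_STACK = [ins for v in range(4) for ins in (("store_sp", v), ("sub_sp", WORD))] + [("jump", "func")]
```

Running `outcome(GOOD)` yields the decompiled top-level instruction `call func(6)` and a final state with the stack restored and the call's result type recorded; the three bad programs are rejected by the stack, call and type verifier respectively. The point of the shape is the one the summary makes: a layer's soundness argument only has to cover its own decompile and step, because the layer above never sees the lower-level instructions.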