compositional verifiers for mobile code safety

Compositional Verifiers for Mobile Code Safety. Bor-Yuh Evan Chang, Adam Chlipala, George C. Necula. May 12, 2005, OSQ Retreat, Santa Cruz, California.

Upload: kaelem

Post on 09-Jan-2016



TRANSCRIPT

Page 1: Compositional Verifiers for Mobile Code Safety

Compositional Verifiers for Mobile Code Safety

Bor-Yuh Evan Chang, Adam Chlipala

George C. Necula

May 12, 2005, OSQ Retreat

Santa Cruz, California

Page 2: Compositional Verifiers for Mobile Code Safety

5/12/2005 Compositional Verifiers for Mobile Code Safety 2

[Diagram: code --> type checker]

Type Safety as an Assurance Mechanism

• Type checking is a well-accepted safety assurance mechanism

• Most checkers today:
  – source-level (e.g. ML, C#, Java)
  – bytecode-level (e.g. CLI, JVML)
  – not assembly-level

…
pushl %ebp
movl %esp, %ebp
subl $8, %esp
movl 12(%ebp), %eax
subl $8, %esp
movl (%eax), %edx
addl $28, %edx
pushl $3
pushl %eax
movl (%edx), %eax
call *%eax

Want: a straightforward extension to assembly-level checking

Page 3: Compositional Verifiers for Mobile Code Safety


Problem

• Verifiers for lower-level code are more difficult and tedious to build

• Observation 1: Many verification tasks are common to large classes of verifiers
  – stack overflow checks, adherence to the calling convention (almost all)
  – dynamic dispatch (object-oriented languages)

• Observation 2: Various intermediate-level languages abstract various details

Page 4: Compositional Verifiers for Mobile Code Safety


Basic Idea

[Diagram: three verifiers stacked, each seeing the same call at its own level of abstraction]
  Type verifier:  call func(6)
  Call verifier:  push 6; jump func
  Stack verifier: mem[sp] := 6; sp := sp - 4; jump func

Page 5: Compositional Verifiers for Mobile Code Safety


Verifier Construction

• Verifiers are typically phrased as abstract interpreters or data-flow analyses

[Diagram: the Call verifier as a flow function: state --[jump func]--> state']

Page 6: Compositional Verifiers for Mobile Code Safety


Verifier Construction

[Diagram: the Type verifier stacked on the Call verifier: state --[call func(6)]--> state']

Page 7: Compositional Verifiers for Mobile Code Safety


Composing Flow Functions

[Diagram: each verifier's abstract transition is split into a Decompile phase and a Step phase. The Call verifier, given state and jump func, decompiles to call func(6) and steps to state'; the Type verifier, given call func(6), decompiles and steps in turn to state''.]

Page 8: Compositional Verifiers for Mobile Code Safety


Summary

• Intermediate languages seem useful for interfacing between abstract interpreters
  – Re-use of existing higher-level verifiers (e.g. JBV)

• Decomposed abstract transition into
  – a decompilation phase
  – a transition phase
  to expose the abstraction to “higher-level” verifiers

• Local decomposition of abstract transition hopefully makes soundness proofs of a composed verifier compositional
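As an added example (not code from the slides or from the authors' system), here is a toy Python rendering of the "Basic Idea" and "Composing Flow Functions" slides and of the summary's decomposition: a stack verifier, a call verifier and a type verifier are stacked, and each layer's abstract transition is a decompile phase (which turns the instruction it sees into an instruction of the next-higher language, using the layer's current state) followed by a step phase (which updates that layer's own state). The machine-level instruction syntax, the stack bound, the arity table and the type signatures are constructed assumptions; the sample program is the slides' `call func(6)` in its lowest-level form.

```python
"""Toy compositional verifier: stack, call and type verifiers stacked, each
with an abstract transition = decompile phase + step phase (constructed example;
instruction syntax, state shapes and function tables are assumptions)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

class VerifyError(Exception):
    """Raised by whichever layer rejects the program."""

# --- Layer 0: stack verifier over machine-level instructions -----------------
#   ("store_sp", v) = mem[sp] := v    ("sub_sp", n) = sp := sp - n    ("jump", f)
# A store followed by sp := sp - 4 is decompiled into ("push", v); jump passes up.
@dataclass(frozen=True)
class StackState:
    depth: int = 0                    # bytes of stack currently in use
    limit: int = 16                   # assumed bound; exceeding it is a stack overflow
    stored: Optional[object] = None   # value written at mem[sp], not yet pushed

def stack_decompile(st: StackState, ins: tuple) -> Optional[tuple]:
    op = ins[0]
    if op == "store_sp":
        return None                   # first half of a push: nothing to emit yet
    if op == "sub_sp":
        if st.stored is None or ins[1] != 4:
            raise VerifyError("sp adjusted without a matching 4-byte store")
        return ("push", st.stored)
    if op == "jump":
        if st.stored is not None:
            raise VerifyError("jump in the middle of a push")
        return ("jump", ins[1])
    raise VerifyError(f"unknown machine instruction {ins!r}")

def stack_step(st: StackState, ins: tuple) -> StackState:
    if ins[0] == "store_sp":
        return replace(st, stored=ins[1])
    if ins[0] == "sub_sp":
        depth = st.depth + ins[1]
        if depth > st.limit:          # the stack overflow check shared by all verifiers
            raise VerifyError(f"stack overflow: depth {depth} > limit {st.limit}")
        return replace(st, depth=depth, stored=None)
    return st                         # jump does not touch the stack

# --- Layer 1: call verifier over ("push", v) / ("jump", f) -------------------
ARITY = {"func": 1, "pair": 2}        # constructed calling-convention table

@dataclass(frozen=True)
class CallState:
    args: Tuple[object, ...] = ()     # arguments pushed since the last call

def call_decompile(st: CallState, ins: tuple) -> Optional[tuple]:
    if ins[0] == "push":
        return None                   # absorbed into this layer's state
    f = ins[1]
    if f not in ARITY:
        raise VerifyError(f"jump to unknown function {f}")
    if len(st.args) != ARITY[f]:
        raise VerifyError(f"calling convention: {f} takes {ARITY[f]} args, {len(st.args)} pushed")
    return ("call", f, st.args)       # e.g. ("call", "func", (6,)) for the slides' call func(6)

def call_step(st: CallState, ins: tuple) -> CallState:
    if ins[0] == "push":
        return replace(st, args=st.args + (ins[1],))
    return replace(st, args=())       # the jump consumed the pushed arguments

# --- Layer 2: type verifier over ("call", f, args) ---------------------------
SIGNATURES = {"func": (("int",), "int"), "pair": (("int", "str"), "str")}  # constructed

@dataclass(frozen=True)
class TypeState:
    result: Optional[str] = None      # type of the most recent call's result

def type_of(v: object) -> str:
    return "int" if isinstance(v, int) else "str" if isinstance(v, str) else "?"

def type_decompile(st: TypeState, ins: tuple) -> Optional[tuple]:
    return None                       # top layer: nothing above to feed

def type_step(st: TypeState, ins: tuple) -> TypeState:
    _, f, args = ins
    params, ret = SIGNATURES[f]
    actual = tuple(type_of(a) for a in args)
    if actual != params:
        raise VerifyError(f"type error: {f} expects {params}, got {actual}")
    return TypeState(result=ret)

LAYERS = [(stack_decompile, stack_step), (call_decompile, call_step),
          (type_decompile, type_step)]

def composed_transition(states: tuple, ins: tuple) -> tuple:
    """One composed transition: each layer decompiles with its pre-step state,
    steps, and hands the decompiled instruction to the layer above."""
    new_states, current = list(states), ins
    for i, (decompile, step) in enumerate(LAYERS):
        higher = decompile(states[i], current)
        new_states[i] = step(states[i], current)
        if higher is None:
            break
        current = higher
    return tuple(new_states)

def verify(program, stack_limit: int = 16) -> tuple:
    states = (StackState(limit=stack_limit), CallState(), TypeState())
    for ins in program:
        states = composed_transition(states, ins)
    return states

def verdict(program, stack_limit: int = 16) -> str:
    """'ok', or the message of the layer that rejected the program."""
    try:
        verify(program, stack_limit)
        return "ok"
    except VerifyError as e:
        return str(e)

CALL_FUNC_6 = [("store_sp", 6), ("sub_sp", 4), ("jump", "func")]  # constructed sample

if __name__ == "__main__":
    print(verify(CALL_FUNC_6))
    print(verdict(CALL_FUNC_6, stack_limit=0))                              # stack layer rejects
    print(verdict([("jump", "func")]))                                      # call layer rejects
    print(verdict([("store_sp", "six"), ("sub_sp", 4), ("jump", "func")]))  # type layer rejects
```

The point to notice is that each rejection comes from exactly one layer, and no layer needs to know the language below it: the type verifier only ever sees `call` instructions, so an existing higher-level checker could be dropped in unchanged, while the stack-overflow and calling-convention checks live once in the lower layers. Decompilation has to use the state before the step (the call verifier's pending arguments are what turn `jump func` into `call func(6)`), which is why `composed_transition` reads `states[i]` for both phases.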