Toward Verification of Unchecked Codes in Checked C (snejati/files/checkedc_finalpres_slides.pdf)
TRANSCRIPT
![Page 1: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/1.jpg)
Toward Verification of Unchecked Codes in Checked C
Saeed Nejati, University of Waterloo
Mentor: David Tarditi, Microsoft
December 6th, 2019
![Page 2: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/2.jpg)
Motivation
- Checked C: an extension of C designed for adding memory safety
  - Bounds information for memory regions and pointers:
    - `_Ptr<int> p`
    - `_Array_ptr<int> a : bounds(a, a+n)`
    - `_Nt_array_ptr<char> c : count(n)`
- Incremental adoption
  - Inter-operation of checked and unchecked code
  - Calling unchecked functions from checked code: only through a bounds-safe interface, e.g. `int *a : count(n)`

[Diagram: unchecked C code and Checked C code, separated by an interface]
![Page 12: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/12.jpg)
Motivation
Question: How do we provide security guarantees for a mix of checked and unchecked C code?
![Page 13: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/13.jpg)
Motivation
- Pointers to memory regions are passed to an unchecked function
- Bounds-safe interface: a partial specification of the boundaries
- Q: Does the function access those memory regions within their boundaries?

Goal: Verify the safety of unchecked functions against their bounds-safe interface.
![Page 17: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/17.jpg)
Outline
1. Bug Finding: Clang Static Analyzer; A New Checker; Limitations
2. Verification: Verification of Unchecked Functions; Seahorn; Limitations
3. Conclusions
![Page 18: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/18.jpg)
Ep. 1: Finding Violations (Fantastic Bugs and Where to Find Them)
![Page 19: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/19.jpg)
Clang Static Analyzer
- Checked C is implemented on top of Clang
- Clang has a Static Analyzer; use it to find memory bugs
- Core engine: explores all paths, tracks program states, maintains a hierarchical memory model
- A set of checkers that look for specific types of bugs
![Page 24: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/24.jpg)
Clang Static Analyzer
Problem 1: None of the checkers make use of the available bounds information.
![Page 25: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/25.jpg)
Clang Static Analyzer
- Performs symbolic execution:

```c
int x;
int y;
int z = 2 * x;
int w = y - z;
```

  Symbolic state after these statements: `x : $1`, `y : $2`, `z : 2 * $1`, `w : $2 - (2 * $1)`
- Internal solver: limited power on handling complex arithmetic; it only reasons about constraints with a concrete starting point (e.g. a symbol compared against a constant)
- Bounds-safe information it would need to use: `void foo(int *a : count(n), int n);`
![Page 28: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/28.jpg)
Clang Static Analyzer
- Problem 1: None of the checkers make use of the available bounds information.
- Problem 2: Bounds are commonly defined over non-concrete symbols.
![Page 29: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/29.jpg)
SimpleBounds Checker
A new checker that:
- Reads and makes use of bounds expressions
- Uses SMT solvers to handle complex bounds-checking expressions
![Page 30: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/30.jpg)
Bounds Checking and Solvers
- Checking if the accessed location is within bounds: LowerBound ≤ Index < UpperBound
- Safety question: Is Index always in bounds?
- Query the solver for the negated version: (Index < LowerBound) ∨ (Index ≥ UpperBound)
  - No solution (unsatisfiable): there is no index that goes out of bounds, i.e. the access is safe
  - A solution (a model): a concrete witness, an input that breaks the code
![Page 38: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/38.jpg)
SimpleBounds Checker

```c
void foo(int *p : count(n), int n);
// count(n) expands to bounds(p, p+n)
// Assume the range is not invalid (n > 0)
void foo(int *p, int n) {
    int *a = p;        // Aliasing can be handled
    a[n / 2] = 1;      // query: (n/2 < 0) ∨ (n/2 ≥ n)  -> no solution, this is ok
    int k = n + n;
    a[k] = 1;          // query: (n+n < 0) ∨ (n+n ≥ n)  -> satisfiable: Buffer Overflow!
    int t = (n & 1) | ((n & 1) ^ 1);   // This is always 1
    a[t - 2] = 1;      // index is always -1: Buffer Underflow!
}
```
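The slide's three accesses, run through a brute-force stand-in for the negated query described on the "Bounds Checking and Solvers" slide. This is an added example, not the SimpleBounds checker's code and not part of the Checked C project: instead of handing `(Index < 0) ∨ (Index ≥ n)` to an SMT solver, it enumerates `n` over a bounded range and returns the first value that satisfies the negated query, which is the same witness a solver model would give. The function names and the search range are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the slides: a brute-force stand-in for the SMT query
   the SimpleBounds checker poses. For an access a[i] under count(n), i.e.
   bounds(p, p + n), the safety condition is 0 <= i < n; the checker asks the
   solver for the negation, (i < 0) || (i >= n). Here the "solver" simply
   enumerates n over a bounded range and returns the first n that satisfies the
   negated query, which is exactly the witness a solver model would give. */

typedef long long (*index_fn)(long long n);

/* The three index expressions from foo() on the slide, evaluated in 64-bit so
   the search itself does not overflow for the n values we enumerate. */
static long long idx_half(long long n)      { return n / 2; }
static long long idx_double(long long n)    { return n + n; }
static long long idx_t_minus_2(long long n) {
    long long t = (n & 1) | ((n & 1) ^ 1);  /* low bit OR its complement: always 1 */
    return t - 2;                           /* always -1 */
}

/* The negated in-bounds query for one concrete n. */
static bool out_of_bounds(long long i, long long n) {
    return i < 0 || i >= n;
}

/* Search n in [1, max_n] (the slide assumes n > 0) for a witness that makes
   f(n) fall outside [0, n). Returns the first such n, or 0 when the query is
   unsatisfiable over the whole range (0 is never a valid n, so it cannot be
   confused with a real witness). */
long long find_witness(index_fn f, long long max_n) {
    for (long long n = 1; n <= max_n; n++)
        if (out_of_bounds(f(n), n))
            return n;
    return 0;
}

static void report(const char *access, index_fn f) {
    long long w = find_witness(f, 1000000);
    if (w == 0)
        printf("%-8s no witness up to n = 1000000: in bounds\n", access);
    else
        printf("%-8s witness n = %lld gives index %lld: OUT OF BOUNDS\n",
               access, w, f(w));
}

int main(void) {
    report("a[n/2]", idx_half);
    report("a[n+n]", idx_double);
    report("a[t-2]", idx_t_minus_2);
    return 0;
}
```

Enumeration only proves the first access safe over the searched range; the checker's SMT query over machine integers proves it for every `n`, and it also sees the wraparound of `int k = n + n` for large `n`, which the 64-bit arithmetic here deliberately sidesteps.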
![Page 50: Toward Verification of Unchecked Codes in Checked C](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/50.jpg)
SimpleBounds Checker
- The ArrayBound checkers of the Clang Static Analyzer do not detect these (underflow/overflow) bugs
- Merged into master (PR #737)
![Page 52: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/52.jpg)
Limitations
The Clang Static Analyzer is only as good as its checkers
A checker's power is bounded by the information the core engine provides
Very limited power on loops and recursion
void foo(int *a : count(n), int n);
void foo(int *a : count(n), int n) {
int i;
for(i=0; i<n+1; i++) // last iteration writes a[n], one past bounds(a, a+n)
a[i] = 0;
}
void foo(int *a : count(n), int n);
void foo(int *a : count(n), int n) {
int i;
for(i=n+1; i>=0; i--) // first two iterations write a[n+1] and a[n], both past the end
a[i] = 0;
}
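The conditions the SimpleBounds Checker attaches to each access, and the two loops above that it cannot reason about, as an added example that is not code from the slides or from the checker itself. A parameter `int *a : count(n)` carries `bounds(a, a + n)`, so an index `idx` is out of bounds exactly when `idx < 0` or `idx >= n`. The checker decides that condition symbolically; this example classifies each access by trying every n in [1, max_n] instead, which is enough to see why each access on the slides is flagged or not. The names `oob`, `classify`, `idx_*` and `oob_iterations_*` are assumptions made for this example.

```c
/* Constructed example, not code from the slides or from the SimpleBounds
 * checker.  An access a[idx] with bounds(a, a + n) is out of bounds when
 * idx < 0 (underflow) or idx >= n (overflow). */

enum verdict { NEVER_OOB, ALWAYS_OOB, SOMETIMES_OOB };

/* The condition the checker emits for an access a[idx] with bounds(a, a + n). */
static int oob(long idx, long n) { return idx < 0 || idx >= n; }

/* The three index expressions from the slide's foo(). */
static long idx_half(long n)   { return n / 2; }   /* a[n / 2]          */
static long idx_double(long n) { return n + n; }   /* a[k] with k = n + n */
static long idx_t_minus_2(long n) {
    long t = (n & 1) | ((n & 1) ^ 1);  /* exactly one operand is 1, so t == 1 */
    return t - 2;                      /* always -1: underflow for every n   */
}

/* Classify an access under the precondition n > 0 (the slide's "assume the
 * range is not invalid").  SOMETIMES_OOB would mean the verdict depends on n. */
enum verdict classify(long (*idx)(long), long max_n) {
    int seen_ok = 0, seen_oob = 0;
    for (long n = 1; n <= max_n; n++) {
        if (oob(idx(n), n)) seen_oob = 1; else seen_ok = 1;
        if (seen_ok && seen_oob) return SOMETIMES_OOB;
    }
    return seen_oob ? ALWAYS_OOB : NEVER_OOB;
}

/* The two loops from the Limitations slide, instrumented: instead of
 * writing a[i], count the iterations that would touch memory outside
 * bounds(a, a + n).  Zero means the loop is safe for this n. */
long oob_iterations_up(long n) {        /* for (i = 0; i < n + 1; i++) a[i] = 0; */
    long bad = 0;
    for (long i = 0; i < n + 1; i++)
        if (oob(i, n)) bad++;
    return bad;                          /* 1: the final iteration writes a[n] */
}

long oob_iterations_down(long n) {      /* for (i = n + 1; i >= 0; i--) a[i] = 0; */
    long bad = 0;
    for (long i = n + 1; i >= 0; i--)
        if (oob(i, n)) bad++;
    return bad;                          /* 2: a[n + 1] and a[n] are both past the end */
}
```

Running `classify` over the three expressions reproduces the slide's annotations: `n / 2` is never out of bounds, `n + n` always overflows, and `t - 2` always underflows even though `t` is built from two bit operations. The loop counters show why both loops are bugs for every n > 0, which is exactly the class of defect the path-based analyzer misses.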
12
![Page 54: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/54.jpg)
Ep.2: Safety Checking (Fantastic
Bugs: The Crimes of Programmer)
![Page 55: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/55.jpg)
Program Safety
How are checked regions protected?
Statically known OOB accesses are caught by the compiler
Otherwise a dynamic check is inserted to prevent a runtime OOB access
Safety question: Is there an input that makes the program go into a bad state?
A bad state is an out-of-bounds access
i.e. Will any of the assertions fail?
(Diagram: can any execution starting from Init reach Bad?)
Init ⇒ Inv
Inv(X) ∧ Tr(X, X′) ⇒ Inv(X′)
Inv ⇒ ¬Bad
13
![Page 63: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/63.jpg)
Seahorn
Seahorn is a software verification framework
For LLVM-based languages
Based on state-of-the-art model checking and abstract interpretation
Encodes the state transition relation as Constrained Horn Clauses
{Pre: x_old = x, y_old = y}
int n = non_deterministic_value();
while (n--) {
int t1 = x;
int t2 = y;
x = t1 + 1;
y = t2 - 1;
}
{Post: x_old + y_old == x + y}
14
![Page 68: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/68.jpg)
Unchecked Code Verification
Problem 1: How do we put verification conditions at each memory access location?
Use the dynamic checks as verification conditions
Problem 2: There are no dynamic checks in unchecked code
Use the same logic as in checked code to inject checks for unchecked pointers
More relaxed than a fully checked region
Assumption: every call made within an unchecked region goes to a function with a bounds-safe interface
15
![Page 74: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/74.jpg)
Unchecked Code Verification
Replace the front-end of Seahorn with the Checked C clang
1 Add bounds for unchecked pointers
2 Inject verification sink functions (__VERIFIER_error) into the LLVM bitcode at the dynamic check points
3 Query the Seahorn back-end for program safety
Merged into Master (PR #736)
16
![Page 79: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/79.jpg)
Unchecked Code Verification
int sum(int *a : count(n), int n);
int sum(int *a, int n) {
assume(a != NULL);
assume(n > 0);
int i = 0, s = 0;
for(i=0; i<n; i++) {
s += a[i+1];
sassert(i+1 < n);
sassert(i+1 >= 0);
}
a[n / 2] = 1;
return s;
}
The result should be "SAT": there exists a path to a failing assertion!
17
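The three obligations from the Program Safety slide (Init ⇒ Inv, Inv ∧ Tr ⇒ Inv′, Inv ⇒ ¬Bad), the x/y loop from the Seahorn slide and the sum() function above, put together as an added example that is not part of the original slides and is not Seahorn's engine. Seahorn discharges these obligations symbolically as Constrained Horn Clauses; this example enumerates a bounded state space instead, so it is a sanity check rather than a proof. The names `xy_state`, `xy_obligations_hold`, `counterexample`, `sum_reachable_bad` and `final_write_safe` are assumptions made for this example.

```c
/* Constructed example: explicit-state check of the safety obligations
 *     Init => Inv,   Inv(X) /\ Tr(X, X') => Inv(X'),   Inv => !Bad
 * over a bounded state space.  Not the slides' code and not Seahorn. */

/* ---- Instance 1: the loop from the Seahorn slide. ----
 * State X = (x, y); the loop body is Tr: x' = x + 1, y' = y - 1.
 * Pre records x_old = x0, y_old = y0; Post demands x0 + y0 == x + y. */
typedef struct { int x, y; } xy_state;

static int xy_inv(xy_state s, int x0, int y0) { return s.x + s.y == x0 + y0; }
static int xy_bad(xy_state s, int x0, int y0) { return !xy_inv(s, x0, y0); }
static xy_state xy_tr(xy_state s) { return (xy_state){ s.x + 1, s.y - 1 }; }

/* Returns 1 if all three obligations hold for every x0, y0, x, y in
 * [-bound, bound]; returns 0 at the first violated obligation. */
int xy_obligations_hold(int bound) {
    for (int x0 = -bound; x0 <= bound; x0++)
        for (int y0 = -bound; y0 <= bound; y0++) {
            xy_state init = { x0, y0 };
            if (!xy_inv(init, x0, y0)) return 0;             /* Init => Inv */
            for (int x = -bound; x <= bound; x++)
                for (int y = -bound; y <= bound; y++) {
                    xy_state s = { x, y };
                    if (!xy_inv(s, x0, y0)) continue;        /* only Inv states matter */
                    if (!xy_inv(xy_tr(s), x0, y0)) return 0; /* Inv /\ Tr => Inv' */
                    if (xy_bad(s, x0, y0)) return 0;         /* Inv => !Bad */
                }
        }
    return 1;
}

/* ---- Instance 2: the sum() function from the verification slide. ----
 * State X = (n, i).  Init: assume(n > 0), i = 0.  Tr: i < n -> i' = i + 1.
 * Bad: the injected sassert at the access a[i + offset] fails, i.e.
 * !(i + offset < n && i + offset >= 0).  offset = 1 is the slide's buggy
 * s += a[i+1]; offset = 0 is the corrected loop body. */
typedef struct { int found, n, i; } counterexample;

counterexample sum_reachable_bad(int max_n, int offset) {
    for (int n = 1; n <= max_n; n++)             /* assume(n > 0) */
        for (int i = 0; i < n; i++) {            /* loop guard i < n */
            int idx = i + offset;
            if (!(idx < n && idx >= 0))          /* sassert(idx < n); sassert(idx >= 0) */
                return (counterexample){ 1, n, i };
        }
    return (counterexample){ 0, 0, 0 };          /* no failing path within the bound */
}

/* The slide's final write a[n / 2] stays in bounds for every n > 0. */
int final_write_safe(int max_n) {
    for (int n = 1; n <= max_n; n++)
        if (!(n / 2 < n && n / 2 >= 0)) return 0;
    return 1;
}
```

For the x/y loop the invariant x + y == x_old + y_old is inductive, so the Post condition can never be violated. For the buggy sum() body the checker returns the counterexample n = 1, i = 0 (the access a[1] with only one element in bounds), which is the same verdict as the SAT result above; with the loop body reading a[i] instead, no bad state is reachable within the bound.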
![Page 83: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/83.jpg)
Limitations
Checked C+Seahorn is sound if the verification conditions are sound
The conditions are sound if the bounds inference is sound
Seahorn works completely on the LLVM side
18
![Page 84: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/84.jpg)
Conclusions
![Page 85: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/85.jpg)
Demo.
![Page 86: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/86.jpg)
Summary
Given an unchecked function with a bounds-safe interface:
A bounds-aware static analyzer checker that finds OOB accesses
Safety verification with Checked C+Seahorn
Identified limitations of static analysis and verification in Checked C
Paths for future work in verification of checked/unchecked C code
20
![Page 87: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/87.jpg)
Future Work
Bounds for unchecked pointers:
back-propagating the assumptions
forward-propagating the bounds
Improving bounds inference
Expanding the checker
21
![Page 88: Toward Verification of Unchecked Codes in Checked Csnejati/files/checkedc_finalpres_slides.pdf · Toward Veri cation of Unchecked Codes in Checked C Saeed Nejati Mentor: David Tarditi](https://reader034.vdocuments.us/reader034/viewer/2022050514/5f9ebd870c682d074956aeba/html5/thumbnails/88.jpg)
Thanks!
Questions?