董渊,任恺,王生原,张素琴

DOI: https://doi.org/10.3724/sp.j.1001.2010-.03794

2010-01-01

Journal of Software

Abstract:This paper presents a method to build and verify bytecode virtual machine.The formal definition and the operational semantics of a bytecode virtual machine(BVM) are given.CertVM(certified virtual machine) is implemented with X86 assembly code.It is proved in this paper that the CertVM is satisfied with the formal definition of the bytecode machine with simulation relation.The virtual machine implementation program is certified in the Coq proof assistant.The proof is machine checkable.This method guarantees that a certified bytecode program will run on the certified virtual machine without stuck unless hardware faults.This work does not only provide a solid theoretical foundation for reasoning about virtual machine,but also makes an important advance toward building the trustworthy software.

Yuan Dong,Shengyuan Wang,Liwei Zhang,Ping Yang

DOI: https://doi.org/10.1109/compsac.2009.81

2009-01-01

Abstract:Modular certification of low-level intermediate representation (IR) programs is one of the key steps of proof-transforming compilation. The major challenges are the complexity of abstract control stacks and the lack of control flow information due to their flat nature.To tackle these challenges, we present in this paper a novel Hoare-style logic framework for modular certification of p-machine style bytecode as IR programs. This logic can fully support abstract control stacks and unstructured control flows for modular certification of IR programs involving while loops, procedure call/return, recursive procedures, and even nested procedures. It applies foundational proof-carrying code (FPCC) concepts to IR level. This system is expressive and fully mechanized. We prove its soundness and demonstrate its power by certifying the implementation of some IR programs in the Coq proof assistant. This work not only provides a solid theoretical foundation for reasoning about IR programs, but also makes an important advance toward building proof-transforming compilation environment in which certified IR code with proofs can be compiled to machine checkable proof-carrying low-level assembly code.

J. S. Moore,Hanbing Liu

2006-01-01

Abstract:How do we know that a bytecode-verified Java program will run safely? This dissertation addresses the question by building a precise model of the JVM and its bytecode verifier. We also built a "small" machine and its bytecode verifier to demonstrate an approach to solving this problem. We proved that for any program on the small machine that has been vetted by the small bytecode verifier, then that program will run safely on the small machine. We created substantial libraries of ACL2 definitions and lemmas towards specifying and proving that the JVM safely executes verified programs. The fundamental problem is to connect the abstract execution of the bytecode verifier with the concrete execution of the JVM. These diverge in two ways: (1) the bytecode verifier executes on more abstract states and (2) its execution of INVOKE-family and BRANCH-family instructions differs from their execution by the JVM. Our contribution was identification of a critical "on-track" property that, despite these divergences between the bytecode verifier and the JVM, enables one to use the success of bytecode verification to predict the safety of concrete execution. The second difficulty is that the official specification describes many "procedural" aspects of the bytecode verification process. These aspects obscure the checks conducted by the bytecode verifier. We introduce an alternative bytecode verifier without such "procedural" aspects. We use the new bytecode verifier as a stepping stone for proving that the official bytecode verifier is effective. Following this methodology allowed us to prove, on our "small" machine, that executions of bytecode-verified programs never overflow the operand stack. We note that significant effort is required in order to extend this result from our "small" machine to the full JVM. We have formulated appropriate stronger notions of "safe" execution for programs on the full JVM. We introduced an alternative bytecode verifier. We proved the “reduction theorem” that relates the official bytecode verifier with the alternative bytecode verifier. We completed proofs of several thousand lemmas towards proving the "safe" execution of bytecode-verified programs on the full JVM. Our results are organized into supporting lemma libraries.

Songzhu Mei,Zhiying Wang,Yong Cheng,Jiangchun Ren,Jiangjiang Wu,Jie Zhou

DOI: https://doi.org/10.1080/18756891.2012.733231

IF: 2.259

2012-01-01

International Journal of Computational Intelligence Systems

Abstract:Cloud computing bring a tremendous complexity to information security. Remote attestation can be used to establish trust relationship in cloud. TBVMM is designed to extend the existing chain of trust into the software layers to support dynamic remote attestation for cloud computing. TBVMM uses Bayesian network and Kalman filter to solve the dynamicity of the trusted relationship. It is proposed to fill the trust gap between the infrastructure and upper software stacks.

Hendra Gunadi,Alwen Tiu,Rajeev Gore

DOI: https://doi.org/10.48550/arXiv.1504.01842

2015-04-08

Programming Languages

Abstract:Android is an operating system that has been used in a majority of mobile devices. Each application in Android runs in an instance of the Dalvik virtual machine, which is a register-based virtual machine (VM). Most applications for Android are developed using Java, compiled to Java bytecode and then translated to DEX bytecode using the dx tool in the Android SDK. In this work, we aim to develop a type-based method for certifying non-interference properties of DEX bytecode, following a methodology that has been developed for Java bytecode certification by Barthe et al. To this end, we develop a formal operational semantics of the Dalvik VM, a type system for DEX bytecode, and prove the soundness of the type system with respect to a notion of non-interference. We then study the translation process from Java bytecode to DEX bytecode, as implemented in the dx tool in the Android SDK. We show that an abstracted version of the translation from Java bytecode to DEX bytecode preserves the non-interference property. More precisely, we show that if the Java bytecode is typable in Barthe et al's type system (which guarantees non-interference) then its translation is typable in our type system. This result opens up the possibility to leverage existing bytecode verifiers for Java to certify non-interference properties of Android bytecode.

Zhaopeng Li,Zhong Zhuang,Yiyun Chen,Simin Yang,Zhenting Zhang,Dawei Fan

DOI: https://doi.org/10.1109/tase.2010.8

2010-01-01

Abstract:Proof-carrying code (PCC) is a technique that allows code consumers to check whether the code is safe to execute or not through a formal safety proof provided by the code producer. And a certifying compiler makes PCC practical by compiling annotated source code into low-level code and proofs. In this paper we present a certifying compiler for a subset of the C programming language, named Clike, with built-in automated theorem provers. Clike programs can be compiled by ANSI C compiler without any modification. Our compiler is intended to deal with data structures such as singly-linked lists, doubly-linked lists and trees. At the source level, we have designed a program logic combining a constrained first-order logic and a fragment of separation logic. We use a verification-condition-based method, and the generated verification conditions are sent to the built-in automated theorem prover. Our prover will generate proof terms when the input formula is valid. The low-level verification framework follows Hoare-style verification methods. The assembly code, its specification and proofs are generated automatically based on a variant of Stack-based Certifying Assembly Programming (SCAP). We implement our certifying compiler prototype in SML/NJ and build our prover libraries using the meta logic provided by Coq. We have used our prototype to successfully certify a considerable number of programs manipulating linked-lists and binary trees.

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.

Hanru Jiang,Hongjin Liang,Siyang Xiao,Junpeng Zha,Xinyu Feng

DOI: https://doi.org/10.1145/3314221.3314595

2019-01-01

Abstract:Certified separate compilation is important for establishing end-to-end guarantees for certified systems consisting of multiple program modules. There has been much work building certified compilers for sequential programs. In this paper, we propose a language-independent framework consisting of the key semantics components and lemmas that bridge the verification gap between the compilers for sequential programs and those for (race-free) concurrent programs, so that the existing verification work for the former can be reused. One of the key contributions of the framework is a novel footprint-preserving compositional simulation as the compilation correctness criterion. The framework also provides a new mechanism to support confined benign races which are usually found in efficient implementations of synchronization primitives. With our framework, we develop CASCompCert, which extends CompCert for certified separate compilation of race-free concurrent Clight programs. It also allows linking of concurrent Clight modules with x86-TSO implementations of synchronization primitives containing benign races. All our work has been implemented in the Coq proof assistant.

zhang yu,dong yunwei,feng wenlong,huang mengxing

DOI: https://doi.org/10.13328/j.cnki.jos.005214

2017-01-01

Abstract:Cyber-Physical System(CPS) tightly integrates control software and embedded components, incorporating software with control domains. CPSs are pervasive and often mission-critical, therefore, they must have high level of security. With the extensive use of information technology, embedded control software plays a greater role in such systems. The close interactions between control software and embedded components demand co-verification. In this paper, an automata-theoretic approach is presented to co-verification. Co-verification, which verifies control software and embedded components together, is essential to establish the correctness of a complete system. The foundation of this approach is a unified model for co-verification and reachability analysis of the model. The LTL formula is converted into a Büchi automata, which is interleaved with the execution of the unified model under analysis. An online-capture offline-replay approach is proposed to improve the usefulness for formal verification. Case studies on a suite of realistic examples show that the presented approach has major potential in verifying system level properties, therefore improving the high-assurance of system.

Nils Froleyks,Emily Yu,Armin Biere,Keijo Heljanko

2024-05-07

Abstract:Certification helps to increase trust in formal verification of safety-critical systems which require assurance on their correctness. In hardware model checking, a widely used formal verification technique, phase abstraction is considered one of the most commonly used preprocessing techniques. We present an approach to certify an extended form of phase abstraction using a generic certificate format. As in earlier works our approach involves constructing a witness circuit with an inductive invariant property that certifies the correctness of the entire model checking process, which is then validated by an independent certificate checker. We have implemented and evaluated the proposed approach including certification for various preprocessing configurations on hardware model checking competition benchmarks. As an improvement on previous work in this area, the proposed method is able to efficiently complete certification with an overhead of a fraction of model checking time.

Symbolic Computation

WANG Wei,CHEN Xingshu,LAN Xiao,JIN Xin

DOI: https://doi.org/10.11959/j.issn.2096-109x.2018098

2018-01-01

Abstract:The virtual machine attestation scheme proposed by trusted computing group (TCG) can provide attestation service of virtual machine for cloud computing.However,the service using the scheme proposed by the TCG directly would be threatened by the cuckoo attack and its performance would be lower.Therefore,a new virtual machine remote attestation scheme based on virtual machine introspection (VMI) was proposed.Firstly,it eliminated the path to perform cuckoo attacks in virtual machines via obtaining virtual machines′ remote attestation evidence in virtual machine monitor (VMM).Secondly,it used physical trusted platform module (TPM) to ensure the integrity of virtual machines’ remote attestation evidence and reduced the number of attestation identity key (AIK) certificates required during remote attestation to balance the load of private CA.Experiments show that the proposed scheme can verify the status of virtual machines correctly and increase the performance of bulk virtual machines’ remote attestation significantly.

Ling Zhang,Yuting Wang,Jinhua Wu,Jérémie Koenig,Zhong Shao

DOI: https://doi.org/10.1145/3632914

2023-11-18

Abstract:Verified compilation of open modules (i.e., modules whose functionality depends on other modules) provides a foundation for end-to-end verification of modular programs ubiquitous in contemporary software. However, despite intensive investigation in this topic for decades, the proposed approaches are still difficult to use in practice as they rely on assumptions about the internal working of compilers which make it difficult for external users to apply the verification results. We propose an approach to verified compositional compilation without such assumptions in the setting of verifying compilation of heterogeneous modules written in first-order languages supporting global memory and pointers. Our approach is based on the memory model of CompCert and a new discovery that a Kripke relation with a notion of memory protection can serve as a uniform and composable semantic interface for the compiler passes. By absorbing the rely-guarantee conditions on memory evolution for all compiler passes into this Kripke Memory Relation and by piggybacking requirements on compiler optimizations onto it, we get compositional correctness theorems for realistic optimizing compilers as refinements that directly relate native semantics of open modules and that are ignorant of intermediate compilation processes. Such direct refinements support all the compositionality and adequacy properties essential for verified compilation of open modules. We have applied this approach to the full compilation chain of CompCert with its Clight source language and demonstrated that our compiler correctness theorem is open to composition and intuitive to use with reduced verification complexity through end-to-end verification of non-trivial heterogeneous modules that may freely invoke each other (e.g., mutually recursively).

Programming Languages

Vishnu Murali,Ashutosh Trivedi,Majid Zamani

2023-11-14

Abstract:Barrier certificates provide functional overapproximations for the reachable set of dynamical systems and provide inductive guarantees on the safe evolution of the system. Formally a barrier certificate is a real-valued function over the state set that is required to be non-positive for the initial states, positive over the set of unsafe states and nonincreasing along the state transitions. These conditions together provide an inductive argument that the system will not reach an unsafe state even once as the barrier certificate remains non-positive for all reachable states. In the automata-theoretic approach to verification, a key query is to determine whether the system visits a given predicate over the states finitely often, typically resulting from the complement of the traditional Buchi acceptance condition. This paper proposes a barrier certificate approach to answer such queries by developing a notion of co-Buchi barrier certificates (CBBCs) that generalize classic barrier certificates to ensure that the traces of a system visit a given predicate a fixed number of times. Our notion of CBBC is inspired from bounded synthesis paradigm to LTL realizability, where the LTL specifications are converted to safety automata via universal co-Buchi automata with a bound on final state visitations provided as a hyperparameter. Our application of CBBCs in verification is analogous in nature: we fix a bound and search for a suitable barrier certificate, increasing the bound if no suitable function can be found. We then use these CBBCs to verify our system against properties specified by co-Buchi automata and demonstrate their effectiveness via some case studies. We also show that the present approach strictly generalizes performant barrier certificate based approaches that rely on cutting the paths of the automata that start from an initial state and reach some accepting states.

Formal Languages and Automata Theory,Systems and Control

LUO Xiao-Guang,WANG Sheng-Yuan,DONG Yuan,ZHANG Su-Qin

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.02.070

2007-01-01

Computer Science

Abstract:Using certifying compiler for the the safety solution of mobile codes is a new approache in the literature,featured with that a large percentage of the load for checking the safty policy can be transfered from a code consumer to a code producer so that the much run-time load at the code consumer can be reduced.Besides,it is more trustworthy and can support the verification of anonymous codes because the code itself instead of the authority of a code producer is verified.An analysis for such a reasearch is presented in the paper.It can be seen that supporting a higher level safety policy would be one of the potential focused directions in this area to get more widely applications.Our preliminary work on this direction is introduced briefly between the lines,in order to share it with other researchers.

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Anbang Ruan,Qingni Shen,Li Wang,Chao Qin,Liang Gu,Zhong Chen

2009-01-01

China Communications

Abstract:The Binary-based attestation (BA) mechanism presented by the Trusted Computing Group can equip the application with the capability of genuinely identifying configurations of remote system. However, BA only supports the attestation for specific patterns of binary codes defined by a trusted party, mostly the software vendor, for a particular version of a software. In this paper, we present a Source-Code Oriented Attestation (SCOA) framework to enable custom built application to be attested to in the TCG attestation architecture. In SCOA, security attributes are bond with the source codes of an application instead of its binaries codes. With a proof chain generated by a Trusted Building System to record the building procedure, the challengers can determine whether the binary interacted with is genuinely built from a particular set of source codes. Moreover, with the security attribute certificates assigned to the source codes, they can deter-mine the trustworthiness of the binary. In this paper, we present a TBS implementation with virtualization.

Zhang Wei-ping,Chen Wen-yuan,Zhao Xiao-lin,Li Sheng-yong,Jiang Yong

DOI: https://doi.org/10.1007/s11741-006-0010-0

2006-01-01

Abstract:The virtual machine of code mechanism (VMCM) as a new concept for code mechanical solidification and verification is proposed and can be applied in MEMS (micro-electromechanical systems) security device for high consequence systems. Based on a study of the running condition of physical code mechanism, VMCM′s configuration, ternary encoding method, running action and logic are derived. The cases of multi-level code mechanism are designed and verified with the VMCM method, showing that the presented method is effective.

Niels Mommen,Bart Jacobs

2023-07-14

Abstract:We propose an approach for modular verification of programs written in an object-oriented language where, like in C++, the same virtual method call is bound to different methods at different points during the construction or destruction of an object. Our separation logic combines Parkinson and Bierman's abstract predicate families with essentially explicitly tracking each subobject's vtable pointer. Our logic supports polymorphic destruction. Virtual inheritance is not yet supported. We formalised our approach and implemented it in our VeriFast tool for semi-automated modular formal verification of C++ programs.

Programming Languages

Si-min YANG,Zhao-peng LI,Zhong ZHUANG,Zhen-ting ZHANG

2011-01-01

Abstract:Recently,as an important way to build high-confidence software,certifying compiler is becoming the research focus of the compiler and formal verification.In its theoretical framework,the compiler proves the verification conditions and generates the machine-checkable proof automatically with automated theorem prover,so a good automated theorem prover is essential for certifying compiler.This paper describes a linear arithmetic prover based on the Simplex algorithm,and proposes an innovative method of proof generation,which is applied to our automated theorem prover to build the Coq-checkable proof.

LIU Cheng,CHEN Yi-yun,GE Lin,HUA Bao-jian

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.21.031

2007-01-01

Abstract:Certifying compiler is such a tool coming up with the increasing demands for higher reliability and safety of computer software.It combines the techniques in programming languages and program verifications.This paper describes some details in implementing our prototype of a certifying compiler.