Zhifang Wang,Yiyun Chen,Zhenming Wang,Baojian Hua

DOI: https://doi.org/10.1007/s11704-008-0033-8

2010-01-01

Abstract:As the security of software is deeply valued while its complexity and size are increasing, automated verification is highly desirable. On the other hand, verification of pointer programs remains a major challenge. In our previous work pointer logic has been proposed to verify basic safety properties of pointer programs, and in this work, we developed efficient algorithms and techniques to implement pointer logic rules for automated verification. The algorithms and techniques are dedicated to reducing the human effort involved in program verification. Moreover, they have been implemented in a tool -- PLCC to automatically verify a range of non-trivial programs such as basic operations on singly-linked lists, trees, circular doubly-linked list etc. and the experimental results show that in acceptable time pointer logic can be applied to automated verification.

Chen Yiyun,Ge Lin,Hua Baojian,Li Zhaopeng,Liu Cheng,Wang Zhifang

DOI: https://doi.org/10.1007/s11704-007-0029-9

IF: 2.6688

2007-01-01

Frontiers of Computer Science

Abstract:Proof-Carrying Code brings two big challenges to the research field of programming languages. One is to seek more expressive logics or type systems to specify or reason about the properties of low-level or high-level programs. The other is to study the technology of certifying compilation in which the compiler generates proofs for programs with annotations. This paper presents our progress in the above two aspects. A pointer logic was designed for PointerC (a C-like programming language) in our research. As an extension of Hoare logic, our pointer logic expresses the change of pointer information for each statement in its inference rules to support program verification. Meanwhile, based on the ideas from CAP (Certified Assembly Programming) and SCAP (Stack-based Certified Assembly Programming), a reasoning framework was built to verify the properties of object code in a Hoare style. And a certifying compiler prototype for PointerC was implemented based on this framework. The main contribution of this paper is the design of the pointer logic and the implementation of the certifying compiler prototype. In our certifying compiler, the source language contains rich pointer types and operations and also supports dynamic storage allocation and deallocation.

Yiyun Chen,Zhao-Peng Li,Zhifang Wang,Bao-Jian Hua

DOI: https://doi.org/10.3724/sp.j.1001.2010.03620

2010-01-01

Journal of Software

Abstract:This paper improves and extends the pointer logic that has been designed for verifying pointer programs.Its main contribution is that a concept of legal sets of access paths is presented, which simplifies elementary operations on access paths and makes inference rules of the logic easier to understand.Furthermore, the logic with inference rules is extended for local reasoning and for function construction, making the logic used conveniently in the context of function calls.

陈意云,李兆鹏,王志芳,华保健

DOI: https://doi.org/10.3724/sp.j.1001.2010.03620

2010-01-01

Abstract:This paper improves and extends the pointer logic that has been designed for verifying pointer programs.Its main contribution is that a concept of legal sets of access paths is presented, which simplifies elementary operations on access paths and makes inference rules of the logic easier to understand.Furthermore, the logic with inference rules is extended for local reasoning and for function construction, making the logic used conveniently in the context of function calls.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Zhang Zhitian,Chen Yiyun,Liu Gang

DOI: https://doi.org/10.3969/j.issn.1674-7720.2011.16.004

2011-01-01

Abstract:Analysis and verification of programs dealing with pointers are still difficult problems so far.This paper uses a shape graph logic and a shape system to solve these problems.Using our method,programmers must declare the shapes that the recursive data structuresintend to build,and the shapes that pointer variables point to.Thus shape graphs can be constructed using an analysis tool and used tosupport the program verification.This paper presents a method for pointer program verification avoiding to make complicated extensions to Hoare logic in the situation that equalities over pointers can be decided statically.

梁红瑾,张昱,陈意云,李兆鹏,华保健

DOI: https://doi.org/10.3724/sp.j.1001.2010.03783

2010-01-01

Journal of Software

Abstract:A pointer logic is designed for a C-like programming language PointerC.The pointer logic is an extension of Hoare logic,and it uses the idea of precise alias analysis in pointer program verification to support safety verification of programs in which equality of pointers is well-regulated.This paper presents an extension to the pointer logic by introducing a set of uncertain-equality pointer access path sets,so as to reason in the extended pointer logic about properties of programs which manipulate data structures like directed graph in which equality of pointers is uncertain.

Yifeng Chen,J W Sanders

2007-01-01

Abstract:Compositional reasoning about pointers and references is c rucial to verification of contemporary software. This paper introduces a pointer logic that extends Sep aration Logic with a fixpoint operator and new compositions different from separating conjunction. H igher level of abstraction can be achieved if the right compositions are used in the right places. In parti cular, if a relation is a ‘full unique decomposition’ then the corresponding composition decomposes a ny given graph uniquely into two parts; an example is the separation between the non-garbage and garba ge parts of memory. The logic is proved to be largely satisfaction-decidable in the sense that there i s a finite procedure to determine whether or not a program state satisfies a formula. The main technical resul t of the paper is that if only full unique decompositions are used in compositions, then a rather genera l fragment becomes validity-decidable. The logic is axiomatized and, with the help of an infinitary infer ence rule, proved to be complete. Separation Logic without pointer arithmetic is shown to be a fragment of he logic. Yifeng Chen is a lecturer in Computer Science at the University of Durham , England, with interests in imperative, parallel and object-oriented programming l anguages, including design, translation, static analysis, semantics, specifications and their support for d ecentralised software development. Jeff Sandersis Principal Research Fellow at UNU-IIST, having recently j oined from the Programming Research Group at Oxford. His interests lie largely in Forma l Methods. Copyright c © 2007by UNU-IIST

Bouillaguet Quentin,Bobot François,Sighireanu Mihaela,Yakobowski Boris

DOI: https://doi.org/10.48550/arXiv.1811.12515

2018-11-30

Abstract:Cooperation between verification methods is crucial to tackle the challenging problem of software verification. The paper focuses on the verification of C programs using pointers and it formalizes a cooperation between static analyzers doing pointer analysis and a deductive verification tool based on first order logic. We propose a framework based on memory models that captures the partitioning of memory inferred by pointer analyses, and complies with the memory models used to generate verification conditions. The framework guided us to propose a pointer analysis that accommodates to various low-level operations on pointers while providing precise information about memory partitioning to the deductive verification. We implemented this cooperation inside the Frama-C platform and we show its effectiveness in reducing the task of deductive verification on a complex case study.

Programming Languages

张阳,程亮

DOI: https://doi.org/10.3724/sp.j.1016.2009.01119

2009-01-01

Chinese Journal of Computers

Abstract:This paper proposes an improved verification method for code security property on the basis of the study of predecessors’ work. According to the situation that current code property verification can only deal with a subset of C programming language,this paper introduces the pointer logic,whose result can be used by the replacement algorithm to substitute all the pointers in the source code,to the conventional code security property verification tools. The proposed approach avoids the weakness of pointer processing in the traditional static code property verification,and therefore can handle pointers in C programming language when property verification partially.

Wei Lei,Xie Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.12.004

2008-01-01

Abstract:In the paper it puts forward a new pointer analysis method with higher security.It selects the Steensgaard algorithm after comprehensively analyzed four common pointer analysis algorithms and improves its security.Based on it,through adding semantics of compulsory type conversion and further modifying the inference rules of type system,the missing report of attacks caused by precision losses is avoided.Meanwhile it keeps the original algorithm complexity constant.

Hongjin Liang,Yu Zhang,Yiyun Chen

2010-01-01

Abstract:Pointer programs remain a major challenge for program analysis and verification. Shape analysis can discover the shape invariants of data structures in the heap and detect errors about manipulating pointers in a program. This paper presents a shape analysis for linked list programs based on a new shape graph representation. Our shape graphs could describe unbounded data structures without loss of pointer information. A novel shape system is designed to help the shape analysis. The shape system contains a set of shape inference rules to deduce the shapes of the heap contents at each program point and a set of shape checking rules to find shape errors in pointer programs. In the shape system, programmers are expected to declare the shapes of the data structures constructed by recursive data types and to annotate each pointer variable with the shape of the objects which it should point to, so that compilers or other tools can check whether the programs have shape errors and generate loop invariants and even pre/post conditions for program verification. Keywords-Shape Graph, Loop Invariant Inference, Shape Analysis, Program Analysis, Pointer Logic

Huang Bo,Zang Binyu,Li Jing,Zhu Chuanqi

DOI: https://doi.org/10.1007/bf02943202

2001-01-01

Abstract:Pointer analysis is a technique to identify at compile-time the potential values of the pointer expressions in a program, which promises significant benefits for optimizing and parallelizing compilers. In this paper, a new approach to pointer analysis for assignments is presented. In this approach, assignments are classified into three categories: pointer assignments, structure (union) assignments and normal assignments which don’t affect the point-to information. Pointer analyses for these three kinds of assignments respectively make up the integrated algorithm. When analyzing a pointer assignment, a new method called expression expansion is used to calculate both the left targets and the right targets. The integration of recursive data structure analysis into pointer analysis is a significant originality of this paper, which uniforms the pointer analysis for heap variables and the pointer analysis for stack variables. This algorithm is implemented in Agassiz, an analyzing tool for C programs developed by Institute of Parallel Processing, Fudan University Its accuracy and effectiveness are illustrated by experimental data.

Georges-Axel Jaloyan

DOI: https://doi.org/10.48550/arXiv.1710.07047

2017-10-19

Abstract:In the context of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language, intended for formal verification of mission-critical software. Our solution is based on static alias analysis inspired by Rust's borrow-checker and affine types, and enforces the Concurrent Read, Exclusive Write principle. This analysis has been implemented in the GNAT Ada compiler and tested against a number of challenging examples including parts of real-life applications. Our tests show that only minor changes in the source code are required to fit the idiomatic Ada code into SPARK extended with pointers, which is a significant improvement upon the previous state of the art. The proposed extension has been approved by the Language Design Committee for SPARK for inclusion in a future version of SPARK, and is being discussed by the Ada Rapporteur Group for inclusion in the next version of Ada. In the report, we give a formal presentation of the analysis rules for a miniature version of SPARK and prove their soundness. We discuss the implementation and the case studies, and compare our solution with Rust.

Programming Languages

Yuexing Wang,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec48747.2019.00044

2019-01-01

Abstract:Precise pointer analysis is desired since many program analyses benefit from it both in precision and performance. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. The more dimensions a pointer analysis considers, the more accurate its results will be. However, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents a flow, context, field and quasi path sensitive pointer analysis algorithm for C programs. Our algorithm runs on a control flow automaton, a key structure for our analysis to be flow sensitive. During the analysis process, we use function summaries to get context information. Elements of aggregate structures are handled to improve precision. We collect path conditions to filter unreachable paths and make all points-to relations gated. For efficiency, we propose a multi-entry mechanism. The algorithm is implemented in TsmartGP, which is an extension of CPAchecker. Our algorithm is compared with some state-of-the-art algorithms and TsmartGP is compared with cppcheck and Clang Static Analyzer by detecting uninitialized pointer errors in 13 real-world applications. The experimental results show that our algorithm is more accurate and TsmartGP can find more errors than other tools.

Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.48550/arXiv.0912.4184

2009-12-21

Abstract:This paper presents an extension to Hoare logic for pointer program verification. First, the Logic for Partial Function (LPF) used by VDM is extended to specify memory access using pointers and memory layout of composite types. Then, the concepts of data-retrieve functions (DRF) and memory-scope functions (MSF) are introduced in this paper. People can define DRFs to retrieve abstract values from interconnected concrete data objects. The definition of the corresponding MSF of a DRF can be derived syntactically from the definition of the DRF. This MSF computes the set of memory units accessed when the DRF retrieves an abstract value. This memory unit set is called the memory scope of the abstract value. Finally, the proof rule of assignment statements in Hoare's logic is modified to deal with pointers. The basic idea is that a virtual value keeps unmodified as long as no memory unit in its scope is over-written. Another proof rule is added for memory allocation statements. The consequence rule and the rules for control-flow statements are slightly modified. They are essentially same as their original version in Hoare logic. An example is presented to show the efficacy of this logic. We also give some heuristics on how to verify pointer programs.

Logic in Computer Science

Mohamed A. El-Zawawy

DOI: https://doi.org/10.48550/arXiv.1112.3756

2011-12-16

Programming Languages

Abstract:The use of pointers and data-structures based on pointers results in circular memory references that are interpreted by a vital compiler analysis, namely pointer analysis. For a pair of memory references at a program point, a typical pointer analysis specifies if the points-to relation between them may exist, definitely does not exist, or definitely exists. The "may be" case, which describes the points-to relation for most of the pairs, cannot be dealt with by most compiler optimizations. This is so to guarantee the soundness of these optimizations. However, the "may be" case can be capitalized by the modern class of speculative optimizations if the probability that two memory references alias can be measured. Focusing on multithreading, a prevailing technique of programming, this paper presents a new flow-sensitive technique for probabilistic pointer analysis of multithreaded programs. The proposed technique has the form of a type system and calculates the probability of every points-to relation at each program point. The key to our approach is to calculate the points-to information via a post-type derivation. The use of type systems has the advantage of associating each analysis results with a justification (proof) for the correctness of the results. This justification has the form of a type derivation and is very much required in applications like certified code.

Roland Meyer,Sebastian Wolff

DOI: https://doi.org/10.1145/3371136

2020-01-01

Proceedings of the ACM on Programming Languages

Abstract:We consider the verification of lock-free data structures that manually manage their memory with the help of a safe memory reclamation (SMR) algorithm. Our first contribution is a type system that checks whether a program properly manages its memory. If the type check succeeds, it is safe to ignore the SMR algorithm and consider the program under garbage collection. Intuitively, our types track the protection of pointers as guaranteed by the SMR algorithm. There are two design decisions. The type system does not track any shape information, which makes it extremely lightweight. Instead, we rely on invariant annotations that postulate a protection by the SMR. To this end, we introduce angels, ghost variables with an angelic semantics. Moreover, the SMR algorithm is not hard-coded but a parameter of the type system definition. To achieve this, we rely on a recent specification language for SMR algorithms. Our second contribution is to automate the type inference and the invariant check. For the type inference, we show a quadratic-time algorithm. For the invariant check, we give a source-to-source translation that links our programs to off-the-shelf verification tools. It compiles away the angelic semantics. This allows us to infer appropriate annotations automatically in a guess-and-check manner. To demonstrate the effectiveness of our type-based verification approach, we check linearizability for various list and set implementations from the literature with both hazard pointers and epoch-based memory reclamation. For many of the examples, this is the first time they are verified automatically. For the ones where there is a competitor, we obtain a speed-up of up to two orders of magnitude.