Yuan Dong,Kai Ren,Shengyuan Wang,Suqin Zhang

DOI: https://doi.org/10.1007/978-3-642-10672-9_20

2009-01-01

Abstract:Bytecodes and virtual machines (VM) are prevailing programming facilities in contemporary software industry due to their ease of portability across various platforms. Thus, it is critical to improve their trustworthiness. This paper addresses the interesting and challenging problem of certifying bytecode programs over certified VMs. Our solutions to this problem include: 1) A logical systems (CBP) for a bytecode machine is built to modularly certify bytecode programs with abstract control stacks and unstructured control flows, 2) and the corresponding stack-based virtual machine is implemented and certified, 3) a simulation relation between bytecode program and VM implementation is developed and proved to achieve the objective that once some safety property of a bytecode program is certified in CBP system, the property will be preserved on any certified VM. We prove the soundness and demonstrate its power by certifying some example programs with the Coq proof assistant. This work not only provides a solid theoretical foundation for reasoning about bytecode programs, but also gains insight into building proof-preserving compilers.

Hendra Gunadi,Alwen Tiu,Rajeev Gore

DOI: https://doi.org/10.48550/arXiv.1504.01842

2015-04-08

Programming Languages

Abstract:Android is an operating system that has been used in a majority of mobile devices. Each application in Android runs in an instance of the Dalvik virtual machine, which is a register-based virtual machine (VM). Most applications for Android are developed using Java, compiled to Java bytecode and then translated to DEX bytecode using the dx tool in the Android SDK. In this work, we aim to develop a type-based method for certifying non-interference properties of DEX bytecode, following a methodology that has been developed for Java bytecode certification by Barthe et al. To this end, we develop a formal operational semantics of the Dalvik VM, a type system for DEX bytecode, and prove the soundness of the type system with respect to a notion of non-interference. We then study the translation process from Java bytecode to DEX bytecode, as implemented in the dx tool in the Android SDK. We show that an abstracted version of the translation from Java bytecode to DEX bytecode preserves the non-interference property. More precisely, we show that if the Java bytecode is typable in Barthe et al's type system (which guarantees non-interference) then its translation is typable in our type system. This result opens up the possibility to leverage existing bytecode verifiers for Java to certify non-interference properties of Android bytecode.

Wei Chen,Weixia Xu,Zhiying Wang,Qiang Dou,Yongwen Wang,Baokang Zhao,Baosheng Wang

DOI: https://doi.org/10.1109/IMIS.2011.144

2011-01-01

Abstract:Co-designed Virtual Machine (Co-VM) technique combining software and hardware enables a different approach to microprocessor design, where the host architecture is designed concurrently with the software that runs on it. The key of a Co-VM is to emulate the source architecture on the target architecture through interpretation and binary translation. There is some commonness of different Co-VMs. In this paper, we propose a formalization of the emulation based co-designed virtual machine. Some theorem, lemma and properties are put forward, like the VM should take the binary translation strategy based on the semantics of a basic code block or a super block rather than the strategy based on instruction. The solutions proposed in this paper can be used as a guide for choosing the interpretation or binary translation strategy when designing a Co-VM.

Sergio Demian Lerner,Ramon Amela,Shreemoy Mishra,Martin Jonas,Javier Álvarez Cid-Fuentes

DOI: https://doi.org/10.48550/arXiv.2405.06842

2024-05-11

Abstract:BitVMX is a new design for a virtual CPU to optimistically execute arbitrary programs on Bitcoin based on a challenge response game introduced in BitVM. Similar to BitVM1 we create a general-purpose CPU to be verified in Bitcoin script. Our design supports common architectures, such as RISC-V or MIPS. Our main contribution to the state of the art is a design that uses hash chains of program traces, memory mapped registers, and a new challenge-response protocol. We present a new message linking protocol as a means to allow authenticated communication between the participants. This protocol emulates stateful smart contracts by sharing state between transactions. This provides a basis for our verification game which uses a graph of pre-signed transactions to support challenge-response interactions. In case of a dispute, the hash chain of program trace is used with selective pre-signed transactions to locate (via $n$-ary search) and then recover the precise nature of errors in the computation. Unlike BitVM1, our approach does not require the creation of Merkle trees for CPU instructions or memory words. Additionally, it does not rely on signature equivocations. These differences help avoid complexities associated with BitVM1 and make BitVMX a compelling alternative to BitVM2. Our approach is quite flexible, BitVMX can be instantiated to balance transaction cost vs round complexity, prover cost vs verifier cost, and precomputations vs round complexity.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Zhang Wei-ping,Chen Wen-yuan,Zhao Xiao-lin,Li Sheng-yong,Jiang Yong

DOI: https://doi.org/10.1007/s11741-006-0010-0

2006-01-01

Abstract:The virtual machine of code mechanism (VMCM) as a new concept for code mechanical solidification and verification is proposed and can be applied in MEMS (micro-electromechanical systems) security device for high consequence systems. Based on a study of the running condition of physical code mechanism, VMCM′s configuration, ternary encoding method, running action and logic are derived. The cases of multi-level code mechanism are designed and verified with the VMCM method, showing that the presented method is effective.

Yun-min ZHU,Li-wei ZHANG,Sheng-yuan WANG,Yuan DONG,Su-qin ZHANG

DOI: https://doi.org/10.3321/j.issn:0372-2112.2009.z1.001

2009-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:2 Abstract As the multi-core processor is widely used and advanced high-trusted software is required, the verification of parallel programs for multi-core processor becomes more and more important. This paper presents a proof framework about the verification of parallel programs, including the definition of our abstract machine, the formal specification for object code, logic inference rules and the proof of soundness theory. We certify the code at an assembly-level directly in order to disregard the correctness of compilers. The classic spin-lock technology is introduced to implement the mutually exclusive access to shared memory. Our proof framework supports Hoare-logic style reasoning. In addition, we use high-order logic to describe both operational semantics and security-policy, so the partial correctness of multi-core parallel programs can be verified in our system.

Yuehua Dai,Yi Shi,Yong Qi,Jianbao Ren,Peijian Wang

DOI: https://doi.org/10.1007/s11704-012-2084-0

2013-01-01

Abstract:Virtual machine monitors (VMMs) play a central role in cloud computing. Their reliability and availability are critical for cloud computing. Virtualization and device emulation make the VMM code base large and the interface between OS and VMM complex. This results in a code base that is very hard to verify the security of the VMM. For example, a misuse of a VMM hyper-call by a malicious guest OS can corrupt the whole VMM. The complexity of the VMM also makes it hard to formally verify the correctness of the system's behavior. In this paper a new VMM, operating system virtualization (OSV), is proposed. The multiprocessor boot interface and memory configuration interface are virtualized in OSV at boot time in the Linux kernel. After booting, only inter-processor interrupt operations are intercepted by OSV, which makes the interface between OSV and OS simple. The interface is verified using formal model checking, which ensures a malicious OS cannot attack OSV through the interface. Currently, OSV is implemented based on the AMD Opteron multi-core server architecture. Evaluation results show that Linux running on OSV has a similar performance to native Linux. OSV has a performance improvement of 4%-13% over Xen.

Dexi Wang,Chao Zhang,Guang Chen,Ming Gu,Jiaguang Sun

2016-01-01

Abstract:The C programming language is widely used in safety-critical software systems. With its large appliance and increasing complexity, the need of ensuring the correctness of C codes emerged. This paper presents Ceagle , a fully automated program verifier for finding assertion violations in C programs. It is decent in both accuracy and efficiency by using a semantically equivalent program model language that is specifically designed for C program, together with various optimizations that make the satisfiability checking faster and memoryfriendly. More specifically, Ceagle uses LLVM clang as front-end parser, an extended labeled transition system as program model, and Z3 SMT solver as the back-end satisfiability checker. Ceagle is designed to be fully automatic and requires no user interaction as long as the assertions are provided. For evaluation, we compare Ceagle with existing C program verifiers based on open benchmarks. Ceagle outperforms others in terms of accuracy, and time and memory consumption.

Anbang Ruan,Qingni Shen,Li Wang,Chao Qin,Liang Gu,Zhong Chen

2009-01-01

China Communications

Abstract:The Binary-based attestation (BA) mechanism presented by the Trusted Computing Group can equip the application with the capability of genuinely identifying configurations of remote system. However, BA only supports the attestation for specific patterns of binary codes defined by a trusted party, mostly the software vendor, for a particular version of a software. In this paper, we present a Source-Code Oriented Attestation (SCOA) framework to enable custom built application to be attested to in the TCG attestation architecture. In SCOA, security attributes are bond with the source codes of an application instead of its binaries codes. With a proof chain generated by a Trusted Building System to record the building procedure, the challengers can determine whether the binary interacted with is genuinely built from a particular set of source codes. Moreover, with the security attribute certificates assigned to the source codes, they can deter-mine the trustworthiness of the binary. In this paper, we present a TBS implementation with virtualization.

Hasini Witharana,Hansika Weerasena,Prabhat Mishra

DOI: https://doi.org/10.1109/tcad.2024.3443008

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Trusted execution environments (TEEs) provide a secure environment for computation, ensuring that the code and data inside the TEE are protected with respect to confidentiality and integrity. Virtual machine (VM)-based TEEs extend this concept by utilizing virtualization technology to create isolated execution spaces that can support a complete operating system or specific applications. As the complexity and importance of VM-based TEEs grow, ensuring their reliability and security through formal verification becomes crucial. However, these technologies often operate without formal assurances of their security properties. Our research introduces a formal framework for representing and verifying VM-based TEEs. This approach provides a rigorous foundation for defining and verifying key security attributes for safeguarding execution environments. To demonstrate the applicability of our verification framework, we conduct an analysis of real-world TEE platforms, including Intel's trust domain extensions (TDX). This work not only emphasizes the necessity of formal verification in enhancing the security of VM-based TEEs but also provides a systematic approach for evaluating the resilience of these platforms against sophisticated adversarial models.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Zheng Yang,Hang Lei,Weizhong Qian

DOI: https://doi.org/10.1109/access.2020.2969437

IF: 3.9

2020-01-01

IEEE Access

Abstract:This paper reports a formal symbolic process virtual machine (FSPVM) denoted as FSPVM-E for verifying the reliability and security of Ethereum-based services at the source code level of smart contracts. A Coq proof assistant is employed for programming the system and for proving its correctness. The current version of FSPVM-E adopts execution-verification isomorphism, which is an application extension of Curry-Howard isomorphism, as its fundamental theoretical framework to combine symbolic execution and higher-order logic theorem proving. The four primary components of FSPVM-E include a general, extensible, and reusable formal memory framework, an extensible and universal formal intermediate programming language denoted as Lolisa, which is a large subset of the Solidity programming language using generalized algebraic datatypes, the corresponding formally verified interpreter of Lolisa, denoted as FEther, and assistant tools and libraries. The self-correctness of all components is certified in Coq. FSPVM-E supports the ERC20 token standard, and can automatically and symbolically execute Ethereum-based smart contracts, scan their standard vulnerabilities, and verify their reliability and security properties with Hoare-style logic in Coq.

Yuan Dong,Shengyuan Wang,Liwei Zhang,Ping Yang

DOI: https://doi.org/10.1109/compsac.2009.81

2009-01-01

Abstract:Modular certification of low-level intermediate representation (IR) programs is one of the key steps of proof-transforming compilation. The major challenges are the complexity of abstract control stacks and the lack of control flow information due to their flat nature.To tackle these challenges, we present in this paper a novel Hoare-style logic framework for modular certification of p-machine style bytecode as IR programs. This logic can fully support abstract control stacks and unstructured control flows for modular certification of IR programs involving while loops, procedure call/return, recursive procedures, and even nested procedures. It applies foundational proof-carrying code (FPCC) concepts to IR level. This system is expressive and fully mechanized. We prove its soundness and demonstrate its power by certifying the implementation of some IR programs in the Coq proof assistant. This work not only provides a solid theoretical foundation for reasoning about IR programs, but also makes an important advance toward building proof-transforming compilation environment in which certified IR code with proofs can be compiled to machine checkable proof-carrying low-level assembly code.

文勇,蔡铭,陈刚,杨子江,金星

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.11.037

2010-01-01

Abstract:To effectively carry out the object code analysis and verification,a novel method of control flow and structural coverage measurement for object code verification is presented based on CPU module extension.By branch instruction function extension,along with a new module for dynamic branch target buffer,the control flow of object code is collected effectively.And then,the algorithm for control flow construction and structural coverage measurement are given respectively.Both the overhead and computation complexity are acceptable with analysis study.Competitive advantage of this method is independent of compiler and non-incursive measurement for the object code.

Lennart Beringer,Gordon Stewart,Robert Dockins,Andrew W. Appel

DOI: https://doi.org/10.1007/978-3-642-54833-8_7

2014-01-01

Abstract:We present a new architecture for specifying and proving optimizing compilers in the presence of shared-memory interactions such as buffer-based system calls, shared-memory concurrency, and separate compilation. The architecture, which is implemented in the context of CompCert, includes a novel interaction-oriented model for C-like languages, and a new proof technique, called logical simulation relations, for compositionally proving compiler correctness with respect to this interaction model. We apply our techniques to CompCert’s primary memory-reorganizing compilation phase, Cminorgen. Our results are formalized in Coq, building on the recently released CompCert 2.0.

Si-min YANG,Zhao-peng LI,Zhong ZHUANG,Zhen-ting ZHANG

2011-01-01

Abstract:Recently,as an important way to build high-confidence software,certifying compiler is becoming the research focus of the compiler and formal verification.In its theoretical framework,the compiler proves the verification conditions and generates the machine-checkable proof automatically with automated theorem prover,so a good automated theorem prover is essential for certifying compiler.This paper describes a linear arithmetic prover based on the Simplex algorithm,and proposes an innovative method of proof generation,which is applied to our automated theorem prover to build the Coq-checkable proof.

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Nils Froleyks,Emily Yu,Armin Biere,Keijo Heljanko

2024-05-07

Abstract:Certification helps to increase trust in formal verification of safety-critical systems which require assurance on their correctness. In hardware model checking, a widely used formal verification technique, phase abstraction is considered one of the most commonly used preprocessing techniques. We present an approach to certify an extended form of phase abstraction using a generic certificate format. As in earlier works our approach involves constructing a witness circuit with an inductive invariant property that certifies the correctness of the entire model checking process, which is then validated by an independent certificate checker. We have implemented and evaluated the proposed approach including certification for various preprocessing configurations on hardware model checking competition benchmarks. As an improvement on previous work in this area, the proposed method is able to efficiently complete certification with an overhead of a fraction of model checking time.

Symbolic Computation

Qi Zhou,David Heath,William Harris

DOI: https://doi.org/10.48550/arXiv.1705.03110

2017-05-09

Abstract:Verifying partial (i.e., termination-insensitive) equivalence of programs has significant practical applications in software development and education. Conventional equivalence verifiers typically rely on a combination of given relational summaries and suggested synchronization points; such information can be extremely difficult for programmers without a background in formal methods to provide for pairs of programs with dissimilar logic. In this work, we propose a completely automated verifier for determining partial equivalence, named Pequod. Pequod automatically synthesizes expressive proofs of equivalence conventionally only achievable via careful, manual constructions of product programs To do so, Pequod syntheses relational proofs for selected pairs of program paths and combines the per-path relational proofs to synthesize relational program invariants. To evaluate Pequod, we implemented it as a tool that targets Java Virtual Machine bytecode and applied it to verify the equivalence of hundreds of pairs of solutions submitted by students for problems hosted on popular online coding platforms, most of which could not be verified by existing techniques.

Programming Languages

WANG Xiaolin,ZHANG Binbin,JIN Xinxin,WANG Zhenlin,LUO Yingwei,LI Xiaoming

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.06.002

2011-01-01

Abstract:It’s essential to learn about sensitive instructions that cause virtual machine (VM) to exit to the virtual machine monitor (VMM) to find new ways to optimize the performance of VM.This paper proposes a novel method,competition in bucket method (CBM),to track all VM exits efficiently,by mapping sensitive instructions to buckets according to instruction addresses,and find out hot instructions in each bucket.

Tong Li,Yang Lin,Xueyuan Kong,Yue Yu,Fajiang Yu

2011-01-01

Abstract:Current technology in trusted computing cannot comply with the requirement of trusted behaviour. One method for trusted computing dynamic attestation is proposed in this paper. This method uses a behaviour model based on the static analysis of binary code. One same source code may have several different binary versions, therefore one method is proposed for building almost the same core function model for different binary versions. This research also overcame the difficulty where some dynamic behaviours could not be obtained by static analysis. The paper also provides solutions for dynamic attestation of some complex programs, such as recursion, library link and multi threads programs.