Sound Modular Verification of C Code Executing in an Unverified Context

Over the past decade, great progress has been made in the static modular verification of C code by means of separation logic-based program logics. However, the runtime guarantees offered by such verification are relatively limited when the verified modules are part of a whole program that also contains unverified modules. In particular, a memory safety error in an unverified module can corrupt the runtime state, leading to assertion failures or invalid memory accesses in the verified modules. This paper develops runtime checks to be inserted at the boundary between the verified and the unverified part of a program, to guarantee that no assertion failures or invalid memory accesses can occur at runtime in any verified module. One of the key challenges is enforcing the separation logic frame rule, which we achieve by checking the integrity of the footprint of the verified part of the program on each control flow transition from the unverified to the verified part. This in turn requires the presence of some support for module-private memory at runtime. We formalize our approach and prove soundness. We implement the necessary runtime checks by means of a program transformation that translates C code with separation logic annotations into plain C, and that relies on a protected module architecture for providing module-private memory and restricted module entry points. Benchmarks show the performance impact of this transformation depends on the choice of boundary between the verified and unverified parts of the program, but is below 4% for real-world applications.

[1]  Bertrand Meyer,et al.  Applying 'design by contract' , 1992, Computer.

[2]  David Walker,et al.  Modular Protections against Non-control Data Attacks , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[3]  Frank Piessens,et al.  Fides: selectively hardening software application components against kernel-level or process-level malware , 2012, CCS '12.

[4]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[5]  Shuang Wu,et al.  Analysis of BLAKE2 , 2014, CT-RSA.

[6]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[7]  Viktor Vafeiadis,et al.  Bi-abductive Resource Invariant Synthesis , 2009, APLAS.

[8]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[9]  Wolfram Schulte,et al.  VCC: Contract-based modular verification of concurrent C , 2009, 2009 31st International Conference on Software Engineering - Companion Volume.

[10]  Úlfar Erlingsson,et al.  Low-Level Software Security: Attacks and Defenses , 2007, FOSAD.

[11]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[12]  Frank Piessens,et al.  Expressive modular fine-grained concurrency specification , 2011, POPL '11.

[13]  Frank Piessens,et al.  Secure Compilation to Modern Processors , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[14]  Frank Piessens,et al.  Software verification with VeriFast: Industrial case studies , 2014, Sci. Comput. Program..

[15]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[16]  Frank Piessens,et al.  A Quick Tour of the VeriFast Program Verifier , 2010, APLAS.

[17]  Matthias Felleisen,et al.  Correct blame for contracts: no more scapegoating , 2011, POPL '11.

[18]  Ohio Library,et al.  Programming Languages , 2013, Lecture Notes in Computer Science.

[19]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[20]  Wei-Ngan Chin,et al.  Runtime Checking for Separation Logic , 2008, VMCAI.

[21]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[22]  Matthew J. Parkinson,et al.  jStar: towards practical verification for java , 2008, OOPSLA.

[23]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, International Journal on Software Tools for Technology Transfer.

[24]  Wolfram Schulte,et al.  Runtime verification of .NET contracts , 2003, J. Syst. Softw..

[25]  Juan Chen,et al.  Gradual typing embedded securely in JavaScript , 2014, POPL.

[26]  Benjamin C. Pierce,et al.  Contracts made manifest , 2010, POPL '10.

[27]  Frank Piessens,et al.  Sancus: Low-cost Trustworthy Extensible Networked Devices with a Zero-software Trusted Computing Base , 2013, USENIX Security Symposium.

[28]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[29]  Juan Chen,et al.  Fully abstract compilation to JavaScript , 2013, POPL.

[30]  ChinWei-Ngan,et al.  Automated verification of shape, size and bag properties via user-defined predicates in separation logic , 2012 .

[31]  Matthias Felleisen,et al.  Contract Soundness for object-oriented languages , 2001, OOPSLA '01.

[32]  James Newsome,et al.  Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework , 2013, 2013 IEEE Symposium on Security and Privacy.

[33]  Marco Patrignani,et al.  Secure Compilation to Protected Module Architectures , 2015, TOPL.

[34]  Nikolai Kosmatov,et al.  An Optimized Memory Monitoring for Runtime Assertion Checking of C Programs , 2013, RV.

[35]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.