Verification of Hypervisor Subroutines written in Assembler

We present a methodology for the specification and verification of functional specifications of programs written in Assembler. We have evaluated the methodology in an industrial setting, the verification of the Microsoft Hypervisor. Many industrial software projects are written in a high-level language like C. For performance reasons or for direct hardware access, some of the routines are implemented in Assembler. Our goal is the automatic modular verification of functional specifications for C programs with subroutines in Assembler. This goal entails the need for checking an Assembler procedure against its functional specification. The specification of the Assembler program is used also in the specification of the C code that calls the Assembler program as a subroutine. Therefore, we need to translate back and forth between specifications for C code and specifications for Assembler code. The particular context of our work is the verification of the Microsoft Hypervisor where the static checker VCC is used to verify the part of the code written in C. VCC uses modular reasoning and comes with its own annotation language for functional specifications for C programs. The functional specifications for the Assembler routines in the Microsoft Hypervisor are given in the form of specifications for the C routines that call them. In this thesis, we introduce the tool Vx86 and the corresponding methodology to verify Assembler code against functional specifications of the form described above. In our approach, we use Vx86 to translate the Assembler code into C code. We give the translation of each Assembler instruction into a short piece of C code. Some instructions of x86 are complex in that their behavior depends on the internal processor state such as flag or control registers. The high-level semantics of C does not, however, foresee such low-level featuers. In order to account for the processor state in the high-level semantics, we introduce a C structure that contains the complete processor state. The modification of this C structure during the execution of the C code simulates the modification of the internal processor state during the execution of the Assembler instructions. Since we can refer to this C structure in the annotation language, we can specify the functional correctness of Assembler routines also if the functional correctness refers to the hardware directly. Our tool Vx86, integrated with VCC, leads to a methodology for the verification of functional specifications of programs written in Assembler and, thus, the pervasive verification of mixed programs such as the Microsoft Hypervisor which are written in C and Assembler. In this methodology, the program has to be annotated manually with modular specifications, e.g., preand postconditions and loop invariants. The verification of the code against these specifications is then fully automatic. We have used the methodology and the tool Vx86 in order to verify all subroutines of the Microsoft Hypervisor which are written in Assembler.

[1]  J. Strother Moore,et al.  An approach to systems verification , 1989, Journal of Automated Reasoning.

[2]  K. Rustan M. Leino,et al.  The Spec# Programming System: Challenges and Directions , 2005, VSTTE.

[3]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[4]  Thomas W. Reps,et al.  CodeSurfer/x86-A Platform for Analyzing x86 Executables , 2005, CC.

[5]  Wolfgang J. Paul,et al.  Towards the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctnes , 2005, SEFM.

[6]  Norbert Schirmer,et al.  From Operating-System Correctness to Pervasively Verified Applications , 2010, IFM.

[7]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[8]  Xinyu Feng,et al.  Modular verification of concurrent assembly code with dynamic thread creation and termination , 2005, ICFP '05.

[9]  Frank Pfenning,et al.  Automated Deduction - CADE-21, 21st International Conference on Automated Deduction, Bremen, Germany, July 17-20, 2007, Proceedings , 2007, CADE.

[10]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[11]  Mark A. Hillebrand,et al.  Invariants, Modularity, and Rights , 2009, Ershov Memorial Conference.

[12]  Wolfram Schulte,et al.  A Precise Yet Efficient Memory Model For C , 2009, Electron. Notes Theor. Comput. Sci..

[13]  Thomas W. Reps,et al.  A Next-Generation Platform for Analyzing Executables , 2005, APLAS.

[14]  Laurie Hendren Compiler Construction, 17th International Conference, CC 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29 - April 6, 2008. Proceedings , 2008, CC.

[15]  Peter Müller,et al.  Formal Translation of Bytecode into BoogiePL , 2007, Electron. Notes Theor. Comput. Sci..

[16]  Nikolaj Bjørner,et al.  Proofs and Refutations, and Z3 , 2008, LPAR Workshops.

[17]  Bernhard Beckert,et al.  Formal Verification of a Microkernel Used in Dependable Software Systems , 2009, SAFECOMP.

[18]  Aleksy Schubert,et al.  ESC/Java2 as a Tool to Ensure Security in the Source Code of Java Applications , 2006, SET.

[19]  Robert S. Boyer,et al.  Automated Correctness Proofs of Machine Code Programs for a Commercial Microprocessor , 1992, CADE.

[20]  Wolfram Schulte,et al.  Vx86: x86 Assembler Simulated in C Powered by Automated Theorem Proving , 2008, AMAST.

[21]  Wolfram Schulte,et al.  VCC: Contract-based modular verification of concurrent C , 2009, 2009 31st International Conference on Software Engineering - Companion Volume.

[22]  Mark A. Hillebrand,et al.  On the Correctness of Operating System Kernels , 2005, TPHOLs.

[23]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[24]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[25]  Thomas W. Reps,et al.  Analyzing Stripped Device-Driver Executables , 2008, TACAS.

[26]  Zhong Shao,et al.  Using XCAP to Certify Realistic Systems Code: Machine Context Management , 2007, TPHOLs.

[27]  Mohamed Nassim Seghir,et al.  Integration of a Software Model Checker into Isabelle , 2005, LPAR.

[28]  Jochen Liedtke,et al.  On micro-kernel construction , 1995, SOSP.

[29]  Claude Marché,et al.  Multi-prover Verification of C Programs , 2004, ICFEM.

[30]  Burkhart Wolff,et al.  A Verification Approach for System-Level Concurrent Programs , 2008, VSTTE.

[31]  K. Rustan M. Leino Specifying and verifying software , 2007, ASE '07.

[32]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.

[33]  K. Rustan M. Leino,et al.  Class-local object invariants , 2008, ISEC '08.

[34]  George C. Necula,et al.  Proof-Carrying Code , 2011, Encyclopedia of Cryptography and Security.

[35]  Thomas W. Reps,et al.  Low-Level Library Analysis and Summarization , 2007, CAV.

[36]  Norbert Schirmer,et al.  Verification of sequential imperative programs in Isabelle-HOL , 2006 .

[37]  Frank S. de Boer,et al.  Formal Methods for Components and Objects, 4th International Symposium, FMCO 2005, Amsterdam, The Netherlands, November 1-4, 2005, Revised Lectures , 2006, FMCO.

[38]  Erik Poll,et al.  Teaching Program Specification and Verification Using JML and ESC/Java2 , 2009, TFM.

[39]  Yu Guo,et al.  Foundational Typed Assembly Language with Certified Garbage Collection , 2007, First Joint IEEE/IFIP Symposium on Theoretical Aspects of Software Engineering (TASE '07).

[40]  Frank Piessens,et al.  A programming model for concurrent object-oriented programs , 2008, TOPL.

[41]  Burkhart Wolff,et al.  Proving Fairness and Implementation Correctness of a Microkernel Scheduler , 2009, Journal of Automated Reasoning.

[42]  Chi-Hua Chen,et al.  Model Checking x86 Executables with CodeSurfer/x86 and WPDS++ , 2005, CAV.

[43]  Karl Crary,et al.  Type Structure for Low-Level Programming Languages , 1999, ICALP.

[44]  Rafal Kolanski,et al.  Formalising the L4 microkernel API , 2006, CATS.

[45]  Gerwin Klein,et al.  The L4.verified Project - Next Steps , 2010, VSTTE.

[46]  Mark A. Hillebrand,et al.  The Verisoft Approach to Systems Verification , 2008, VSTTE.

[47]  Stefan M. Petters,et al.  Towards trustworthy computing systems: taking microkernels to the next level , 2007, OPSR.

[48]  Michael Norrish,et al.  Types, bytes, and separation logic , 2007, POPL '07.

[49]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.