Get Rid of Inline Assembly through Verification-Oriented Lifting

Formal methods for software development have made great strides in the last two decades, to the point that their application in safety-critical embedded software is an undeniable success. Their extension to non-critical software is one of the notable forthcoming challenges. For example, C programmers regularly use inline assembly for low-level optimizations and system primitives. This usually results in rendering state-of-the-art formal analyzers developed for C ineffective. We thus propose TINA, the first automated, generic, verification-friendly and trustworthy lifting technique turning inline assembly into semantically equivalent C code amenable to verification, in order to take advantage of existing C analyzers. Extensive experiments on real-world code (including GMP and ffmpeg) show the feasibility and benefits of TINA.

[1]  Aurélien Francillon,et al.  Inception: System-Wide Security Testing of Real-World Embedded Systems Software , 2018, USENIX Security Symposium.

[2]  Hanspeter Mössenböck,et al.  An Analysis of x86-64 Inline Assembly in C Programs , 2018, VEE.

[3]  Matt Noonan,et al.  Evolving Exact Decompilation , 2018 .

[4]  Minkyu Jung,et al.  Testing intermediate representations for binary analysis , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[5]  Amal Ahmed,et al.  FunTAL: reasonably mixing a functional language with assembly , 2017, PLDI.

[6]  David Bühler,et al.  Structuring an Abstract Interpreter through Value and State Abstractions:EVA, an Evolved Value Analysis for Frama-C. (Structurer un interpréteur abstrait au moyen d'abstractions de valeurs et d'états :Eva, une analyse de valeur évoluée pour Frama-C) , 2017 .

[7]  Adel Djoudi,et al.  Recovering High-Level Conditions from Binary Programs , 2016, FM.

[8]  Alastair David Reid,et al.  Trustworthy specifications of ARM® v8-A and v8-M system level architecture , 2016, 2016 Formal Methods in Computer-Aided Design (FMCAD).

[9]  Xi Chen,et al.  An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries , 2016, USENIX Security Symposium.

[10]  Barton P. Miller,et al.  Binary code is not easy , 2016, ISSTA.

[11]  Cristian Cadar,et al.  Shadow of a Doubt: Testing for Divergences between Software Versions , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[12]  Jean-Yves Marion,et al.  BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[13]  Tom Schrijvers,et al.  From MinX to MinC: semantics-driven decompilation of recursive datatypes , 2015, POPL.

[14]  Peter W. O'Hearn,et al.  From Categorical Logic to Facebook Engineering , 2015, 2015 30th Annual ACM/IEEE Symposium on Logic in Computer Science.

[15]  Adel Djoudi,et al.  BINSEC: Binary Code Analysis with Low-Level Regions , 2015, TACAS.

[16]  Nikolai Kosmatov,et al.  Frama-C: A software analysis perspective , 2015, Formal Aspects of Computing.

[17]  Patrick Cousot,et al.  Abstract interpretation: past, present and future , 2014, CSL-LICS.

[18]  Jorge Sousa Pinto,et al.  Formal Verification of kLIBC with the WP Frama-C Plug-in , 2014, NASA Formal Methods.

[19]  David Brumley,et al.  Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring , 2013, USENIX Security Symposium.

[20]  Magnus O. Myreen,et al.  Translation validation for a verified OS kernel , 2013, PLDI.

[21]  Koushik Sen,et al.  Symbolic execution for software testing: three decades later , 2013, CACM.

[22]  Lauretta O. Osho,et al.  Axiomatic Basis for Computer Programming , 2013 .

[23]  Sabine Schmaltz,et al.  Integrated Semantics of Intermediate-Language C and Macro-Assembler for Pervasive Formal Verification of Operating Systems and Hypervisors from VerisoftXT , 2012, VSTTE.

[24]  Dmitry Kravchenko,et al.  Alternating Control Flow Reconstruction , 2012, VMCAI.

[25]  Patrice Godefroid,et al.  SAGE: Whitebox Fuzzing for Security Testing , 2012, ACM Queue.

[26]  Axel Simon,et al.  Precise Static Analysis of Binaries by Extracting Relational Information , 2011, 2011 18th Working Conference on Reverse Engineering.

[27]  Jörg Brauer,et al.  Precise control flow reconstruction using Boolean logic , 2011, 2011 Proceedings of the Ninth ACM International Conference on Embedded Software (EMSOFT).

[28]  Olivier Ly,et al.  The BINCOA Framework for Binary Code Analysis , 2011, CAV.

[29]  David Brumley,et al.  BAP: A Binary Analysis Platform , 2011, CAV.

[30]  David Brumley,et al.  TIE: Principled Reverse Engineering of Types in Binary Programs , 2011, NDSS.

[31]  Philippe Herrmann,et al.  Refinement-Based CFG Reconstruction from Unstructured Programs , 2011, VMCAI.

[32]  Stefan Maus,et al.  Verification of hypervisor subroutines written in Assembler = Verifikation von Hypervisorunterrutinen, geschrieben in Assembler , 2011 .

[33]  Thomas Ball,et al.  The Static Driver Verifier Research Platform , 2010, CAV.

[34]  Andrew W. Appel,et al.  Formal Verification of Coalescing Graph-Coloring Register Allocation , 2010, ESOP.

[35]  Thomas W. Reps,et al.  WYSINWYX: What you see is not what you eXecute , 2005, TOPL.

[36]  Cesare Tinelli,et al.  Satisfiability Modulo Theories , 2021, Handbook of Satisfiability.

[37]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[38]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[39]  Konrad Slind,et al.  Machine-Code Verification for Multiple Architectures - An Application of Decompilation into Logic , 2008, 2008 Formal Methods in Computer-Aided Design.

[40]  Ralf Huuck,et al.  Some Assembly Required - Program Analysis of Embedded System Code , 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[41]  Wolfram Schulte,et al.  Vx86: x86 Assembler Simulated in C Powered by Automated Theorem Proving , 2008, AMAST.

[42]  Jean Souyris,et al.  Astrée: From Research to Industry , 2007, SAS.

[43]  George C. Necula,et al.  Analysis of Low-Level Code Using Cooperating Decompilers , 2006, SAS.

[44]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[45]  Xavier Rival,et al.  Certification of compiled assembly code by invariant translation , 2004, International Journal on Software Tools for Technology Transfer.

[46]  George C. Necula,et al.  Translation validation for an optimizing compiler , 2000, PLDI '00.

[47]  MorrisettGreg,et al.  From system F to typed assembly language , 1999 .

[48]  Doug Simon,et al.  Assembly to high-level language translation , 1998, Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272).

[49]  Cristina Cifuentes,et al.  Interprocedural data flow decompilation , 1996, J. Program. Lang..

[50]  Cristina Cifuentes,et al.  Decompilation of binary programs , 1995, Softw. Pract. Exp..

[51]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[52]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[53]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.