Source-Level Bitwise Branching for Temporal Verification of Lifted Binaries

There is increasing interest in applying verification tools to programs that have bitvector operations (e.g., decompiled binaries). SMT solvers, which serve as a foundation for these tools, have thus increased support for bitvector reasoning through bit-blasting and linear arithmetic approximations. In this paper we show that a similar linear arithmetic approximation of bitvector operations can be done at the source level through program transformations. Specifically, we introduce new paths that over-approximate bitvector operations with linear conditions/constraints, increasing branching but allowing us to better exploit the well-developed integer reasoning and interpolation of verification tools. We show that, for reachability of bitvector programs, the increased branching incurs negligible overhead yet, when combined with integer interpolation optimizations, enables more programs to be verified. We further show that this exploitation of integer interpolation in the common case also enables competitive termination verification of bitvector programs and leads to the first effective technique for LTL verification of bitvector programs. Finally, we provide an in-depth case study of decompiled (“lifted”) binary programs, which emulate X86 execution through frequent use of bitvector operations. We present a new tool, DarkSea, the first tool capable of verifying reachability, termination, and LTL of such lifted binaries.
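The following is an added illustration of the core idea in the abstract, written for this page; it is not the paper's transformation, nor code from DarkSea. It uses two textbook linear envelopes of my own choosing, `r <= x && r <= y` for `x & y` and `max(x, y) <= r <= x + y` for `x | y`, on unsigned 8-bit operands, so that every concrete result lies within a purely linear constraint a verifier can reason about without bit-blasting. The code first checks the soundness of those envelopes exhaustively, then plays the role of the verifier on two small assertion checks: one the linear over-approximation proves, and one where it produces a spurious counterexample, showing why an over-approximating path may need refinement. The helper names and assertion fragments are constructed for the example.

```c
#include <assert.h>
#include <stdio.h>

/* Constructed illustration, not the paper's transformation or DarkSea's code.
 * Bitwise operations on unsigned 8-bit operands are over-approximated by
 * linear (in)equalities; a verifier with integer reasoning can then follow
 * the linear constraints instead of bit-blasting. */

#define WIDTH_MAX 255u  /* 8-bit operands keep the exhaustive checks small */

/* Linear envelope for r = x & y on unsigned operands: 0 <= r <= x and r <= y. */
static int and_envelope(unsigned x, unsigned y, unsigned r) {
    return r <= x && r <= y;
}

/* Linear envelope for r = x | y: max(x, y) <= r <= x + y. */
static int or_envelope(unsigned x, unsigned y, unsigned r) {
    unsigned lo = x > y ? x : y;
    return lo <= r && r <= x + y;
}

/* Soundness check: every concrete result must lie inside its envelope.
 * Returns the number of operand pairs for which it does not (expected 0). */
int count_envelope_violations(void) {
    int violations = 0;
    for (unsigned x = 0; x <= WIDTH_MAX; x++)
        for (unsigned y = 0; y <= WIDTH_MAX; y++) {
            if (!and_envelope(x, y, x & y)) violations++;
            if (!or_envelope(x, y, x | y)) violations++;
        }
    return violations;
}

/* Original program fragment: a bitvector operation followed by an assertion.
 *     r = x & 0x0F;  assert(r < 16);
 * Transformed fragment as a verifier would see it (pseudo-C):
 *     r = nondet();  assume(r <= x && r <= 0x0F);  assert(r < 16);
 * The function below plays the verifier: it enumerates every r the linear
 * constraint admits and reports whether the assertion holds on all of them. */
int mask_property_provable(void) {
    for (unsigned x = 0; x <= WIDTH_MAX; x++)
        for (unsigned r = 0; r <= WIDTH_MAX; r++)
            if (and_envelope(x, 0x0F, r) && !(r < 16))
                return 0;  /* a constrained path violates the assertion */
    return 1;
}

/* Same treatment for  r = x | 1;  assert(r % 2 == 1);
 * The OR envelope max(x,1) <= r <= x + 1 admits even values of r, so the
 * over-approximation reports a violation even though the concrete program is
 * safe: a spurious counterexample that needs a more precise (bit-level) path. */
int parity_property_provable(void) {
    for (unsigned x = 0; x <= WIDTH_MAX; x++)
        for (unsigned r = 0; r <= WIDTH_MAX; r++)
            if (or_envelope(x, 1, r) && !(r % 2 == 1))
                return 0;
    return 1;
}

/* Concrete check that the parity property really does hold bit-precisely. */
int parity_property_concrete(void) {
    for (unsigned x = 0; x <= WIDTH_MAX; x++)
        if (((x | 1) % 2) != 1) return 0;
    return 1;
}

int main(void) {
    printf("envelope violations: %d\n", count_envelope_violations());
    printf("mask property provable from linear envelope: %d\n", mask_property_provable());
    printf("parity property provable from linear envelope: %d\n", parity_property_provable());
    printf("parity property holds concretely: %d\n", parity_property_concrete());
    return 0;
}
```

The second case is the cost of over-approximation: the linear envelope for OR loses the low bit, so the verifier cannot prove parity on that path and would have to fall back to a bit-precise path. Which operations are approximated and how the resulting branches are refined is the paper's contribution and is not reproduced here.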
