Model checking boot code from AWS data centers

This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis.
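The analysis gap the abstract describes, as an added example that is neither the paper's nor CBMC's code: a C harness in the style of boot code, where the linker-script symbols bounding .bss and a memory-mapped UART are modelled by ordinary memory so a source-level checker can bound the accesses (the names, addresses and canary scheme are assumptions), alongside the off-by-one a memory-safety check of such code exists to catch.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed harness, not the paper's or CBMC's code. Boot code clears .bss
 * byte by byte between symbols the linker script defines (GNU ld scripts
 * conventionally name them __bss_start/__bss_end) and writes device registers
 * at fixed addresses. A checker that cannot read the linker script sees
 * unbounded extern symbols and invalid pointers, so a harness models both
 * with ordinary memory. All names below are assumptions. */
#define BSS_SIZE 64
#define CANARY   0x5A
static uint8_t harness_mem[BSS_SIZE + 1];   /* last byte is an overrun canary */
static uint8_t *const bss_start = harness_mem;            /* models __bss_start */
static uint8_t *const bss_end   = harness_mem + BSS_SIZE; /* models __bss_end   */

/* Modelled UART block, standing in for e.g. (volatile uart_regs_t *)0x4000C000. */
typedef struct { volatile uint32_t ctrl; volatile uint32_t status; } uart_regs_t;
static uart_regs_t harness_uart;
static uart_regs_t *const UART = &harness_uart;

/* Byte-level clear of [start, end); memset is not available this early. */
void clear_region(uint8_t *start, const uint8_t *end) {
    for (uint8_t *p = start; p < end; p++) *p = 0;
}

/* Off-by-one variant (<=): the one-byte overrun a bounded model checker
 * reports as an out-of-bounds write once it knows the region's extent. */
void clear_region_off_by_one(uint8_t *start, const uint8_t *end) {
    for (uint8_t *p = start; p <= end; p++) *p = 0;
}
int uart_enable(void) { UART->ctrl |= 1u; return (UART->ctrl & 1u) != 0; }
static void dirty_bss(void) {
    for (size_t i = 0; i < BSS_SIZE; i++) harness_mem[i] = 0xAA;
    harness_mem[BSS_SIZE] = CANARY;
}

/* 1 when .bss is zeroed, the canary is intact and the UART is enabled. */
int boot_step_ok(void) {
    dirty_bss();
    clear_region(bss_start, bss_end);
    for (size_t i = 0; i < BSS_SIZE; i++) if (harness_mem[i] != 0) return 0;
    return harness_mem[BSS_SIZE] == CANARY && uart_enable();
}

/* 1 when the buggy clear is observed to overwrite the canary. */
int boot_step_overruns(void) {
    dirty_bss();
    clear_region_off_by_one(bss_start, bss_end);
    return harness_mem[BSS_SIZE] != CANARY;
}
```

With the real linker script in place the same loops run over the actual symbols; the harness only replaces what the tool would otherwise have to extract from that script.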
