Modular Verification of Programs with Effects and Effect Handlers in Coq

Modern computing systems have grown in complexity, and their attack surface has increased accordingly. Even though system components are generally carefully designed, and even verified, by different groups of people, the composition of these components often receives less attention. This paves the way for “architectural attacks”, a class of security vulnerabilities in which the attacker is able to threaten the security of the system even though each of its components continues to behave as expected. In this article, we introduce FreeSpec, a formalism built upon the key idea that components can be modelled as programs with algebraic effects that are realized by other components. FreeSpec allows a complex system to be modelled modularly, by defining idealized components and connecting them together, and allows the properties of their composition to be verified modularly as well. In addition, we have implemented a framework for the Coq proof assistant based on FreeSpec.
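The following Coq development is an added illustration of the key idea stated above; it is not FreeSpec's own code, and every name in it (`Prog`, `Component`, `Layer`, `MemI`, `guard`, `relay`, and so on) is an assumption made here rather than an identifier from the FreeSpec framework. It models a program as a sequence of requests over an interface of effects, realizes that interface with an idealized memory component, and then connects a second component (a write guard) in front of the memory. It goes slightly beyond the abstract in that it proves a property of the composition, "protected cells are never modified", for every program placed on top of the guard, which is the kind of modular statement about a composition that the abstract describes.

```coq
(* Added illustration, not FreeSpec's own code: a program over an interface
   of effects, a component that realizes it, and a layered component whose
   policy is verified for every program it serves. All names are assumptions. *)
Require Import PeanoNat.

(* A program over interface I: either a result, or a request e : I B together
   with a continuation waiting for the answer of type B (free-monad style). *)
Inductive Prog (I : Type -> Type) (A : Type) : Type :=
| Pure : A -> Prog I A
| Request : forall (B : Type), I B -> (B -> Prog I A) -> Prog I A.
Arguments Pure {I A} _.
Arguments Request {I A B} _ _.

Fixpoint bind {I : Type -> Type} {A B : Type}
    (p : Prog I A) (f : A -> Prog I B) : Prog I B :=
  match p with
  | Pure x => f x
  | Request e k => Request e (fun r => bind (k r) f)
  end.

(* Interface of a memory component: read a cell, write a cell. *)
Inductive MemI : Type -> Type :=
| Read : nat -> MemI nat
| Write : nat -> nat -> MemI unit.

Definition read (a : nat) : Prog MemI nat := Request (Read a) Pure.
Definition write (a v : nat) : Prog MemI unit := Request (Write a v) Pure.

(* A program that copies one cell into another. *)
Definition copy (src dst : nat) : Prog MemI unit :=
  bind (read src) (fun v => write dst v).

(* A component realizing interface I with private state S: each request is
   answered and the state is updated. *)
Definition Component (I : Type -> Type) (S : Type) : Type :=
  forall A, S -> I A -> A * S.

(* Running a program against a component. *)
Fixpoint run {I : Type -> Type} {S A : Type}
    (c : Component I S) (s : S) (p : Prog I A) : A * S :=
  match p with
  | Pure x => (x, s)
  | Request e k => let '(r, s') := c _ s e in run c s' (k r)
  end.

(* An idealized memory: the state is a function from addresses to values. *)
Definition mem_state := nat -> nat.
Definition mem : Component MemI mem_state :=
  fun A s e =>
    match e in MemI R return R * mem_state with
    | Read a => (s a, s)
    | Write a v => (tt, fun a' => if Nat.eqb a a' then v else s a')
    end.

Lemma copy_correct : forall (s : mem_state) (src dst : nat),
  snd (run mem s (copy src dst)) dst = s src.
Proof.
  intros s src dst. cbn. rewrite Nat.eqb_refl. reflexivity.
Qed.

(* A component may realize interface I by issuing requests to a lower
   interface J: this is how components are connected together. *)
Definition Layer (I J : Type -> Type) : Type := forall A, I A -> Prog J A.

Fixpoint relay {I J : Type -> Type} {A : Type}
    (l : Layer I J) (p : Prog I A) : Prog J A :=
  match p with
  | Pure x => Pure x
  | Request e k => bind (l _ e) (fun r => relay l (k r))
  end.

(* A guard that silently drops writes to protected addresses and forwards
   everything else to the memory below it. *)
Definition guard (protected : nat -> bool) : Layer MemI MemI :=
  fun A e =>
    match e in MemI R return Prog MemI R with
    | Read a => Request (Read a) Pure
    | Write a v => if protected a then Pure tt else Request (Write a v) Pure
    end.

(* Property of the composition guard + mem, for every program placed on top:
   a protected cell is never modified. *)
Lemma guard_protects :
  forall (protected : nat -> bool) (A : Type) (p : Prog MemI A)
         (s : mem_state) (a : nat),
  protected a = true ->
  snd (run mem s (relay (guard protected) p)) a = s a.
Proof.
  intros protected A p.
  induction p as [x | B e k IH]; intros s a Ha; [reflexivity |].
  revert k IH. destruct e as [a' | a' v]; intros k IH; cbn.
  - (* a read changes nothing *) apply IH; assumption.
  - destruct (protected a') eqn:Hp; cbn.
    + (* the write was dropped by the guard *) apply IH; assumption.
    + (* the write reached an unprotected cell, so a' <> a *)
      rewrite IH by assumption. cbn.
      destruct (Nat.eqb_spec a' a) as [Heq | Hne].
      * subst a'. congruence.
      * reflexivity.
Qed.
```

The point of `guard_protects` is that nothing about the program `p` is assumed: the guard and the memory are verified once, and any program (including one from an untrusted source) that only reaches the memory through the guard inherits the guarantee. That is the "modular verification of the properties of their composition" from the abstract, in miniature.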
