The HACMS program: using formal methods to eliminate exploitable bugs

For decades, formal methods have offered the promise of verified software that does not have exploitable bugs. Until recently, however, it had not been possible to verify software of sufficient complexity to be useful. That situation has now changed. seL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. Its designers proved it to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and guaranteeing integrity and confidentiality. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler. A number of factors have enabled this revolution, including faster processors, increased automation, more extensive infrastructure, specialized logics and the decision to co-develop code and correctness proofs rather than verify existing artefacts. In this paper, we explore the promise and limitations of current formal-methods techniques. We discuss these issues in the context of DARPA’s HACMS program, which had as its goal the creation of high-assurance software for vehicles, including quadcopters, helicopters and automobiles. This article is part of the themed issue ‘Verified trustworthy software systems’.
