High-level separation logic for low-level code

Separation logic is a powerful tool for reasoning about structured, imperative programs that manipulate pointers. However, its application to unstructured, lower-level languages such as assembly language or machine code remains challenging. In this paper we describe a separation logic tailored for this purpose that we have applied to x86 machine-code programs. The logic is built from an assertion logic on machine states over which we construct a specification logic that encapsulates uses of frames and step indexing. The traditional notion of Hoare triple is not applicable directly to unstructured machine code, where code and data are mixed together and programs do not in general run to completion, so instead we adopt a continuation-passing style of specification with preconditions alone. Nevertheless, the range of primitives provided by the specification logic, which include a higher-order frame connective, a novel read-only frame connective, and a 'later' modality, support the definition of derived forms to support structured-programming-style reasoning for common cases, in which standard rules for Hoare triples are derived as lemmas. Furthermore, our encoding of scoped assembly-language labels lets us give definitions and proof rules for powerful assembly-language 'macros' such as while loops, conditionals and procedures. We have applied the framework to a model of sequential x86 machine code built entirely within the Coq proof assistant, including tactic support based on computational reflection.

[1]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[2]  Matthieu Sozeau,et al.  First-Class Type Classes , 2008, TPHOLs.

[3]  Hiroshi Nakano,et al.  A modality for recursion , 2000, Proceedings Fifteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.99CB36332).

[4]  John C. Reynolds An Introduction to Specification Logic , 1983, Logic of Programs.

[5]  Nicolas Tabareau,et al.  Compiling functional types to relational specifications for low level imperative code , 2009, TLDI '09.

[6]  R. M. Burstall,et al.  Some Techniques for Proving Correctness of Programs which Alter Data Structures , 2013 .

[7]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[8]  Zhong Shao,et al.  Certified assembly programming with embedded code pointers , 2006, POPL '06.

[9]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[10]  François Pottier Hiding Local State in Direct Style: A Higher-Order Anti-Frame Rule , 2008, 2008 23rd Annual IEEE Symposium on Logic in Computer Science.

[11]  William D. Young,et al.  A mechanically verified code generator , 1989, Journal of Automated Reasoning.

[12]  Magnus O. Myreen Verified just-in-time compiler on x86 , 2010, POPL '10.

[13]  Adam Chlipala,et al.  Mostly-automated verification of low-level programs in computational separation logic , 2011, PLDI '11.

[14]  Nick Benton Abstracting Allocation , 2006, CSL.

[15]  Nick Benton A Typed, Compositional Logic for a Stack-Based Abstract Machine , 2005, APLAS.

[16]  Erez Petrank,et al.  Automated verification of practical garbage collectors , 2009, POPL '09.

[17]  J. Strother Moore,et al.  A mechanically verified language implementation , 1989, Journal of Automated Reasoning.

[18]  Adam Chlipala,et al.  Certified Programming with Dependent Types - A Pragmatic Introduction to the Coq Proof Assistant , 2013 .

[19]  Andrew W. Appel,et al.  A very modal model of a modern, major, general type system , 2007, POPL '07.

[20]  Reynald Affeldt,et al.  Certifying assembly with formal security proofs: The case of BBS , 2012, Sci. Comput. Program..

[21]  Jonathan Aldrich,et al.  Verifying Higher-Order Imperative Programs with Higher-Order Separation Logic , 2012 .

[22]  Tarmo Uustalu,et al.  A compositional natural semantics and Hoare logic for low-level languages , 2007, Theor. Comput. Sci..

[23]  Hongseok Yang,et al.  Semantics of separation-logic typing and higher-order frame rules , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[24]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[25]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[26]  Magnus O. Myreen,et al.  Hoare Logic for Realistically Modelled Machine Code , 2007, TACAS.

[27]  A. M. Turing,et al.  Checking a large routine , 1989 .

[28]  Lars Birkedal,et al.  Fictional Separation Logic , 2012, ESOP.

[29]  Zhong Shao,et al.  Certified self-modifying code , 2007, PLDI '07.

[30]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[31]  Enrico Tassi,et al.  A Small Scale Reflection Extension for the Coq system , 2008 .

[32]  Jean-François Monin,et al.  Designing a CPU model: from a pseudo-formal document to fast code , 2011, ArXiv.

[33]  John McCarthy,et al.  Correctness of a compiler for arithmetic expressions , 1966 .

[34]  Yu Guo,et al.  A Simple Model for Certifying Assembly Programs with First-Class Function Pointers , 2011, 2011 Fifth International Conference on Theoretical Aspects of Software Engineering.

[35]  Hongseok Yang,et al.  Relational Parametricity and Separation Logic , 2008, Log. Methods Comput. Sci..

[36]  Andrew W. Appel,et al.  A Compositional Logic for Control Flow , 2006, VMCAI.

[37]  Andrew W. Appel,et al.  An indexed model of recursive types for foundational proof-carrying code , 2001, TOPL.

[38]  Hongseok Yang,et al.  Semantics of Separation-Logic Typing and Higher-Order Frame Rules , 2005, LICS.

[39]  Nick Benton Abstracting allocation : The new new thing , 2006 .

[40]  Magnus O. Myreen,et al.  A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture , 2010, ITP.

[41]  Lars Birkedal,et al.  Charge! - A Framework for Higher-Order Separation Logic in Coq , 2012, ITP.