Input, Output, and Automation in x86 Proved by Jason Gross and Andrew Kennedy

Input, Output, and Automation in x86 Proved by Jason Gross and Andrew Kennedy
Slide Note
Embed
Share

Discover the formal verification of I/O programs in x86 architecture with insights from Jason Gross and Andrew Kennedy during their work in the summer of 2014. Uncover the process of verifying I/O programs, from coming up with simple examples to proving code correctness in a loop. Explore eternal output scenarios and the echo once concept demonstrated in the x86 environment. Dive into the world of input, output, and automation in x86 architecture through a series of verified I/O program examples.

  • x86 architecture
  • formal verification
  • I/O programs
  • automation
  • Jason Gross
nory
nory Follow

Uploaded on Feb 19, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Input, Output, and Automation in x86 Proved Jason Gross Hosted by Andrew Kennedy Summer 2014 x86 Proved

  2. Verified I/O Programs Precondition When doing formal verification, come up with the simplest non-trivial example you can. Then start with something simpler. Adam Chlipala (paraphrased) Postcondition while true do skip done {true} {false} [] I/O behavior

  3. Verified I/O Programs: Trivial Loop {true} while true do skip done [] {false} Example safe_loop_while eax : basic (EAX eax OSZCP?) (while (TEST EAX, EAX) CC_O false prog_skip) [] false. Proof. basic apply (while_rule_ro (I := ? b b = false EAX? SF? ZF? CF? PF?)) //=; rewrite /stateIsAny; specintros ; basic apply . Qed.

  4. Verified I/O Programs: Trivial Loop {true} while true do skip done {false} [] I/O Spec Postcondition Precondition Code Example safe_loop_while eax : basic (EAX eax OSZCP?) (while (TEST EAX, EAX) CC_O false prog_skip) [] false. Proof. basic apply (while_rule_ro (I := ? b b = false EAX? SF? ZF? CF? PF?)) //=; rewrite /stateIsAny; specintros ; basic apply . Qed. Loop invariant

  5. Verified I/O Programs: Eternal Output {true} while true doout 1 done 1* {false} Kleene star Example loop_forever_one channel : basic ( AL?) ( MOV AL, 1;; LOCAL LOOP; LOOP:;; OUT channel, AL;; JMP LOOP) 1* false. Proof. (elided) Qed.

  6. Verified I/O Programs: Eternal Output {true} while true doout 1 done {false} 1* Example loop_forever_one channel : loopy_basic ( AL?) ( MOV AL, (#1 : DWORD);; LOCAL LOOP; LOOP:;; OUT channel, AL;; JMP LOOP) (starOP (outOP (zeroExtend n8 channel) (#1 : BYTE))) lfalse. Proof. (still elided) Qed.

  7. Verified I/O Programs: Echo Once {true} {true} v input; out v In v; Out v v, Example safe_echo_once in_channel out_channel : v, basic ( AL?) ( IN in_channel, AL;; OUT out_channel, AL) [In v; Out v] (AL v). Proof. rewrite /stateIsAny; specintros al v. basic apply . basic apply . Qed.

  8. Digression: Hoare Rule for While Standard rule from Wikipedia ? ? ? {?} do ? done ? while while ? do done ? ? The I/O doesn t get to talk about state! Desired output annotations What s ? ? ?? ? (??+ ? ?) ? ([] ?) do ? done done ? ? ? ? ? {?} ? while while ? do ?

  9. Digression: Hoare Rule for While ? ? ? {?} do ? done ? while while ? do done ? ? ? lets us negate ?, (which is code) The test of ? had value ? ? test ? { ?,? ? ?~?} ? while while ? do ? true ?~true ? {?} done ? false ?~false do ? done

  10. Digression: Hoare Rule for While Example ? while while (? > 0) do do (OUT ?;? ) done ? false ?~false done We can drop B, which is technical info about flags ? test ? { ?,? ? ?~?} ? while while ? do ? true ?~true ? {?} done ? false ?~false do ? done

  11. Digression: Hoare Rule for While Example ? while while (? > 0) do do (OUT ?;? ) done done ? false ? test ? { ?,? ?} ? while while ? do ? true ? {?} done ? false do ? done

  12. Digression: Hoare Rule for While Example true test (? > 0) { ?, ? > 0 = ?} true test (? > 0) { ?, ? > 0 = ?} ? > 0 ? > 0 OUT ?;? {true} OUT ?;? {true} true while true while while (? > 0) do while (? > 0) do do (OUT ?;? ) done do (OUT ?;? ) done done ? 0 done ? 0 ? test ? { ?,? ?} ? while while ? do ? true ? {?} done ? false do ? done

  13. Digression: Hoare Rule for While Example with output true test (? > 0) { ?, ? > 0 = ?} ? > 0 OUT ?;? {true} ? = ? while while (? > 0) do do (OUT ?;? ) done done ? 0 [?,? 1,? 2, ,1] [] ?? Worry about side conditions later ? test ? { ?,? ?} ? while while ? do ? true ? {?} done ? false do ? done ?

  14. Digression: Hoare Rule for While Example with output Uh-oh! ? > 0 OUT ?;? {? = ?} ? = ? test (? > 0) { ?, ? > 0 = ?} ? = ? while while (? > 0) do do (OUT ?;? ) done done ? 0 [?,? 1,? 2, ,1] [] ?? Worry about side conditions later ? test ? { ?,? ?} ? while while ? do ? true ? {?} done ? false do ? done ?

  15. Digression: Hoare Rule for While ? ? ? {?} do ? done ? while while ? do done ? ? Eliding ?~? for space transition function ?, ? ? true ? {? (T ?)} ?, ? ? test ? { ?,? ? ?} ?, ? ? while ?,? ? true ? (T ?) ? ? ?,? ? false ? ? while ? do do ? done done ? ?

  16. Digression: Hoare Rule for While ? ? ? {?} do ? done ? while while ? do done ? ? Can t talk about state here ?,? ? true ?? ? + ? (? ?) ? ? ?,? ? false [] ? ? ?,? ? true ? (T ?) ? ? ?,? ? false ? ? ?, ? ? while while ? do do ? done done ? ? ?, ? ? true ? {? (T ?)} ?? ? ?, ? ? test ? { ?,? ? ?} [] ? ?

  17. Digression: Hoare Rule for While ? ? ? {?} do ? done ? while while ? do done ? ? Logical part of ? ?,?? ? true ?? ? + ? (? ?) ? ? ?,?? ? false [] ? ? ?,? ? true ? (T ?) ? ? ?,? ? false ? ? ?, ? ? while while ? do do ? done done ? ? ?, ? ? true ? {? (T ?)} ?? ? ?, ? ? test ? { ?,? ? ?} [] ? ?

  18. Digression: Hoare Rule for While Example with output ?, ? > 0 ? = ? OUT ?;? {? = ? 1} ?,? > 0 OUT ? + ? (? 1) ? ? OUT ? ?,? 0 [] ? ? ?, ? = ? test (? > 0) { ?, ? > 0 = ? ? = ?} ?,? > 0 ? = ? ? 0 ? 0 ?,? 0 ? = ? ? 0 On-the-fly demo [] do (OUT ?;? ) done at the end, time and interest permitting ?, ? = ? while while (? > 0) do done ? 0 ? ? map OUT [?,? 1,? 2, ,1] ?,?? ? true ?? ? + ? (? ?) ? ? ?,?? ? false [] ? ? ?,? ? true ? (T ?) ? ? ?,? ? false ? ? ?, ? ? while while ? do do ? done done ? ? ?, ? ? true ? {? (T ?)} ?? ? ?, ? ? test ? { ?,? ? ?} [] ? ?

  19. Verified I/O Programs: Echo ?? : stream, while true do (v input; out v) done {true} {true} map (? In ?; Out ?) ?? Example safe_echo eax in_channel out_channel : vs, basic ( AL? EAX eax OSZCP?) ( while (TEST EAX, EAX) CC_O false ( IN in_channel, AL;; OUT out_channel, AL ) (stream_Opred_map (? ? [In v; Out v]) ??) lfalse. Proof. (elided; 8 lines of filling in arguments to the while rule, 9 lines of automation about specs) Qed.

  20. Verified I/O Programs: Accumulator ?? : list (non-zero BYTE), {acc=x} while ((v input) 0) do (acc = accumulate acc v) done {acc = fold accumulate x vs} map (? In ?) ?? Example addB_until_zero_prog_safe ch o s z c p S al : S ( initial (x : BYTE) (xs : seq BYTE) (pf1 : only_last (? t : BYTE t == #0) x xs), (loopy_basic (AH initial AL al OSZCP o s z c p) ( IN ch, AL;; while (CMP AL, #0) CC_Z false (ADD AH, AL;; IN ch, AL)) (foldr catOP empOP (map (inOP (zeroExtend 8 ch)) (x::xs))) ((AH (foldl addB initial (drop_last x xs))) AL #0 OF? SF? ZF true CF? PF?))). Proof. specintros . basic apply (@accumulate_until_zero_prog_safe _ (? x AH x)) ; first assumption. basic apply . Qed.

  21. Verified I/O Programs: Next Steps readline (via accumulator template) prime number printer text adventure? use memory-mapped I/O rather than IN and OUT

  22. Automation

  23. Instruction Automation: Ideal 1. Define the instruction in the model 2. State the high-level (e.g., Hoare) rule 3. Push-button verification Maybe even omit 2, if the inference is good enough. Image from https://flic.kr/p/3KYpfJ, State of Mind , tshein

  24. Instruction Automation: Reality 1. Define the instruction in the model Definition evalBinOp {n} op : BITS n BITS n ST (BITS n) := match op with | OP_XOR evalLogicalOp xorB end. Definition evalLogicalOp {n} (f : BITS n BITS n BITS n) arg1 arg2 := let result := f arg1 arg2 in do! updateFlagInProcState CF false; do! updateFlagInProcState OF false; do! updateZPS result; retn result.

  25. Instruction Automation: Reality 2. State the high-level (e.g., Hoare) rule Lemma XOR_RR_rule s (r1 r2:VReg s) v1 (v2:VWORD s): basic (VRegIs r1 v1 VRegIs r2 v2 OSZCP?) (XOR r1, r2) [] (VRegIs r1 (xorB v1 v2) VRegIs r2 v2 OSZCP false (msb (xorB v1 v2)) (xorB v1 v2 == #0) false (lsb (xorB v1 v2))).

  26. Instruction Automation: Reality 3. Push-button verification Lemma XOR_RR_rule s (r1 r2:VReg s) v1 (v2:VWORD s): basic (VRegIs r1 v1 VRegIs r2 v2 OSZCP?) (XOR r1, r2) [] (VRegIs r1 (xorB v1 v2) VRegIs r2 v2 OSZCP false (msb (xorB v1 v2)) (xorB v1 v2 == #0) false (lsb (xorB v1 v2))). Proof. destruct s; do_instrrule_triple. Qed.

  27. Instruction Automation: Old Reality 3. Push-button verification

  28. Instruction Automation: Old Reality

  29. Instruction Automation: Mechanics Lemma XOR_RR_rule s (r1 r2:VReg s) v1 (v2:VWORD s): basic (VRegIs r1 v1 VRegIs r2 v2 OSZCP?) (XOR r1, r2) [] (VRegIs r1 (xorB v1 v2) VRegIs r2 v2 OSZCP false (msb (xorB v1 v2)) (xorB v1 v2 == #0) false (lsb (xorB v1 v2))). Proof. destruct s; do_instrrule_triple. Qed. 1. Lookup 2. Application 3. Heuristics

  30. Instruction Automation: Mechanics Automated timing scripts helped ensure that the automation didn t slow things down unreasonably. Example diff After | File Name | Before || Change ------------------------------------------------------------ 17m33.61s | Total | 18m51.54s || -1m17.92s ------------------------------------------------------------ 0m35.85s | examples/mulc | 0m42.18s || -0m06.32s 0m33.42s | examples/specexamples | 0m27.19s || +0m06.23s 0m24.29s | x86/lifeimp | 0m30.41s || -0m06.12s 0m17.60s | x86/inlinealloc | 0m21.79s || -0m04.18s 0m27.75s | x86/imp | 0m31.41s || -0m03.66s 0m17.56s | x86/instrrules/mov | 0m20.79s || -0m03.23s 0m15.76s | x86/call | 0m19.29s || -0m03.52s 0m51.82s | x86/instrrules/addsub | 0m54.54s || -0m02.71s

  31. Program Automation: Ideal 1. Write a program 2. State the spec 3. Sprinkle annotations 4. Push-button verification Maybe even omit 3, if the inference is good enough. Image from https://flic.kr/p/3KYpfJ, State of Mind , tshein

  32. Program Automation: Reality Example safe_echo eax in_c out_c : vs, basic ( AL? EAX eax OSZCP?) ( while (TEST EAX, EAX) CC_O false ( IN in_c, AL;; OUT out_c, AL ) (eq_opred_stream (stream_to_in_out in_c out_c ??)) lfalse. Proof. eapply @while_rule_ind with (I_logic := ? _ b false == b) (Otest := ?_ empOP) (Obody := ? s echo_once_OP_spec in_c out_c (hd s)) (I_state := ? s _ EAX eax AL? SF? ZF? CF? PF?) (transition_body := @tl _) (O_after_test := ? s default_PointedOPred (catOP (echo_once_OP_spec in_c out_c (hd s)) (eq_opred_stream (stream_to_in_out in_c out_c (tl s))))); do ![ progress rewrite ?empOPL, ?eq_opred_stream__echo_once | specintros | done | by ssimpl | basic apply | progress simpl OPred_pred | progress move | progress rewrite /stateIsAny | reflexivity ]. Qed. specapply takes care of essentially all of the unstructured code reasoning basic apply takes care of all of the code reasoning here

  33. Program Automation: Mechanics 1. Lookup (via typeclasses) 2. Application (via helper lemmas) 3. Heuristics (for side conditions)

  34. Open Issues

  35. Open Issues: Pointy Predicates Definition basic P (c : T) (O : OPred) Q : spec := (i j : DWORD) (O' : OPred OPred), (obs O' @ (EIP j Q) obs (O + O') @ (EIP i P)) <@ (i -- j c). Definition loopy_basic P (c : T) (O : OPred) Q : spec := (i j : DWORD) (O' : PointedOPred PointedOPred), (obs O' @ (EIP j Q) obs (O + O') @ (EIP i P)) <@ (i -- j c). Image from https://flic.kr/p/ab1bwS, Spiky balls Tom Magliery

  36. Open Issues: Quantifier Location Program Definition obs (O: OPred) := mkspec (? k P (s: ProcState), (P ltrue) s o, O o runsForWithPrefixOf k s o) _ _. Can we hide the quantifiers in the I/O predicate, so that the specification for echo doesn t have to quantify over streams? Currently, both ( ?,In ?;Out ?)* and ( ?,In ?;Out ?)* say the wrong thing.

  37. Take Home Messages We can verify the I/O behavior of simple assembly programs. Putting effort into Coq automation results in tactics which are: comparable in speed to manual proofs capable of push-button verification in well- specified domains

  38. Acknowledgements Thanks to: Andrew Kennedy, my host here at MSR, and Nick Benton, who is also on this project. Georges Gonthier, for help with Coq and SSReflect Jonas Jensen, Jesper Bengtson, Gregory Malecha, and Edward Z. Yang for discussions about various aspects of I/O specifications, among other things.

  39. Thanks! Questions? Requests for verification demo?

Related


Zoho Marketing Automation Alternatives | WebMaxy

Zoho Marketing Automation Alternatives | WebMaxy

WebMaxy24
Evolution of Test Automation and Its Impact on Software Engineering

Evolution of Test Automation and Its Impact on Software Engineering

elliemai
Maximizing Efficiency and Value: Business Process Automation in the Public Sector

Maximizing Efficiency and Value: Business Process Automation in the Public Sector

iverson
Input-Output Models in Economics

Input-Output Models in Economics

thelonious
Best Home Automation in Lyttelton

Best Home Automation in Lyttelton

Karen1
John F. Kennedy: A Life Marked by Tragedy and Legacy

John F. Kennedy: A Life Marked by Tragedy and Legacy

oaks
Input and Output Devices in Computing

Input and Output Devices in Computing

esha
Income Tax in India: Gross vs Total Income

Income Tax in India: Gross vs Total Income

aditya
A Look into Adrienne Kennedy's Play: Funny House of Negro

A Look into Adrienne Kennedy's Play: Funny House of Negro

isra
Basic Input/Output Operations in Computer Organization

Basic Input/Output Operations in Computer Organization

hart
Computer System and Organization

Computer System and Organization

katniss
Kennedy and the Cold War: A Presidential Election and New Strategies

Kennedy and the Cold War: A Presidential Election and New Strategies

nami
USDA Robotic Process Automation (RPA) Assessment and Development Process

USDA Robotic Process Automation (RPA) Assessment and Development Process

cullen
Machines: Work, Forces, and Efficiency

Machines: Work, Forces, and Efficiency

idalia
The Big Party: Jason and Amanda's Story Unfold

The Big Party: Jason and Amanda's Story Unfold

kobe
Overview of Computer Input and Output Devices

Overview of Computer Input and Output Devices

brennan
x86-64 Procedures and Data Structures

x86-64 Procedures and Data Structures

ftim
Interactive Programs and Input/Output in Java

Interactive Programs and Input/Output in Java

stev_457
Input and Output in Programming: A Comprehensive Guide

Input and Output in Programming: A Comprehensive Guide

yawn_den
Input and Output Limitations in Op Amps

Input and Output Limitations in Op Amps

humz_714
SMI Suppression in x86 BIOS Management

SMI Suppression in x86 BIOS Management

paccione_j
Overview of Input-Output Accounting and Economic-Environmental Integration

Overview of Input-Output Accounting and Economic-Environmental Integration

niemeier_j

More Related Content