A Certifying Compiler and Pointer Logic

1
A Certifying Compiler and Pointer Logic
Towards Building Trusted Software

• Zhaopeng Li
• Software Security Lab.

Department of Computer Science and
Technology, University of Science and Technology
of China October 8, 2008
2
Outline

• Motivation
• Research Goals
• Our Work
• A Certifying Compiler
• PointerC Language
• Pointer Logic
• Summary
• Future Work

3
Motivation

• Software Safety Problems
• C language
• Widely used legacy C codes
• Not easy to write a safe code with pointers
• One Solution Program Verification
• Program Annotation Proof

4
Motivation (cont.)

• Hoare Logic
• Hoare triple PCQ
• Hard to reason pointer programs
• Separation Logic
• Low-level code, or high-level code with
  restriction
• Separation Conjunction (PQ)
• Example

A Hoare-like Logic for C Language?
5
Research Goals

• Verification for C pointer programs
• Design a C-like language
• Design a logic
• Design a certifying compiler
• Generate codes with proof
• Minimize Trusted Computing Base

6
Outline

• Motivation
• Research Goals
• Our Work
• A Certifying Compiler
• PointerC Language
• Pointer Logic
• Summary
• Future Work

7
Our Certifying Compiler
Source Code Specifications
PointerC Language
Certifying Compiler
Code Compiler
Source Code Spec. Proof
Assem. Code Assem. Spec. Assem. Proof
Proof Compiler
8
Our Certifying Compiler (cont.)

• Prototype
• plcc ver1.0 (2005.5-2006.9)
• plcc ver2.0 (2006.9-2007.12)
• Improvements
• Build-in theorem prover
• Support limited pointer arithmetic
• Support more data structures
• Doubly-linked list

9
Supported Programs

• Singly-linked/doubly-linked list
• traversal/reversal
• delete/insert
• create/clear
• Binary Tree
• traversal/rotate
• delete/insert

10
Evaluation
11
PointerC Language

• PointerC
• A subset of C language with pointer type
• Memory management malloc/free
• Main Constrains
• Pointer Arithmetic is limited
• No union type
• No type cast

12
Pointer Logic

• Motivation
• PointerC typing rules with side conditions
• A logic proof system is needed
• Reason about source programs with complex pointer
  aliasing

( valid(p) )
Why not separation logic?
13
Pointer Logic (cont.)
No rule for aliasing inference!
No Rule for this kind of statement!

• Why not separation logic?

t
q
p
struct List int data struct list next
14
Basic ideas

• Precise pointer information collection
• At each program point
• Pointer classification
• Valid pointer set
• Null pointer set
• Dangling pointer set
• Equality between valid pointers

15
Specification
Pointer Information
The information is concise !
16
Specification (cont.)

• Compare with separation logic
• Access path is short
• Low-level address is used in assertion
• Addresses are used to associate different heaps

17
Expressivity

• Current Application
• Singly-linked list
• Doubly-linked list
• Binary Tree
• Graph?
• Equality between pointers is not certain
• Unable to be expressed in current pointer logic
• Not well-supported in separation logic either

18
Expressivity (cont.)

• Singly-linked list
• Flat version
• Inductive version
• Singly-linked list from separation logic
• Flat version

p,l1,l2,,ln-1 are distinct!
19
Inference Rule

• Hoare-logic-like rules
• PCQ
• Extend Hoare Logic
• Calculate pointer information Q using P

20
Memory Leak
Assignment Axiom of Hoare Logic!
No rules for this case!
Pointer Logic
Memory Leak!
p
21
Comparison with Separation Logic

• Common features
• Extension of Hoare logic
• Deal with pointer programs
• Differences
• High-level vs low-level
• Pointer logic can deal with long access paths
• Precise information vs information hiding
• Rule out memory leak via different means

22
Outline

• Motivation
• Research Goals
• Our Work
• A Certifying Compiler
• PointerC Language
• Pointer Logic
• Summary
• Future Work

23
Summary

• A Certifying Compiler
• Theorem prover for pointer logic
• Generate codes with proof
• A Pointer Logic
• Verification for PointerC pointer programs
• Hoare-logic-like rules
• Compare with separation logic

24
Future Work

• PointerC Language Extension
• More language features
• Unlimited pointer arithmetic
• Pointer Logic Extension
• Deal more data structures, such as DAG
• Pointer Logic for
• Java (static garbage detection etc.)
• Concurrent programming
• Realistic Certifying Compiler
• Verify some codes of mini-OS

25
Thanks!
Questions?