350 research outputs found
First steps towards the certification of an ARM simulator using Compcert
The simulation of Systems-on-Chip (SoC) is nowadays a hot topic because,
beyond providing many debugging facilities, it allows the development of
dedicated software before the hardware is available. Low-consumption CPUs such
as ARM play a central role in SoC. However, the effectiveness of simulation
depends on the faithfulness of the simulator. To this effect, we propose here
to prove significant parts of such a simulator, SimSoC. Basically, on one hand,
we develop a Coq formal model of the ARM architecture while on the other hand,
we consider a version of the simulator including components written in
Compcert-C. Then we prove that the simulation of ARM operations, according to
Compcert-C formal semantics, conforms to the expected formal model of ARM. Size
issues are partly dealt with using automatic generation of significant parts of
the Coq model and of SimSoC from the official textual definition of ARM.
However, this is still a long-term project. We report here the current stage of
our efforts and discuss in particular the use of Compcert-C in this framework.Comment: First International Conference on Certified Programs and Proofs 7086
(2011
A formally verified compiler back-end
This article describes the development and formal verification (proof of
semantic preservation) of a compiler back-end from Cminor (a simple imperative
intermediate language) to PowerPC assembly code, using the Coq proof assistant
both for programming the compiler and for proving its correctness. Such a
verified compiler is useful in the context of formal methods applied to the
certification of critical software: the verification of the compiler guarantees
that the safety properties proved on the source code hold for the executable
compiled code as well
Embedded Program Annotations for WCET Analysis
We present __builtin_ais_annot(), a user-friendly, versatile way to transfer annotations (also known as flow facts) written on the source code level to the machine code level. To do so, we couple two tools often used during the development of safety-critical hard real-time systems, the formally verified C compiler CompCert and the static WCET analyzer aiT. CompCert stores the AIS annotations given via __builtin_ais_annot() in a special section of the ELF binary, which can later be extracted automatically by aiT
C์ ์ ์์ค ๊ธฐ๋ฅ๊ณผ ์ปดํ์ผ๋ฌ ์ต์ ํ ์กฐํ์ํค๊ธฐ
ํ์๋
ผ๋ฌธ (๋ฐ์ฌ)-- ์์ธ๋ํ๊ต ๋ํ์ : ๊ณต๊ณผ๋ํ ์ปดํจํฐ๊ณตํ๋ถ, 2019. 2. ํ์ถฉ๊ธธ.์ฃผ๋ฅ C ์ปดํ์ผ๋ฌ๋ค์ ํ๋ก๊ทธ๋จ์ ์ฑ๋ฅ์ ๋์ด๊ธฐ ์ํด ๊ณต๊ฒฉ์ ์ธ ์ต์ ํ๋ฅผ ์ํํ๋๋ฐ, ๊ทธ๋ฐ ์ต์ ํ๋ ์ ์์ค ๊ธฐ๋ฅ์ ์ฌ์ฉํ๋ ํ๋ก๊ทธ๋จ์ ํ๋์ ๋ฐ๊พธ๊ธฐ๋ ํ๋ค. ๋ถํํ๋ C ์ธ์ด๋ฅผ ๋์์ธํ ๋ ์ ์์ค ๊ธฐ๋ฅ๊ณผ ์ปดํ์ผ๋ฌ ์ต์ ํ๋ฅผ ์ ์ ํ๊ฒ ์กฐํ์ํค๊ฐ ๊ต์ฅํ ์ด๋ ต๋ค๋ ๊ฒ์ด ํ๊ณ์ ์
๊ณ์ ์ค๋ก ์ด๋ค. ์ ์์ค ๊ธฐ๋ฅ์ ์ํด์๋, ๊ทธ๋ฌํ ๊ธฐ๋ฅ์ด ์์คํ
ํ๋ก๊ทธ๋๋ฐ์ ์ฌ์ฉ๋๋ ํจํด์ ์ ์ง์ํด์ผ ํ๋ค. ์ปดํ์ผ๋ฌ ์ต์ ํ๋ฅผ ์ํด์๋, ์ฃผ๋ฅ ์ปดํ์ผ๋ฌ๊ฐ ์ํํ๋ ๋ณต์กํ๊ณ ๋ ํจ๊ณผ์ ์ธ ์ต์ ํ๋ฅผ ์ ์ง์ํด์ผ ํ๋ค. ๊ทธ๋ฌ๋ ์ ์์ค ๊ธฐ๋ฅ๊ณผ ์ปดํ์ผ๋ฌ ์ต์ ํ๋ฅผ ๋์์ ์ ์ง์ํ๋ ์คํ์๋ฏธ๋ ์ค๋๋ ๊น์ง ์ ์๋ ๋ฐ๊ฐ ์๋ค.
๋ณธ ๋ฐ์ฌํ์ ๋
ผ๋ฌธ์ ์์คํ
ํ๋ก๊ทธ๋๋ฐ์์ ์๊ธดํ๊ฒ ์ฌ์ฉ๋๋ ์ ์์ค ๊ธฐ๋ฅ๊ณผ ์ฃผ์ํ ์ปดํ์ผ๋ฌ ์ต์ ํ๋ฅผ ์กฐํ์ํจ๋ค. ๊ตฌ์ฒด์ ์ผ๋ก, ์ฐ๋ฆฐ ๋ค์ ์ฑ์ง์ ๋ง์กฑํ๋ ๋์จํ ๋์์ฑ, ๋ถํ ์ปดํ์ผ, ์ ์-ํฌ์ธํฐ ๋ณํ์ ์คํ์๋ฏธ๋ฅผ ์ฒ์์ผ๋ก ์ ์ํ๋ค. ์ฒซ์งธ, ๊ธฐ๋ฅ์ด ์์คํ
ํ๋ก๊ทธ๋๋ฐ์์ ์ฌ์ฉ๋๋ ํจํด๊ณผ, ๊ทธ๋ฌํ ํจํด์ ๋
ผ์ฆํ ์ ์๋ ๊ธฐ๋ฒ์ ์ง์ํ๋ค. ๋์งธ, ์ฃผ์ํ ์ปดํ์ผ๋ฌ ์ต์ ํ๋ค์ ์ง์ํ๋ค. ์ฐ๋ฆฌ๊ฐ ์ ์ํ ์คํ์๋ฏธ์ ์์ ๊ฐ์ ์ป๊ธฐ ์ํด ์ฐ๋ฆฌ๋ ๋
ผ๋ฌธ์ ์ฃผ์ ๊ฒฐ๊ณผ๋ฅผ ๋๋ถ๋ถ Coq ์ฆ๋ช
๊ธฐ ์์์ ์ฆ๋ช
ํ๊ณ , ๊ทธ ์ฆ๋ช
์ ๊ธฐ๊ณ์ ์ด๊ณ ์๋ฐํ๊ฒ ํ์ธํ๋ค.To improve the performance of C programs, mainstream compilers perform aggressive optimizations that may change the behaviors of programs that use low-level features in unidiomatic ways. Unfortunately, despite many years of research and industrial efforts, it has proven very difficult to adequately balance the conflicting criteria for low-level features and compiler optimizations in the design of the C programming language. On the one hand, C should support the common usage patterns of the low-level features in systems programming. On the other hand, C should also support the sophisticated and yet effective optimizations performed by mainstream compilers. None of the existing proposals for C semantics, however, sufficiently support low-level features and compiler optimizations at the same time.
In this dissertation, we resolve the conflict between some of the low-level features crucially used in systems programming and major compiler optimizations. Specifically, we develop the first formal semantics of relaxed-memory concurrency, separate compilation, and cast between integers and pointers that (1) supports their common usage patterns and reasoning principles for programmers, and (2) provably validates major compiler optimizations at the same time. To establish confidence in our formal semantics, we have formalized most of our key results in the Coq theorem prover, which automatically and rigorously checks the validity of the results.Abstract
Acknowledgements
Chapter I Prologue
Chapter II Relaxed-Memory Concurrency
Chapter III Separate Compilation and Linking
Chapter IV Cast between Integers and Pointers
Chapter V Epilogue
์ด๋กDocto
SEPIA: Search for Proofs Using Inferred Automata
This paper describes SEPIA, a tool for automated proof generation in Coq.
SEPIA combines model inference with interactive theorem proving. Existing proof
corpora are modelled using state-based models inferred from tactic sequences.
These can then be traversed automatically to identify proofs. The SEPIA system
is described and its performance evaluated on three Coq datasets. Our results
show that SEPIA provides a useful complement to existing automated tactics in
Coq.Comment: To appear at 25th International Conference on Automated Deductio
Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations
We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries providing complex arithmetic calculations or instantiating idealized components such as sampling operations. This certified compiler allows us to carry to executable code the security guarantees established at the high-level, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in source code.
We demonstrate the applicability of the framework by applying it to the RSA-OAEP encryption scheme, as standard- ized in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary to break the security of as- sembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it bridges the gap between computer-assisted security proofs and real-world cryptographic implementations as described by standards such as PKCS,and demonstrates the use of the CompCert certified compiler in the context of cryptographic software development.ONR -Office of Naval Research(N000141210914
Fully Composable and Adequate Verified Compilation with Direct Refinements between Open Modules (Technical Report)
Verified compilation of open modules (i.e., modules whose functionality
depends on other modules) provides a foundation for end-to-end verification of
modular programs ubiquitous in contemporary software. However, despite
intensive investigation in this topic for decades, the proposed approaches are
still difficult to use in practice as they rely on assumptions about the
internal working of compilers which make it difficult for external users to
apply the verification results. We propose an approach to verified
compositional compilation without such assumptions in the setting of verifying
compilation of heterogeneous modules written in first-order languages
supporting global memory and pointers. Our approach is based on the memory
model of CompCert and a new discovery that a Kripke relation with a notion of
memory protection can serve as a uniform and composable semantic interface for
the compiler passes. By absorbing the rely-guarantee conditions on memory
evolution for all compiler passes into this Kripke Memory Relation and by
piggybacking requirements on compiler optimizations onto it, we get
compositional correctness theorems for realistic optimizing compilers as
refinements that directly relate native semantics of open modules and that are
ignorant of intermediate compilation processes. Such direct refinements support
all the compositionality and adequacy properties essential for verified
compilation of open modules. We have applied this approach to the full
compilation chain of CompCert with its Clight source language and demonstrated
that our compiler correctness theorem is open to composition and intuitive to
use with reduced verification complexity through end-to-end verification of
non-trivial heterogeneous modules that may freely invoke each other (e.g.,
mutually recursively)
Development of a Translator from LLVM to ACL2
In our current work a library of formally verified software components is to
be created, and assembled, using the Low-Level Virtual Machine (LLVM)
intermediate form, into subsystems whose top-level assurance relies on the
assurance of the individual components. We have thus undertaken a project to
build a translator from LLVM to the applicative subset of Common Lisp accepted
by the ACL2 theorem prover. Our translator produces executable ACL2 formal
models, allowing us to both prove theorems about the translated models as well
as validate those models by testing. The resulting models can be translated and
certified without user intervention, even for code with loops, thanks to the
use of the def::ung macro which allows us to defer the question of termination.
Initial measurements of concrete execution for translated LLVM functions
indicate that performance is nearly 2.4 million LLVM instructions per second on
a typical laptop computer. In this paper we overview the translation process
and illustrate the translator's capabilities by way of a concrete example,
including both a functional correctness theorem as well as a validation test
for that example.Comment: In Proceedings ACL2 2014, arXiv:1406.123
- โฆ