
    Meta-F*: Proof Automation with SMT, Tactics, and Metaprograms

    We introduce Meta-F*, a tactics and metaprogramming framework for the F* program verifier. The main novelty of Meta-F* is that tactics and metaprograms can be used to discharge assertions that SMT alone cannot solve, or to simplify them into well-behaved SMT fragments. Meta-F* can also be used to generate verified code automatically. Meta-F* is implemented as an F* effect; given the powerful effect system of F*, this greatly increases code reuse and even enables lightweight verification of the metaprograms themselves. Metaprograms can be either interpreted, or compiled to efficient native code that is dynamically loaded into the F* type-checker and interoperates with interpreted code. Evaluation on realistic case studies shows that Meta-F* provides substantial gains in proof development, efficiency, and robustness.
    Comment: Full version of ESOP'19 paper

    Micro-Policies: Formally Verified, Tag-Based Security Monitors

    Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Finally, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

    An Intermediate Language for Network Verification

    Computer networks have become an integral part of our daily lives, and essential infrastructure to most industries. This has led to unprecedented growth in their size and complexity. In recent years, misconfiguration-induced outages in networks have become rampant both in frequency and impact. Such misconfigurations are often found in the network's control plane, a distributed system responsible for exchanging routing information between routers. To set the routing policy, operators have to issue per-device configurations in low-level languages, while accounting for interactions with external networks, and potential device or link failures. This is a challenging task, especially for large networks, which consist of millions of lines of configuration spread across thousands of devices. To aid operators, researchers have developed a range of static analyses to establish correctness properties of networks. However, developing and maintaining such tools is an enormous undertaking due to the complexity of configuration languages and the plethora of features that networking protocols pack. Inspired by intermediate verification languages, such as Boogie and Why3, this dissertation describes the design and implementation of NV, an intermediate language for verification of networks and their configurations. NV was designed to strike a balance between expressiveness, tractability and ease of use. We show that NV is sufficiently expressive via a translation from a practical subset of real protocols (and their configurations) to NV. Furthermore, we explain how NV enabled efficient implementations (often outperforming the state of the art by an order of magnitude) of standard analyses such as network simulation and SMT-based verification. NV also facilitates the rapid development of new analyses; we present the key insights behind a new, highly scalable fault-tolerance analysis, as well as its effortless implementation as a "meta-protocol" in NV. Finally, in a similar but orthogonal approach, we present a new take on network compression, implemented on top of NV, that significantly speeds up verification of fault-tolerance properties.