Get rid of inline assembly through verification-oriented lifting
Formal methods for software development have made great strides in the last
two decades, to the point that their application in safety-critical embedded
software is an undeniable success. Their extension to non-critical software is
one of the notable forthcoming challenges. For example, C programmers regularly
use inline assembly for low-level optimizations and system primitives. This
usually results in rendering state-of-the-art formal analyzers developed for C
ineffective. We thus propose TInA, an automated, generic, trustable and
verification-oriented lifting technique turning inline assembly into
semantically equivalent C code, in order to take advantage of existing C
analyzers. Extensive experiments on real-world C code with inline assembly
(including GMP and ffmpeg) show the feasibility and benefits of TInA.
Interface Compliance of Inline Assembly: Automatically Check, Patch and Refine
Inline assembly is still a common practice in low-level C programming,
typically for efficiency reasons or for accessing specific hardware resources.
Such embedded assembly codes in the GNU syntax (supported by major compilers
such as GCC, Clang and ICC) have an interface specifying how the assembly codes
interact with the C environment. For simplicity reasons, the compiler treats
GNU inline assembly codes as blackboxes and relies only on their interface to
correctly glue them into the compiled C code. Therefore, the adequacy between
the assembly chunk and its interface (named compliance) is of primary
importance, as such compliance issues can lead to subtle and hard-to-find bugs.
We propose RUSTInA, the first automated technique for formally checking inline
assembly compliance, with the extra ability to propose (proven) patches and
(optimization) refinements in certain cases. RUSTInA is based on an original
formalization of the inline assembly compliance problem together with novel
dedicated algorithms. Our prototype has been evaluated on 202 Debian packages
with inline assembly (2656 chunks), finding 2183 issues in 85 packages -- 986
significant issues in 54 packages (including major projects such as ffmpeg or
ALSA), and proposing patches for 92% of them. Currently, 38 patches have
already been accepted (solving 156 significant issues), with positive feedback
from development teams.
Automatic verification of low-level code: C, assembly and binary
Formal methods for software development have made great strides in the last two decades, to the point that their application in safety-critical embedded software is an undeniable success. Their extension to non-critical software is one of the notable forthcoming challenges. For example, C programmers regularly use GNU style inline assembly for low-level optimizations and system primitives. This usually results in rendering state-of-the-art formal analyzers developed for C ineffective. This is particularly problematic since inline assembly is notoriously hard to write correctly: not only may the assembly chunk itself contain errors, but there is also a risk of a mismatch at the interface between C and assembly, leading to subtle and hard-to-find bugs. We propose to address the problem of verifying C programs containing inline assembly. We thus designed two techniques, named RUSTInA and TInA, based on an original formalization of inline assembly together with novel dedicated algorithms. RUSTInA is the first automated technique for formally checking inline assembly interface compliance (i.e. no mismatch between code and interface), with the extra ability to propose (proven) patches and code refinements (optimization) in certain cases. TInA is the first automated, generic, verification-friendly and trustworthy lifting technique turning inline assembly into semantically equivalent C code amenable to verification, in order to take advantage of existing C analyzers. Extensive experiments on real-world code (all assembly chunks found in the Debian Jessie packages) raised 986 significant issues in 54 packages, including 156 issues in 7 packages that were successfully reported to and addressed by the developers thanks to our automatic patch generation method, and show the feasibility of our principled assembly-to-C lifting and its benefits for state-of-the-art C analyzers.
The interpreter, the JIT and the unicorn
Symbolic execution, a popular program analysis method, struggles to scale to large code bases. Beyond the traditional problems of path explosion and solving logical predicates, some complain about the cost of interpreting the target language and consequently turn to compilation, whether static or just-in-time, to improve performance. Sceptical but no less curious, we take this as a pretext to add a bit of just-in-time compilation to the symbolic execution engine of the BINSEC platform, written in OCaml. Allow us therefore to introduce JITPSI, a small library inspired by MetaOCaml and ocaml-jit. JITPSI helps compile a sequence of function calls seamlessly to x86-64, directly from OCaml. We use JITPSI to transform BINSEC's abstract syntax tree interpreter on the fly into threaded code. Our primary aim here is to improve the solving of the licorne reverse-engineering challenge from the France CyberSecurity Challenge 2022 proposed by ANSSI; this yields a speed-up of about 40%.
Determination of the melting curve of gold up to 110 GPa
The melting curve of gold has been measured up to 110 GPa using laser-heated diamond anvil cells and synchrotron x-ray diffraction techniques. Accurate pyrometry temperature measurements and homogeneous heating of the gold sample were achieved by implementing a sample assembly consisting of two boron-doped diamond cupped disks sandwiching the gold sample. In the investigated pressure range, the fcc solid gold remains stable up to melting. A clear structural signature of bulk melting is observed. Ab initio molecular dynamics simulations within the two-phase approach give a melting curve in good agreement with the experimental one. We discuss the validity of calculations based on the Lindemann criteria of melting, which have until now been used to obtain the melting line of Au in the 100 GPa range.