3 Certifying RISC Machine Code Safe from Aliasing

Computer Aided Verification, 2010

This paper discusses the obstacles that stand in the way of doing a good job of machine-code analysis. Compared with analysis of source code, the challenge is to drop all assumptions about having certain kinds of information available (variables, control-flow graph, callgraph, etc.) and also to address new kinds of behaviors (arithmetic on addresses, jumps to "hidden" instructions starting at positions that are out of registration with the instruction boundaries of a given reading of an instruction stream, self-modifying code, etc.). The paper describes some of the challenges that arise when analyzing machine code, and what can be done about them. It also provides a rationale for some of the design decisions made in the machine-codeanalysis tools that we have built over the past few years.

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, 2020

This paper provides the first analysis on the feasibility of Return-Oriented programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, using several Linear Code Sequences And Jumps (LCSAJ), undetected by current Galileo-based ROP gadget searching tools. We argue that this class of gadgets is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional mitigation like DEP, ASLR, stack canaries, G-Free and some compiler-based backward-edge CFI, by jumping over any guard inserted by a compiler to protect indirect jump instructions. We provide examples of such gadgets, as well as a proof-ofconcept ROP chain, using C code injection to leverage a privilege escalation attack on two standard Linux operating systems. Additionally, we discuss some of the required mitigations to prevent such attacks and provide a new ROP gadget finder algorithm that handles this new class of gadgets. CCS CONCEPTS • Security and privacy → Embedded systems security; Malware and its mitigation; Operating systems security.

Lecture Notes in Computer Science, 2004

In this paper we investigate the existence of a deductive veri cation method based on a logic that describes pointer aliasing. The main idea of such a method is that the user has to annotate the program with loop invariants, pre-and post-conditions. The annotations are then automatically checked for validity by propagating weakest preconditions and verifying a number of induced implications. Such a method requires an underlying logic which is decidable and has a sound and complete weakest precondition calculus. We start by presenting a powerful logic (wAL) which can describe the shapes of most recursively de ned data structures (lists, trees, etc.) has a complete weakest precondition calculus but is undecidable. Next, we identify a decidable subset (pAL) for which we show closure under the weakest precondition operators. In the latter logic one loses the ability of describing unbounded heap structures, yet bounded structures can be characterized up to isomorphism. For this logic two sound and complete proof systems are given, one based on natural deduction, and another based on the e ective method of analytic tableaux. The two logics presented in this paper can be seen as extreme values in a framework which attempts to reconcile the naturally oposite goals of expressiveness and decidability.

2008

It is well known that the use of points-to information can substantially improve the accuracy of a static program analysis. Commonly used algorithms for computing points-to information are known to be sound only for memory-safe programs. Thus, it appears problematic to utilize points-to information to verify the memory safety property without giving up soundness. We show that a sound combination is possible, even if the points-to information is computed separately and only conditionally sound.

ArXiv, 2020

Today's microprocessors have grown significantly in complexity and functionality. Most of today's processors provide at least three levels of memory hierarchy, are heavily pipelined, and support some sort of cache coherency protocol. These features are extremely complex and sophisticated, and present their own set of unique verification challenges. Verification is clearly not a point tool, but is part of a process that starts from initial product conception and is to some degrees complete when the product goes to market. Functional verification is necessary to verify the functionality at RTL level. Complex micro-processors like ARM are high performance, low cost and low power 32-bit RISC processors. In our paper complex microprocessor is ARM cortex M3, developed for the embedded applications having low interrupt latency, low gate count, 3- stage pipelining, branch prediction, THUMB and THUMB-2 instruction set. Functional verification is used to verify that the circuit full f...

arXiv (Cornell University), 2019

Hardware aliasing occurs when the same logical address sporadically accesses different physical memory locations and is a problem encountered by systems programmers (the opposite, software aliasing, when different addresses access the same location, is more familiar to application programmers). This paper shows how to compile so code works in the presence of hidden deterministic hardware aliasing. That means that a copy of an address always accesses the same location, and recalculating it exactly the same way also always gives the same access, but otherwise access appears arbitrary and unpredictable. The technique is extended to cover the emerging technology of encrypted computing too.

ArXiv, 2019

Hardware aliasing occurs when the same logical address can access different physical memory locations. This is a problem for software on some embedded systems and more generally when hardware becomes faulty in irretrievable locations, such as on a Mars Lander. We show how to work around the hardware problem with software logic, compiling code so it works on any platform with hardware aliasing with hidden determinism. That is: (i) a copy of an address accesses the same location, and (ii) repeating an address calculation exactly will repeat the same access again. Stuck bits can mean that even adding zero to an address can make a difference in that environment so nothing but a systematic approach has a chance of working. The technique is extended to generate aliasing as well as compensate for it, in so-called chaotic compilation, and a sketch proof is included to show it may produce object code that is secure against discovery of the programmer's intention. A prototype compiler imp...

Lecture Notes in Computer Science, 2003

We consider the machine-supported verification of a code generator computing machine code from WHILE-programs, i.e. abstract syntax trees which may be obtained by a parser from programs of an imperative programming language. We motivate the representation of states developed for the verification, which is crucial for success, as the interpretation of tree-structured WHILE-programs differs significantly in its operation from the interpretation of the linear machine code. This work has been developed for a course to demonstrate to the students the support gained by computer-aided verification in a central subject of computer science, boiled down to the classroom-level. We report about the insights obtained into the properties of machine code as well as the challenges and efforts encountered when verifying the correctness of the code generator. We also illustrate the performance of the eriFunsystem that was used for this work.

A KPU (`General Purpose Crypto-Processor') is a replacement for a standard CPU that natively runs encrypted machine code on encrypted data in registers and memory. Program addresses are not encrypted in a KPU, so a mix of encrypted and unencrypted data flows through the processor, and it is essential for correct functioning that those machine instructions that work on encrypted data get encrypted data at run-time, while those that work on unencrypted data get unencrypted data. That is `crypto-safety', and this paper treats the problem of checking a compiled RISC machine code, via static typing, to see if it is crypto-safe for a KPU.

The incorrect use of pointers is one of the most common source of bugs. As a consequence, any kind of static code checking capable of detecting potential bugs at compile time is welcome. This paper presents a static analysis for the detection of incorrect accesses to memory dereferences of invalid pointers. A pointer may b e i n valid because it has not been initialised or because it refers to a memory location which has been deallocated. The analyser is derived from an axiomatisation of alias and connectivity properties which i s s h o wn to be sound with respect to the natural semantics of the language. It deals with dynamically allocated data structures and it is accurate enough to handle circular structures.