Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

Spectre and Meltdown attacks in modern microprocessors represent a new class of attacks that have been difficult to deal with. They underline vulnerabilities in hardware design that have been going unnoticed for years. This shows the weakness of the state-of-the-art verification process and design practices. These attacks are OS-independent, and they do not exploit any software vulnerabilities. Moreover, they violate all security assumptions ensured by standard security procedures, (e.g., address space isolation), and, as a result, every security mechanism built upon these guarantees. These vulnerabilities allow the attacker to retrieve leaked data without accessing the secret directly. Indeed, they make use of covert channels, which are mechanisms of hidden communication that convey sensitive information without any visible information flow between the malicious party and the victim. The root cause of this type of side-channel attacks lies within the speculative and out-of-order execution of modern high-performance microarchitectures. Since modern processors are hard to verify with standard formal verification techniques, we present a methodology that shows how to transform a realistic model of a speculative and out-of-order processor into an abstract one. Following related formal verification approaches, we simplify the model under consideration by abstraction and refinement steps. We also present an approach to formally verify the abstract model using a standard model checker. The theoretical flow, reliant on established formal verification results, is introduced and a sketch of proof is provided for soundness and correctness. Finally, we demonstrate the feasibility of our approach, by applying it on a pipelined DLX RISC-inspired processor architecture. We show preliminary experimental results to support our claim, performing Bounded Model-Checking with a state-of-the-art model checker.

Download Full-text

LLMC: Verifying High-Performance Software

Computer Aided Verification - Lecture Notes in Computer Science ◽

10.1007/978-3-030-81688-9_32 ◽

2021 ◽

pp. 690-703

Author(s):

Freark I. van der Berg

Keyword(s):

Model Checking ◽

Data Structures ◽

High Performance ◽

State Of The Art ◽

The State ◽

State Model ◽

Test Suite ◽

Model Checker ◽

Unit Tests

AbstractMulti-threaded unit tests for high-performance thread-safe data structures typically do not test all behaviour, because only a single scheduling of threads is witnessed per invocation of the unit tests. Model checking such unit tests allows to verify all interleavings of threads. These tests could be written in or compiled to LLVM IR. Existing LLVM IR model checkers like divine and Nidhugg, use an LLVM IR interpreter to determine the next state. This paper introduces llmc, a multi-core explicit-state model checker of multi-threaded LLVM IR that translates LLVM IR to LLVM IR that is executed instead of interpreted. A test suite of 24 tests, stressing data structures, shows that on average llmc clearly outperforms the state-of-the-art tools divine and Nidhugg.

Download Full-text

Memory models for the formal verification of assembler code using bounded model checking

Seventh IEEE International Symposium onObject-Oriented Real-Time Distributed Computing, 2004. Proceedings. ◽

10.1109/isorc.2004.1300338 ◽

2004 ◽

Cited By ~ 1

Author(s):

W. Ecker ◽

V. Esen ◽

T. Steininger ◽

M. Zambaldi

Keyword(s):

Model Checking ◽

Formal Verification ◽

Bounded Model Checking ◽

Memory Models ◽

Assembler Code

Download Full-text

Bounded Verification of Multi-threaded Programs via Lazy Sequentialization

ACM Transactions on Programming Languages and Systems ◽

10.1145/3478536 ◽

2022 ◽

Vol 44 (1) ◽

pp. 1-50

Author(s):

Omar Inverso ◽

Ermenegildo Tomasco ◽

Bernd Fischer ◽

Salvatore La Torre ◽

Gennaro Parlato

Keyword(s):

Program Analysis ◽

High Performance ◽

Software Verification ◽

Bounded Model Checking ◽

New Approach ◽

C Programming Language ◽

C Programming ◽

Verification Problem ◽

Practical Program ◽

Verification Techniques

Bounded verification techniques such as bounded model checking (BMC) have successfully been used for many practical program analysis problems, but concurrency still poses a challenge. Here, we describe a new approach to BMC of sequentially consistent imperative programs that use POSIX threads. We first translate the multi-threaded program into a nondeterministic sequential program that preserves reachability for all round-robin schedules with a given bound on the number of rounds. We then reuse existing high-performance BMC tools as backends for the sequential verification problem. Our translation is carefully designed to introduce very small memory overheads and very few sources of nondeterminism, so it produces tight SAT/SMT formulae, and is thus very effective in practice: Our Lazy-CSeq tool implementing this translation for the C programming language won several gold and silver medals in the concurrency category of the Software Verification Competitions (SV-COMP) 2014–2021 and was able to find errors in programs where all other techniques (including testing) failed. In this article, we give a detailed description of our translation and prove its correctness, sketch its implementation using the CSeq framework, and report on a detailed evaluation and comparison of our approach.

Download Full-text

SUPPORTING FORMAL VERIFICATION OF DIMA MULTI-AGENTS MODELS: TOWARDS A FRAMEWORK BASED ON MAUDE MODEL CHECKING

International Journal of Software Engineering and Knowledge Engineering ◽

10.1142/s021819400800391x ◽

2008 ◽

Vol 18 (07) ◽

pp. 853-875 ◽

Cited By ~ 5

Author(s):

NOURA BOUDIAF ◽

FARID MOKHATI ◽

MOURAD BADRI

Keyword(s):

Model Checking ◽

Development Process ◽

Formal Semantics ◽

Concurrent Systems ◽

Model Checker ◽

Rewriting Logic ◽

Generic Framework ◽

Systems Quality ◽

Verification Techniques ◽

Multi Agents

Model Checking based verification techniques represent an important issue in the field of concurrent systems quality assurance. The lack of formal semantics in the existing formalisms describing multi-agents models combined with multi-agents systems complexity are sources of several problems during their development process. The Maude language, based on rewriting logic, offers a rich notation supporting formal specification and implementation of concurrent systems. In addition to its modeling capacity, the Maude environment integrates a Model Checker based on Linear Temporal Logic (LTL) for distributed systems verification. In this paper, we present a formal and generic framework (DIMA-Maude) supporting formal description and verification of DIMA multi-agents models.

Download Full-text

Efficient Bounded Model Checking for LTL

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.380-384.1239 ◽

2013 ◽

Vol 380-384 ◽

pp. 1239-1242

Author(s):

Rui Wang ◽

Xian Jin Fu

Keyword(s):

Model Checking ◽

Efficient Method ◽

Bounded Model Checking ◽

Specification Languages ◽

Model Checker ◽

System Designs

Bounded Model Checking is an efficient method of finding bugs in system designs. LTL is one of the most frequently used specification languages in model checking. In this paper, We present an linearization encoding for LTL bounded model checking. We use the incremental SAT technology to solve the BMC problem. We implement the new encoding in NuSMV model checker.

Download Full-text

Dartagnan: Leveraging Compiler Optimizations and the Price of Precision (Competition Contribution)

Tools and Algorithms for the Construction and Analysis of Systems - Lecture Notes in Computer Science ◽

10.1007/978-3-030-72013-1_26 ◽

2021 ◽

pp. 428-432

Author(s):

Hernán Ponce-de-León ◽

Thomas Haas ◽

Roland Meyer

Keyword(s):

Model Checking ◽

Bounded Model Checking ◽

Model Checker ◽

Compiler Optimizations ◽

Sequential Programs ◽

Input Program ◽

Order Of Magnitude ◽

Speed Up ◽

First Time ◽

Bitwise Operations

AbstractWe describe the new features of the bounded model checker Dartagnan for SV-COMP ’21. We participate, for the first time, in the ReachSafety category on the verification of sequential programs. In some of these verification tasks, bugs only show up after many loop iterations, which is a challenge for bounded model checking. We address the challenge by simplifying the structure of the input program while preserving its semantics. For simplification, we leverage common compiler optimizations, which we get for free by using LLVM. Yet, there is a price to pay. Compiler optimizations may introduce bitwise operations, which require bit-precise reasoning. We evaluated an SMT encoding based on the theory of integers + bit conversions against one based on the theory of bit-vectors and found that the latter yields better performance. Compared to the unoptimized version of Dartagnan, the combination of compiler optimizations and bit-vectors yields a speed-up of an order of magnitude on average.

Download Full-text

Formal Verification of Heuristic Autonomous Intersection Management Using Statistical Model Checking

Sensors ◽

10.3390/s20164506 ◽

2020 ◽

Vol 20 (16) ◽

pp. 4506

Author(s):

Aaditya Prakash Chouhan ◽

Gourinath Banda

Keyword(s):

Model Checking ◽

Statistical Model ◽

Formal Verification ◽

Autonomous Vehicles ◽

Timed Automata ◽

Autonomous Systems ◽

Statistical Model Checking ◽

Stage Of Development ◽

Verification Techniques ◽

Intersection Management

Autonomous vehicles are gaining popularity throughout the world among researchers and consumers. However, their popularity has not yet reached the level where it is widely accepted as a fully developed technology as a large portion of the consumer base feels skeptical about it. Proving the correctness of this technology will help in establishing faith in it. That is easier said than done because of the fact that the formal verification techniques has not attained the level of development and application that it is ought to. In this work, we present Statistical Model Checking (SMC) as a possible solution for verifying the safety of autonomous systems and algorithms. We apply it on Heuristic Autonomous Intersection Management (HAIM) algorithm. The presented verification routine can be adopted for other conflict point based autonomous intersection management algorithms as well. Along with verifying the HAIM, we also demonstrate the modeling and verification applied at each stage of development to verify the inherent behavior of the algorithm. The HAIM scheme is formally modeled using a variant of the language of Timed Automata. The model consists of automata that encode the behavior of vehicles, intersection manager (IM) and collision checkers. To verify the complete nature of the heuristic and ensure correct modeling of the system, we model it in layers and verify each layer separately for their expected behavior. Along with that, we perform implementation verification and error injection testing to ensure faithful modeling of the system. Results show with high confidence the freedom from collisions of the intersection controlled by the HAIM algorithm.

Download Full-text

Comparison of Model Checking Tools

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.659.181 ◽

2013 ◽

Vol 659 ◽

pp. 181-185

Author(s):

Wei Gong ◽

Jun Wei Jia

Keyword(s):

Model Checking ◽

Software Verification ◽

Bounded Model Checking ◽

Hardware Verification ◽

Model Checker ◽

Software And Hardware ◽

Inherent Part

Model Checking is a method for verification. The model will be checked until the specification of it is proved or disproved. With the rising complexity of big models, there are non-checkable cases, in which cases the problem can be analyzed by some models, for example, bounded Model Checking means to analyze the model until a defined time or depth. The verification happens automatically. The programs for doing this are called Model Checking Tools or Model Checker. Model Checking are used in both software and hardware verification. It is an inherent part of hardware verification, whereas it is less used in the software verification.

Download Full-text

Formal Verification of Software Designs in Hierarchical State Transition Matrix with SMT-based Bounded Model Checking

2011 18th Asia-Pacific Software Engineering Conference ◽

10.1109/apsec.2011.17 ◽

2011 ◽

Cited By ~ 7

Author(s):

Weiqiang Kong ◽

Noriyuki Katahira ◽

Masahiko Watanabe ◽

Tetsuro Katayama ◽

Kenji Hisazumi ◽

...

Keyword(s):

Model Checking ◽

Formal Verification ◽

Transition Matrix ◽

State Transition ◽

Bounded Model Checking ◽

State Transition Matrix

Download Full-text

Bounded Model Checking of ETL Cooperating with Finite and Looping Automata Connectives

Journal of Applied Mathematics ◽

10.1155/2013/462532 ◽

2013 ◽

Vol 2013 ◽

pp. 1-12 ◽

Cited By ~ 2

Author(s):

Rui Wang ◽

Wanwei Liu ◽

Tun Li ◽

Xiaoguang Mao ◽

Ji Wang

Keyword(s):

Model Checking ◽

Temporal Logic ◽

Bounded Model Checking ◽

Symbolic Model Checking ◽

Model Checker ◽

Symbolic Model ◽

Complementary Technique

As a complementary technique of the BDD-based approach, bounded model checking (BMC) has been successfully applied to LTL symbolic model checking. However, the expressiveness of LTL is rather limited, and some important properties cannot be captured by such logic. In this paper, we present a semantic BMC encoding approach to deal with the mixture ofETLfandETLl. Since such kind of temporal logic involves both finite and looping automata as connectives, all regular properties can be succinctly specified with it. The presented algorithm is integrated into the model checker ENuSMV, and the approach is evaluated via conducting a series of imperial experiments.

Download Full-text