Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Peter T. Breuer, University of Birmingham, UK
Jonathan P. Bowen, London South Bank University, UK
Little and Large Problem
● Small arithmetic unit, embedded processor
– 40 bit arithmetic
● Large memory unit
– 64 bit addressing
● What do we do with the extra wires?
Hardware Aliasing
● What happens to the extra wires?
– depends on the hardware
● 4 + 0xfffffffffffffffc = 0x0000000000000000 or 0xfffff00000000000 ?
● Both mean 0
– If arithmetic is used to calculate address 0
● Sometimes get the 0 you want
● Sometimes not!
Also happens in KPU
● A KPU is an encrypted processor
– Instead of 4 - 4 = 0
– Does 99900 - 99900 = 78763298
● Homomorphism conditions on encrypted arithmetic guarantee correct behaviour
– Real encryption is always 1-many
● The encoding of 0 is 9896861
● 99900 - 99900 = 78763298 ≠ 9896861
● Another encoding of 0 is 78763298
– Encrypted arithmetic gives different result
● Depending on how you do the calculation
Problem
● How to check a program is safe from hardware aliasing
● Where `hardware aliasing' means that arithmetic on addresses does not always give the same result.
– Trust only exactly the same calculation
– Because 4 - 4 != 0
– It's `equivalent' to 0, not identical!
Can imagine in both cases ...
● Values have invisible extra bits
● 42.1101101
● Represent different encodings of '42'
● Arithmetic ignores but mutates the extra bits
● 42.1101101 + 42.1100001 = 84.0110110
● Memory unit is sensitive to invisible extra bits
● Can't see just '42'.
● Needs loving care from programmer
How to deal with hardware aliasing
● Left program returns a different alias of SP to the caller
Bad (left):
  Subroutine foo:
    SP -= 32 # 8 local vars
    …code ...
    SP += 32 # destroy frame
    return
Good (right):
  Subroutine foo:
    GP = SP
    SP -= 32
    …code ...
    SP = GP
    return
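The invisible-extra-bits picture of the previous slides, run as an added example (not the authors' code): a toy 40-bit ALU in front of a 64-bit memory unit, with the bad and good versions of foo executed against it. The ALU model (only the first operand's upper 24 bits reach the result, plus the carry out of bit 39), the memory unit that keys cells by all 64 wires, and the starting stack pointer SP0 are assumptions constructed for this example; the page says only that the behaviour "depends on the hardware".

```python
"""Toy model of hardware aliasing: a 40-bit arithmetic unit in front of a
64-bit memory unit.  Added illustration, not code from the talk.

Constructed assumption about the 'extra wires': only the first operand
port of the adder is 64 bits wide.  The adder sums the low 40 bits of both
operands; the upper 24 bits of the result are the upper 24 bits of the
first operand plus the carry out of bit 39.  The second operand's upper
bits are ignored entirely.  So the ALU 'ignores but mutates' the extra
bits, and which operand goes first changes the alias you get back.
"""

ALU_BITS = 40
WORD_BITS = 64
ALU_MASK = (1 << ALU_BITS) - 1
HIGH_MASK = (1 << (WORD_BITS - ALU_BITS)) - 1
WORD_MASK = (1 << WORD_BITS) - 1


def alu_add(a: int, b: int) -> int:
    """64-bit word in, 64-bit word out, computed by the 40-bit adder."""
    low = (a & ALU_MASK) + (b & ALU_MASK)
    carry = low >> ALU_BITS                        # carry out of bit 39
    high = ((a >> ALU_BITS) + carry) & HIGH_MASK   # extra wires: operand a's, plus carry
    return (high << ALU_BITS) | (low & ALU_MASK)


def alu_sub(a: int, n: int) -> int:
    """a - n, done the way a RISC core does it: add the two's complement."""
    return alu_add(a, (-n) & WORD_MASK)


def same_meaning(a: int, b: int) -> bool:
    """The arithmetic unit's view of equality: only the visible 40 bits count."""
    return (a & ALU_MASK) == (b & ALU_MASK)


def same_cell(a: int, b: int) -> bool:
    """The memory unit's view: all 64 wires must match to hit the same cell."""
    return a == b


class Memory:
    """Memory unit sensitive to the invisible bits: cells are keyed by the
    full 64-bit address, so two aliases of one address never meet."""

    def __init__(self):
        self.cells = {}

    def store(self, addr: int, value):
        self.cells[addr] = value

    def load(self, addr: int):
        return self.cells.get(addr)   # None if this exact alias was never written


def bad_foo(sp: int, mem: Memory) -> int:
    """Left program from the slide: frame destroyed by arithmetic on SP."""
    sp = alu_sub(sp, 32)                  # SP -= 32  (8 local vars)
    mem.store(alu_add(sp, 8), "local")    # ... code ...
    sp = alu_add(sp, 32)                  # SP += 32  destroy frame
    return sp                             # caller gets back some alias of SP


def good_foo(sp: int, mem: Memory) -> int:
    """Right program: SP restored from a plain register copy (GP = SP ... SP = GP)."""
    gp = sp                               # GP = SP  (register move, no arithmetic)
    sp = alu_sub(sp, 32)                  # SP -= 32
    mem.store(alu_add(sp, 8), "local")    # ... code ...
    sp = gp                               # SP = GP
    return sp


def caller_survives(foo, sp: int) -> bool:
    """Caller stores at sp+16, calls foo, then loads at the sp it got back
    using exactly the same calculation.  True only if the load finds the
    cell the caller wrote, i.e. foo handed back the identical SP."""
    mem = Memory()
    mem.store(alu_add(sp, 16), "caller-arg")
    sp_after = foo(sp, mem)
    return mem.load(alu_add(sp_after, 16)) == "caller-arg"


SP0 = 0x7FFF_0000_0000_1000   # constructed starting stack pointer

if __name__ == "__main__":
    print(hex(alu_add(4, 0xFFFF_FFFF_FFFF_FFFC)), hex(alu_add(0xFFFF_FFFF_FFFF_FFFC, 4)))
    print("bad_foo caller survives:", caller_survives(bad_foo, SP0))
    print("good_foo caller survives:", caller_survives(good_foo, SP0))
```

Under this model 4 + 0xfffffffffffffffc gives 0 in one operand order and a non-zero alias of 0 in the other, and bad_foo hands its caller an SP that the ALU considers equal to the original but the memory unit does not; good_foo returns the identical word because a register copy involves no arithmetic.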
Regard machine code as compiled from Stack Machine control language
● Good code:
cspt GP # copy stack pointer to GP
push 32 # make 32B space on stack
…
rspf GP # restore stack pointer from GP
return
What makes that SM code safe?
● No access outside the current frame
– The stack access commands are
● get 10 gp # 10th stack cell contents ..
● put 10 gp # .. transferred to/from reg gp
– Safe if all access offsets lie in the current frame's range
● Only one way to access stack content ..
● By offset from current stack pointer
– Can only make new frame, not shift sp
● push 32
– Can only return sp to value saved earlier
● cspt gp … rspf gp
Heap access
● Deal with that later!
– Look for array and string treatment in text
Verifying SM code
● Means verifying that all stack accesses are within the current frame boundary
● That's so easy! Check n in 'get n r'.
● But we have machine code, not SM code!
Machine code looks like this
● Machine code:
  mov gp sp        # cspt gp
  addi sp sp -32   # push 32
  …
  mov sp gp        # rspf gp
  jr ra            # return
● Is it compiled from safe SM code?
To prove m/c safe
● Apply Hoare-like rules of reasoning
– Whose names are the SM code that the m/c is supposed to be compiled from
● Requires a human being to choose the rule
– Or an automaton to search the solution space
– Either way, it's deduction-guided disassembly
Example
● Think about a 32B current frame
  { sp=c32!10; (10)=x }
  ld gp 10(sp)           [get 10 gp]
  { sp=c32!10; (10)=gp=x }
● 'c32!10' means pointer to 32B
– Already written at offset 10
● (10)=x means stack cell 10 has an x-thing
● Machine code is 'ld gp 10(sp)'
– Load reg gp from offset 10 from stack ptr
● Name of the rule is 'get 10 gp'
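A toy checker for the deduction-guided disassembly of the last few slides, added here as an example; it is not the authors' tool and does not implement their Milner-style typing, only a forward walk over the frame state. The rule table (cspt/push/get/put/rspf/return matched against the mov/addi/ld/sd/jr syntax the slides use), the rejection of any other instruction that touches sp, the "read before written" check derived from the !k part of the c32!k type, and the three sample programs are assumptions made for this example.

```python
"""Toy stack-machine (SM) rule checker over RISC machine code.  Added
illustration, not the authors' tool: the rule set, the instruction syntax
(mov/addi/ld/sd/jr as written on the slides) and the sample programs are
assumptions made for this example.  It is a forward check over frame
state rather than the Milner-style type inference the talk describes.

Each instruction is matched against the SM command it could have been
compiled from; the command name is the disassembly.  Anything the SM
language cannot express is rejected: sp changed other than by push or
rspf, rspf from a register that holds no cspt copy, or a get/put whose
offset is outside the current frame.  A get of a cell not yet written
in this frame is rejected too (the '!k' part of the type c32!k).
"""
import re
from dataclasses import dataclass, field


class UnsafeCode(Exception):
    """Raised with the offending instruction and the reason."""


@dataclass
class Frame:
    size: int                                     # c<size>: bytes in current frame
    written: set = field(default_factory=set)     # offsets stored so far (the !k's)
    saved_sp: dict = field(default_factory=dict)  # reg -> (size, written) at cspt


RULES = [
    (re.compile(r"^mov (?!sp\b)(\w+) sp$"), "cspt"),
    (re.compile(r"^addi sp sp -(\d+)$"), "push"),
    (re.compile(r"^ld (\w+) (-?\d+)\(sp\)$"), "get"),
    (re.compile(r"^sd (\w+) (-?\d+)\(sp\)$"), "put"),
    (re.compile(r"^mov sp (\w+)$"), "rspf"),
    (re.compile(r"^jr ra$"), "return"),
]


def step(fr: Frame, insn: str) -> str:
    """Apply the one SM rule that fits insn, update fr, return the SM code."""
    insn = " ".join(insn.split())
    for pat, rule in RULES:
        m = pat.match(insn)
        if not m:
            continue
        if rule == "cspt":
            reg = m.group(1)
            fr.saved_sp[reg] = (fr.size, frozenset(fr.written))
            return f"cspt {reg}"
        if rule == "push":
            n = int(m.group(1))
            fr.size, fr.written = n, set()       # new frame, nothing written yet
            return f"push {n}"                   # cspt copies still name the old frame
        if rule in ("get", "put"):
            reg, k = m.group(1), int(m.group(2))
            if not 0 <= k < fr.size:
                raise UnsafeCode(f"{insn}: offset {k} outside current {fr.size}B frame")
            if rule == "put":
                fr.written.add(k)
                return f"put {k} {reg}"
            if k not in fr.written:
                raise UnsafeCode(f"{insn}: cell {k} read before it is written")
            fr.saved_sp.pop(reg, None)           # reg no longer holds a copy of sp
            return f"get {k} {reg}"
        if rule == "rspf":
            reg = m.group(1)
            if reg not in fr.saved_sp:
                raise UnsafeCode(f"{insn}: {reg} holds no copy of sp saved by cspt")
            fr.size, written = fr.saved_sp[reg]
            fr.written = set(written)
            return f"rspf {reg}"
        return "return"
    # No SM rule fits.  Such an instruction is tolerated only if it never
    # touches sp: sp may not be shifted, and no other alias of it may be made.
    parts = insn.split()
    if "sp" in parts[1:]:
        raise UnsafeCode(f"{insn}: sp may only be used via push, rspf, get or put")
    if len(parts) > 1:
        fr.saved_sp.pop(parts[1], None)          # destination register clobbered
    return f"other: {insn}"


def certify(program, frame_size=0, written=()):
    """Disassemble program into SM code, raising UnsafeCode if some
    instruction has no safe rule.  frame_size/written describe the frame
    on entry, e.g. the slide's c32!10 is frame_size=32, written=(10,)."""
    fr = Frame(frame_size, set(written))
    return [step(fr, insn) for insn in program]


def is_safe(program):
    try:
        certify(program)
        return True, "certified hardware-alias safe"
    except UnsafeCode as e:
        return False, str(e)


# Constructed sample programs: the slide's good routine with its '...' filled
# in, and two variants the SM rules must reject.
GOOD = ["mov gp sp", "addi sp sp -32", "sd t0 8(sp)", "ld t1 8(sp)", "mov sp gp", "jr ra"]
BAD_ARITH = ["addi sp sp -32", "sd t0 8(sp)", "addi sp sp 32", "jr ra"]   # shifts sp back
BAD_OFFSET = ["mov gp sp", "addi sp sp -32", "ld t1 40(sp)", "mov sp gp", "jr ra"]

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("BAD_ARITH", BAD_ARITH), ("BAD_OFFSET", BAD_OFFSET)]:
        print(name, is_safe(prog))
    print(certify(["ld gp 10(sp)"], frame_size=32, written=(10,)))
```

The slide's own triple is reproduced by certify(["ld gp 10(sp)"], frame_size=32, written=(10,)), which names the rule get 10 gp; the good routine disassembles to the cspt/push/put/get/rspf/return sequence, while the arithmetic-restore variant and the out-of-frame load are each refused at the offending instruction.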
Types
● Logic is based on stack machine model
– manipulates types in register/stack/heap
● C32
– pointer to stack frame of size 32
– Only access by bounded offset from ptr
● U10
– array of size 10 on heap
– Can only access by offset from fixed base
● C1
– string accessed in increments of 1
– String is like a stack of frames size 1
– Stepping up `pops one off the stack'
– Access within `current frame' only
Typing
● Milner typing
– Assign type variables to every register and stack position within current frame
– Calculate effect of instructions
– Ambiguous modulo assignment of rule
● Equals disassembly of instruction
● Proved – soundness
– Assigned types say what really happens
Other Proved Things
● Termination
– Milner algorithm terminates
– With a typing, if one exists, errors if not
● Uniqueness
– The type found is unique most general
● For a given annotation
● There are at most 32 valid annotations
– Differ in position of stack pointer register
Conclusion
1. Disassemble machine code
  • Human activity
2. Apply Milner typing
  • Includes stack machine bounds verification
  • Automated activity
3. Certify m/c as hardware alias safe
  ● Steps 1 & 2 can be mixed/simultaneous
  ● Inference-guided disassembly
4. Apply to assembler in Linux kernel
