LMS-Verify: abstraction without regret for verified systems programming

Nada Amin, Tiark Rompf
{"title":"LMS-Verify: abstraction without regret for verified systems programming","authors":"Nada Amin, Tiark Rompf","doi":"10.1145/3009837.3009867","DOIUrl":null,"url":null,"abstract":"Performance critical software is almost always developed in C, as programmers do not trust high-level languages to deliver the same reliable performance. This is bad because low-level code in unsafe languages attracts security vulnerabilities and because development is far less productive, with PL advances mostly lost on programmers operating under tight performance constraints. High-level languages provide memory safety out of the box, but they are deemed too slow and unpredictable for serious system software. Recent years have seen a surge in staging and generative programming: the key idea is to use high-level languages and their abstraction power as glorified macro systems to compose code fragments in first-order, potentially domain-specific, intermediate languages, from which fast C can be emitted. But what about security? Since the end result is still C code, the safety guarantees of the high-level host language are lost. In this paper, we extend this generative approach to emit ACSL specifications along with C code. We demonstrate that staging achieves ``abstraction without regret'' for verification: we show how high-level programming models, in particular higher-order composable contracts from dynamic languages, can be used at generation time to compose and generate first-order specifications that can be statically checked by existing tools. We also show how type classes can automatically attach invariants to data types, reducing the need for repetitive manual annotations. We evaluate our system on several case studies that varyingly exercise verification of memory safety, overflow safety, and functional correctness. We feature an HTTP parser that is (1) fast (2) high-level: implemented using staged parser combinators (3) secure: with verified memory safety. This result is significant, as input parsing is a key attack vector, and vulnerabilities related to HTTP parsing have been documented in all widely-used web servers.","PeriodicalId":20657,"journal":{"name":"Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages","volume":"10 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2017-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"17","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3009837.3009867","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 17

Abstract

Performance critical software is almost always developed in C, as programmers do not trust high-level languages to deliver the same reliable performance. This is bad because low-level code in unsafe languages attracts security vulnerabilities and because development is far less productive, with PL advances mostly lost on programmers operating under tight performance constraints. High-level languages provide memory safety out of the box, but they are deemed too slow and unpredictable for serious system software. Recent years have seen a surge in staging and generative programming: the key idea is to use high-level languages and their abstraction power as glorified macro systems to compose code fragments in first-order, potentially domain-specific, intermediate languages, from which fast C can be emitted. But what about security? Since the end result is still C code, the safety guarantees of the high-level host language are lost. In this paper, we extend this generative approach to emit ACSL specifications along with C code. We demonstrate that staging achieves ``abstraction without regret'' for verification: we show how high-level programming models, in particular higher-order composable contracts from dynamic languages, can be used at generation time to compose and generate first-order specifications that can be statically checked by existing tools. We also show how type classes can automatically attach invariants to data types, reducing the need for repetitive manual annotations. We evaluate our system on several case studies that varyingly exercise verification of memory safety, overflow safety, and functional correctness. We feature an HTTP parser that is (1) fast (2) high-level: implemented using staged parser combinators (3) secure: with verified memory safety. This result is significant, as input parsing is a key attack vector, and vulnerabilities related to HTTP parsing have been documented in all widely-used web servers.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
LMS-Verify:对经过验证的系统编程进行无悔的抽象
性能关键型软件几乎都是用C语言开发的,因为程序员不相信高级语言能提供同样可靠的性能。这很糟糕,因为使用不安全语言编写的低级代码会吸引安全漏洞,而且开发的效率要低得多,在严格的性能约束下操作的程序员大多会失去PL的进步。高级语言提供了开箱即用的内存安全性,但对于严肃的系统软件来说,它们被认为太慢且不可预测。近年来,我们看到了分段编程和生成编程的激增:关键思想是使用高级语言及其抽象能力作为美化的宏系统,以一阶、可能特定于领域的中间语言组成代码片段,从中可以发出快速的C语言。但是安全性呢?由于最终结果仍然是C代码,因此失去了高级宿主语言的安全保证。在本文中,我们扩展了这种生成方法,使其与C代码一起发出ACSL规范。我们演示了阶段性实现了验证的“无悔抽象”:我们展示了高级编程模型,特别是来自动态语言的高阶可组合契约,如何在生成时使用它们来组合和生成可由现有工具静态检查的一阶规范。我们还将展示类型类如何自动将不变量附加到数据类型上,从而减少对重复手动注释的需要。我们通过几个案例研究来评估我们的系统,这些案例研究对内存安全性、溢出安全性和功能正确性进行了不同的验证。我们的HTTP解析器具有以下特点:(1)快速(2)高级:使用分阶段解析器组合子实现(3)安全:具有经过验证的内存安全性。这个结果很重要,因为输入解析是一个关键的攻击向量,并且在所有广泛使用的web服务器中都记录了与HTTP解析相关的漏洞。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Gradual refinement types A semantic account of metric preservation A posteriori environment analysis with Pushdown Delta CFA Type systems as macros Complexity verification using guided theorem enumeration
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1