The speaker will share his experience of participating in projects on formal verification and analysis of access control modules for Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (OS for IoT) within the European VESSEDIA program. The speaker will disclose details about the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the inclusion of formal analysis in the continuous integration cycle (continuous verification). Other types of work that help meet the certification requirements will also be considered.
https://standoff365.com/phdays10/schedule/development/formal-verification-of-operating-system-kernels
Technologies for analyzing application binary code: requirements, problems, tools
Positive Development User Group
"Formal verification of C code" Efremov D.V.
The talk covers developing correct software with one type of static code analysis. The speaker will also address how such methods are applied, their weaknesses and limitations, and the results they can guarantee.
PHDays VII, PDUG section, Moscow, May 24 2017.
"Formal verification of C code" Efremov D.V.
The talk is devoted to developing correct software using one type of static code analysis. It covers how such methods are applied, their weaknesses and limitations, and the results they can deliver. Concrete examples show what developing specifications for C code and proving that the code conforms to those specifications look like in practice.
The talk was presented at the PHDays VII (2017) conference on May 24 in the PDUG section.
CVEhound is a tool for checking Linux kernel source archives for known CVEs. It lets you audit the kernel sources of phones, routers, servers, etc. for CVE fixes that exist in upstream kernel development but are missing from the audited tree. The talk includes a brief description of the CVE patching workflow in the Linux kernel and a demonstration of the CVEhound tool.
https://zeronights.ru/en/reports-en/cvehound-check-linux-sources-for-known-cves/
Deductive verification of unmodified Linux kernel library functions
Denis Efremov
This document discusses deductive verification of unmodified Linux kernel library functions using the Frama-C, AstraVer, and Why3 tools. 26 library functions were verified, 25 of them fully proved. Issues encountered included integer overflows, casts to smaller types, and pointer arithmetic on different memory blocks. The specifications were published online along with the proof artifacts. Future work includes a "lemma functions" extension to Frama-C to support more automated verification.
Practical Language for Extracting Data from Source Codes and Preparing Them f...
Denis Efremov
Talk at Yandex Perl Meetup (06 June 2018). The presentation is about how tools written in Perl can be used for verification of Linux kernel modules: various source code transformations that preserve the original formatting, interactive call graphs, and report generation with various complexity metrics. It also shows how we use the tools in the AstraVer project to write formal specifications (ACSL) on code and how this helps us with regulatory certification. The tools: https://github.com/evdenis/spec-utils
Automation of rule construction for Approof
Denis Efremov
"Automation of rule construction for Approof" Efremov D. V.
Approof is a static code analyzer for testing web applications for vulnerable components. The analyzer is based on rules that store signatures of components it searches. The report examines the basic structure of rules for Approof and automation of their development.
PHDays VII, PDUG section, Moscow, May 24 2017.
"Automation of rule construction for Approof" Efremov D.V.
Approof is a static code analyzer that checks web applications for vulnerable components. The analyzer works from rules that store signatures of the components being searched for. The talk examines the basic structure of an Approof rule and the process of automating its creation.
The talk was presented at the PHDays VII (2017) conference on May 24 in the PDUG section.
Slide 10. The Frama-C framework. The ACSL specification language (1)

/*@ requires b != 0;
    ensures a - a % b == b * \result;
*/
int div(int a, int b) {
    return a / b;
}
Slide 11. The Frama-C framework. The ACSL specification language (2)

/*@ requires b != 0;
    ensures a - a % b == b * \result;
*/
int div(int a, int b) {
    return a / b;
}

Verification conditions

constant min : int = -2147483648
constant max : int = 2147483647
predicate in_bounds (n:int) = min <= n /\ n <= max
type t17
function to_int t17 : int
function of_int int : t17
constant a_1 : t17
constant b_1 : t17
axiom H : not b_1 = of_int 0
goal WP_parameter_div2 :
  not to_int b_1 = 0 /\ in_bounds (div (to_int a_1) (to_int b_1))
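The goal above cannot be discharged: the precondition b != 0 is available from axiom H, but for a = INT_MIN and b = -1 the exact quotient is 2147483648, which does not satisfy in_bounds, so a / b is undefined behaviour on that input. The program below is an added example, not code from the talk or from Frama-C: it mirrors in_bounds and the goal as executable checks, gives the slide's contract one extra precondition that excludes exactly that input pair, and adds a total wrapper for callers that cannot establish the precondition. The names in_bounds, div_is_safe, div_checked, div_total and postcondition_holds are mine; the code assumes a 32-bit int and a long long of at least 64 bits (the C99 minimum).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Executable counterpart of the Why3 predicate in_bounds from the
 * verification condition: does the mathematical value n fit in a 32-bit
 * int?  n is carried in long long (at least 64 bits), so computing the
 * exact quotient in the caller cannot itself overflow.  Assumes 32-bit int. */
static bool in_bounds(long long n)
{
    return INT_MIN <= n && n <= INT_MAX;
}

/* What goal WP_parameter_div2 asks: b is non-zero and the exact quotient of
 * a by b is representable as int.  The only pair of ints that violates the
 * second part is a == INT_MIN, b == -1, whose quotient is INT_MAX + 1. */
static bool div_is_safe(int a, int b)
{
    if (b == 0)
        return false;
    return in_bounds((long long)a / b);
}

/* The slide's contract with the precondition strengthened so that the proof
 * obligation on a / b becomes provable; the postcondition is the slide's own.
 * The ACSL lives in a comment, so a plain C compiler ignores it; Frama-C/WP
 * would discharge it. */
/*@ requires b != 0;
    requires !(a == INT_MIN && b == -1);
    ensures a - a % b == b * \result;
*/
static int div_checked(int a, int b)
{
    return a / b;
}

/* Total variant for callers that cannot establish the precondition: returns 1
 * and stores the quotient, or returns 0 and leaves *out untouched when a / b
 * would be undefined behaviour. */
static int div_total(int a, int b, int *out)
{
    if (!div_is_safe(a, b))
        return 0;
    *out = a / b;
    return 1;
}

/* Runtime check of the postcondition a - a % b == b * \result, evaluated in
 * long long so that the check itself cannot overflow (b must be non-zero). */
static bool postcondition_holds(int a, int b, int result)
{
    long long la = a, lb = b;
    return la - la % lb == lb * result;
}

int main(void)
{
    int q = 0;

    if (div_total(7, -2, &q))
        printf("7 / -2 = %d, postcondition %s\n", q,
               postcondition_holds(7, -2, q) ? "holds" : "violated");

    /* The input behind the unprovable goal: INT_MIN / -1 would overflow. */
    if (!div_total(INT_MIN, -1, &q))
        printf("INT_MIN / -1 rejected (would overflow int)\n");

    return 0;
}
```

div_checked keeps the slide's shape so the contract can be handed to Frama-C as is; div_total is the form a kernel library function would typically take, where rejecting the input at runtime is preferable to trusting every caller to respect the precondition.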
Slide 12. The Frama-C framework. The ACSL specification language (3)

Verification conditions (as on the previous slide)

Fix

- int div(int a, int b) {
- return a / b;
+ long div(int a, int b) {
+ return (long) a / b;
}
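Review bot: the widening in `+ return (long) a / b;` removes the INT_MIN / -1 overflow only where `long` is wider than `int` (LP64 targets); on ILP32 targets `long` is also 32 bits and the same undefined behaviour remains. Use `long long` (at least 64 bits) if the intent is to widen, or keep the precondition-based fix; in either case the contract's `\result` now has the new return type and the proof should be rerun against it.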
Slide 13. The Frama-C framework. The ACSL specification language (4)

Verification conditions (as on slide 11)

Refining preconditions

/*@ requires b != 0;
    requires a != INT_MIN;
    ensures a - a % b == b * \result;
*/
int div(int a, int b) {
    return a / b;
}

Fix

- int div(int a, int b) {
- return a / b;
+ long div(int a, int b) {
+ return (long) a / b;
}
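Review bot: the refined contract directly above still declares `int div(int a, int b)` while the hunk changes the signature to `long div(int a, int b)`; these are two alternative fixes (strengthening the precondition versus widening the result type) and the slide should commit to one or label them as alternatives. Note also that `requires a != INT_MIN;` excludes more inputs than necessary, since the only undefined pair is a == INT_MIN together with b == -1; `requires !(a == INT_MIN && b == -1);` is the tighter precondition.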