1. 3

Abstract: “We present an approach to modeling and verifying machine-code programs that exhibit non-determinism. Specifi- cally, we add support for system calls to our formal, executable model of the user-level x86 instruction-set architecture (ISA). The resulting model, implemented in the ACL2 theorem-proving system, allows both formal analysis and efficient simulation of x86 machine-code programs; the logical mode characterizes an external environment to support reasoning about programs that interact with an operating system, and the execution mode directly queries the underlying operating system to support simulation. The execution mode of our x86 model is validated against both its logical mode and the real machine, providing test-based assurance that our model faithfully represents the semantics of an actual x86 processor. Our framework is the first that enables mechanical proofs of functional correctness of user-level x86 machine-code programs that make system calls. We demonstrate the capabilities of our model with the mechanical verification of a machine- code program, produced by the GCC compiler, that computes the number of characters, lines, and words in an input stream. Such reasoning is facilitated by our libraries of ACL2 lemmas that allow automated proofs of a program’s memory-related properties.”


  2. 1

    @derek-jones How they do the ISA model is more similar to what I have in mind combining formal and empirical methods. However, I’d throw lots of spec-based, test generation and fuzzing in there to make establishing equivalence easier to parallelize. This stuff shouldn’t be manual. A person can always eyeball the output to make sure the spec-based tests really correspond to the specs.