You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: verification/readme.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,16 +3,16 @@
3
3
This directory contains work-in-progress on verifying the security monitor.
4
4
Currently, the verification is in early stages.
5
5
6
-
We use the tool [RefinedRust](https://plv.mpi-sws.org/refinedrust/) in the [Coq proof assistant](https://coq.inria.fr/) for verification.
6
+
We use the tool [RefinedRust](https://plv.mpi-sws.org/refinedrust/) in the [Rocq prover](https://rocq-prover.org/) for verification.
7
7
8
8
## Architecture
9
9
Our approach to proving code in the security monitor is to add verification annotations to the Rust source code.
10
10
These include invariants as well as pre- and postconditions.
11
11
12
-
Afterwards, RefinedRust translates the Rust source code and annotations into a representation in the Coq proof assistant.
12
+
Afterwards, RefinedRust translates the Rust source code and annotations into a representation in the Rocq prover.
13
13
This is initiated by running `make verify` in the root directory of the repository.
14
14
15
-
The generated Coq code is placed in the [`verification/rust_proofs/ace`](/verification/rust_proofs/ace) folder.
15
+
The generated Rocq code is placed in the [`verification/rust_proofs/ace`](/verification/rust_proofs/ace) folder.
16
16
There are two subfolders, [`generated`](/verification/rust_proofs/ace/generated) and [`proofs`](/verification/rust_proofs/ace/proofs).
17
17
The [`generated`](/verification/rust_proofs/ace/generated) subfolder contains the automatically generated model of the Rust code, the translated specifications, and proof templates.
18
18
It is re-generated on every run of `make verify` and thus should not be modified manually.
@@ -28,7 +28,7 @@ These files are manually created and written, and imported into RefinedRust thro
@@ -39,7 +39,7 @@ As a more concrete example, let us consider the `Page` structure and the `Page::
39
39
For the `Page` structure, RefinedRust generates the following code:
40
40
1. in generated code: the definition `Page_sls` describing the layout of the `Page` struct
41
41
2. in generated specs: the definition `Page_ty` and `Page_inv_t` describing the `Page` struct type and the type containing the invariant specified through the annotations on the struct
42
-
The definition of the invariant on `Page` uses some extra (manually written) Coq theories, for instance the definition of the `page_size`Coq type.
42
+
The definition of the invariant on `Page` uses some extra (manually written) Rocq theories, for instance the definition of the `page_size`Rocq type.
43
43
44
44
For the `Page::read` function, RefinedRust generates the following code:
45
45
1. in generated code: the definition `core_page_allocator_page_Page_core_page_allocator_page_T_read_def` containing the source code of the function translated into RefinedRust's operational model Radium
@@ -102,7 +102,7 @@ There are several efforts which are complementary to the aims of this project:
102
102
103
103
**Software**
104
104
* Hypervisor verification: While our security monitor architecture can ensure confidentiality of VMs without trusting the hypervisor, VMs may still need to communicate with the hypervisor (e.g. for IO). One may want to prove that the hypervisor is still trustworthy or that it responds correctly to hypercalls.
105
-
Our architecture assumes that the hypervisor retains control over threads scheduling, so it is in control over the availability of confidential VMs. One might try to prove the correctness of the hypervisor in order to get availability guarantees.
105
+
Our architecture assumes that the hypervisor retains control over thread scheduling, so it is in control over the availability of confidential VMs. One might try to prove the correctness of the hypervisor in order to get availability guarantees.
106
106
* VM verification: In order to actually run a secure workload end-to-end, one would have to verify the code of confidential VMs protected by the security monitor.
107
107
* Low-level firmware/bootloader verification: Our security monitor currently builds on OpenSBI, which we trust.
108
108
In future work, we would like to deprivilege firmware (see discussions in the RISC-V community on M-mode partitioning or M-mode lightweight isolation) or reimplement and prove the minimal set of required functionalities of the M-mode firmware (e.g., OpenSBI).
@@ -129,13 +129,13 @@ In the current stage of the project, we do not yet verify the inline Assembly se
129
129
Accurate verification of multi-language programs and verification of system software against authoritative ISA semantics are an open research problem under active research.
130
130
131
131
### Trusted Computing Base
132
-
RefinedRust's is a foundational verification tool (i.e., the proofs are done in a proof assistant with a small proof kernel; concretely, the Coq proof assistant), and as such its trusted computing base is fairly small.
132
+
RefinedRust's is a foundational verification tool (i.e., the proofs are done in a proof assistant with a small proof kernel; concretely, the Rocq prover), and as such its trusted computing base is fairly small.
133
133
The risk of unintentional soundness bugs is much lower compared to tools relying on, e.g., SMT solvers.
134
134
135
135
Nevertheless, there are some code parts which have to be trusted:
136
136
- the formalization of Rust's operational semantics in RefinedRust
137
137
- the statement of RefinedRust's top-level soundness statement
138
-
- the translation from Rust's MIR intermediate representation to RefinedRust's Coq code
138
+
- the translation from Rust's MIR intermediate representation to RefinedRust's Rocq code
139
139
140
140
If you want to validate the behavior of the generated machine code with the verification, you have to add the translation from MIR to machine code in the Rust compiler.
141
141
On the other hand, if you want to validate that your surface-level Rust code has the correct behavior, you have to add the translation from surface-level Rust to MIR.
0 commit comments