Skip to content

[wip] analysis: klee-based verification pipeline for patchestry#146

Open
kumarak wants to merge 2 commits intomainfrom
kumarak/klee
Open

[wip] analysis: klee-based verification pipeline for patchestry#146
kumarak wants to merge 2 commits intomainfrom
kumarak/klee

Conversation

@kumarak
Copy link
Collaborator

@kumarak kumarak commented Mar 4, 2026

This PR adds a design document describing the integration of a KLEE-based symbolic verification pipeline for Patchestry patches and contracts.

@kumarak kumarak marked this pull request as draft March 4, 2026 17:59
@kumarak kumarak marked this pull request as ready for review March 4, 2026 17:59
kyle-elliott-tob
kyle-elliott-tob requested changes Mar 10, 2026
View reviewed changes
docs/KLEEVerification.md Outdated

```text
Firmware Binary
→ [Ghidra 12.0.1] → P-Code JSON
Copy link
Collaborator

@kyle-elliott-tob kyle-elliott-tob Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale version, should either be bumped or rewritten to just be [Ghidra]

docs/KLEEVerification.md Outdated
# when omitted
```

### 4.2 Contract Source
Copy link
Collaborator

@kyle-elliott-tob kyle-elliott-tob Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing this doesn't highlight is the potential for large amounts of code duplication. I imagine we're going to perform essentially the same tasks between our seahorn/KLEE integrations, may be wroth extracting some of the parsing code for generating predicates here.

docs/KLEEVerification.md
```llvm
; ─── KLEE runtime declarations (added once per module) ───────────────────────
declare void @klee_make_symbolic(ptr, i64, ptr)
declare void @klee_assume(i64)
Copy link
Collaborator

@kyle-elliott-tob kyle-elliott-tob Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this break on 32bit firmware for shorter pointer widths?

docs/KLEEVerification.md Outdated

## 6. Predicate-to-IR Translation

The following table defines how each predicate kind in the contract spec is translated into harness IR:
Copy link
Collaborator

@kyle-elliott-tob kyle-elliott-tob Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing expr kind and Symbol target kind from the table

docs/KLEEVerification.md

## 5. Generated Harness Structure

For a patched function `int f(int arg0, char* arg1)` with:
Copy link
Collaborator

@kyle-elliott-tob kyle-elliott-tob Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC we use a two operand MDNode format where this doc seems to assume a simple reference

@kumarak
Copy link
Collaborator Author

kumarak commented Mar 13, 2026

I addressed some of the comments here. Klee's interface design is still in-flight and will change as we work on it. It talks about harnessing the entire function that is patched. Does the current support of static contracts allow us? Should it be passed through YAML specifications, we will decide on that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kyle-elliott-tob kyle-elliott-tob kyle-elliott-tob requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kumarak @kyle-elliott-tob