You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+44-40Lines changed: 44 additions & 40 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -145,73 +145,77 @@ We also have patches in the `dh/implementation` directory which introduce bugs t
145
145
-`passthru_escape_in_corealloc_func_bug.patch`: leaks memory allocated in the Core allocation function to the App via a callback, violating the pass-through requirement that all memory allocated in the Core allocation function must only be accessible to the App via the function's return value
146
146
-`passthru_escape_in_coreapi_func_bug.patch`: leak permissions to access a slice allocated in the Core via a global variable which is then accessed in the App, resulting in accessing memory allocated in the Core which does not pass through the Core API function's return value
147
147
148
-
## Argot extensions for Diodon
149
-
150
-
We implemented Diodon by extending the Go static analysis tool [Argot](https://github.com/awslabs/ar-go-tools).
151
-
152
-
To see the documentation and public API for any of our analyses, use the `go doc` command with the analysis' package name.
153
-
```shell
154
-
cd ar-go-tools
155
-
go doc github.com/awslabs/ar-go-tools/analysis/passthru
156
-
```
157
-
158
-
The existing Argot analyses are documented more thoroughly in the `ar-go-tools/doc` directory.
159
148
160
-
### Argot configuration
149
+
## Argot extensions for Diodon
150
+
We instantiate Diodon for Go by extending the Go static analysis tool [Argot](https://github.com/awslabs/ar-go-tools).
151
+
In this subsection, we describe which static analyses we use from or added to Argot, grouped as introduced in the paper, and end with a short overview over Argot's API and configuration.
161
152
162
-
We configured Argot to run the above analyses on both the DH case study and the forked SSM Agent case study.
163
-
The configuration files are located in `dh/argot-proofs/argot-config-dh.yaml` and `ssm-agent/argot-proofs/argot-config-agent.yaml`, respectively.
164
-
The escape analysis is configured via `dh/argot-proofs/escape-config.json` and `ssm-agent/argot-proofs/escape-config.json`, respectively.
165
153
166
154
### I/O independence
155
+
As described in the Sec. 4.1 in the paper, we check I/O independence by running a taint analysis that considers implicit taint flows and checks that taint does not escape a thread.
156
+
Argot provides such a taint analysis, and we did not make any major changes for Diodon.
157
+
See the [taint analysis documentation](https://github.com/awslabs/ar-go-tools/blob/dffa660a6c22232f878d8d9dd5e998f5f52cdbf6/doc/01_taint.md) for more details.
167
158
168
-
#### Taint analysis
169
159
170
-
The taint analysis we use in Diodon is the standard taint analysis (with an integrated escape analysis) in Argot.
171
-
We did not make any major changes to the taint or integrated escape analysis for Diodon.
172
-
See the [taint analysis documentation](ar-go-tools/doc/01_taint.md) for more details.
160
+
### Analyzing the App
161
+
We analyze the App using a combination of static analyses to ensure that the Core's refinement proof is valid (Sec. 4.3 in the paper).
162
+
In the following, we describe these analyses and how they relate to the conditions (C1) - (C8) in the paper's Fig. 8.
173
163
174
-
### Core assumptions
175
164
176
165
#### Escape analysis
177
-
178
-
Argot's escape analysis was originally designed to be integrated with the taint analysis.
179
-
We kept this taint analysis integration but also added a stand-alone `argot escape` command which runs the escape analysis by itself.
180
-
We needed to extend the escape analysis to improve context sensitivity.
181
-
The escape analysis implementation is located in the `ar-go-tools/analysis/escape` directory.
166
+
While Argot's escape analysis was originally designed to be used by the taint analysis, we added a stand-alone `argot escape` command which runs the escape analysis by itself.
167
+
We modified the escape analysis to improve context sensitivity, and the escape analysis implementation is located in the `ar-go-tools/analysis/escape` directory.
182
168
183
169
Diodon uses the escape analysis to check:
184
-
- Condition C4: Core instances are used only in the thread they are created in.
185
-
- Condition C6: Parameters to Core APIs are local.
170
+
- Condition (C4): Core instances are used only in the thread they are created in.
171
+
- Condition (C6): Parameters to Core APIs are local.
186
172
187
-
#### Pointer analysis
188
173
189
-
Argot uses the [first-party Go pointer analysis](https://pkg.go.dev/golang.org/x/tools/go/pointer) which is vendored directly in the codebase in the directory `ar-go-tools/internal/pointer` to expose some pointer analysis internals.
190
-
The taint and escape analyses depend on the may-alias information computed by this pointer analysis.
191
-
We extended the pointer analysis to cache alias analysis results to improve performance.
174
+
#### Pointer analysis
175
+
The Go standard library provides a [first-party Go pointer analysis](https://pkg.go.dev/golang.org/x/tools/go/pointer) that Argot uses.
176
+
This pointer analysis is vendored directly in the codebase in the directory `ar-go-tools/internal/pointer`.
177
+
Argot uses the may-alias information computed by this pointer analysis for the taint and escape analyses.
178
+
For this purpose and to improve performance, the pointer analysis was modified to expose some pointer analysis internals and to cache may-alias results.
192
179
We use this pointer analysis to implement the below custom analyses for Diodon.
193
180
194
-
#### Pass-through analysis
195
181
182
+
##### Pass-through analysis
196
183
We implemented the pass-through analysis from scratch by using the pointer analysis' alias information and the SSA program representation.
197
184
The pass-through (called `passthru` for short) analysis implementation is located in the `ar-go-tools/analysis/passthru` directory.
198
185
199
186
Diodon uses the pass-through analysis to check:
200
-
- Condition C1: Core instances are created in a function ensuring the Core invariant in its postcondition.
201
-
- Condition C8: Reads and writes in the Application occur to memory allocated in the Application or transferred from the Core.
187
+
- Condition (C1): Core instances are created in a function ensuring the Core invariant in its postcondition.
188
+
- Condition (C3): Core instances are passed only to Core functions that preserve the invariant
189
+
- Condition (C8): Reads and writes in the Application occur to memory allocated in the Application or transferred from the Core.
202
190
203
-
#### Immutability analysis
204
191
205
-
We implemented an "immutability" analysis from scratch which records all reads, writes, and allocations of a given SSA value using the results from the pointer analysis.
192
+
#### Immutability analysis
193
+
We implemented an immutability analysis from scratch, which records all reads, writes, and allocations of a given SSA value using the results from the pointer analysis.
206
194
Note that we do not consider this to be a separate analysis in the paper and call it a "pointer analysis".
207
195
The immutability analysis implementation is located in the `ar-go-tools/analysis/immutability` directory.
208
196
209
-
Diodon uses the immutability analysis to check condition C2: The Application does not write to Core instances' internal state, even through an alias.
197
+
Diodon uses the immutability analysis to check condition (C2): The Application does not write to Core instances' internal state, even through an alias.
210
198
211
-
#### Alias analysis
212
199
213
-
We implemented an alias analysis from scratch which computes all of the SSA values that may alias a given SSA value using the results from the pointer analysis.
200
+
#### Alias analysis
201
+
We implemented an alias analysis from scratch, which computes all of the SSA values that may alias a given SSA value using the results from the pointer analysis.
214
202
Note that we do not consider this to be a separate analysis in the paper and call it a "pointer analysis".
215
203
The alias analysis implementation is located in the `ar-go-tools/analysis/alias` directory.
216
204
217
-
Diodon uses the alias analysis to check condition C7: parameters to the same Core API call do not alias.
205
+
Diodon uses the alias analysis to check condition (C7): Parameters to the same Core API call do not alias one another.
206
+
207
+
208
+
### Argot API & documentation
209
+
To see the documentation and public API for any of our analyses, use the `go doc` command with the analysis' package name. E.g.:
210
+
```shell
211
+
cd ar-go-tools
212
+
go doc github.com/awslabs/ar-go-tools/analysis/passthru
213
+
```
214
+
215
+
In addition, the `ar-go-tools/doc` directory contains detailed descriptions of the analyses that Argot provides.
216
+
217
+
218
+
### Argot configuration
219
+
We configured Argot to run the above analyses on both our case studies, namely the signed DH key exchange and the forked SSM Agent implementations.
220
+
The configuration files are located in `dh/argot-proofs/argot-config-dh.yaml` and `ssm-agent/argot-proofs/argot-config-agent.yaml`, respectively.
221
+
The escape analysis is configured via `dh/argot-proofs/escape-config.json` and `ssm-agent/argot-proofs/escape-config.json`, respectively.
0 commit comments