SBIR-STTR Award

Binary Assurance Through Proofs of Properties
Award last edited on: 3/31/2023

Sponsored Program
SBIR
Awarding Agency
DOD : DARPA
Total Award Amount
$1,660,365
Award Phase
2
Solicitation Topic Code
HR001121S0007-08
Principal Investigator
Eric Smith

Company Information

Kestrel Technology LLC (AKA: Kestrel Development Corporation~KTS~KT)

3260 Hillview Avenue
Palo Alto, CA 94304
   (650) 320-8474
   info@kestreltechnology.com
   www.kestreltechnology.com
Location: Single
Congr. District: 16
County: Santa Clara

Phase I

Contract Number: W31P4Q-22-C-0006
Start Date: 7/13/2021    Completed: 10/17/2022
Phase I year
2021
Phase I Amount
$224,160
Kestrel Technology proposes to extend its Axe toolkit to build a lightweight, easy-to-use tool that can prove important safety, security, and correctness properties of software binaries, such as those used in off-the-shelf embedded systems. This will combine the strengths of several of our existing tools: our Axe Lifter, which can transform x86 binaries into a logical form for further analysis; our Axe Prover, which can prove properties of lifted programs using a variety of proof tactics; our Axe Equivalence Checker, which can compare lifted programs to specifications or to known good programs; and our Formal Unit Tester, which helps users without formal methods expertise explore bounded program behaviors. The latter tool currently operates on Java programs but will be retargeted to binaries. We plan to target x86 but can pivot to a different CPU type if desired. Kestrel's Axe Lifter can explore a program or subroutine using symbolic execution, obtaining a mathematical term that represents its behavior. Lifting is done using the Axe Rewriter together with a model of the target machine (currently, the Java Virtual Machine or x86 CPU). The lifted form represents the operation of the program on arbitrary data. Axe has techniques to avoid path explosion (rejoining the execution after conditional branches) and can lift entire loops into recursive functions. Kestrel's Axe Prover can then be used to prove properties of the lifted program, such as the fact that program operation satisfies given requirements. A variety of proof tactics are available, including rewriting with our extensive library of proven rules, case splitting, and calling the ACL2 prover or an external SMT solver. Kestrel's Axe Equivalence Checker can prove the equivalence of two lifted programs, or of a program and a specification. This provides a convenient way to specify correct behavior, and the proof can be highly automatic when the amount of computation is bounded (e.g., when loops can be unrolled). Kestrel's Formal Unit Tester, currently only for Java bytecode programs, provides a convenient way for users without formal methods training to check desired properties of a program. Unlike traditional unit tests, each of which covers a single input, formal unit tests are small proofs that can cover very large input spaces. The user writes small test harnesses in a traditional programming language, and the tool attempts to prove that the tests always pass. Because the tests can take symbolic inputs, each covers many possible computations. The tool can provide assurance that all behaviors (perhaps within some bound on the input size) satisfy the desired property. Or it can produce an input that violates the desired property. The novelty of the project will be to combine all these tools, bringing the above capabilities to binaries. We will also improve the automation, usability, and scalability of the tools and apply them to industrial use cases.

Phase II

Contract Number: W31P4Q23C0034
Start Date: 7/12/2023    Completed: 7/13/2027
Phase II year
2023
Phase II Amount
$1,436,205
Kestrel Technology is extending its Axe toolkit to build a lightweight, easy-to-use tool that can prove important safety, security, and correctness properties of software binaries, such as those used in off-the-shelf embedded systems. The tool combines the strengths of several of our existing tools: our Axe Lifter, which can transform x86 binaries into a logical form for further analysis; our Axe Prover, which can prove properties of lifted programs using a variety of proof tactics; our Axe Equivalence Checker, which can compare lifted programs to specifications or to known-good programs; and Axe's connections to SMT solvers, which can quickly discharge complex proof goals. In Phase I, we developed a prototype tool that can prove non-trivial properties of 64-bit ELF and Mach-O binary programs. The tool uses Kestrel's Axe Lifter to explore a program or subroutine using symbolic execution, obtaining a mathematical term that represents its behavior. Lifting is done using the Axe Rewriter together with a model of the x86 CPU. The lifted form represents the operation of the program on arbitrary data. Kestrel's Axe Prover can then be used to prove properties of the lifted program, such as the fact that it satisfies given requirements, or computes the same result as some other program. A variety of proof tactics are available, including rewriting with our extensive library of proven rules, case splitting, and calling the ACL2 prover or an external SMT solver. The prototype tool, called the Formal Unit Tester for Binaries, provides a convenient way for users without formal methods training to check desired properties of a program. Unlike traditional unit tests, each of which covers a single input, formal unit tests are proofs that can cover very large input spaces. The user writes small test harnesses in a traditional programming language, and the tool attempts to prove that the tests always pass. Because the tests take inputs, each proof covers many possible computations. Often, the tool can provide assurance that all behaviors (perhaps within some bound on the input size) satisfy the desired property, or produce an input that violates the desired property. Our goal in Phase II will be to improve the usability, generality, and scalability of the tool and work to transition it to handle industrial use cases.