Wiki and useful background materials: https://github.com/agurfinkel/verifyTrusty/wiki
Trusted Execution Environment(TEE) provides physically separate hardware for storing and processing sensitive data With TEEs, even a compromised OS cannot access and leak sensitive data Applications running on TEEs are juicy attack targets. The goal of this project is to apply formal verification techniques on applications running on TEEs with the state-of-the-art framework SeaHorn.
All harnesses and stubs within this repository depend on the Trusty repository. To run verification jobs locally, follow steps below to install/build missing dependencies and trusty:
clang-10.0
andllvm-link-10.0
- Repo
- SeaHorn, use docker image or build from source then set
$SEA
or$SEAHORN
environment variable to<path_to_build_dir>/run/bin/sea
executable. - If
libc++-10-dev
is not available, you can useGNU libstdc++
by adding the following option tocmake
-DCPPSTDLIB="libstdc++"
-
Clone this repository (change your diretory into verifyTrusty)
-
mkdir trusty && cd trusty && \ repo init -u https://github.com/seahorn/verifyTrusty.git -b master && \ repo sync -j32 && cd .. \
-
Using CMake to build LLVM assembly:
mkdir build && cd build && cmake \ -DSEA_LINK=llvm-link-10 \ -DCMAKE_C_COMPILER=clang-10 \ -DCMAKE_CXX_COMPILER=clang++-10 \ -DSEAHORN_ROOT=<SEAHORN_ROOT> -DTRUSTY_TARGET=<TRUSTY_TARGET> \ ../ -GNinja
Note that, the trusty target now supports
arm32
,arm64
, andx86_64
. If LLVM bitcode generation is successful, you should see<BC_FILE_NAME>.ir.bc
files underseahorn/jobs/<job_name>/llvm-ir/<job_name>.ir
. -
Compile
ninja
or
cmake --build .
-
Verify as unit test
ninja test
or
cmake --build . --target test
-
Run individual file manually
./verify [option] <BC_FILE_NAME>
-
storage_ipc_port_create_destroy
simple example that showsSeaHorn
can model simple ipc functions in thestorage
app likeipc_port_create
andipc_port_destroy
; this example also shows that stubbing of handles table (seahorn/lib/handle_table.c
) works.- Verification command:
./verify seahorn/jobs/storage_ipc_port_create_destroy
- Expected output:
unsat
, meaning nosassert
is not violated.
- Verification command:
-
storage_ipc_indirect_handlers
thestorage
application use function pointers extensively for port/channel event handlers. This example demonstrates thatSeaHorn
can model this programming pattern by applying its function devirtualization pass.- Verification command:
./verify seahorn/jobs/storage_ipc_indirect_handlers
- Expected output:
unsat
, meaning nosassert
is not violated.
- Verification command:
-
storage_ipc_msg_buffer
test potential buffer overflow onmsg_buf
by stubbingrealloc
.- Verification command:
./verify seahorn/jobs/storage_ipc_msg_buffer
- Expected output:
unsat
, meaning no overflow is not possible. - Try removing
return ERR_NOT_ENOUGH_BUFFER
block on line150
inipc.c
, and rebuild the verification example. Doing so should result insat
because now overflow is possible.
- Verification command: