Re: Formal verification of MUSL

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Szabolcs Nagy <nsz@port70.net>
To: musl@lists.openwall.com
Subject: Re: Formal verification of MUSL
Date: Mon, 11 Apr 2016 14:21:07 +0200	[thread overview]
Message-ID: <20160411122107.GA22574@port70.net> (raw)
In-Reply-To: <20160411042313.GT21636@brightrain.aerifal.cx>

* Rich Felker <dalias@libc.org> [2016-04-11 00:23:13 -0400]:
> On Sun, Apr 10, 2016 at 07:18:23PM -0700, Joe Duarte wrote:
> > Has there been any discussion of getting MUSL into a formally verified
> > state? What would it take?
> 
> There's been some discussion (off-list) of using tis-interpreter on
> musl, but that's not the same as formal verification. So far I'm not
> aware of anything in the way of actual verification.
> 

in general libc won't be formally verified until its api
and the underlying platform are formally defined
(i.e. the implemented posix api and underlying linux and
toolchain behaviour) this won't happen any time soon.

formal verification requires a precise model of the
interface (which means an alternative implementation)
and some annotation to help proving that the libc
matches the model.

this is a lot of work even for simple apis, it is more
realistic to only prove some easy but practically useful
property for a subset of the libc code, so you have to
be more precise what you ask for.

some properties are easy to model, but still hard to verify
(e.g. ieee 754 arithmetics has formal models, but verifying
the accuracy of math functions is hard.)

some properties are easy to verify with moderate modelling
effort (e.g. checking for posix namespace violations in libc
headers).

some properties are hard to verify, but easy to check at
runtime with moderate overhead (e.g. signed int overflow
checks with ubsan instrumentation).

etc.

checking for security issues is a small subset of formal
verification (in c the most relevant property is probably
well-defiend memory accesses).

     prev parent reply	other threads:[~2016-04-11 12:21 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-11  2:18 Joe Duarte
2016-04-11  4:23 ` Rich Felker
2016-04-11  4:35   ` Khem Raj
2016-04-11 15:55     ` Eric Engeström
2016-04-12  1:00       ` Joe Duarte
2016-04-12  2:47         ` Isaac Dunham
2016-05-02  0:35       ` Joe Duarte
2016-04-11 12:21   ` Szabolcs Nagy [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160411122107.GA22574@port70.net \
    --to=nsz@port70.net \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).