Periodic Reporting for period 2 - VESTA (VErified STAtic analysis platform)
Période du rapport: 2020-03-01 au 2021-08-31
The VESTA project propose guidance and tool-support to the designers of static analysis, in order to build advanced but reliable static analysis tools. We focus on analyzing low-level softwares written in C, leveraging on the CompCert verified compiler. This compiler toolchain is fully verified in the Coq proof assistant.
Verasco is a verified static analyser that I have architected. It analyses C programs and follows many of the advanced abstract interpretation technique developped for Astrée, but it is formally verified. The outcome of the VESTA project will be a platform that help designing other verified advanced abstract interpreters like Verasco, without starting from a white page. We will apply this technique to develop security analyses for C programs. The platform will be open-source and will help the adoption of abstract interpretation techniques.
WP1: We study cost analysis that try to predict the cost of a program. We give a rigorous cost model and perform an analysis that can predict a bound on this cost. This is a work in progress. The code analysis has not been published yet but one its underlying component has lead to a new discovery in static analysis.
WP2: We study the security property of cryptographic constant-time. We provide provably a correct analysis that can verify this property.
WP3: We prove that the CompCert compiler can preserve the previous security property during compilation.
WP4: We study new challenging verification problems where extraction of efficient code is necessary. The current focus is on extracting a verified JIT compiler.
WP5: We study how to automatise more the design and the proof of correctness of a static analysis. The current achievement is a mostly automatic proof of correctness for a small abstract interpreter, using the F* prover.
2) Preserving a security property like cryptographic constant-time is a clear progress in the state of the art (POPL'20)
3) Significative proof effort reduction in verified static analysis (SAS'2021)