# **BDD-based Machine Code Verification for SFI Systems**

Zachary Yedidia

Stanford University

Goal: run isolated untrusted programs in a single address space.

**SFI** approach: analyze a binary's machine code to determine if it is safe to run.

Program must adhere to certain invariants in order to be accepted as safe.

**Example** (LFI): sandboxes are regions of size 4GiB, and aligned to 4GiB boundaries.

1. x18 must contain an address within the sandbox.
2. x21 must contain the base address of the sandbox.

| Instruction | Verdict | Reason |
|-------------|---------|--------|
| `svc #0` | not allowed | direct system call bypasses the sandbox runtime |
| `mov x18, x1` | not allowed | x1 is unconstrained, so x18 could leave the sandbox |
| `add x18, x21, w1, uxtw` | allowed | base + zero-extended 32-bit offset stays inside the 4GiB-aligned region |
| `ldr x0, [x1]` | not allowed | address in x1 is unconstrained |
| `ldr x0, [x18]` | allowed | x18 is known to be inside the sandbox |

Idea: design the verifier so that it just inspects a single instruction at a time.

#### **Stateless Verification Visualized**



Every ARM64 instruction is a 32-bit integer.

Of the 2^32 possible encodings, roughly 750M are legal instructions.

The existing verifier uses a disassembler to determine if an instruction is legal or not.

### Stateless Verification with Binary Decision Diagrams

A stateless verifier is a Boolean function of the 32 instruction bits (allowed or not allowed), so it can be encoded as a binary decision diagram (BDD): checking an instruction is a walk from the root to a terminal, one node per bit tested.



**Problem**: for a fixed variable ordering the reduced BDD is unique, but finding the ordering that minimizes it is NP-hard (and we have 32 inputs).

Key: choose a variable ordering that matches the top-level ARM64 encoding, so the bits the hardware decoder consults first (op0 in bit 31, op1 in bits 28:25) are tested first:

$x_{31},\ x_{25..30},\ x_{24..0}$

Top-level encodings for A64 (op0 = bit 31, op1 = bits 28:25; `x` = don't care):

| op0 | op1  | Decode group                                            |
|-----|------|---------------------------------------------------------|
| 0   | 0000 | Reserved                                                |
| 1   | 0000 | SME encodings                                           |
| x   | 0001 | UNALLOCATED                                             |
| x   | 0010 | SVE encodings                                           |
| x   | 0011 | UNALLOCATED                                             |
| x   | 100x | Data Processing -- Immediate                            |
| x   | 101x | Branches, Exception Generating and System instructions  |
| x   | x1x0 | Loads and Stores                                        |
| x   | x101 | Data Processing -- Register                             |
| x   | x111 | Data Processing -- Scalar Floating-Point and Advanced SIMD |

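The following is an added example, not LFI's verifier or any code from the talk. It builds a reduced ordered BDD over the 32 instruction bits for a deliberately tiny policy (an assumption made here, not LFI's real rule set): accept only `add x18, x21, Wm, uxtw` with no shift and `ldr Xt, [x18]` with a zero offset, reject everything else. Each rule is a (mask, value) pair, the BDD is the OR of the rules, and verifying a code buffer is one root-to-terminal walk per 4-byte word, which is exactly the stateless, single-instruction check the slides describe. The instruction encodings in the sample are hand-assembled and constructed for this example; the variable ordering follows the slides (bit 31 first, then bits 30..25, then 24..0), and `build_verifier(order=...)` lets you compare the node count under other orderings.

```python
import struct

# Variable ordering from the slides: bit 31 (op0), then bits 30..25 (which
# contain op1, bits 28:25), then the remaining bits 24..0.
ENCODING_ORDER = [31] + list(range(30, 24, -1)) + list(range(24, -1, -1))

# Toy policy (assumption, not LFI's rules). Rule = (mask, value): word w is
# accepted when (w & mask) == value. Encodings assembled by hand (constructed).
RULES = [
    (0xFFE0FFFF, 0x8B2042B2),  # add x18, x21, Wm, uxtw  (64-bit, shift 0; Rm in 20:16 free)
    (0xFFFFFFE0, 0xF9400240),  # ldr Xt, [x18]           (64-bit, offset 0; Rt in 4:0 free)
]


class BDD:
    """Minimal ROBDD. Node ids: 0 = FALSE, 1 = TRUE, n > 1 = (var, lo, hi)."""

    def __init__(self, order):
        self.order = list(order)
        self.level = {v: i for i, v in enumerate(self.order)}
        self.nodes = [None, None]  # id -> (var, lo, hi)
        self.unique = {}           # (var, lo, hi) -> id; keeps the diagram reduced
        self.cache = {}            # memo table for union()

    def mk(self, var, lo, hi):
        if lo == hi:               # both branches agree: the test is redundant
            return lo
        key = (var, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def cube(self, mask, value):
        """BDD accepting exactly the words w with (w & mask) == value."""
        node = 1
        for var in reversed(self.order):  # build from the last variable upward
            if mask >> var & 1:
                node = self.mk(var, 0, node) if value >> var & 1 else self.mk(var, node, 0)
        return node

    def union(self, a, b):
        """OR of two BDDs (Bryant's apply, specialised to disjunction)."""
        if a == 1 or b == 1:
            return 1
        if a == 0 or a == b:
            return b
        if b == 0:
            return a
        key = (min(a, b), max(a, b))
        if key in self.cache:
            return self.cache[key]
        va, alo, ahi = self.nodes[a]
        vb, blo, bhi = self.nodes[b]
        if self.level[va] < self.level[vb]:    # a's variable is tested first
            vb, blo, bhi = va, b, b            # treat b as constant at this level
        elif self.level[vb] < self.level[va]:
            va, alo, ahi = vb, a, a
        result = self.mk(va, self.union(alo, blo), self.union(ahi, bhi))
        self.cache[key] = result
        return result

    def evaluate(self, root, word):
        """Verify one 32-bit instruction: one pointer chase per tested bit."""
        n = root
        while n > 1:
            var, lo, hi = self.nodes[n]
            n = hi if word >> var & 1 else lo
        return n == 1

    def size(self, root):
        """Decision nodes reachable from root (terminals excluded)."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n > 1 and n not in seen:
                seen.add(n)
                stack.extend(self.nodes[n][1:])
        return len(seen)


def build_verifier(order=ENCODING_ORDER):
    """OR all policy rules into a single BDD; returns (bdd, root id)."""
    bdd = BDD(order)
    root = 0
    for mask, value in RULES:
        root = bdd.union(root, bdd.cube(mask, value))
    return bdd, root


def verify_code(code, order=ENCODING_ORDER):
    """Stateless check of a code buffer: every 4-byte word must be accepted."""
    if len(code) % 4:
        raise ValueError("A64 code must be a multiple of 4 bytes")
    bdd, root = build_verifier(order)
    return [bdd.evaluate(root, w) for (w,) in struct.iter_unpack("<I", code)]


# Constructed sample: the five instructions from the slides, hand-assembled.
SAMPLE = [
    ("svc #0",                 0xD4000001),
    ("mov x18, x1",            0xAA0103F2),
    ("add x18, x21, w1, uxtw", 0x8B2142B2),
    ("ldr x0, [x1]",           0xF9400020),
    ("ldr x0, [x18]",          0xF9400240),
]
SAMPLE_CODE = b"".join(struct.pack("<I", w) for _, w in SAMPLE)

if __name__ == "__main__":
    bdd, root = build_verifier()
    print(f"BDD nodes: {bdd.size(root)}")
    for (text, _), ok in zip(SAMPLE, verify_code(SAMPLE_CODE)):
        print(f"{text:26s} {'allowed' if ok else 'not allowed'}")
```

For this two-rule policy the diagram has 52 decision nodes, and the verdicts match the slide's table. The node count reported on the slides (1393) is for the full policy over the roughly 750M legal encodings; with a policy that large the ordering matters far more than in this toy, which is why the encoding-aware ordering is the key choice.
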
Result: BDD with 1393 nodes.



| Metric                  | BDD-based verifier | Previous verifier |
|-------------------------|--------------------|-------------------|
| Memory size             | 8370 B             | 3 MiB             |
| Verification throughput | 100 MiB/s          | 30 MiB/s          |