Modular Verification of Programs with Effects and Effect Handlers in Coq

  • Thomas Letan
  • Yann Régis-Gianas
  • Pierre Chifflier
  • Guillaume Hiet
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10951)


Modern computing systems have grown in complexity, and the attack surface has increased accordingly. Even though system components are generally carefully designed and even verified by different groups of people, the composition of these components often receives less attention. This paves the way for “architectural attacks”, a class of security vulnerabilities where the attacker is able to threaten the security of the system even if each of its components continues to act as expected. In this article, we introduce FreeSpec, a formalism built upon the key idea that components can be modelled as programs with algebraic effects that are realized by other components. FreeSpec allows for the modular modelling of a complex system, by defining idealized components connected together, and for the modular verification of the properties of their composition. In addition, we have implemented a framework for the Coq proof assistant based on FreeSpec.
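As an added illustration, not FreeSpec's own code or API, the following minimal Coq development encodes the abstract's key idea: an interface is a family of operations, a program over an interface is a free-monad term that requests those operations, and a component realizes one interface as programs over another, so that composing components is a function on programs. The memory interface, the protected-range controller and the DRAM model are constructed for this example and are not the paper's model.

```coq
(* Interface: operations indexed by the result type a handler must return. *)
Definition Interface := Type -> Type.
(* Programs over I: a value, or an operation request plus its continuation. *)
Inductive Prog (I : Interface) (A : Type) : Type :=
| Pure : A -> Prog I A
| Request : forall (B : Type), I B -> (B -> Prog I A) -> Prog I A.
Arguments Pure {I A} _.  Arguments Request {I A B} _ _.
Fixpoint bind {I A B} (p : Prog I A) (f : A -> Prog I B) : Prog I B :=
  match p with
  | Pure x => f x
  | Request e k => Request e (fun r => bind (k r) f)
  end.
(* A component exposes Iup and realizes each operation as a program over Idown. *)
Definition Component (Iup Idown : Interface) := forall (B : Type), Iup B -> Prog Idown B.
(* Composition: push a client program through the component beneath it. *)
Fixpoint realize {Iup Idown A} (c : Component Iup Idown) (p : Prog Iup A) : Prog Idown A :=
  match p with
  | Pure x => Pure x
  | Request e k => bind (c _ e) (fun r => realize c (k r))
  end.
(* Constructed memory interface: nat addresses and values (not the paper's model). *)
Inductive MemOp : Type -> Type :=
| Read : nat -> MemOp nat
| Write : nat -> nat -> MemOp unit.
(* A controller component that drops writes into the protected range [lo, hi). *)
Definition controller (lo hi : nat) : Component MemOp MemOp :=
  fun B e =>
    match e in MemOp T return Prog MemOp T with
    | Read a => Request (Read a) Pure
    | Write a v => if andb (Nat.leb lo a) (Nat.ltb a hi) then Pure tt
                   else Request (Write a v) Pure
    end.
(* Bottom-most model: DRAM as a total function, stepped one operation at a time. *)
Definition dram_step {R} (m : nat -> nat) (e : MemOp R) : (nat -> nat) * R :=
  match e in MemOp T return (nat -> nat) * T with
  | Read a => (m, m a)
  | Write a v => (fun a' => if Nat.eqb a' a then v else m a', tt)
  end.
Fixpoint run {A} (m : nat -> nat) (p : Prog MemOp A) : (nat -> nat) * A :=
  match p with
  | Pure x => (m, x)
  | Request e k => let (m', r) := dram_step m e in run m' (k r)
  end.
Definition client (a v : nat) : Prog MemOp nat :=
  bind (Request (Write a v) Pure) (fun _ => Request (Read a) Pure).
(* In the composed system a write into [10, 20) never reaches DRAM; one outside does. *)
Example dropped : snd (run (fun _ => 0) (realize (controller 10 20) (client 15 7))) = 0.
Proof. reflexivity. Qed.
Example landed : snd (run (fun _ => 0) (realize (controller 10 20) (client 3 7))) = 7.
Proof. reflexivity. Qed.
```

The two `Example`s are the modular-verification step in miniature: a property of the composed stack is checked without looking inside the client, which only ever speaks the `MemOp` interface.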



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Thomas Letan (1, 2)
  • Yann Régis-Gianas (3, 4)
  • Pierre Chifflier (1)
  • Guillaume Hiet (2)
  1. French Network Information Security Agency (ANSSI), Paris, France
  2. CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1, Rennes, France
  3. Univ Paris Diderot, Sorbonne Paris Cité, IRIF/PPS, UMR 8243 CNRS, Paris, France
  4. PiR2, Inria Paris-Rocquencourt, Paris, France
