3d: Dependent Data Descriptions for Verified Validation¶

Formal guarantees¶

For each message type in the source data formats, the generated C code provides a _validator_, a procedure to determine if a given input array of bytes contains a valid representation of a message, with the following properties:

• Memory safety: The validator is memory safe, meaning it never accesses memory out of bounds, accesses memory at an incompatible type, uses memory after it has been freed, etc.
• Arithmetic safety: The validator has no integer overflows or underflows.
• Double-fetch freedom: The validator reads every byte in the input array at most once, defending against certain kinds of time-of-check/time-of-use bugs.
• Write footprint: The validator does not modify the input array, and only modifies memory as described by user-controlled imperative actions that are explicit in the specification.
• No heap allocation: The validator does not allocate any memory on the heap.
• Functionally correct: The validator accepts all input arrays that contain valid representations of the message according to its specification, rejecting all others.

Default mode¶

In default mode, EverParse3d produces C code corresponding to validators proven correct with respect to the 3d specification.

Options are treated from left to right:

• --odir output_directory_name

  Tell EverParse to write all files to the directory output_directory_name. This directory must already exist (EverParse will not create it.) The default is . (current directory)

• --batch

  Verify the produced F* .fst and .fsti files and generate C .c and .h files. This is toggled by default.

• --no_batch

  Do not verify the produced F* .fst and .fsti files or generate C .c and .h files.

• --clang_format

  Call clang-format on extracted .c/.h files. This option automatically toggles --batch.

  This is toggled by default on Windows, since the Windows binary package contains a copy of clang-format. On Linux, this is toggled by default only if clang-format is reachable through the PATH environment variable.

• --no_clang_format

  Do not call clang-format on extracted .c/.h files.

• --clang_format_executable

  Provide the path to clang-format if not reachable through PATH (or to override the one provided in the Windows binary package.) This option automatically toggles --clang_format and --batch.

• --clang_format_use_custom_config

  With --clang_format, skip copying the .clang-format file from the EverParse distribution, and assume that there is already an existing .clang-format

• --cleanup

  With --batch, remove all produced intermediate files other than .c and .h` files (thus: ``.fst, .fsti, .checked, .krml)

• --no_cleanup

  Keep all produced intermediate files. This is toggled by default.

• --skip_c_makefiles

  Skip generating the default Makefiles produced by Karamel to compile the produced C code.

• --add_include <myinclude.h>

  --add_include "myinclude.h"

  Prepend each produced C file with a #include <myinclude.h> or a #include "myinclude.h" C preprocessor directive.

• --config myfile.config

  Use the specified JSON file myfile.config to declare compile-time flags (see compile-time configuration in the 3D language reference.)

• --fstar path/to/fstar.exe

  Allows to specify the location of the F* executable. The everparse.sh / everparse.cmd script in the EverParse binary package is already configured to use the F* executable provided in the package. Otherwise, the default is to use the fstar.exe found from the PATH.

• --input_stream buffer|extern|static

  Specifies the format of validator input buffers:

  • With buffer (which is the default), a validator takes as argument a byte array and its length.

  • With extern, a validator takes as argument a value of a user-defined EVERPARSE_INPUT_STREAM_BASE type, representing an input byte stream, for which the following functions need to be defined:

    extern BOOLEAN EverParseHas(
      EVERPARSE_EXTRA_T _extra_t,
      EVERPARSE_INPUT_STREAM_BASE x,
      uint64_t n
    );
    

    EverParseHas returns 1 if the input stream x has n bytes available to read, 0 otherwise.

    extern uint8_t* EverParseRead(
      EVERPARSE_EXTRA_T _extra_t,
      EVERPARSE_INPUT_STREAM_BASE x,
      uint64_t n,
      uint8_t *dst
    );
    

    EverParseRead takes and reads n bytes from the input stream x, possibly copying them into dst, and returns a byte array containing the bytes read. There is no requirement that the function returns dst, or even that a copy to dst is made. `

    extern void EverParseSkip(
      EVERPARSE_EXTRA_T _extra_t,
      EVERPARSE_INPUT_STREAM_BASE x,
      uint64_t n
    );
    

    EverParseSkip advances the input stream x by n bytes without reading them.

    extern uint8_t* EverParsePeep(
      EVERPARSE_EXTRA_T _extra_t,
      EVERPARSE_INPUT_STREAM_BASE x,
      uint64_t n
    );
    

    EverParsePeep returns a pointer to a byte array that is part of the input stream x and points to its next n bytes, then advances the input stream by n. If such operation is impossible, then returns NULL. Such a pointer is returned by the field_ptr action (see “Atomic actions” in the 3d language reference), so it is the responsibility of the application to ensure double-fetch freedom on the contents of the returned field is preserved.

    extern uint64_t EverParseEmpty(
      EVERPARSE_EXTRA_T _extra_t,
      EVERPARSE_INPUT_STREAM_BASE x
    );
    

    EverParseEmpty skips to the end of the input stream x and returns the number of bytes so skipped, without reading them.

    In all such functions, EVERPARSE_EXTRA_T is a user-defined type for the context used for error handling (see “Error handling” in the 3d language reference.)

  • static is like extern except that the functions on EVERPARSE_INPUT_STREAM_BASE are declared static.

  In any case, to compile the C code produced by EverParse, you need to add to the include path the subdirectory src/3d/prelude/<input_stream_format> of the EverParse binary package or repository; this directory contains the EverParse.h corresponding to the input stream format given by --input_stream

• --input_stream_include myinclude.h

  With --input_stream, defines the name of the C include file that provides definitions for EVERPARSE_INPUT_STREAM_BASE and its associated functions.

Alternate mode: generating a Makefile¶

By default, with --batch, given a .3d specification, EverParse produces .c and .h files by first producing .fsti and .fst files files containing verified F* specifications and implementations of validators, and then calling F* and KaRaMeL on each such file to verify and extract them to C. EverParse will issue all such calls to F* and KaRaMeL sequentially.

Alternatively, with everparse.cmd --makefile gmake Test.3d (on Windows; use ./everparse.sh on Linux), instead of producing .c and .h files, EverParse will take Test.3d and all of the modules it depends on, and produce a GNU Makefile containing all recipes and rules to produce .c and .h files and all intermediate files with proper dependencies so that the user can leverage GNU Make parallelism for any rules that do not depend on one another. Other build systems are supported with variations of the --makefile option, as stated below.

The produced Makefile will make use of three variables:

• EVERPARSE_CMD: the command to run EverParse. This variable must contain the path and name of the EverParse executable, and any options (--clang_format, etc.) useful to produce .
• EVERPARSE_INPUT_DIR: the path to the input files.

• EVERPARSE_OUTPUT_DIR: the path to the output files. EverParse will append the --odir option appropriately.
• CC: the path and name of the C compiler that will be used to compile the produced C files.
• CFLAGS: options to provide to the C compiler to compile the produced C files.

The produced Makefile, by default called EverParse.Makefile, is meant to be included in the main Makefile of your project. On Linux, such a typical main Makefile for use with GNU Make may look like:

Also valid in Makefile generation mode are the following options:

• --clang_format

  Add .clang-format as a dependency of generated .c and .h files, and produce a rule to generate .clang-format

• --clang_format_use_custom_config

  Same as --clang_format, but do not produce a rule to generate .clang-format

all: test

EVERPARSE_CMD=/path/to/everparse.sh
EVERPARSE_OUTPUT_DIR=obj
EVERPARSE_INPUT_DIR=src

everparse_makefile=$(EVERPARSE_OUTPUT_DIR)/EverParse.Makefile
source_files=$(wildcard $(EVERPARSE_INPUT_DIR)/*.3d)

$(EVERPARSE_OUTPUT_DIR):
	mkdir -p $@

$(everparse_makefile): $(source_files) $(EVERPARSE_OUTPUT_DIR)
	$(EVERPARSE_CMD) --makefile gmake --makefile_name $@ $(source_files)

include $(everparse_makefile)

test: $(EVERPARSE_ALL_O_FILES)

clean:
	rm -rf $(EVERPARSE_OUTPUT_DIR)

.PHONY: all test clean

A fully commented version of that main Makefile is available in the EverParse repository.

EverParse supports the following command-line options relevant to this mode:

• --makefile gmake: produce a Makefile for use with GNU Make.
• --makefile nmake: produce a Makefile for use with Microsoft NMAKE.
• --makefile_name my_file_name: the name of the produced Makefile shall be my_file_name instead of the default EverParse.Makefile.
• --skip_o_rules: do not output rules that would produce .o files by compiling .c files.

Alternate mode: hash checking¶

To speed up some scenarios where the user maintains a snapshot of the generated .c and .h files to skip unnecessary verification time when .3d files are not changed, EverParse provides an optional mechanism to record the hash of .3d, .c and .h files and to compare them to skip reverification and regeneration. This mechanism is disabled by default, and has to be explicitly enabled using the --check_hashes option as described below. WARNING: this mode will weaken verification guarantees to the probability of hash collisions!

If enabled, then EverParse checks the hashes of the .3d and maybe .c and .h files (depending on the variant, as described below) and fails if hashes do not match; no verification or regeneration is performed at all.

Hashes are computed and checked using the EverCrypt verified cryptographic library, which is included in EverParse binary packages.

Options relevant to this mode:

• --save_hashes: save the hashes of the contents of source .3d, .c and .h files into a .json file. This option can be added in default mode when generating .c and .h files.
• --check_hashes strong : checks the hashes of the contents of source .3d, .c and .h files, by reading the recorded hash from the .json file created by --save_hashes.
• --check_hashes weak : checks the hashes of the contents of source .3d files only, by reading the recorded hash from the .json file created by --save_hashes, leaving the option for the user to manually change the generated .c and .h files (WARNING: this will void all verification guarantees!)
• --check_hashes inplace: same as --check_hashes weak, but uses the hash recorded in the copyright header of the generated .c and .h files instead of the .json file. The hash is introduced by using the EVERPARSEHASHES keyword in the corresponding .copyright.txt used to prepend generated .c and .h files with copyright headers; see Copyright headers for more details.
• --check_inplace_hash MyFile.3d=MyFile.h: same as --check_hashes inplace, but instead manually specifies the pair of the source .3d file and the already-generated .h (or .c) file in which to check the hash. This option can be specified several times to provide several such pairs to check.

Alternate mode: test case generation¶

Given a 3d specification, EverParse can now generate positive (resp. negative) test cases. Internally, EverParse converts the 3d specification into a SMT2 theory, and then asks Z3 for the following satisfiability question: is there any sequence of bytes passing (resp. failing) the parser specification?

The following options are mutually exclusive:

• --z3_test MyModule.my_parser

  (requires MyModule.3d to be specified on the command line) produces positive and negative test cases for my_parser defined in MyModule.3d .

  This option produces the following results:

  • a series of binary files containing the contents of each test case. Each binary file is named as follows:

    witness.n.POS.i.validatorname.args.dat

    where:

    • n is the test case number

    • POS (resp. NEG) indicates a positive (resp. negative) test case

    • i is a probe counter: 0 corresponds to the input buffer passed to the validator; a positive value corresponds to the i-th time a probe 3d construct is encountered. (If the 3d specification contains no probe construct, then only the 0 file will be created for each test case.)

      More precisely, when encountering a T *ptr probe ProbeFunction(length = ..., destination = ...) pointer field, the binary contents for that field in a test case is the big-endian representation of a positive 64-bit integer i so that the contents of the file with probe index i is meant to be passed to the validator for T.

    • validatorname is the name of the validator function produced by EverParse. It has the shape ModuleValidateMyParser

    • args is the sequence of the non-outparameter argument values passed to the validator, separated by . ; all of those argument values are integers.

  • a C test program, testcases.c, that produces C definitions of the test cases, and calls to the validator with those test cases.

    A given test case is an array of layers; a layer is a byte array and its length. Layer 0 contains the byte array passed to the validator; layer of a positive index i contains the byte array passed to the validator corresponding to the i-th time a probe pointer field is encountered.

  • with --batch (set by default when using the everparse.sh / everparse.bat script from the binary package), this option also compiles the C test program into test.exe and runs it to check whether the generated test cases are actually accepted or rejected by the verified validator implementations for the given 3d parser specifications. Then, the test program prints on standard output the C definitions of the test cases.

    Use --no_batch to disable compilation of the C test program.

• --z3_diff_test MyModule1.my_parser1,MyModule2.my_parser2

  (requires MyModule1.3d and MyModule2.3d to be specified on the command line) produces a set of test cases that are positive for my_parser1 but negative for my_parser2, and a set of test cases for the converse.

  The shape of the produced results is similar to those produced by --z3_test (see above), except that the test file name also contains the name of the second validator against which it is negative.

• --emit_smt_encoding

  produces the SMT2 encoding corresponding to the .3d files passed as argument. Such encoding is printed on standard output.

• --test_checker MyModule.my_parser

  (requires MyModule.3d to be specified on the command line) produces a test checker executable for the given parser, test.exe. The test checker takes as arguments:

  • a binary file name containing the contents of the input buffer to be passed to the validator
  • the non-outparameter integer argument values to be passed to the validator

  The test checker executable returns exit code:

  • 0 if validation succeeds and consumes all input bytes
  • 1 if validation succeeds but the validator does not consume all input bytes
  • 2 if validation fails
  • 3 if the input file is larger than 4 GB, or if any system error occurs (file does not exist, read error, etc.)

  Note

  The test checker executable currently does not work with 3d specifications containing probes.

Alternate mode: help and version¶

Some options make EverParse do nothing other than show a help or version message:

• --version

  Print the version of EverParse/3d and exit (do not process any further options to the right, nor any files at all.)

• --help

  Show the usage message and the status of some options given so far, and exit (do not process any further options to the right, nor any files at all.)