Improved Tool Support for Machine-Code Decompilation in HOL4

The HOL4 interactive theorem prover provides a sound logical environment for reasoning about machine-code programs. The rigour of HOL’s LCF-style kernel naturally guarantees very high levels of assurance, but it does present challenges when it comes implementing efficient proof tools. This paper presents improvements that have been made to our methodology for soundly decompiling machine-code programs to functions expressed in HOL logic. These advancements have been facilitated by the development of a domain specific language, called L3, for the specification of Instruction Set Architectures (ISAs). As a result of these improvements, decompilation is faster (on average by one to two orders of magnitude), the instruction set specifications are easier to write, and the proof tools are easier to maintain. Traditional formal software verification has primarily focussed on developing and using formalisations of high-level programming languages, with formal reasoning occurring at the level of the programmer. However, in some high-assurance applications, such language formalisations could be too abstract or unrealistic, and the trustworthiness of compilers may come into play. These issues can be addressed by using a verified compiler, see [9] and [8]. However, an alternative approach is to work directly with machine-code, which could be generated by any compiler for a particular platform. This has the advantage that one does not have to formalise the semantics of high-level source languages, and formal reasoning relates more directly to the code that is actually being run. The success of this approach hinges upon the ability to accurately formalise a processor’s instruction set and on the ability to overcome the challenges of working with lowlevel code, which is less structured and replete with platform specific details. To this end, Magnus Myreen has developed an approach for soundly decompiling machine-code using the HOL4 interactive theorem prover, see [12]. Commercial instruction set architectures are large and complex, with reference manuals running to thousands of pages in length. We use the L3 domain specific language to formally specify ISAs, see [4]. Details of our current ISA formalisations can be found in Sections 2 and 8. Each architecture has its own idiosyncrasies, which must be accommodated when writing proof automation for a theorem prover. In this paper our main working instruction set is ARMv7-A 1 For example, 2736 pages for ARMv7-A, 5242 pages for ARM-v8 (which contains a full description of the legacy AArch32 mode) and 3020 pages for x86.