Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

Similar presentations


Presentation on theme: "1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,"— Presentation transcript:

1 1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner

2 2 Kernel DD HW DD HW Static Driver Verifier

3 3 Static Driver Verifier (a.k.a. SDV): A compile-time correctness checking tool based on deep semantic analysis via symbolic model checking Now available on the latest Windows DDK beta Static Driver Verifier

4 4 Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers: SDV operates on the driver’s source code SDV is completely automatic SDV checks that drivers do not violate a set of “kernel API usage rules” Attempts to prove the correctness of the driver with the SLAM software model checker

5 5 Static Driver Verifier other.h driver.h driver.c Driver sources SDV X X X X

6 6 Static Driver Verifier

7 7

8 8

9 9

10 10

11 11

12 12

13 13

14 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

22 22

23 23

24 24

25 25

26 26

27 27

28 28

29 29 Outline Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

30 30 Outline Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

31 31 Static Driver Verifier other.h driver.h driver.c Driver sources SDV X X X X

32 32 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X Driver sources

33 33 Static Driver Verifier: Rules Expressed in an event-based language Possible events:  Function entry  Function exit The code associated with events call the function error() to indicate a violation: IoCallDriver.entry { if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction ==IRP_MJ_POWER) { error(); }

34 34 Static Driver Verifier: Rules

35 35 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X

36 36 Static Driver Verifier: OS model Provides the main function Abstract implementations of kernel APIs (like IoCallDriver) Models some aspects of the OS state, like the “interrupt request level” (IRQL) Uses non-deterministic choice

37 37 Static Driver Verifier: OS model

38 38 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X

39 39 Static Driver Verifier: SLAM Symbolic model checker for C Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search Algorithm = Predicate Abstraction + Counter-example based refinement + Symbolic reachability for Boolean programs Simplifying (unsound) assumptions:  C unions are ignored  Memory layout is not known: pointer arithmetic is largely ignored  Coincidental pointer aliasing is ignored, purposeful aliasing is not  Functions cannot be called both by name and pointer  The OS model does not exercise all paths possible in practice

40 40 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

41 41 Static Driver Verifier: SLAM int locked = 0; AcquireLock.entry { if (locked==1) { error(); } else { locked=1; } ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; }

42 42 SLAM Static Driver Verifier: SLAM

43 43 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Check Step Driver passes rule Rule violation foundOS model Driver sources Rule Instrumen t Step

44 44 Static Driver Verifier: SLAM int locked = 0; if (locked==1) { error(); } else { locked=1; } if (locked==0) { error(); } else { locked=0; } int locked = 0; AcquireLock.entry { if (locked==1) { error(); } else { locked=1; } ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; } void AcquireLock() { …………… } void ReleaseLock() { …………… } void main() { …………… void AcquireLock() { ……………… } void ReleaseLock() { ……………… } void main() { …………… Are these reachable?

45 45 Static Driver Verifier: SLAM SLAM Refine Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Abstract Step

46 46 rst=0; !rst a = b = c = a

47 47 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Check Step

48 48 Static Driver Verifier: SLAM Reachable state-space for steps <1

49 49 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3

50 50 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6

51 51 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6 Reachable state-space for steps <7 Reachable state- space for steps <8

52 52 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6 Reachable state-space for steps <7 Reachable state- space for steps <8 Reachable state- space for steps <9 State where PC is at a call to error()

53 53 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

54 54 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

55 55 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

56 56 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

57 57 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

58 58 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

59 59 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

60 60 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

61 61 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

62 62 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

63 63 Static Driver Verifier: SLAM SLAM Abstract Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Refine Step

64 64 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

65 65 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

66 66 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

67 67 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

68 68 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

69 69 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

70 70 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

71 71 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

72 72 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

73 73 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

74 74 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

75 75 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a

76 76 Static Driver Verifier: SLAM SLAM Refine Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Abstract Step

77 77 int a,b,c,rst,cnt; cnt = 0; void main() { for(;;) { AcquireLock(); while( ) { f1(); f2(); f3(); if ( ) { ReleaseLock(); } g(); } Static Driver Verifier: SLAM v0=1; v0 * v0=0; State space = 2^(1 + #bits(pc)) + stack bool v0; // represents rst==0 rst=0; !rst a = b = c = a

78 78 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Check Step

79 79 Static Driver Verifier: SLAM Reachable state-space for steps

80 80 Static Driver Verifier: SLAM Reachable state-space for steps

81 81 Static Driver Verifier: SLAM Reachable state-space for steps

82 82 Static Driver Verifier: SLAM Reachable state-space for steps

83 83 Static Driver Verifier: SLAM The abstraction contains only the PC and these three state bits  locked>0  locked==0  rst==0 Abstracted away  Much of f1(), f2(), f3(), g(),  cnt,  a, b, c  Potential values from rst From this abstraction we can reasons that the original C program is also correct

84 84 Outline Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

85 85 Outline Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

86 86 Conclusion SDV  A compile-time tool that finds bugs in device drivers  Kernel API usage rules + the SLAM model checker  Released on the latest DDK beta  Subsequent releases will support additional driver models

87 87 Conclusion In the paper  More information on how SDV works  More information on what SDV checks, what it doesn’t check, and why.  Data from experiments with SDV on ~100 device drivers  Information about new work to support new driver models

88 88 Conclusion What’s next for SDV/SLAM-like tools within Microsoft? Proving deeper properties about programs that manipulate the heap SLAM-like tools with better support for concurrency Liveness properties & termination Contracts/specifications for additional APIs


Download ppt "1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,"

Similar presentations


Ads by Google