Published by Esmond Clark. Modified over 9 years ago.
1 Thorough Static Analysis of Device Drivers
Byron Cook, Microsoft Research (bycook@microsoft.com)
Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner
2 [Diagram: the kernel, device drivers (DD) and hardware (HW), with Static Driver Verifier applied to the drivers]
3 Static Driver Verifier
Static Driver Verifier (a.k.a. SDV): a compile-time correctness checking tool based on deep semantic analysis via symbolic model checking. Now available on the latest Windows DDK beta.
4 Static Driver Verifier
Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers:
SDV operates on the driver's source code
SDV is completely automatic
SDV checks that drivers do not violate a set of "kernel API usage rules"
SDV attempts to prove the correctness of the driver with the SLAM software model checker
5 Static Driver Verifier
[Diagram: SDV takes the driver sources (driver.c, driver.h, other.h) as input and marks rule violations (X) in the code]
29 Outline
Introduction to Static Driver Verifier
Static Driver Verifier internals
Conclusion & Discussion
32 Static Driver Verifier
[Diagram: SDV = Rules + the SLAM model checker + an OS model, applied to the driver sources (driver.c, driver.h, other.h); violations are marked (X) in the code]
33 Static Driver Verifier: Rules
Rules are expressed in an event-based language. Possible events: function entry, function exit.
The code associated with an event calls the function error() to indicate a violation. In the rule below, $2 denotes the second argument of IoCallDriver, the IRP being passed down:

    IoCallDriver.entry {
        if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
            error();
        }
    }
36 Static Driver Verifier: OS model
Provides the main function
Abstract implementations of kernel APIs (like IoCallDriver)
Models some aspects of the OS state, like the "interrupt request level" (IRQL)
Uses non-deterministic choice
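As an added example (not from the deck, and not SDV's own code), here is what the rule of slide 33 and the OS model of this slide look like when spelled out in C. The kernel structures, the two driver dispatch routines and the set of IRP major functions the harness tries are stand-ins invented for this example; IRP_MJ_POWER, IoCallDriver and PoCallDriver are real DDK names. SLAM treats the non-deterministic choice symbolically; this harness simply enumerates every value of it.

```c
/*
 * Added example: an SDV-style "OS model" harness with the IoCallDriver rule
 * from slide 33 instrumented into the kernel API stub.  Everything here is a
 * stand-in written for this example (not real DDK headers, not SDV code).
 */
#include <stddef.h>
#include <stdio.h>

/* Major function codes; the values match the DDK's. */
enum { IRP_MJ_READ = 0x03, IRP_MJ_DEVICE_CONTROL = 0x0E, IRP_MJ_POWER = 0x16 };

/* Minimal stand-ins for the DDK structures the rule dereferences. */
typedef struct { unsigned char MajorFunction; } IO_STACK_LOCATION;
typedef struct {
    struct { struct { IO_STACK_LOCATION *CurrentStackLocation; } Overlay; } Tail;
} IRP;
typedef struct { int id; } DEVICE_OBJECT;
typedef int NTSTATUS;
#define STATUS_SUCCESS 0

/* Rule state: SLIC's error() is modelled as a counter the harness can read. */
static int rule_violations;
static void error(void) { rule_violations++; }

/*
 * Abstract implementation of IoCallDriver (the OS model).  Its first action is
 * the IoCallDriver.entry event code from slide 33; $2 is the IRP argument.
 * The real call is not modelled, only a status is returned.
 */
static NTSTATUS IoCallDriver(DEVICE_OBJECT *lower, IRP *irp) {
    if (irp->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
        error();
    }
    (void)lower;
    return STATUS_SUCCESS;
}

/* PoCallDriver is the DDK's API for passing power IRPs down; no rule attaches here. */
static NTSTATUS PoCallDriver(DEVICE_OBJECT *lower, IRP *irp) {
    (void)lower; (void)irp;
    return STATUS_SUCCESS;
}

/* Two hypothetical driver dispatch routines: the "driver sources" under test. */
typedef NTSTATUS (*DISPATCH_FN)(DEVICE_OBJECT *, IRP *);

/* Forwards every IRP with IoCallDriver, power IRPs included: violates the rule. */
static NTSTATUS BuggyDispatch(DEVICE_OBJECT *lower, IRP *irp) {
    return IoCallDriver(lower, irp);
}

/* Routes power IRPs through PoCallDriver: satisfies the rule. */
static NTSTATUS FixedDispatch(DEVICE_OBJECT *lower, IRP *irp) {
    if (irp->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
        return PoCallDriver(lower, irp);
    }
    return IoCallDriver(lower, irp);
}

/*
 * The OS model's main(): builds an IRP whose major function is chosen
 * non-deterministically and hands it to the driver.  Here the choice is
 * enumerated exhaustively.  Returns the number of rule violations found.
 */
int os_model_check(DISPATCH_FN dispatch) {
    static const unsigned char majors[] = { IRP_MJ_READ, IRP_MJ_DEVICE_CONTROL, IRP_MJ_POWER };
    DEVICE_OBJECT lower = { 1 };
    rule_violations = 0;
    for (size_t i = 0; i < sizeof majors; i++) {
        IO_STACK_LOCATION stack = { majors[i] };
        IRP irp;
        irp.Tail.Overlay.CurrentStackLocation = &stack;
        dispatch(&lower, &irp);
    }
    return rule_violations;
}

int main(void) {
    printf("BuggyDispatch: %d rule violation(s)\n", os_model_check(BuggyDispatch));
    printf("FixedDispatch: %d rule violation(s)\n", os_model_check(FixedDispatch));
    return 0;
}
```

The three pieces of slide 32 are visible here: the rule lives in the event code at the top of the API stub, the OS model is the stub plus the harness that drives the driver's entry points, and the driver is the only part that is not hand-written for the check.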
39 Static Driver Verifier: SLAM
Symbolic model checker for C
Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search
Algorithm = Predicate Abstraction + Counter-example based refinement + Symbolic reachability for Boolean programs
Simplifying (unsound) assumptions:
  C unions are ignored
  Memory layout is not known: pointer arithmetic is largely ignored
  Coincidental pointer aliasing is ignored, purposeful aliasing is not
  Functions cannot be called both by name and by pointer
  The OS model does not exercise all paths possible in practice
40 Static Driver Verifier: SLAM
    void main() {
        int a, b, c, rst, cnt;
        cnt = 0;
        for (;;) {
            AcquireLock();
            rst = 0;
            while (!rst) {
                a = f1();
                b = f2();
                c = f3();
                if (a < b && b < c) {
                    rst = 1;
                    ReleaseLock();
                }
                g();
            }
        }
    }
Assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock
41 Static Driver Verifier: SLAM
Locking rule: a lock must not be acquired while held, nor released while not held.
    int locked = 0;

    AcquireLock.entry {
        if (locked == 1) {
            error();
        } else {
            locked = 1;
        }
    }

    ReleaseLock.entry {
        if (locked == 0) {
            error();
        } else {
            locked = 0;
        }
    }
43 Static Driver Verifier: SLAM
[Diagram: the SLAM loop. Inputs: driver sources, OS model, rule. Instrument step -> Abstract step -> Check step; the check either reports "Driver passes rule", reports "Rule violation found", or goes to the Refine step, which feeds back into the Abstract step. Highlighted: Instrument step]
44 Static Driver Verifier: SLAM
Instrument step: the rule's state variable and its entry-event code are inlined into the program at every matching function, so a rule violation becomes a reachable call to error():

    int locked = 0;

    void AcquireLock() {
        if (locked == 1) {
            error();
        } else {
            locked = 1;
        }
        ……………
    }

    void ReleaseLock() {
        if (locked == 0) {
            error();
        } else {
            locked = 0;
        }
        ……………
    }

    void main() {
        ……………
    }

Are these calls to error() reachable?
45 Static Driver Verifier: SLAM
[Diagram: the SLAM loop again. Highlighted: Abstract step]
46 Static Driver Verifier: SLAM
Abstract step: the first abstraction keeps only the program counter (together with the rule's locked variable from the instrument step). The data variables a, b, c, rst, cnt and the conditions !rst and a<b && b<c are abstracted away; each condition becomes the non-deterministic choice *:

    void main() {
        for (;;) {
            AcquireLock();
            while (*) {
                f1();
                f2();
                f3();
                if (*) {
                    ReleaseLock();
                }
                g();
            }
        }
    }

Abstracted away: int a,b,c,rst,cnt; cnt = 0; rst = 0; !rst; a = ...; b = ...; c = ...; a<b && b<c; rst = 1;
State space = 2^(#bits(pc)) + stack
47 Static Driver Verifier: SLAM
[Diagram: the SLAM loop again. Highlighted: Check step]
48 Static Driver Verifier: SLAM
Check step: symbolic reachability computes the reachable state-space for steps <1, <2, <3, ... <9 as a growing sequence of sets. [Animation: nested regions for steps <1 through <9.] At steps <9 the set contains a state where the PC is at a call to error(), so the check reports a rule violation; whether it is real or an artifact of the abstraction is decided in the refine step.
53 Static Driver Verifier: SLAM
Counterexample: the path to error() is traced through the Boolean program. [Animation: the path is stepped through one statement at a time.]

    void main() {
        for (;;) {
            AcquireLock();
            while (*) {
                f1();
                f2();
                f3();
                if (*) {
                    ReleaseLock();
                }
                g();
            }
        }
    }
63 Static Driver Verifier: SLAM
[Diagram: the SLAM loop again. Highlighted: Refine step]
64 Static Driver Verifier: SLAM
Refine step: the counterexample is replayed on the original C program, accumulating the facts that must hold along the path. [Animation: the path is stepped through with the facts cnt==0, then rst==0, then !(rst==0) appearing beside it.]

    void main() {
        int a, b, c, rst, cnt;
        cnt = 0;
        for (;;) {
            AcquireLock();            // locked becomes 1
            rst = 0;                  // facts on the path: cnt==0, rst==0
            while (!rst) {            // the counterexample leaves the loop here, which needs !(rst==0)
                a = f1();
                b = f2();
                c = f3();
                if (a < b && b < c) {
                    rst = 1;
                    ReleaseLock();
                }
                g();
            }
        }                             // back to AcquireLock() with locked==1: error()
    }

Along the path both rst==0 and !(rst==0) must hold, so the counterexample is infeasible in the C program: the abstraction lost the value of rst.
New predicate to track: main { rst==0 }
76 Static Driver Verifier: SLAM
[Diagram: the SLAM loop again. Highlighted: Abstract step, second iteration]
77 Static Driver Verifier: SLAM
Abstract step, second iteration: a Boolean variable v0 now represents the predicate rst==0. The assignments rst = 0 and rst = 1 become v0 = 1 and v0 = 0, and the loop condition !rst becomes v0; a<b && b<c is still abstracted to *:

    bool v0;   // represents rst==0

    void main() {
        for (;;) {
            AcquireLock();
            v0 = 1;                   // rst = 0
            while (v0) {              // !rst
                f1();
                f2();
                f3();
                if (*) {              // a<b && b<c
                    v0 = 0;           // rst = 1
                    ReleaseLock();
                }
                g();
            }
        }
    }

Abstracted away: int a,b,c,rst,cnt; cnt = 0; a = ...; b = ...; c = ...; a<b && b<c
State space = 2^(1 + #bits(pc)) + stack
78 Static Driver Verifier: SLAM
[Diagram: the SLAM loop again. Highlighted: Check step, second iteration]
79 Static Driver Verifier: SLAM
Check step, second iteration: the reachable state-space is computed again for steps <n, <n+1, ... <n+5. [Animation: nested regions.] The set for steps <n+5 equals the set for steps <n+4: a fixpoint has been reached, and no state with the PC at a call to error() is in it.
83 Static Driver Verifier: SLAM
The abstraction contains only the PC and these three state bits:
  locked>0
  locked==0
  rst==0
Abstracted away:
  Much of f1(), f2(), f3(), g()
  cnt, a, b, c
  The other possible values of rst
From this abstraction we can reason that the original C program is also correct with respect to the locking rule.
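The whole instrument / abstract / check / refine loop of slides 43 to 83 can be replayed in a few dozen lines of C. The block below is an added example, not code from the deck or from SLAM: it hand-encodes the two Boolean programs of slides 46 and 77 as a transition system over (pc, locked, v0) and runs an explicit-state breadth-first reachability in place of SLAM's symbolic check. The refinement itself, choosing rst==0 as the new predicate, is taken from slide 75 rather than computed; the names and the state encoding are this example's own.

```c
/* Added example: explicit-state replay of SLAM's instrument / abstract / check /
 * refine loop on the locking example of slides 40-83.  Not SLAM code: the two
 * Boolean programs are hand-encoded and the refinement predicate rst==0 is the
 * one slide 75 reports, not one discovered here. */
#include <stdio.h>
#include <string.h>

/* PC values of the Boolean program for slide 40's main(); f1..f3 and g are
 * abstracted away because they never touch the lock. */
enum Pc { PC_ACQUIRE = 0, PC_RST0, PC_WHILE, PC_BODY, PC_IF, PC_RST1,
          PC_RELEASE, PC_G, PC_ERROR, PC_COUNT };

/* Abstract state: PC, the rule's locked bit, v0 = predicate rst==0 (if tracked). */
typedef struct { int pc, locked, v0; } State;
#define MAX_STATES (PC_COUNT * 2 * 2)
static int encode(State s) { return (s.pc * 2 + s.locked) * 2 + s.v0; }

/* Successors of s.  track_rst == 0 is slide 46's abstraction (both conditions
 * are '*'); track_rst == 1 is slide 77's (rst=0 / rst=1 become v0=1 / v0=0 and
 * the loop test is v0).  Writes at most two successors to out. */
static int successors(State s, int track_rst, State out[2]) {
    int n = 0;
    State t = s;
    switch (s.pc) {
    case PC_ACQUIRE:   /* AcquireLock.entry rule: a held lock must not be re-acquired */
        if (s.locked) t.pc = PC_ERROR; else { t.locked = 1; t.pc = PC_RST0; }
        out[n++] = t; break;
    case PC_RST0:      /* rst = 0 */
        if (track_rst) t.v0 = 1;
        t.pc = PC_WHILE; out[n++] = t; break;
    case PC_WHILE:     /* while (!rst): enter, or leave and let for(;;) re-acquire */
        if (!track_rst || s.v0)  { t.pc = PC_BODY;    out[n++] = t; }
        if (!track_rst || !s.v0) { t.pc = PC_ACQUIRE; out[n++] = t; }
        break;
    case PC_BODY:      /* a = f1(); b = f2(); c = f3(); */
        t.pc = PC_IF; out[n++] = t; break;
    case PC_IF:        /* if (a<b && b<c): never tracked, so '*' */
        t.pc = PC_RST1; out[n++] = t;
        t.pc = PC_G;    out[n++] = t; break;
    case PC_RST1:      /* rst = 1 */
        if (track_rst) t.v0 = 0;
        t.pc = PC_RELEASE; out[n++] = t; break;
    case PC_RELEASE:   /* ReleaseLock.entry rule: an unheld lock must not be released */
        if (!s.locked) t.pc = PC_ERROR; else { t.locked = 0; t.pc = PC_G; }
        out[n++] = t; break;
    case PC_G:         /* g(); then back to the loop test */
        t.pc = PC_WHILE; out[n++] = t; break;
    default: break;    /* PC_ERROR is absorbing */
    }
    return n;
}

/* Check step: breadth-first reachability, the "reachable state-space for
 * steps < n" sequence of slides 48-52 and 79-82, run to a fixpoint.  Returns
 * the step at which error() first becomes reachable, or -1 if the fixpoint has
 * no error state; *explored gets the number of abstract states reached. */
static int check(int track_rst, int *explored) {
    char seen[MAX_STATES] = { 0 };
    State frontier[MAX_STATES], next[MAX_STATES];
    State init = { PC_ACQUIRE, 0, 0 };
    int nf = 1, depth = 0, total = 1;
    frontier[0] = init;
    seen[encode(init)] = 1;
    while (nf > 0) {
        int nn = 0;
        for (int i = 0; i < nf; i++) {
            State succ[2];
            int k = successors(frontier[i], track_rst, succ);
            for (int j = 0; j < k; j++) {
                if (succ[j].pc == PC_ERROR) { *explored = total; return depth + 1; }
                if (!seen[encode(succ[j])]) {
                    seen[encode(succ[j])] = 1;
                    next[nn++] = succ[j];
                    total++;
                }
            }
        }
        memcpy(frontier, next, (size_t)nn * sizeof(State));
        nf = nn;
        depth++;
    }
    *explored = total;
    return -1;
}

/* Steps until error() is reachable in the abstraction, or -1 if never. */
int error_depth(int track_rst) { int n; return check(track_rst, &n); }

/* Size of the reachable abstract state set when the check stopped. */
int states_explored(int track_rst) { int n; check(track_rst, &n); return n; }

int main(void) {
    printf("{pc, locked}: error() reachable after %d steps; spurious, refine with rst==0\n",
           error_depth(0));
    printf("{pc, locked, rst==0}: error_depth=%d (fixpoint, passes rule), %d states\n",
           error_depth(1), states_explored(1));
    return 0;
}
```

Without the predicate, the shortest abstract path to error() is AcquireLock, rst=0, leave the loop via *, AcquireLock again with locked==1: the spurious counterexample of slide 64. With v0 tracking rst==0 the loop can only be left after rst=1 and ReleaseLock have run, the reachable set closes after ten abstract states, and error() is never in it, which is the fixpoint argument of slides 79 to 83. In the real SLAM the sets are BDD-represented and the predicate is discovered by a theorem prover from the infeasible path, but the shape of the loop is the same.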
84 Outline
Introduction to Static Driver Verifier
Static Driver Verifier internals
Conclusion & Discussion
86 Conclusion
SDV: a compile-time tool that finds bugs in device drivers
Kernel API usage rules + the SLAM model checker
Released on the latest DDK beta
Subsequent releases will support additional driver models
87 Conclusion
In the paper:
More information on how SDV works
More information on what SDV checks, what it doesn't check, and why
Data from experiments with SDV on ~100 device drivers
Information about new work to support new driver models
88 Conclusion
What's next for SDV/SLAM-like tools within Microsoft?
Proving deeper properties about programs that manipulate the heap
SLAM-like tools with better support for concurrency
Liveness properties & termination
Contracts/specifications for additional APIs