1 Thorough Static Analysis of Device Drivers. Byron Cook – Microsoft Research, bycook@microsoft.com. Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner

2 Static Driver Verifier (diagram: the kernel, device drivers (DD) and hardware (HW); no further transcript text)

3 Static Driver Verifier (a.k.a. SDV): a compile-time correctness-checking tool based on deep semantic analysis via symbolic model checking. Now available on the latest Windows DDK beta.

4 Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers:
 SDV operates on the driver’s source code
 SDV is completely automatic
 SDV checks that drivers do not violate a set of “kernel API usage rules”
 SDV attempts to prove the correctness of the driver with the SLAM software model checker

5 Static Driver Verifier (diagram: the driver sources other.h, driver.h and driver.c are fed to SDV, which marks the defects it reports with X)

6–28 Static Driver Verifier (slides with no transcript text)

29–30 Outline: Introduction to Static Driver Verifier; Static Driver Verifier internals; Conclusion & Discussion

31–32 Static Driver Verifier (diagram: the driver sources other.h, driver.h and driver.c are checked by SDV, which is built from three parts: SDV Rules, the SLAM model checker and an OS model; reported defects are marked X)

33–34 Static Driver Verifier: Rules
 Expressed in an event-based language
 Possible events: function entry, function exit
 The code associated with an event calls the function error() to indicate a violation; in this rule $2 denotes the second argument of IoCallDriver:

    IoCallDriver.entry {
      if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
        error();
      }
    }


36–37 Static Driver Verifier: OS model
 Provides the main function
 Abstract implementations of kernel APIs (like IoCallDriver)
 Models some aspects of the OS state, like the “interrupt request level” (IRQL)
 Uses non-deterministic choice


39 Static Driver Verifier: SLAM
 Symbolic model checker for C
 Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search
 Algorithm = predicate abstraction + counter-example based refinement + symbolic reachability for Boolean programs
 Simplifying (unsound) assumptions:
   C unions are ignored
   Memory layout is not known: pointer arithmetic is largely ignored
   Coincidental pointer aliasing is ignored; purposeful aliasing is not
   Functions cannot be called both by name and by pointer
   The OS model does not exercise all paths possible in practice

40 Static Driver Verifier: SLAM. The running example (assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock):

    void main() {
      int a,b,c,rst,cnt;
      cnt = 0;
      for(;;) {
        AcquireLock();
        rst=0;
        while(!rst) {
          a = f1(); b = f2(); c = f3();
          if (a<b && b<c) {
            rst=1;
            ReleaseLock();
          }
          g();
        }
      }
    }

41 Static Driver Verifier: SLAM. The locking rule to check against the example:

    int locked = 0;
    AcquireLock.entry {
      if (locked==1) { error(); } else { locked=1; }
    }
    ReleaseLock.entry {
      if (locked==0) { error(); } else { locked=0; }
    }
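The two rules on slides 33 and 41 are written in SDV's event-based rule language. The following Python interpreter is an added example, not SDV's rule engine: it represents a rule as an initial state plus handlers keyed by "Function.entry" / "Function.exit", runs the rule over a constructed trace of driver events, and reports the index of the first event at which error() fires. The names check_trace, LOCK_RULE, POWER_RULE and the flattened IRP dictionary are assumptions of this example; the real IRP field path on slide 33 is $2->Tail.Overlay.CurrentStackLocation->MajorFunction.

```python
# Added example, not SDV's rule engine: a small interpreter for event-based
# rules in the style of slides 33 and 41. A rule has a state and handlers keyed
# by "<Function>.entry" / "<Function>.exit"; a handler receives the rule state
# and the call's arguments ($1, $2, ... on the slides) and calls error() on a
# violation.

class RuleViolation(Exception):
    """Raised by error() so the interpreter stops at the violating event."""

def error():
    raise RuleViolation()

# --- Rule 1: the locking rule transcribed from slide 41 ----------------------
def acquire_entry(state, args):
    if state["locked"] == 1:
        error()                      # AcquireLock while already locked
    state["locked"] = 1

def release_entry(state, args):
    if state["locked"] == 0:
        error()                      # ReleaseLock while not locked
    state["locked"] = 0

LOCK_RULE = {
    "init": {"locked": 0},
    "AcquireLock.entry": acquire_entry,
    "ReleaseLock.entry": release_entry,
}

# --- Rule 2: the IoCallDriver rule from slide 33 ------------------------------
# The IRP's current stack location is flattened to a dict here (an assumption of
# this example; the slide reads $2->Tail.Overlay.CurrentStackLocation).
IRP_MJ_POWER = "IRP_MJ_POWER"

def iocalldriver_entry(state, args):
    irp = args[1]                    # $2: the second argument of IoCallDriver
    if irp["MajorFunction"] == IRP_MJ_POWER:
        error()

POWER_RULE = {
    "init": {},
    "IoCallDriver.entry": iocalldriver_entry,
}

def check_trace(rule, trace):
    """Run a rule over a trace of (function, event, args) triples.
    Returns the index of the first violating event, or None if the rule holds."""
    state = dict(rule["init"])
    for i, (func, event, args) in enumerate(trace):
        handler = rule.get(f"{func}.{event}")
        if handler is None:          # no handler: the rule ignores this event
            continue
        try:
            handler(state, args)
        except RuleViolation:
            return i
    return None

# Constructed traces (not captured from a real driver).
GOOD_TRACE = [
    ("AcquireLock", "entry", ()), ("AcquireLock", "exit", ()),
    ("f1", "entry", ()), ("f1", "exit", ()),
    ("ReleaseLock", "entry", ()), ("ReleaseLock", "exit", ()),
    ("g", "entry", ()), ("g", "exit", ()),
]
DOUBLE_ACQUIRE = [
    ("AcquireLock", "entry", ()), ("AcquireLock", "exit", ()),
    ("g", "entry", ()), ("g", "exit", ()),
    ("AcquireLock", "entry", ()),    # index 4: second acquire -> error()
]
POWER_IRP_FORWARDED = [
    ("IoCallDriver", "entry", ("DeviceObject", {"MajorFunction": "IRP_MJ_READ"})),
    ("IoCallDriver", "exit", ()),
    ("IoCallDriver", "entry", ("DeviceObject", {"MajorFunction": IRP_MJ_POWER})),
]

if __name__ == "__main__":
    print(check_trace(LOCK_RULE, GOOD_TRACE))            # None
    print(check_trace(LOCK_RULE, DOUBLE_ACQUIRE))        # 4
    print(check_trace(POWER_RULE, POWER_IRP_FORWARDED))  # 2
```

Running a rule over a single trace is what the instrumented program on slide 44 does for one execution; SLAM's contribution is to decide whether any execution can reach error(), which is what the abstraction and check steps that follow are for.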

42–43 Static Driver Verifier: SLAM (flow diagram). Inputs: driver sources, OS model, rule. Steps: Instrument step → Abstract step → Check step; the Refine step feeds back into the Abstract step. Outcomes: “Driver passes rule” or “Rule violation found”.

44 Static Driver Verifier: SLAM. Instrument step: the rule’s state and entry-event code are inlined into the driver’s AcquireLock and ReleaseLock (elided bodies shown as ……………):

    int locked = 0;
    void AcquireLock() {
      if (locked==1) { error(); } else { locked=1; }
      ……………
    }
    void ReleaseLock() {
      if (locked==0) { error(); } else { locked=0; }
      ……………
    }
    void main() { …………… }

Are these calls to error() reachable?

45 Static Driver Verifier: SLAM (flow diagram; Abstract step highlighted)

46 Static Driver Verifier: SLAM. The Boolean program obtained by abstraction, where * denotes non-deterministic choice:

    void main() {
      for(;;) {
        AcquireLock();
        while( * ) {
          f1(); f2(); f3();
          if ( * ) {
            ReleaseLock();
          }
          g();
        }
      }
    }

Abstracted away (shown separately on the slide): int a,b,c,rst,cnt; cnt = 0; rst=0; !rst; a = …; b = …; c = …; a<b && b<c; rst=1. State space = 2^(#bits(pc)) + stack.

47 Static Driver Verifier: SLAM (flow diagram; Check step highlighted)

48–52 Static Driver Verifier: SLAM. Check step: the reachable state-space is computed iteratively, for steps <1, <2, <3, …, <9, until it contains a state where the PC is at a call to error().

53–62 Static Driver Verifier: SLAM (the Boolean program from slide 46, repeated across ten animation slides)

63 Static Driver Verifier: SLAM (flow diagram; Refine step highlighted)

64–75 Static Driver Verifier: SLAM. Refine step: the abstract counterexample is replayed on the original C program from slide 40. Along the path the facts cnt==0 and then rst==0 hold, yet the path leaves the while(!rst) loop, which requires !(rst==0); the counterexample is therefore spurious. New predicate to track: main { rst==0 }

76 Static Driver Verifier: SLAM (flow diagram; Abstract step highlighted)

77 Static Driver Verifier: SLAM. The Boolean program re-abstracted with the new predicate (rst=0 becomes v0=1, !rst becomes v0, rst=1 becomes v0=0; a<b && b<c is still *):

    bool v0; // represents rst==0
    void main() {
      for(;;) {
        AcquireLock();
        v0=1;
        while( v0 ) {
          f1(); f2(); f3();
          if ( * ) {
            v0=0;
            ReleaseLock();
          }
          g();
        }
      }
    }

Abstracted away (shown separately on the slide): int a,b,c,rst,cnt; cnt = 0; a = …; b = …; c = …. State space = 2^(1 + #bits(pc)) + stack.

78 Static Driver Verifier: SLAM (flow diagram; Check step highlighted)

79–82 Static Driver Verifier: SLAM. Check step again: the reachable state-space is computed for steps <n, <n+1, <n+2, <n+3, <n+4 and <n+5; the set for steps <n+5 is the same as the set for steps <n+4, so the computation has converged without reaching a call to error().

83 Static Driver Verifier: SLAM
 The abstraction contains only the PC and these three state bits: locked>0, locked==0, rst==0
 Abstracted away: much of f1(), f2(), f3(), g(); cnt; a, b, c; the potential values of rst
 From this abstraction we can conclude that the original C program is also correct with respect to the rule
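Slides 44 to 83 walk through one round of SLAM's instrument / abstract / check / refine loop on the lock example. The following Python program is an added example, not SLAM's code (SLAM works symbolically on C; this is an explicit-state model of the same two abstractions). It encodes the instrumented program of slide 44 as a transition system over program points whose abstract state is the PC plus the rule's `locked` bit and, optionally, the predicate rst==0. With rst untracked (slide 46) breadth-first reachability finds a path to error(); replaying that path on the concrete variable rst shows it leaves the loop right after rst=0, which yields the predicate of slide 75; with the predicate tracked (slide 77) error() is unreachable. The program-point labels and the names successors, find_error_path, refine and cegar are assumptions of this example.

```python
from collections import deque

# Added example, not SLAM's code: program points of the lock example from
# slides 40/44 (constructed labels for this model).
#   0: AcquireLock()            (head of for(;;); carries the rule's check)
#   1: rst = 0
#   2: while(!rst) test         (loop exit returns to program point 0)
#   3: a=f1(); b=f2(); c=f3()   (abstracted away: no effect on tracked bits)
#   4: if (a<b && b<c)          (no predicate tracks it, so it is '*')
#   5: rst = 1
#   6: ReleaseLock()            (carries the rule's check)
#   7: g()                      (then back to the while test)
ERROR = "error()"

# Abstract state = (pc, locked, rst0): `locked` is the rule variable (the bits
# locked==0 / locked>0 of slide 83); `rst0` is the predicate rst==0, or None
# when the abstraction does not track it.
def successors(state, track_rst):
    pc, locked, rst0 = state
    if pc == 0:                      # AcquireLock.entry: error if already locked
        return {(ERROR, locked, rst0)} if locked else {(1, 1, rst0)}
    if pc == 1:                      # rst = 0 makes rst==0 true
        return {(2, locked, True if track_rst else None)}
    if pc == 2:                      # while(!rst)
        if rst0 is None:             # untracked: both branches are possible ('*')
            return {(3, locked, None), (0, locked, None)}
        return {(3, locked, True)} if rst0 else {(0, locked, False)}
    if pc == 3:
        return {(4, locked, rst0)}
    if pc == 4:                      # if (a<b && b<c) is '*' in both abstractions
        return {(5, locked, rst0), (7, locked, rst0)}
    if pc == 5:                      # rst = 1 makes rst==0 false
        return {(6, locked, False if track_rst else None)}
    if pc == 6:                      # ReleaseLock.entry: error if not locked
        return {(ERROR, locked, rst0)} if not locked else {(7, 0, rst0)}
    if pc == 7:
        return {(2, locked, rst0)}
    return set()                     # error() has no successors

def find_error_path(track_rst):
    """Check step: breadth-first reachability of error() in the abstraction.
    Returns the shortest abstract trace to error(), or None if unreachable."""
    start = (0, 0, None)
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state[0] == ERROR:
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return path[::-1]
        for nxt in successors(state, track_rst):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None

def refine(path):
    """Refine step: replay the abstract trace on the concrete variable rst (the
    only variable the trace branches on). Returns None if the trace is
    feasible, otherwise the predicate whose value the abstraction lost."""
    rst = None                       # unknown until assigned
    for (pc, _, _), (nxt, _, _) in zip(path, path[1:]):
        if pc == 1:
            rst = 0
        elif pc == 5:
            rst = 1
        elif pc == 2 and rst is not None:
            took_body = (nxt == 3)
            if took_body != (rst == 0):
                return "rst==0"      # branch contradicts the concrete value
    return None

def cegar():
    """Abstract / check / refine loop over the two predicate sets on the slides."""
    track_rst = False
    for _ in range(2):
        path = find_error_path(track_rst)
        if path is None:
            return "Driver passes rule"
        if refine(path) is None:
            return "Rule violation found"
        track_rst = True             # add rst==0 and re-abstract (slide 77)
    return "undecided"

if __name__ == "__main__":
    print([s[0] for s in find_error_path(False)])   # [0, 1, 2, 0, 'error()']
    print(cegar())                                    # Driver passes rule
```

The first check finds the spurious trace AcquireLock → rst=0 → loop exit → AcquireLock, which is exactly the double-acquire that slides 64 to 75 rule out; once rst==0 is tracked, the loop can only be left after rst=1, which is only reached on the path through ReleaseLock, so neither call to error() is reachable and the driver passes the rule.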

84–85 Outline: Introduction to Static Driver Verifier; Static Driver Verifier internals; Conclusion & Discussion

86 Conclusion. SDV:
 A compile-time tool that finds bugs in device drivers
 Kernel API usage rules + the SLAM model checker
 Released on the latest DDK beta
 Subsequent releases will support additional driver models

87 Conclusion. In the paper:
 More information on how SDV works
 More information on what SDV checks, what it doesn’t check, and why
 Data from experiments with SDV on ~100 device drivers
 Information about new work to support new driver models

88 Conclusion. What’s next for SDV/SLAM-like tools within Microsoft?
 Proving deeper properties about programs that manipulate the heap
 SLAM-like tools with better support for concurrency
 Liveness properties & termination
 Contracts/specifications for additional APIs

