Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bastian Schlich Ansgar Fehnker, Ralf Huuck, and Michael Tapp (National ICT Australia) Automatic Bug Detection in Microcontroller.

Published byDerrick Quinn Modified over 9 years ago

Similar presentations

Presentation on theme: "Bastian Schlich Ansgar Fehnker, Ralf Huuck, and Michael Tapp (National ICT Australia) Automatic Bug Detection in Microcontroller."— Presentation transcript:

1 Bastian Schlich (schlich@embedded.rwth-aachen.de) Ansgar Fehnker, Ralf Huuck, and Michael Tapp (National ICT Australia) Automatic Bug Detection in Microcontroller Software by Static Program Analysis SOFSEM – 28.01.2009

2 Embedded Systems – Bugs are Pain © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University2

3 Outline © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University3 Microcontroller software [mc]square Goanna Extending Goanna Case Study

4 Microcontroller Software is Different © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University4 Often: no operating system Non-ANSI C – Embedded assembly statements – Direct memory access – Hardware-dependent extensions

5 [mc]square: Model Checking Microcontroller Assembly Code © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University5 Supports: ATMEL ATmega16, ATmega128, Infineon XC167, Intel C51, PLCs, and ASMs Object code file (assembly code), C file, and CTL formula Functional properties and extra checks (e.g., stack collisions and reserved registers) Sometimes: state-explosion http://www.embedded.rwth- aachen.de/mc_square

6 Goanna Static Analyzer © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University6 Analyses C/C++ – Including compiler extensions – Common defects similar to others 100% automatic – No annotations – Scales to millions of lines of code Unsound/incomplete, but practical Uses model checker as engine: NuSMV http://nicta.com.au/research/pr ojects/goanna/

7 C/C++ Program: Syntactical Information © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University7 var f,n f=1 n>0 f=f*n n=n-1 1 3 5 6 4 7 n=32 declaration_f declaration_n modified_n modified_f used_n used_n used_f modified_f used_n modified_n pattern matching CFG is a transition system atomic propositions

8 Static Analysis by Model Checking © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University8 transition system atomic propositions Kripke Structure + So can we model check syntax? [Schmidt and Steffen 1998]

9 The Way Goanna does It © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University9 AG (modified n => EF used n ) used n modified n model checker input language encode

10 NuSMV Encoding © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University10 MODULE fun_0(id) VAR location : { line1, line2, line3 ….} DEFINE modified_n := location in { line7, line26} used_n :=location in {line8, line17} next(location) := case location = line1 : {line2}; location = line2 : {line3}; location = line9 : {line10, line14}; … esac SPEC AG (modified_n -> EF used_n) function CFG locations label definition transition relation (CFG) property

11 Type of Checks © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University11 Static analysis inspects code automatically for – Memory corruption – Memory leaks – Security vulnerabilities – API rule violation – Coding standards violations Typically does not catch microcontroller specific problems

12 Extending Goanna: ATMEL ATmega16 © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University12 Used by, e.g.: automotive, industrial control, security, GPS, and sensor networks Features – 8 bit – 32 registers / 32 I/O registers – 1 kB SRAM, 512 EEPROM, 16 kB flash memory – 2 * 8 bit timers, 1 * 16 bit timer – 21 internal and external interrupts –...

13 Interrupt-Handling Checks (1/2) © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University13 Check for correct enabling and disabling of interrupts New patterns for Goanna – signal (deactivate interrupts) – interrupt – fnend – sei – cli

14 Interrupt-Handling Checks (2/2) © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University14 Signal ISRs should not enable or disable interrupts Interrupt ISRs should disable interrupts before enabling If Interrupt ISRs disabled interrupts, they should enable them before leaving the ISR Interrupts should not be enabled/disabled twice

15 Timer-Service Check © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University15 Checks whether timers are used correctly ATmega16 features 3 timers New patterns for Goanna – timer i – config i

16 Registers-to-Reserved Bits Checks © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University16 Checks whether reserved bits are written No real error, but may cause errors in future ATmega16 has 14 registers with reserved bits Global interrupt control register (GICR) – Bits 7...5 enable/disable external interrupts – Bits 4...2 are reserved – Bits 1...0 manage the interrupt vector table

17 Case Study © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University17 Automotive task – 4 channel speed measurement – CAN bus communication – 6 additional tasks (information on CAN and LED) ATMEL ATmega 16 + PHILIPS SJA100 CAN controller Programs developed by students in lab courses Code base (24 groups) – 475 files, 439 proper C files, 431 were checked – 97,527 LOC, 203,638 LOC after preprocessing

18 Analysis Statistics © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University18 Overall runtime for 431 files: 164 s 0.38 s per file or 1200 LOC per second Max. runtime: 1.84 s

19 Analysis Results © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University19 154 errors in the 431 analyzed files – 7 errors in interrupt handling – 4 errors in timer handling – 143 assignments to reserved bits (only by 6/24 groups) Early errors => errors in final version

20 Summary & Future Work © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University20 Software for Microcontrollers is special Model checking sometimes suffers from state explosion problem Generic static analysis misses common bugs Specific rules make a difference – Bugs which are hard to find during testing – Bugs which are relevant in the field Try out SAT encodings Extend Goanna with user language for user-defined checks Improve pointer analysis using better memory models

21 Goanna © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University21 Blends in Fast Eats bugs

22 [mc]square - Approach © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University22 Combines different formal methods Combines explicit and symbolic techniques Tailored simulators – Generate state spaces – Feature accurate models of microcontrollers – Automatically apply abstraction techniques Different counterexample representations Problem: state explosion when checking large programs

23 Static Analysis © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University23 Pros: – Fully automatic – Scales to million lines of code – Checks set of expectations – 100% code coverage Cons: – Does not give guarantees – Does not check for functional correctness CODE Static Inspector

24 Goanna: Advanced Features © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University24 Pointer alias analysis (points-to sets) (experimental) Summary-based interprocedural analysis (experimental) Interval constraint solving – Array-bounds checking – False-path elimination

25 Syntactical Information © 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University25 var f,n f=1 n>0 f=f*n n=n-1 1 3 5 6 4 7 n=32 declaration_f declaration_n modified_n modified_f used_n used_n used_f modified_f used_n modified_n CFG is a transition system atomic propositions

Download ppt "Bastian Schlich Ansgar Fehnker, Ralf Huuck, and Michael Tapp (National ICT Australia) Automatic Bug Detection in Microcontroller."

Similar presentations

M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan.

Efficient representation for formal verification of PLC programs Vincent Gourcuff, Olivier de Smet and Jean-Marc Faure LURPA – ENS de Cachan.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Programming Types of Testing.

Programming Types of Testing.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
Blackfin BF533 EZ-KIT Control The O in I/O Activating a FLASH memory “output line” Part 2.

Blackfin BF533 EZ-KIT Control The O in I/O Activating a FLASH memory “output line” Part 2.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,

Inline Assembly Section 1: Recitation 7. In the early days of computing, most programs were written in assembly code. –Unmanageable because No type checking,
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.

MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Dr. Kimberly E. Newman Hybrid Embedded wk3 Fall 2009.

Dr. Kimberly E. Newman Hybrid Embedded wk3 Fall 2009.

Similar presentations

Ads by Google