Checking the Hardware-Software Interface in Spec#
Kevin Bierhoff (CMU), Chris Hawblitzel (Microsoft Research)


Safe OS code, statically typed (?)

Figure: Singularity OS components (kernel, TCP/IP, web server, web plug-in, network driver, ...) all run in a single hardware address space.

Figure: languages placed on a Typed/Untyped versus Safe/Unsafe grid: ML, Java, LISP, C, assembler.

Network driver code that programs the device registers directly:

    uint mode = csr6.Read32();
    mode &= ~(CSR6.SR | CSR6.ST);
    csr6.Write32(mode);
    rxRing.Reset();
    csr3.Write32(rxRing.BaseAddress.ToUInt32());
    txRing.Reset();
    csr4.Write32(txRing.BaseAddress.ToUInt32());
    ...

Tulip Network Adaptor

Figure: the Tulip device's csr3 register points at the RX ring in host memory (csr4 and csr6 are also shown). Each ring entry holds an own flag, flags, size1, size2, a buffer1 address and a buffer2 address.

Safe Hardware Interaction Layer

    ...
    internal void StartRxTxMiiSym()
        requires RxConfigured && TxConfigured;
        modifies this.rxStarted, this.txStarted;
        ensures RxConfigured && TxConfigured && RxStarted && TxStarted;
    {
        csr6.Write32(CSR6.MBO | CSR6.HBD | CSR6.PS | (3u << CSR6.TR_ROLL) | CSR6.ST | CSR6.SR);
        rxStarted = txStarted = true;
    }
    ...

Figure: the network driver's safe code (Spec#) calls the SHIL (Spec#), which writes csr6 on the device.

Spec# = C# + logical annotations

Bug: SHIL pre-condition violated

    internal void ConfigureHostBus(uint cacheMask, uint busMask, uint cacheAlignment, uint burstLength)
        requires (RxStarted == false) && (TxStarted == false);
        requires (cacheMask & ~(CSR0.WIE | CSR0.RLE | CSR0.RME)) == 0;
        requires busMask == 0 || busMask == CSR0.BAR;
        requires cacheAlignment >= 0 && cacheAlignment <= 3;
        requires burstLength == 0 || burstLength == 1 || burstLength == 2 || burstLength == 4
              || burstLength == 8 || burstLength == 16 || burstLength == 32;
        ensures (RxStarted == false) && (TxStarted == false);
    {
        csr0.Write32(cacheMask | busMask | (cacheAlignment << CSR0.CAL_ROLL) | (burstLength << CSR0.PBL_ROLL));
    }

The pre-condition was violated in the original implementation and is now fixed.
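To make the slide's point concrete, here is an added Python model (not Spec# and not the Singularity driver's code) of the StartRxTxMiiSym and ConfigureHostBus contracts. Spec# discharges the requires/ensures clauses statically; the model checks the same clauses at run time, which the conclusions slide mentions as an alternative, so the ordering mistake the talk describes (reprogramming the host bus after receive and transmit have started) can be replayed and caught. Everything beyond the two slide methods is an assumption: the CSR bit positions are placeholders rather than datasheet values, the `check` helper, the `Csr` register class, the `configure_rx`/`configure_tx` methods and `stop_rx_tx` (which mirrors the earlier driver snippet) are invented for the model.

```python
"""Runtime-checked model of the SHIL contracts on the slides.
Added example: constructed Python, not Spec# and not the Singularity driver.
Spec# discharges requires/ensures statically; here the same clauses are
checked at run time, so the call order that broke ConfigureHostBus's
pre-condition in the original driver can be replayed and caught.  The CSR
bit positions are placeholders, not datasheet values.
"""


class ContractViolation(Exception):
    pass


def check(kind: str, cond: bool, clause: str) -> None:
    # kind is "requires" or "ensures"; the message names the failing clause
    if not cond:
        raise ContractViolation(kind + " " + clause)


class CSR0:  # bus-mode register (placeholder bit layout)
    WIE, RLE, RME, BAR = 1 << 24, 1 << 23, 1 << 21, 1 << 1
    CAL_ROLL, PBL_ROLL = 14, 8      # cache-alignment / burst-length field shifts


class CSR6:  # operation-mode register (placeholder bit layout)
    SR, ST = 1 << 1, 1 << 13        # start/stop receive, start/stop transmit
    TR_ROLL = 14                    # threshold field shift
    PS, HBD, MBO = 1 << 18, 1 << 19, 1 << 25


class Csr:
    """A 32-bit device register; writes are truncated like the hardware's."""

    def __init__(self) -> None:
        self.value = 0

    def Read32(self) -> int:
        return self.value

    def Write32(self, v: int) -> None:
        self.value = v & 0xFFFFFFFF


class TulipShil:
    """The slides' state predicates kept as fields on the SHIL object."""

    def __init__(self) -> None:
        self.csr0, self.csr3, self.csr4, self.csr6 = Csr(), Csr(), Csr(), Csr()
        self.rx_configured = self.tx_configured = False
        self.rx_started = self.tx_started = False

    def configure_rx(self, ring_base: int) -> None:   # assumed SHIL method
        check("requires", not self.rx_started, "!RxStarted")
        self.csr3.Write32(ring_base)
        self.rx_configured = True

    def configure_tx(self, ring_base: int) -> None:   # assumed SHIL method
        check("requires", not self.tx_started, "!TxStarted")
        self.csr4.Write32(ring_base)
        self.tx_configured = True

    def configure_host_bus(self, cache_mask: int, bus_mask: int,
                           cache_alignment: int, burst_length: int) -> int:
        check("requires", not self.rx_started and not self.tx_started,
              "RxStarted == false && TxStarted == false")
        check("requires", (cache_mask & ~(CSR0.WIE | CSR0.RLE | CSR0.RME)) == 0,
              "(cacheMask & ~(WIE | RLE | RME)) == 0")
        check("requires", bus_mask in (0, CSR0.BAR), "busMask == 0 || busMask == BAR")
        check("requires", 0 <= cache_alignment <= 3, "cacheAlignment <= 3")
        check("requires", burst_length in (0, 1, 2, 4, 8, 16, 32),
              "burstLength in {0,1,2,4,8,16,32}")
        self.csr0.Write32(cache_mask | bus_mask | (cache_alignment << CSR0.CAL_ROLL)
                          | (burst_length << CSR0.PBL_ROLL))
        check("ensures", not self.rx_started and not self.tx_started,
              "RxStarted == false && TxStarted == false")
        return self.csr0.Read32()

    def start_rx_tx_mii_sym(self) -> None:
        check("requires", self.rx_configured and self.tx_configured,
              "RxConfigured && TxConfigured")
        self.csr6.Write32(CSR6.MBO | CSR6.HBD | CSR6.PS | (3 << CSR6.TR_ROLL)
                          | CSR6.ST | CSR6.SR)
        self.rx_started = self.tx_started = True
        check("ensures", self.rx_configured and self.tx_configured
              and self.rx_started and self.tx_started,
              "RxConfigured && TxConfigured && RxStarted && TxStarted")

    def stop_rx_tx(self) -> None:
        # Same register sequence as the driver snippet: clear SR and ST only.
        mode = self.csr6.Read32()
        mode &= ~(CSR6.SR | CSR6.ST)
        self.csr6.Write32(mode)
        self.rx_started = self.tx_started = False


def correct_bringup() -> TulipShil:
    """Host bus set up before RX/TX start: every pre-condition holds."""
    dev = TulipShil()
    dev.configure_host_bus(CSR0.RLE | CSR0.RME, CSR0.BAR, 1, 8)
    dev.configure_rx(0x1000)
    dev.configure_tx(0x2000)
    dev.start_rx_tx_mii_sym()
    return dev


def buggy_bringup() -> str:
    """Reconfigure the host bus while RX/TX run; returns the clause that fired."""
    dev = correct_bringup()
    try:
        dev.configure_host_bus(0, 0, 0, 0)
    except ContractViolation as e:
        return str(e)
    return "no violation"
```

`buggy_bringup()` returns the first ConfigureHostBus clause, because the state predicates RxStarted and TxStarted are exactly what the static checker tracks across the call sequence; after `stop_rx_tx()` the same call is accepted again, which is the property the SHIL contract is meant to pin down.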

Buffer ownership

Figure: kernel, network driver, TCP/IP, web server and web plug-in share a single hardware address space; an RX ring entry (own flag, flags, size1, size2, buffer1 address, buffer2 address) points at a buffer.

    class TulipRxDescriptor {
        ...
        internal void Buffer1Claim(Packet! packet)
            requires packet.Full;
            requires !Buffer1Set;
            ensures packet.Empty;
            ensures Buffer1Set;
        { ... }
        ...
    }

    class TulipRxRing {
        ...
        internal void GiveToDevice(TulipRxDescriptor! descriptor)
            requires !descriptor.OwnedByDevice;
            requires descriptor.Buffer1Set && descriptor.Buffer2Set;
            ensures descriptor.OwnedByDevice;
            ...
        { ... }
        ...
    }
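The ownership transfer on this slide, as an added Python model that is not Spec# and not the Singularity driver's code: Packet.Full/Empty and the descriptor's Buffer1Set/Buffer2Set/OwnedByDevice predicates are stored as fields and the requires/ensures clauses from the slide are checked when each method runs. The `check` helper, the `_claim` implementation shared by Buffer1Claim and Buffer2Claim, the extra `!OwnedByDevice` clause on claim (the slide elides the rest of that contract with `...`), the `reclaim_buffer1` method and the `simulate_dma` stand-in for the hardware are all assumptions made for the model.

```python
"""Runtime-checked model of the slides' buffer-ownership contracts.
Added example: constructed Python, not Spec# and not Singularity code.  The
Full/Empty, Buffer1Set/Buffer2Set and OwnedByDevice predicates become fields
and each requires/ensures clause is checked when the method runs.
"""


class ContractViolation(Exception):
    pass


def check(kind: str, cond: bool, clause: str) -> None:
    # kind is "requires" or "ensures"; the message names the failing clause
    if not cond:
        raise ContractViolation(kind + " " + clause)


class Packet:
    def __init__(self, size: int) -> None:
        self.buf = bytearray(size)
        self.full = True   # Full: holder owns the bytes; Empty: given to a descriptor


class TulipRxDescriptor:
    """One RX ring entry: own flag plus the buffer1/buffer2 address slots."""

    def __init__(self) -> None:
        self.owned_by_device = False
        self.buffer1 = None
        self.buffer2 = None

    def _claim(self, slot: str, packet: Packet) -> None:
        name = slot.capitalize()                     # Buffer1 / Buffer2
        check("requires", packet.full, "packet.Full")
        check("requires", getattr(self, slot) is None, "!" + name + "Set")
        # Assumed clause (the slide elides it with "..."): only a host-owned
        # entry may have its buffer addresses changed.
        check("requires", not self.owned_by_device, "!OwnedByDevice")
        setattr(self, slot, packet)
        packet.full = False   # the driver gives up the bytes with the address
        check("ensures", not packet.full and getattr(self, slot) is packet,
              "packet.Empty && " + name + "Set")

    def buffer1_claim(self, packet: Packet) -> None:
        self._claim("buffer1", packet)

    def buffer2_claim(self, packet: Packet) -> None:
        self._claim("buffer2", packet)


class TulipRxRing:
    def __init__(self, entries: int) -> None:
        self.entries = [TulipRxDescriptor() for _ in range(entries)]

    def give_to_device(self, d: TulipRxDescriptor) -> None:
        check("requires", not d.owned_by_device, "!descriptor.OwnedByDevice")
        check("requires", d.buffer1 is not None and d.buffer2 is not None,
              "descriptor.Buffer1Set && descriptor.Buffer2Set")
        d.owned_by_device = True   # models setting the own flag for DMA
        check("ensures", d.owned_by_device, "descriptor.OwnedByDevice")

    def reclaim_buffer1(self, d: TulipRxDescriptor) -> Packet:
        # Assumed counterpart of Buffer1Claim: after the device hands the
        # entry back, the driver takes buffer 1 and may read the frame.
        check("requires", not d.owned_by_device, "!descriptor.OwnedByDevice")
        check("requires", d.buffer1 is not None, "descriptor.Buffer1Set")
        packet, d.buffer1 = d.buffer1, None
        packet.full = True
        return packet


def simulate_dma(d: TulipRxDescriptor, frame: bytes) -> None:
    """Stand-in for the hardware: fill buffer 1, then clear the own flag."""
    check("requires", d.owned_by_device, "device owns the entry")
    d.buffer1.buf[:len(frame)] = frame
    d.owned_by_device = False


def rx_round_trip() -> bytes:
    """Claim two buffers, hand the entry to the device, get the frame back."""
    ring = TulipRxRing(4)
    d = ring.entries[0]
    d.buffer1_claim(Packet(64))
    d.buffer2_claim(Packet(64))
    ring.give_to_device(d)
    simulate_dma(d, b"frame")
    return bytes(ring.reclaim_buffer1(d).buf[:5])


def rejected_sequences() -> list:
    """Three ownership mistakes; the list holds the clause that caught each."""
    ring = TulipRxRing(2)
    d0, d1 = ring.entries
    p = Packet(64)
    d0.buffer1_claim(p)
    d0.buffer2_claim(Packet(64))
    ring.give_to_device(d0)
    attempts = (
        lambda: d1.buffer1_claim(p),       # same packet in two entries (aliasing)
        lambda: ring.give_to_device(d1),   # entry handed over with no buffers
        lambda: ring.reclaim_buffer1(d0),  # host touches a device-owned entry
    )
    caught = []
    for attempt in attempts:
        try:
            attempt()
            caught.append("no violation")
        except ContractViolation as e:
            caught.append(str(e))
    return caught
```

The three rejected sequences are the cases where memory safety depends on state rather than on types: the same buffer aliased into two ring entries, an entry handed to the device with no buffer to DMA into, and the host reading an entry the device still owns. In Spec# these are static errors; the model turns them into exceptions at the offending call.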

Driver, SHIL code size

Figure, original code: the network driver code (1800 lines) programs the device (200-page doc) through csr6 directly.

Figure, revised code (5 person-weeks): the network driver's safe code calls the SHIL, which programs the device (200-page doc) through csr6; the two parts are labelled 1800 lines and 1400 lines.

Conclusions

Static verification tools have improved
– automation
– data structures, aliasing, objects, concurrency, ...
– (run-time checking also possible)

Properties are interconnected
– memory safety relies on state

Hardware is diverse (and complicated)
– packet fragments

Incremental approach on existing code

Future work: declarative SHIL language

Figure: the Typed/Untyped versus Safe/Unsafe language grid again, now with Spec# alongside ML, Java, LISP, C and assembler.