Presentation is loading. Please wait.

Presentation is loading. Please wait.

Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley."— Presentation transcript:

1 Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley

2 2 Reliability & Trust Reliability (verification): Check that the system is “bug free” Low level systems code Locking disciplines, interface specs, … Temporal, path-sensitive properties Model checking Trust (certification): Questionable code written by third parties: device drivers, mobile code Model checkers are buggy (!) Simply, efficiently checkable avoid redoing verification

3 3 Our Work Verification: making model checking scale Lazy Abstraction [POPL ’02] Certification: Proof carrying code based mechanism PCC requires annotations Lazy Abstraction: Automatically generates annotations Provides a small decomposition of the proof BLAST Verifying/certifying device drivers

4 4 Verification

5 5 Verification: Abstraction-Refinement Abstract Explanation YES (Trace) BUG Feasible ??? Check Refine NO SAFE Seed Abstraction Program Abstraction Infeasible Why infeasible ? Is model unsafe ? [Kurshan et al, Clarke et al, SLAM,...]

6 6 Model Checking & Abstraction ERROR STATES Init Existentially lift transition relation Partition the state space

7 7 ERROR STATES Init Model Checking & Abstraction Problem: Abstraction too coarse Solution: Refine abstraction

8 8 ERROR STATES Init Model Checking & Abstraction Problem: Abstraction too coarse Solution: Refine abstraction

9 9 Abstract Only Where Required ERROR STATES Init Abstraction is very expensive Why abstract regions that are never visited ? Reachable States On-the-fly abstraction: driven by the search

10 10 Refine Only Where Required Why be precise everywhere ? Don ’ t refine error-free regions ERROR STATES Init ERROR FREE

11 11 Refine Only Where Required Why be precise everywhere ? Don ’ t refine error-free regions Different precision for different regions Local Refinement : driven by the search ERROR STATES Init ERROR FREE

12 12 Benefits of Lazy Abstraction Abstract only where required Reachable state space maybe very sparse Construct the abstraction on-the-fly Use greater precision only where required Different precisions/abstractions for different regions Refine locally Reuse work from earlier phases Batch-oriented ) lose work from previous runs Integrate the three phases

13 13 Example Q: Is Error Reachable ? Example ( ) { 1: do { lock(); old = new; 2: if (*) { 3: unlock(); new ++; } 4: } while ( new != old); 5: unlock (); return; } unlock()lock() unlock()

14 14 Example ( ) { 1: do { lock(); old = new; 2: if (*) { 3: unlock(); new ++; } 4: } while ( new != old); 5: unlock (); return; } Example:CFA lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock()

15 15 Example:CFA Q: Is Error Reachable ? 2 1 3 4 5 ret unlock()lock() unlock() Example ( ) { 1: do { lock(); old = new; 2: if (*) { 3: unlock(); new ++; } 4: } while ( new != old); 5: unlock (); return; }

16 16 Step 1: Search Set of predicates: LOCK=0, LOCK=1 1 LOCK=0 3 LOCK=1 lock(); old = new [>][>] unlock() 5 LOCK=0 unlock() new++ [new==old] 4 LOCK=0 2 LOCK=1 Err LOCK=0 lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock()

17 17 Q: When can: Step 2: Analyze Counterexample 1 LOCK=0 2 LOCK=1 3 4 LOCK=0 5 Err LOCK=0 n Err ops States that can = PRE (,ops) Err R n Æ PRE (,ops) =  ? Err States at node n = R n

18 18 Step 2: Analyze Counterexample 1 LOCK=0 2 LOCK=1 3 4 LOCK=0 5 Err LOCK=0 lock(); old = new [new==old] unlock() LOCK=0 LOCK=0 Æ new = old [>][>] unlock(); new++ LOCK=1 Æ new+1 = old lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock() LOCK=0 Æ new+1 = new R n Æ PRE (,ops) =  ? Err

19 19 Step 2: Analyze Counterexample 1 LOCK=0 2 LOCK=1 3 4 LOCK=0 5 Err LOCK=0 LOCK=0 Æ new = old LOCK=0 Æ new+1 = new LOCK=1 Æ new+1 = old Track the predicate: new = old lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock()

20 20 Step 3: Resume Search 1 LOCK=0 lock(); old = new [new==old] ? 5 [new!=old] 1 LOCK=0 Æ : new = old µ LOCK =0 Set of predicates: LOCK=0, LOCK=1, new = old 3 LOCK=1 Æ new = old [>][>] unlock() new++ 4 LOCK=0 Æ : new = old 2 LOCK=1 Æ new = old lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock()

21 21 Step 3: Resume Search 1 LOCK=0 2 LOCK=1 Æ new = old 3 4 LOCK=0 Æ : new = old ? 51 LOCK=0 Æ : new = old 4 LOCK=1 Æ new=old 51 ? ret LOCK=0Æ new=old ERROR Unreachable Set of predicates: LOCK=0, LOCK=1, new = old lock(); old = new [>][>] [>][>] [new==old] [new!=old] 2 1 3 4 5 ret unlock() new++ unlock()

22 22 Predicate Discovery Information lost in substitution Keep substitutions explicit Ask a proof of unsatisfiability Pick predicates appearing in proof 1 LOCK=0 2 LOCK=1 3 4 LOCK=0 5 Err LOCK=0 lock(); old = new [>][>] unlock(); new++ [new==old] unlock() LOCK=0 Æ new+1 = new

23 23 Example ( ) { 0: if (*) { 6: do { got_lock = 0; 7: if (*) { 8: lock(); got_lock ++; } 9: if (got_lock) { 10: unlock(); } 11: } while (*) ; } 1: do { lock(); old = new; 2: if (*) { 3: unlock(); new ++; } 4: } while ( new != old); 5: unlock (); return; } Local Refinement 1: do { lock(); old = new; 2: if (*) { 3: unlock(); new ++; } 4: } while ( new != old); 5: unlock (); return; } 9 8 7 11 10 6 0 2 1 3 4 5 ret 6: do { got_lock = 0; 7: if (*) { 8: lock(); got_lock ++; } 9: if (got_lock) { 10: unlock(); } 11: } while (*) ; }

24 24 Local Refinement [>][>] 1 LOCK=0 0 6 [>][>] Err 0 7 9 8 11 10 6 2 1 3 4 5 ret Refine right subtree only Different abstractions for subtrees Search on left subtree not repeated

25 25 Leaves Covered (Reuse work) 0 LOCK=0 1 6 1 1 1 LOCK=0 Æ … COVERED ! Leaves covered: Avoid repeating search when paths merge 0 7 9 8 11 10 6 2 1 3 4 5 ret

26 26 Certification

27 27 What is a Certificate ? Proof Carrying Code (PCC) Program + Spec Annotations VC Generator Verification Condition Annotations: Loop invariants, func. Precondition/Postcondition Certificate: Annotations + Proof of VC Consumer reconstructs VC, checks proof Validity of VC guarantees correctness

28 28 Annotations For each cntrl location q, invariant I(q) Verification condition Init µ I(q 0 ) Annotations & VCs Start set includes initial states Error location is not reached States closed under post I(q  ) = false For each edge q ! op q’ : POST (I(q),op) µ I(q’)

29 29 Ç LOCK=0 Æ : new = old Invariants grow on Trees 1 4 5 LOCK=0 2 3 LOCK=1 Æ new = old LOCK=0 Æ : new = old Ç LOCK=1 Æ new=old LOCK=1 Æ new=old LOCK=0 Æ : new = old 1 LOCK=0 2 LOCK=1 Æ new = old 3 4 ? 51 LOCK=0 Æ : new = old 4 LOCK=1 Æ new=old 5 1 ? ret LOCK=0 Æ new=old Reachability Tree Invariants covered

30 30 Proving the VC Each condition dischargeable automatically (Vampyre, CVC … ) Tree yields a small decomposition Entire proof can be extracted from model checker ’ s data structures

31 31 BLAST LAZY ABSTRACTION Berkeley Lazy Abstraction Software verification Tool 10K Lines of Ocaml Analyze Linux/Windows Device Drivers CIL (C ! CFA) REGION STRUCTURE BDD Engine (Boolean ops) Simplify (Post # ) Vampyre (focus)

32 32 BLAST All of C modeled except: Function pointers Recursive functions “ Logical ” Model of memory Pointer arithmetic imprecise Fragile on heap dependant properties Safety checking: Checks if a given label is reachable in the C program Monitor automata specified in C

33 33 Experiments 10296751919805019361781 parport.c 3.3454465717372 mouclass.c 76190.38103437 [fixed] 1652563548 564405412131 kbflter.c 60129173954493 [fixed] 15652086376217386 floppy.c 1567875401398458517798 cdaudio.c 403.33428.634516506 tlan.c 0.0320.932217736 aha152x.c 1790.010.52223539 qpmouse.c 2530.014.55518131 ide.c Prf Size (bytes) Pred. Disc. Time(sec) Total Time(sec) Active Preds Total Preds LinesProgram Linux Lock 3 state Windows DDK IRP 22 state

34 34 Conclusions Lazy Abstraction Reachability Tree yields certificate Implemented BLAST Finds (only) real bugs in large device drivers … and gives proofs for correct ones !  Future work:  Smarter abstractions  Program analysis for model reduction  Recursive functions  …

35 35 BLAST www.eecs.berkeley.edu/~tah/blast/ Berkeley Lazy Abstraction Software * Tool

Download ppt "Temporal-Safety Proofs for Systems Code Thomas A. Henzinger Ranjit Jhala Rupak Majumdar George Necula Westley Weimer Grégoire Sutre UC Berkeley."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
The Dafny program verifier

The Dafny program verifier
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.

Lecture #21 Software Model Checking: predicate abstraction Thomas Ball Testing, Verification and Measurement Microsoft Research.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.

Software Verification with BLAST Tom Henzinger Ranjit Jhala Rupak Majumdar.
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.

BLAST-A Model Checker for C Developed by Thomas A. Henzinger (EPFL) Rupak Majumdar (UC Los Angeles) Ranjit Jhala (UC San Diego) Dirk Beyer (Simon Fraser.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.

Permissive Interfaces Tom Henzinger Ranjit Jhala Rupak Majumdar.
Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Software Verification with Blast Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, George Necula, Grégoire Sutre, Wes Weimer UC Berkeley.

Similar presentations

Ads by Google