
Towards Scalable Modular Checking of User-defined Properties (presentation transcript)


1 Towards Scalable Modular Checking of User-defined Properties
Thomas Ball (MSR), Brian Hackett (Mozilla), Shuvendu Lahiri (MSR), Shaz Qadeer (MSR), Julien Vanegue (Microsoft)

2 A Decade of C/C++ Tools at Microsoft
PREfix, PREfast/SAL
– Scalable, 1000s of users
– Hardcoded properties and checkers
– Checkers define semantics of C programs
Static Driver Verifier (SLAM)
– Allows defining (limited) properties
– Automated abstraction refinement
– No procedure contracts
– No ability for user to control false alarms
VCC (Verifying C Compiler)
– Aimed towards full functional correctness
– Procedure contracts
– No inference
– Requires expert users

3 Automatic Inference: Microsoft Buffer Annotation Effort
(Workflow diagram; boxes: Code Base, SALinfer, SAL Annotated Code, Manual Annotations, PREfix/PREfast, Potential Defects, Code Review, SAL Fixes / Code Fixes)
– Windows Vista mandate: annotate 100,000 mutable buffers
– Developers annotated 500,000+ parameters
– Developers fixed 20,000+ bugs
– Office 2007: developers fixed 6,500+ bugs

4 (slide has no transcribed text)

5 User Effort and Control
(Chart positioning PREfix/PREfast, Static Driver Verifier and VCC by user effort and user control)

6 User Effort and Control
(Same chart, with HAVOC added)

7 Why Another C Verifier?
Comparison of Static Driver Verifier (SDV), HAVOC and VCC:

Criterion       | SDV                    | HAVOC                | VCC
Expressiveness  | + (control-oriented)   | ++ (system-specific) | +++ (functional)
Precision       | + (abstract memory)    | ++ (precise)         | ++ (precise)
Scalability     | + (whole program)      | ++ (modular)         | ++ (modular)
Automation      | ++ (push button)       | + (inference)        | -- (manual)
Contracts       | --                     | ++                   | ++
Users           | Developers             | Auditors             | Verification experts
Problem         | Correct API usage      | Security audit       | Fully correct TCB

8 Users and Their Problems
Developers
– Focused on feature development
– Check-in gates for quality bar
Auditors
– Focus on large modules
– Audit critical properties
– External to product group (even test org)
Verification experts
– Advance the state of the art

9–11 Formal Code Audit (title built up over three slides: Audit, Code Audit, Formal Code Audit)
A methodical examination and review of properties of programs
– formal documentation of program properties and the assumptions under which they hold
– supported by a tool that verifies the consistency of these assertions and assumptions

12 Measuring Success
The auditor is satisfied if
– she can state the properties that she wants, and
– she can tolerate the assumptions under which these properties hold
A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible

13 Formal Code Auditing Scenario
Target: large components
– ~100 KLOC with >1000 procedures
Module
– A set of public/entry procedures
– A set of private/internal procedures
Specs
– Interface specification: specs for public methods, specs for external modules
– Property assertion
Harness (pseudocode; nondet() picks an entry point, [assume pre_i] restricts each call to its contract's precondition):
    Initialize(..);
    while (*) {
        choice = nondet();
        if (choice == 1) {
            [assume pre_1]
            call Public_1(…);
        } else if (choice == 2) {
            [assume pre_2]
            call Public_2(…);
        }
        …
    }
    Cleanup(…);

14 Desirable Audit Goals
Find violations
– of property assertions
– with low false alarms
Use contracts
– Modular checking for scalability
– Readable contracts are formal documentation
Provide high assurance
– Formal documentation of assumptions
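The harness of slide 13 and the goals of slides 12 and 14 (state the property, tolerate the assumptions, find violations with low false alarms) can be made concrete in plain C. What follows is an added example, not code from the talk, from HAVOC or from any audited file system: a constructed toy module (FileObj, Public_Read, Public_Write, Public_Close) whose three entry points all carry the contract "requires the object to be open", and a harness that replaces nondet() with exhaustive enumeration of every call sequence up to a depth bound. The two properties asserted are "no operation on a closed object" and "the reference count is back at its baseline whenever the loop exits to Cleanup". The seeded leak on Read's error path and all names are assumptions of the example.

```c
#include <stdio.h>

/* Constructed toy module under audit (not HAVOC's and not any real file system's code):
 * a file object with an "open" flag and a reference count. */
typedef struct { int open; int refcount; } FileObj;

/* Public_1: Read.  Contract: requires o->open.
 * `fail` models a nondeterministic I/O error; `seeded_leak` selects a buggy build that
 * forgets to drop its reference on that error path. Returns 1 on a property violation. */
static int Public_Read(FileObj *o, int fail, int seeded_leak) {
    if (!o->open) return 1;          /* property: no operation on a closed object */
    o->refcount++;                   /* hold a reference for the duration of the call */
    if (fail) {
        if (!seeded_leak) o->refcount--;   /* the leaky build skips this release */
        return 0;
    }
    o->refcount--;
    return 0;
}

/* Public_2: Write.  Contract: requires o->open. */
static int Public_Write(FileObj *o) {
    return o->open ? 0 : 1;
}

/* Public_3: Close.  Contract: requires o->open. */
static int Public_Close(FileObj *o) {
    if (!o->open) return 1;
    o->open = 0;
    return 0;
}

typedef struct { int use_assumptions; int seeded_leak; } AuditConfig;

/* The slide's harness, with nondet() replaced by exhaustive enumeration of every
 * call sequence of up to `remaining` calls. Returns the number of violating paths. */
static int run_harness(FileObj o, int remaining, const AuditConfig *c) {
    /* while(*) may exit here and run Cleanup(..): assert the leak property. */
    if (o.refcount != 1) return 1;   /* leaked or dropped reference: report, stop this path */
    if (remaining == 0) return 0;
    int violations = 0;
    for (int choice = 1; choice <= 3; choice++) {              /* choice = nondet() */
        for (int fail = 0; fail <= (choice == 1); fail++) {    /* Read also forks on I/O error */
            FileObj s = o;                                     /* each path owns its state */
            /* [assume pre_i]: every contract here requires o->open, so paths that call
             * an entry point on a closed object are infeasible and dropped. */
            if (c->use_assumptions && !s.open) continue;
            int viol = 0;
            switch (choice) {
            case 1: viol = Public_Read(&s, fail, c->seeded_leak); break;
            case 2: viol = Public_Write(&s); break;
            case 3: viol = Public_Close(&s); break;
            }
            if (viol) { violations++; continue; }              /* report and stop this path */
            violations += run_harness(s, remaining - 1, c);
        }
    }
    return violations;
}

/* Audit entry point. Initialize(..) yields an open object holding one reference. */
int audit(int depth, int use_assumptions, int seeded_leak) {
    AuditConfig c = { use_assumptions, seeded_leak };
    FileObj o = { 1, 1 };
    return run_harness(o, depth, &c);
}

int main(void) {
    printf("contracts assumed, correct module : %d violations\n", audit(3, 1, 0));
    printf("contracts assumed, leaky module   : %d violations\n", audit(3, 1, 1));
    printf("no contracts, correct module      : %d violations\n", audit(3, 0, 0));
    return 0;
}
```

With the contracts assumed and the correct module, the harness reports nothing. The seeded leak is still reported under the same assumptions, which is the kind of genuine resource-leak finding the file system audit on slide 17 describes. Dropping the assumptions turns every call-after-close sequence into a report: that class of alarm is exactly what the auditor's documented assumptions are meant to remove. A modular verifier checks each procedure against the contracts instead of enumerating sequences; the enumeration here only makes the harness semantics visible.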

15 Non-goals of Formal Code Auditing
– Functional correctness
– Minimizing the trusted computing base

16 What about Verified Software? A solved problem, if cost is not an issue. The open issue is the engineering cost.

17 Results (1): File System Audit
Used HAVOC to audit a popular file system
– Resource leaks (reference counts, mutexes)
– Data races on files, streams, associated structures
– Teardown races on the same
Found 45 bugs
– ~250 lines required to specify properties
– ~600 lines of manual annotations
– ~3000 lines of inferred annotations
80 false alarms

18 Results (2): Security Audit
Applied HAVOC to 1.3 million lines of Windows (a handful of components)
Properties
– ProbeBeforeUse
– UserDerefInTry
– ProbeInTry
– Alloc
15 security vulnerabilities (patched)

19 The HAVOC Challenge: make formal code auditing a low-cost engineering effort
1. Property specification/instrumentation
2. Scalable and transparent inference
3. User-supplied annotations

20 Microsoft C/C++ Static Analysis Tools
PREfast/SAL
– Included with Visual Studio
Static Driver Verifier Research Platform
– http://research.microsoft.com/slam/
HAVOC
– http://research.microsoft.com/havoc/
Verifying C Compiler
– http://vcc.codeplex.com/

