Posted: 16-Dec-2015
Thorough Static Analysis of Device Drivers
Byron Cook – Microsoft Research
Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner
Static Driver Verifier
[Figure: the kernel, the device drivers (DD) beneath it, and the hardware (HW)]
Static Driver Verifier (a.k.a. SDV):
A compile-time correctness checking tool based on deep semantic analysis via symbolic model checking
Now available on the latest Windows DDK beta
Static Driver Verifier
Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers:
SDV operates on the driver’s source code
SDV is completely automatic
SDV checks that drivers do not violate a set of “kernel API usage rules”
Attempts to prove the correctness of the driver with the SLAM software model checker
Static Driver Verifier
[Figure: the driver sources (other.h, driver.h, driver.c) go into SDV, which marks defects (XX) in them]
Static Driver Verifier
[Slides 6 to 28 are image-only; no text was extracted]
Outline
Introduction to Static Driver Verifier
Static Driver Verifier internals
Conclusion & Discussion
Static Driver Verifier
[Figure: inside SDV: the SDV rules, the OS model and SLAM, taking the driver sources (other.h, driver.h, driver.c) and marking defects (XX) in driver.c]
Static Driver Verifier: Rules
Expressed in an event-based language
Possible events: function entry, function exit
The code associated with an event calls the function error() to indicate a violation:
IoCallDriver.entry {
  if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
    error();
  }
}
Static Driver Verifier: OS model
Provides the main function
Abstract implementations of kernel APIs (like IoCallDriver)
Models some aspects of the OS state, like the “interrupt request level” (IRQL)
Uses non-deterministic choice
Static Driver Verifier: SLAM
Symbolic model checker for C
Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search
Algorithm = Predicate Abstraction + Counter-example based refinement + Symbolic reachability for Boolean programs
Simplifying (unsound) assumptions:
C unions are ignored
Memory layout is not known: pointer arithmetic is largely ignored
Coincidental pointer aliasing is ignored, purposeful aliasing is not
Functions cannot be called both by name and by pointer
The OS model does not exercise all paths possible in practice
Static Driver Verifier: SLAM
void main() {
  int a, b, c, rst, cnt;
  cnt = 0;
  for (;;) {
    AcquireLock(); rst = 0;
    while (!rst) {
      a = f1(); b = f2(); c = f3();
      if (a < b && b < c) { rst = 1; ReleaseLock(); }
    }
    g();
  }
}
Assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock
Static Driver Verifier: SLAM
int locked = 0;
AcquireLock.entry { if (locked==1) { error(); } else { locked=1; }}
ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; }}
Static Driver Verifier: SLAM
[Figure: the SLAM loop. Inputs: driver sources, OS model and rule. Steps: Instrument step, Abstract step, Check step, Refine step. Outcomes: "Driver passes rule" or "Rule violation found"]
Static Driver Verifier: SLAM
[Figure: the Instrument step inlines the rule into the driver. "int locked = 0;" is added as a global, AcquireLock() now begins with "if (locked==1) { error(); } else { locked=1; }" and ReleaseLock() with "if (locked==0) { error(); } else { locked=0; }"; main() is unchanged]
Are these calls to error() reachable?
Static Driver Verifier: SLAM
[Figure: the Abstract step, with no predicates yet, strikes out "int a,b,c,rst,cnt; cnt = 0;", "rst=0;", "!rst", "a =", "b =", "c =", "a<b && b<c" and "rst=1;", and replaces the two conditions with non-deterministic choice *]
void main() {
  for (;;) {
    AcquireLock();
    while (*) { f1(); f2(); f3(); if (*) { ReleaseLock(); } }
    g();
  }
}
State space = 2^(#bits(pc)) + stack
Static Driver Verifier: SLAM
[Figure, slides 48 to 52: the Check step grows the reachable state space one step at a time (states reachable in <1, <2, ..., <9 steps) until it contains a state where the PC is at a call to error()]
Static Driver Verifier: SLAM
[Slides 53 to 62 repeat the abstract program below, stepping through the path to error() that the Check step found:]
void main() {
  for (;;) {
    AcquireLock();
    while (*) { f1(); f2(); f3(); if (*) { ReleaseLock(); } }
    g();
  }
}
Static Driver Verifier: SLAM
[Slides 64 to 75 replay the counterexample over the original program below, annotating the states along the path first with cnt==0, then rst==0, and finally !(rst==0)]
void main() {
  int a, b, c, rst, cnt;
  cnt = 0;
  for (;;) {
    AcquireLock(); rst = 0;
    while (!rst) {
      a = f1(); b = f2(); c = f3();
      if (a < b && b < c) { rst = 1; ReleaseLock(); }
    }
    g();
  }
}
New predicate to track: main { rst==0 }
Static Driver Verifier: SLAM
[Figure: the Abstract step, now tracking rst==0, again strikes out "int a,b,c,rst,cnt; cnt = 0;", "rst=0;", "!rst", "a =", "b =", "c =", "a<b && b<c" and "rst=1;", but this time "rst=0;" becomes "v0=1;", "!rst" becomes "v0", "a<b && b<c" stays * and "rst=1;" becomes "v0=0;"]
bool v0; // represents rst==0
void main() {
  for (;;) {
    AcquireLock(); v0 = 1;
    while (v0) { f1(); f2(); f3(); if (*) { v0 = 0; ReleaseLock(); } }
    g();
  }
}
State space = 2^(1 + #bits(pc)) + stack
Static Driver Verifier: SLAM
[Figure, slides 79 to 82: the Check step on the refined abstraction grows the reachable state space for steps <n, <n+1, <n+2, <n+3, <n+4; the state space for steps <n+5 is the same as for <n+4, so the search has reached a fixpoint]
Static Driver Verifier: SLAM
The abstraction contains only the PC and these three state bits: locked>0, locked==0, rst==0
Abstracted away: much of f1(), f2(), f3() and g(); cnt, a, b, c; the potential values of rst
From this abstraction we can reason that the original C program is also correct
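To make the Abstract and Check steps concrete, here is an added Python model of the slides' locking example; it is not SLAM's own code (SLAM explores Boolean programs symbolically), and it uses an explicit breadth-first search over the abstract state (pc, locked, rst==0) in place of symbolic reachability. With the rst==0 predicate switched off it finds the spurious path to error() of slides 48 to 52; with it tracked, the search reaches a fixpoint with no error() state, as on slides 79 to 83. Assumptions: a single locked bit stands in for the slides' pair locked>0 / locked==0, and the program-point names are mine.

```python
from collections import deque

# Program points of the abstracted main(); each mirrors one statement on the slide.
ACQUIRE, RST_ZERO, LOOP_TEST, CALLS, COND, RELEASE, CALL_G = range(7)
ERROR = "error()"  # abstract location reached when a rule's error() fires

def step(pc, locked, rst_is_zero, track_rst):
    """Successors of abstract state (pc, locked, rst==0). rst_is_zero is None
    when the predicate rst==0 is not tracked, so the loop test becomes '*'."""
    if pc == ACQUIRE:                       # AcquireLock.entry rule
        return [ERROR] if locked else [(RST_ZERO, True, rst_is_zero)]
    if pc == RST_ZERO:                      # rst = 0
        return [(LOOP_TEST, locked, True if track_rst else None)]
    if pc == LOOP_TEST:                     # while (!rst)
        if rst_is_zero is None:             # untracked: both branches possible
            return [(CALLS, locked, None), (CALL_G, locked, None)]
        return [(CALLS, locked, True)] if rst_is_zero else [(CALL_G, locked, False)]
    if pc == CALLS:                         # a = f1(); b = f2(); c = f3(): abstracted to skip
        return [(COND, locked, rst_is_zero)]
    if pc == COND:                          # if (a < b && b < c): abstracted to '*'
        return [(RELEASE, locked, rst_is_zero), (LOOP_TEST, locked, rst_is_zero)]
    if pc == RELEASE:                       # rst = 1; then ReleaseLock.entry rule
        return [ERROR] if not locked else [(LOOP_TEST, False, False if track_rst else None)]
    return [(ACQUIRE, locked, rst_is_zero)]  # CALL_G: g(); back to the top of for(;;)

def error_reachable(track_rst):
    """Breadth-first search from main's initial abstract state (locked == 0).
    Returns the path of abstract states to error(), or None if none exists."""
    init = (ACQUIRE, False, None)
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        for nxt in step(*state, track_rst):
            if nxt in parent:
                continue
            parent[nxt] = state
            if nxt == ERROR:                # rebuild the counterexample trace
                path, cur = [], nxt
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                return path[::-1]
            queue.append(nxt)
    return None                             # fixpoint reached without error()

if __name__ == "__main__":
    print("no rst predicate:", error_reachable(track_rst=False))   # spurious path to error()
    print("with rst==0     :", error_reachable(track_rst=True))    # None: driver passes rule
```

The spurious trace leaves the while loop without ever taking the ReleaseLock() branch, which the refined abstraction rules out because v0 (rst==0) is set on entry and only cleared on that branch.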
Conclusion
SDV
A compile-time tool that finds bugs in device drivers
Kernel API usage rules + the SLAM model checker
Released on the latest DDK beta
Subsequent releases will support additional driver models
Conclusion
In the paper
More information on how SDV works
More information on what SDV checks, what it doesn’t check, and why.
Data from experiments with SDV on ~100 device drivers
Information about new work to support new driver models
Conclusion
What’s next for SDV/SLAM-like tools within Microsoft?
Proving deeper properties about programs that manipulate the heap
SLAM-like tools with better support for concurrency
Liveness properties & termination
Contracts/specifications for additional APIs