QM

Document Sample
QM Powered By Docstoc
					    Automatic Formal Verification for
    Operating Systems Code




    Byron Cook – Microsoft Research Cambridge
    bycook@microsoft.com




1
Windows OS and device drivers


       HW
     HW       DD
          DD DD                 DD   HW
    DD DD         DD
 HW     Operating
           DD         DD
    DD    System
       DD Kernel DD
             DD          HW
 HW                  DD
    DD

 2
     HW                               HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 3
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 4
                           HW
Windows OS and device drivers


       HW                         DD
   HW             DD         Kernel
                            DD DD    DD   HW
 Examples:DD         DD             DD
 HW web server
   Outlook mail system
   HTTP                        DD       DD
            DD
   Performance monitoring tools
                      DD             DD
  HWnetworking technologies DD              HW
   VM tools
   New
   FirewallsDD
   Virus protection                      DD
   Drawing tools
      HW                   DD DD DD
 5
   ………………………                                HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 6
                           HW
           device
Windows OS Nvidia drivers                Symantec
                      Fujitsu
        HW
      Nvidia
                                DD             Adaptec


  HW MicrosoftDD        KernelMicrosoft

                       DD DD             DD            HW
        DD DDAOL Microsoft DD             Intel             Adaptec

 HW??????????           DD
                                          Epson
                                                  DD Logitech
         DD Sony            ??????????

                  DD         DD          DD                  HW
 HW Sony               McAfee
                                              Techsoft

         DD                       ??????????           Logitech

              Creative                                 DD
    HW Creative        DD DD DD
 7
                           ??????????    ADI                  HW
                                                     University
                                                      student
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 8
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 9
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 10
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 11
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 12
                           HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 13
                           HW
Windows OS and device drivers


        HW calling KeWaitForSingleObject or request level”
         Example: While running at raised “interrupt
         (IRQL),                     DD
           KeWaitForMultipleObjects with Kernel-defined dispatcher
      HW          DD         Kernel
           object(s) to wait for a nonzero interval causes a fatal error. Only
                                                DD            HW
           driver routines that run in a nonarbitrary thread context at IRQL
                            DD DD
           PASSIVE_LEVEL, such as driver-created threads, the
           DriverEntry and Reinitialize routines, or Dispatch routines for
          DD DD                              DD
           inherently synchronous I/O operations, such as most device I/O
           control requests, can safely wait on events, semaphores,
 HW        mutexes, or timers for a nonzero interval.
                              DD                         DD
          DD
                     DD                         DD
 HW If the driver is passed aDD request packet with HW
  Example:
          DD IRP_MN_REMOVE_DEVICE, a driver must call
  minor function
                                     PNP

                                                              DD
  IoDeleteDevice for any device that was previously allocated with
  IoCreateDevice
     HW                    DD DD DD
 14
                                                                   HW
Windows OS and device drivers


       HW       DD
  HW   DD   Kernel
           DD DD    DD   HW
     DD DD         DD
 HW         DD         DD
     DD
        DD    DD    DD     HW
 HW
     DD
                        DD
   HW      DD DD DD
 15
                           HW
Today’s subject




 16
Outline


     Introduction to Windows device drivers

     Static Driver Verifier
      Automatic formal verification + properties for device drivers


     Recent plug-ins for Static Driver Verifier:
      SLAyer
      TERMINATOR


     Conclusion & Discussion



17
Outline


     Introduction to Windows device drivers

     Static Driver Verifier
      Automatic formal verification + properties for device drivers


     Recent plug-ins for Static Driver Verifier:
      SLAyer
      TERMINATOR


     Conclusion & Discussion



18
Static Driver Verifier




     Static Driver Verifier (SDV) is a tool for proving correctness and
       finding bugs in Windows device drivers:


       SDV operates on the driver’s source code

       SDV is completely automatic

       SDV checks that drivers do not violate a set of “kernel API usage
       rules”

       Attempts to prove the correctness of the driver with the SLAM
       software model checker


19
Static Driver Verifier




     Driver sources            
                               X
         other.h




                               
           driver.h


              driver.c



                         SDV   X


                               
                               
20
Static Driver Verifier




21
Static Driver Verifier




22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Static Driver Verifier




44
Static Driver Verifier




     Driver sources            
                               X
         other.h




                               
           driver.h


              driver.c



                         SDV   X


                               
                               
45
Static Driver Verifier




     Driver sources                        
                                           X
         other.h          Rules


                                           
          driver.h


            driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
46
Static Driver Verifier: Rules



     Expressed in an event-based language

     Possible events:
      Function entry
      Function exit

     The code associated with events call the function error() to indicate a
     violation:

      IoCallDriver.entry
      {
          if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction
                 ==IRP_MJ_POWER) {
              error();
          }
      }




47
Static Driver Verifier: Rules



     Expressed in an event-based language

     Possible events:
      Function entry
      Function exit

     The code associated with events call the function error() to indicate a
     violation:

      IoCallDriver.entry
      {
          if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction
                 ==IRP_MJ_POWER) {
              error();
          }
      }




48
Static Driver Verifier




                                           
                                           X
     other.h              Rules


                                           
      driver.h


        driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
49
Static Driver Verifier: OS model




         Provides the main function

         Abstract implementations of kernel APIs (like
         IoCallDriver)

         Models some aspects of the OS state, like the
         “interrupt request level” (IRQL)

         Uses non-deterministic choice




50
Static Driver Verifier: OS model

      NTSTATUS
      IoCreateDevice(
          IN PDRIVER_OBJECT DriverObject,
          IN ULONG DeviceExtensionSize,
          IN PUNICODE_STRING DeviceName OPTIONAL,
          IN DEVICE_TYPE DeviceType,
          IN ULONG DeviceCharacterisitcs,
          IN BOOLEAN Exclusive,
          OUT PDEVICE_OBJECT * DeviceObject
          )
      {

          ULONG Choice = nondet();

          switch (Choice) {
              case 0 : (*DeviceObject) = &SDV_devobj2;
                       return STATUS_SUCCESS;
              case 1 : return STATUS_INSUFFICIENT_RESOURCES;
              case 2 : return STATUS_OBJECT_NAME_EXISTS;
              default: return STATUS_OBJECT_NAME_COLLISION;
          }
      }

51
Static Driver Verifier: OS model

      NTSTATUS
      IoCreateDevice(
          IN PDRIVER_OBJECT DriverObject,
          IN ULONG DeviceExtensionSize,
          IN PUNICODE_STRING DeviceName OPTIONAL,
          IN DEVICE_TYPE DeviceType,
          IN ULONG DeviceCharacterisitcs,
          IN BOOLEAN Exclusive,
          OUT PDEVICE_OBJECT * DeviceObject
          )
      {

          ULONG Choice = nondet();

          switch (Choice) {
              case 0 : (*DeviceObject) = &SDV_devobj2;
                       return STATUS_SUCCESS;
              case 1 : return STATUS_INSUFFICIENT_RESOURCES;
              case 2 : return STATUS_OBJECT_NAME_EXISTS;
              default: return STATUS_OBJECT_NAME_COLLISION;
          }
      }

52
Static Driver Verifier




                                           
                                           X
     other.h              Rules


                                           
      driver.h


        driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
53
Static Driver Verifier: SLAM



     Automatic formal verification engine for safety properties

     Strategy: throw away as much irrelevant detail from the driver as
     possible through abstraction search

     Algorithm: counterexample-guided abstraction refinement
      Find smaller (but less accurate) abstraction of original program
      Try to prove it bug-free
      Refine abstraction on-demand


     Works well when properties are somewhat shallow in nature, and
     programs are 30,000 LOC or less



54
Static Driver Verifier: SLAM

           void main()
           {
               int a,b,c,rst,cnt;
               cnt = 0;
               for(;;) {
                   AcquireLock();
                   rst=0;

                   while(!rst) {
                       a = f1();
                       b = f2();
                       c = f3();
                       if (a<b && b<c) {
                           rst=1;
                           ReleaseLock();   Assume that f1,
                       }                    f2, f3 and g do
                    }                       not call
                    g();                    AcquireLock or
               }                            ReleaseLock
           }
55
Static Driver Verifier: SLAM


                   int locked = 0;


                   AcquireLock.entry {
                       if (locked==1) {
                           error();
                       } else {
                           locked=1;
                       }
                   }

                   ReleaseLock.entry {
                       if (locked==0) {
                           error();
                       } else {
                           locked=0;
                       }
                   }

56
Static Driver Verifier: SLAM




                SLAM
57
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


58
Static Driver Verifier: SLAM



                               int locked = 0;

     void AcquireLock()        AcquireLock.entry
     {                         {
         ……………                     if (locked==1) {
     }                                 error();
                                   } else {
                                       locked=1;
                                   }
         ………………                }
     }      Are these
            reachable?
     void ReleaseLock()        ReleaseLock.entry
     {                         {
         ……………                     if (locked==0) {
     }                                 error();
                                   } else {
                                       locked=0;
                                   }
         ………………                }
     }

     void main()
     {
         ……………
59
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


60
Static Driver Verifier: SLAM


                void main()
                {
                    int a,b,c,rst,cnt;
                    cnt = 0;
                    for(;;) {
                        AcquireLock();
                        rst=0;

                        while(!rst ) {
                                *
                            a = f1();
                            b = f2();
                            c = f3();
                            if (a<b && b<c ) {
                                     *
                                rst=1;
                                ReleaseLock();
                            }
                         }
                         g();
                    }
61              }
Static Driver Verifier: SLAM

                    int g0 = = 0;
                    boollocked1; // locked==0
                    bool g1 = 0; // locked==1
                    void AcquireLock()
                    {
                        if ( locked==1) {
                               g1
                            error();
                        } else {
                             g1 = 1;
                             locked=1;
                             g0 = 0;
                        }
                    }
                    void ReleaseLock()
                    {
                        if ( locked==0) {
                               g0
                            error();
                        } else {
                             g0 = 1;
                             locked=0;
                             g1 = 0;
                        }
                    }          State space = 2^(2 + #bits(pc)) + stack
62
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


63
Static Driver Verifier: SLAM



       Reachable
      state-space
        for steps
           <1




64
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable
           <1                       state-space
                                   for steps <3




65
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5



                                          Reachable
                                         state-space
                                           for steps
                                              <6

66
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5
           Reachable state-
          space for steps <8
                 Reachable
                state-space
                         Reachable
                         <7
               for stepsstate-space
                          for steps
                             <6

67
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5
           Reachable state-
             Reachable
          space for steps <8 state-
                 Reachable
                state-space   Reachable
                               steps <9
            space forstate-space
               for steps <7
                               for steps
                  State where PC is at a call to error()
                                     <6

68
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
69
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
70
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
71
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
72
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
73
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
74
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
75
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
76
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
77
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
78
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


79
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
80
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
81
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
82
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
83
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
84
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
85
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
86
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
87
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
88
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
89
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {            !(rst==0)
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
90
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;             cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                              rst==0

               while(!rst) {             !(rst==0)
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }               New predicate to track: main { rst==0 }
91
       }
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


92
Static Driver Verifier: SLAM


                void main()
                {
                    int a,b,c,rst,cnt;
                    bool 0;
                    cnt = v0; // represents rst==0
                    for(;;) {
                        AcquireLock();
                        v0=1;
                        rst=0;

                        while(!rst ) {
                               v0
                            a = f1();
                            b = f2();
                            c = f3();
                                         )
                            if (a<b && b<c {
                                      *
                                v0=0;
                                rst=1;
                                ReleaseLock();
                            }
                         }
                         g();
                    }
                }              State space = 2^(3 + #bits(pc)) + stack
93
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


94
Static Driver Verifier: SLAM



       Reachable
      state-space
        for steps
           <n




95
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable
           <n           <n+1      state-space
                                    for steps
                                      <n+2




96
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable    Reachable state-
           <n           <n+1      state-space    space for steps
                                    for steps        <n+3
                                      <n+2                         Reachable state-
                                                                    space for steps
                                                                        <n+4

                                                       Reachable state-
                                                        space for steps
                                                       <n+5 and <n+4




97
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable    Reachable state-
           <n           <n+1      state-space    space for steps
                                    for steps        <n+3
                                      <n+2                         Reachable state-
                                                                    space for steps
                                                                        <n+4

                                                       Reachable state-
                                                        space for steps
                                                       <n+5 and <n+4




98
Static Driver Verifier: SLAM


     The abstraction contains only the PC and these three state bits
      locked==1
      locked==0
      rst==0


     Abstracted away
        Much of f1(), f2(), f3(), g(),
        cnt,
        a, b, c
        Potential values from rst


     From this abstraction we can reasons that the original C program is
     also correct



99
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



100
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



101
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



102
Static Driver Verifier




103
Static Driver Verifier




104
Static Driver Verifier




105
Static Driver Verifier




106
SLAyer




         Abstract interpreter using a domain expressed in
         separation logic

         Searches for uses of lists and other data-structures
         commonly found in OS code

         Joint work with the East London Massive (including many
         Queen Mary people)




  107
SLAyer


         Abstract interpreter using a domain expressed in
         separation logic

         Searches for uses of lists and other data-structures
         commonly found in OS code

         Joint work with the East London Massive (including many
         Queen Mary people)




  108
SLAyer


         Abstract interpreter using a domain expressed in
         separation logic

         Searches for uses of lists and other data-structures
         commonly found in OS code

         Joint work with the East London Massive (including many
         Queen Mary people)




  109
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



110
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



111
Properties of interest


      Examples of properties of interest to the kernel team:

        Calls to KeSetEvent(a,b,c) within dispatch routines should only occur at
        below DISPATCH_LEVEL when c=0, and at PASSIVE_LEVEL when c=1.



        When creating devices, AddDevice dispatch routines should hold onto to the device stack pointer that was passed to
        it such that future requests are correctly forwarded down the device stack.



        Each call to KeRaiseIrql should eventually be followed by a call to
        KeLowerIrql.



        “Device driver dispatch routines implement the correct functionality.”


112
Properties of interest


      Examples of properties of interest to the kernel team:

        Calls to KeSetEvent(a,b,c) within dispatch routines should only occur at
        below DISPATCH_LEVEL when c=0, and at PASSIVE_LEVEL when c=1.



        When creating devices, AddDevice dispatch routines should hold onto to the device stack pointer that was passed to
        it such that future requests are correctly forwarded down the device stack.



        Each call to KeRaiseIrql should eventually be followed by a call to
        KeLowerIrql.



        “Device driver dispatch routines implement the correct functionality.”


113
TERMINATOR



       Automatic liveness property prover (via fair termination)

       Finds candidate termination arguments and proves their
       validity

       Uses new method of expressing termination arguments
       that allows for refinement based on failed proof attempts

       Also Joint work with East London Massive (and others)




 114
TERMINATOR




 115
TERMINATOR




 116
Proving




117
Proving




118
Proving




119
Proving




120
Proving




121
Proving




122
Proving




123
Proving




124
Proving




125
Proving




126
Proving




127
Proving




128
Proving




129
Proving




130
Proving




131
Proving




132
Proving




133
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



134
Outline


      Introduction to Windows device drivers

      Static Driver Verifier
       Automatic formal verification + properties for device drivers


      Recent plug-ins for Static Driver Verifier:
       SLAyer
       TERMINATOR


      Conclusion & Discussion



135
Conclusion



      Windows OS and device drivers
         Device drivers = OS plug-ins = actual functionality
         OS kernel small and usually correct
         100,000 device drivers? 250,000 device drivers? Many incorrect!
         85%+ of crashes in OS (both Windows and Linux) due to drivers
         Correctness problem: interface between OS and device driver




136
Conclusion



      Static Driver Verifier
       A compile-time tool that finds bugs in device drivers
       Kernel API usage rules + the automatic formal verification engines
       Released on the current DDK beta



      SLAM:
       Automatic formal verification engine for safety properties
       Uses abstractions and counterexample-guided refinement




137
Conclusion



      SLAyer
       Automatic formal verification engine supporting more accurate
        model of heap-based data-structures
       Uses abstract interpretation with domain expressed in separation
        logic



      TERMINATOR:
       Automatic formal verification engine supporting liveness (and
        termination)
       Uses new-style of termination arguments that allows for
        counterexample-guided refinement



138
Discussion


      Questions?

      More information available at:

       http://www.microsoft.com/whdc/devtools/tools/SDV.mspx
         More information about Static Driver Verifier

       http://research.microsoft.com/slam
         Pointers to information about SLAM

       http://research.microsoft.com/TERMINATOR
         Pointers to information about TERMINATOR

       http://research.microsoft.com/~bycook
         Pointers to information about me

139

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:8
posted:8/27/2012
language:English
pages:139