Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

eurosys-slam

VIEWS: 6 PAGES: 88

									    Thorough Static Analysis of Device Drivers




      Byron Cook – Microsoft Research
      bycook@microsoft.com

     Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con
     McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner


1
Static Driver Verifier


         HW      DD
   HW   DD   Kernel
            DD DD    DD   HW
      DD DD         DD
  HW         DD         DD
      DD
         DD    DD    DD     HW
  HW
      DD
                         DD
    HW      DD DD DD
 2
                            HW
Static Driver Verifier




      Static Driver Verifier (a.k.a. SDV):

         A compile-time correctness checking tool based on
         deep semantic analysis via symbolic model checking

         Now available on the latest Windows DDK beta




 3
Static Driver Verifier




    Static Driver Verifier (SDV) is a tool for finding bugs in Windows
      device drivers:


      SDV operates on the driver’s source code

      SDV is completely automatic

      SDV checks that drivers do not violate a set of “kernel API usage
      rules”

      Attempts to prove the correctness of the driver with the SLAM
      software model checker


4
Static Driver Verifier




    Driver sources             
                               X
        other.h




                               
          driver.h


             driver.c



                         SDV   X


                               
                               
5
Static Driver Verifier




6
Static Driver Verifier




7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Outline




          Introduction to Static Driver Verifier

          Static Driver Verifier internals

          Conclusion & Discussion




29
Outline




          Introduction to Static Driver Verifier

          Static Driver Verifier internals

          Conclusion & Discussion




30
Static Driver Verifier




     Driver sources            
                               X
         other.h




                               
           driver.h


              driver.c



                         SDV   X


                               
                               
31
Static Driver Verifier




     Driver sources                        
                                           X
         other.h          Rules


                                           
          driver.h


            driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
32
Static Driver Verifier: Rules



     Expressed in an event-based language

     Possible events:
      Function entry
      Function exit

     The code associated with events call the function error() to indicate a
     violation:

      IoCallDriver.entry
      {
          if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction
                 ==IRP_MJ_POWER) {
              error();
          }
      }




33
Static Driver Verifier: Rules




34
Static Driver Verifier




                                           
                                           X
     other.h              Rules


                                           
      driver.h


        driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
35
Static Driver Verifier: OS model




         Provides the main function

         Abstract implementations of kernel APIs (like
         IoCallDriver)

         Models some aspects of the OS state, like the
         “interrupt request level” (IRQL)

         Uses non-deterministic choice




36
Static Driver Verifier: OS model




37
Static Driver Verifier




                                           
                                           X
     other.h              Rules


                                           
      driver.h


        driver.c



                         SDV
                         OS model
                                    SLAM
                                           X


                                           
                                           
38
Static Driver Verifier: SLAM


     Symbolic model checker for C

     Strategy: throw away as much irrelevant detail from the driver as
     possible through abstraction search

     Algorithm = Predicate Abstraction + Counter-example based
     refinement + Symbolic reachability for Boolean programs

     Simplifying (unsound) assumptions:
        C unions are ignored
        Memory layout is not known: pointer arithmetic is largely ignored
        Coincidental pointer aliasing is ignored, purposeful aliasing is not
        Functions cannot be called both by name and pointer
        The OS model does not exercise all paths possible in practice


39
Static Driver Verifier: SLAM

           void main()
           {
               int a,b,c,rst,cnt;
               cnt = 0;
               for(;;) {
                   AcquireLock();
                   rst=0;

                   while(!rst) {
                       a = f1();
                       b = f2();
                       c = f3();
                       if (a<b && b<c) {
                           rst=1;
                           ReleaseLock();   Assume that f1,
                       }                    f2, f3 and g do
                    }                       not call
                    g();                    AcquireLock or
               }                            ReleaseLock
           }
40
Static Driver Verifier: SLAM


                   int locked = 0;


                   AcquireLock.entry {
                       if (locked==1) {
                           error();
                       } else {
                           locked=1;
                       }
                   }

                   ReleaseLock.entry {
                       if (locked==0) {
                           error();
                       } else {
                           locked=0;
                       }
                   }

41
Static Driver Verifier: SLAM




                SLAM
42
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


43
Static Driver Verifier: SLAM



                               int locked = 0;

     void AcquireLock()        AcquireLock.entry
     {                         {
         ……………                     if (locked==1) {
     }                                 error();
                                   } else {
                                       locked=1;
                                   }
         ………………                }
     }      Are these
            reachable?
     void ReleaseLock()        ReleaseLock.entry
     {                         {
         ……………                     if (locked==0) {
     }                                 error();
                                   } else {
                                       locked=0;
                                   }
         ………………                }
     }

     void main()
     {
         ……………
44
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


45
Static Driver Verifier: SLAM


                void main()
                {
                    int a,b,c,rst,cnt;
                    cnt = 0;
                    for(;;) {
                        AcquireLock();
                        rst=0;

                        while(!rst ) {
                               *
                            a = f1();
                            b = f2();
                            c = f3();
                            if (a<b && b<c ) {
                                      *
                                rst=1;
                                ReleaseLock();
                            }
                         }
                         g();
                    }
                }               State space = 2^(#bits(pc)) + stack
46
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


47
Static Driver Verifier: SLAM



       Reachable
      state-space
        for steps
           <1




48
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable
           <1                       state-space
                                   for steps <3




49
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5



                                          Reachable
                                         state-space
                                           for steps
                                              <6

50
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5
           Reachable state-
          space for steps <8
                 Reachable
                state-space
                         Reachable
                         <7
               for stepsstate-space
                          for steps
                             <6

51
Static Driver Verifier: SLAM



       Reachable      Reachable
      state-space    state-space
        for steps   for steps <2
                                     Reachable     Reachable state-
           <1                       state-space   space for steps <4
                                   for steps <3
                                                                  Reachable state-
                                                                 space for steps <5
           Reachable state-
             Reachable
          space for steps <8 state-
                 Reachable
                state-space   Reachable
                               steps <9
            space forstate-space
               for steps <7
                               for steps
                  State where PC is at a call to error()
                                     <6

52
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
53
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
54
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
55
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
56
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
57
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
58
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
59
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
60
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
61
Static Driver Verifier: SLAM


                void main()
                {


                    for(;;) {
                        AcquireLock();


                        while( * ) {
                                f1();
                                f2();
                                f3();
                            if (     *       ) {

                                   ReleaseLock();
                               }
                         }
                         g();
                    }
                }
62
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


63
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
64
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
65
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
66
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
67
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
68
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
69
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
70
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
71
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
72
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
73
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;           cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                            rst==0

               while(!rst) {            !(rst==0)
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }
74
       }
Static Driver Verifier: SLAM


       void main()
       {
           int a,b,c,rst,cnt;             cnt==0
           cnt = 0;
           for(;;) {
               AcquireLock();
               rst=0;                              rst==0

               while(!rst) {             !(rst==0)
                   a = f1();
                   b = f2();
                   c = f3();
                   if (a<b && b<c) {
                       rst=1;
                       ReleaseLock();
                   }
                }
                g();
           }               New predicate to track: main { rst==0 }
75
       }
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


76
Static Driver Verifier: SLAM


                void main()
                {
                    int a,b,c,rst,cnt;
                    bool 0;
                    cnt = v0; // represents rst==0
                    for(;;) {
                        AcquireLock();
                        v0=1;
                        rst=0;

                        while(!rst ) {
                               v0
                            a = f1();
                            b = f2();
                            c = f3();
                                         )
                            if (a<b && b<c {
                                      *
                                v0=0;
                                rst=1;
                                ReleaseLock();
                            }
                         }
                         g();
                    }
                }              State space = 2^(1 + #bits(pc)) + stack
77
Static Driver Verifier: SLAM




           Rule                                   Driver passes rule

                              Abstract
                               Step




                   SLAM
  Driver
 sources
                  Instrumen              Check
                       t                  Step
                     Step


                               Refine
                               Step



       OS model                                  Rule violation found


78
Static Driver Verifier: SLAM



       Reachable
      state-space
        for steps
           <n




79
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable
           <n           <n+1      state-space
                                    for steps
                                      <n+2




80
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable    Reachable state-
           <n           <n+1      state-space    space for steps
                                    for steps        <n+3
                                      <n+2                         Reachable state-
                                                                    space for steps
                                                                        <n+4

                                                       Reachable state-
                                                        space for steps
                                                       <n+5 and <n+4




81
Static Driver Verifier: SLAM



       Reachable     Reachable
      state-space   state-space
        for steps     for steps
                                   Reachable    Reachable state-
           <n           <n+1      state-space    space for steps
                                    for steps        <n+3
                                      <n+2                         Reachable state-
                                                                    space for steps
                                                                        <n+4

                                                       Reachable state-
                                                        space for steps
                                                       <n+5 and <n+4




82
Static Driver Verifier: SLAM


     The abstraction contains only the PC and these three state bits
      locked>0
      locked==0
      rst==0


     Abstracted away
        Much of f1(), f2(), f3(), g(),
        cnt,
        a, b, c
        Potential values from rst


     From this abstraction we can reasons that the original C program is
     also correct



83
Outline




          Introduction to Static Driver Verifier

          Static Driver Verifier internals

          Conclusion & Discussion




84
Outline




          Introduction to Static Driver Verifier

          Static Driver Verifier internals

          Conclusion & Discussion




85
Conclusion




     SDV

      A compile-time tool that finds bugs in device drivers

      Kernel API usage rules + the SLAM model checker

      Released on the latest DDK beta

      Subsequent releases will support additional driver models




86
Conclusion




     In the paper

      More information on how SDV works

      More information on what SDV checks, what it doesn’t check, and
       why.

      Data from experiments with SDV on ~100 device drivers

      Information about new work to support new driver models



87
Conclusion




     What’s next for SDV/SLAM-like tools within Microsoft?

       Proving deeper properties about programs that manipulate the heap

       SLAM-like tools with better support for concurrency

       Liveness properties & termination

       Contracts/specifications for additional APIs




88

								
To top