Automated Tools for Software Reliability - PowerPoint PPT Presentation

1
Automated Tools for Software Reliability
  • Suhabe Bugrara
  • suhabe_at_stanford.edu
  • Stanford University

2
Problem
  • 80% of development cost goes to identifying and
    correcting defects
  • Software errors cost the US economy $60 billion
    annually (0.6% of GDP)

3
Manual Testing
  • Traditional approach to quality assurance
  • Expensive
  • Time consuming
  • Not systematic
  • Difficult to quantify effectiveness of test suite
  • Cannot make any guarantees about reliability
  • Insufficient for safety critical systems

4
Automated Tools
  • Programs to find defects in programs
  • Automated
  • Systematic
  • Easy to quantify effectiveness
  • Provide guarantees about reliability
  • Sometimes expensive (for now)
  • Sometimes time consuming (for now)

5
Program Analyzers
                 Complete                         Incomplete
    Sound        Reports all errors;              Reports all errors;
                 reports no false alarms          may report false alarms
                 (undecidable)                    (decidable)
    Unsound      May not report all errors;       May not report all errors;
                 reports no false alarms          may report false alarms
                 (decidable)                      (decidable)

6
Static Driver Verifier
  • Program analyzer for API usage rules
  • Developed by Microsoft Research
  • Applied to device drivers in Windows
  • Sound: reports all possible errors
  • Incomplete: may report false alarms

7
SDV Overview
  • Write API usage rule specification
  • Instrument program with usage checks
  • Abstract program
  • Check abstraction for errors
  • If error found, see if error is false alarm
  • If false alarm, refine abstraction
  • If not false alarm, report error as bug

8
(No Transcript)
9
(No Transcript)
12
API Usage Rules
  • Ex. locks are alternatingly acquired and released
  • Expressed as a finite state machine
  • States: locked, unlocked, error
  • Transitions: acquire(), release()

State machine (figure; transitions listed):
    unlocked --acquire()--> locked
    locked   --release()--> unlocked
    locked   --acquire()--> error
    unlocked --release()--> error
13
Rule specification:

    state {
      enum { Unlocked = 0, Locked = 1 } state = Unlocked;
    }

    KeAcquireSpinLock.return {
      if (state == Locked) error();
      else state = Locked;
    }

    KeReleaseSpinLock.return {
      if (!(state == Locked)) error();
      else state = Unlocked;
    }
14
The same rule as C usage checks:

    enum { Unlocked = 0, Locked = 1 } state = Unlocked;

    void KeAcquireSpinLock_return() {
      if (state == Locked) error();
      else state = Locked;
    }

    void KeReleaseSpinLock_return() {
      if (!(state == Locked)) error();
      else state = Unlocked;
    }
16
    void example() {
      do {
        KeAcquireSpinLock();

        nPacketsOld = nPackets;
        req = devExt->WLHV;
        if (req && req->status) {
          devExt->WLHV = req->Next;
          KeReleaseSpinLock();

          irp = req->irp;
          if (req->status > 0) {
            irp->IoS.Status = SUCCESS;
            irp->IoS.Info = req->Status;
          } else {
            irp->IoS.Status = FAIL;
            irp->IoS.Info = req->Status;
          }
          SmartDevFreeBlock(req);
          IoCompleteRequest(irp);
          nPackets++;
        }
      } while (nPackets != nPacketsOld);

      KeReleaseSpinLock();
    }
19
    void example() {
      do {
        KeAcquireSpinLock();
        KeAcquireSpinLock_return();      // instrumented usage check
        nPacketsOld = nPackets;
        req = devExt->WLHV;
        if (req && req->status) {
          devExt->WLHV = req->Next;
          KeReleaseSpinLock();
          KeReleaseSpinLock_return();    // instrumented usage check
          irp = req->irp;
          if (req->status > 0) {
            irp->IoS.Status = SUCCESS;
            irp->IoS.Info = req->Status;
          } else {
            irp->IoS.Status = FAIL;
            irp->IoS.Info = req->Status;
          }
          SmartDevFreeBlock(req);
          IoCompleteRequest(irp);
          nPackets++;
        }
      } while (nPackets != nPacketsOld);

      KeReleaseSpinLock();
      KeReleaseSpinLock_return();        // instrumented usage check
    }
Program A
21
SDV Abstraction
  • Construct abstraction B of original program A
  • B over-approximates reachability:
    • If error() is reachable in A, then it is also reachable in B
    • This characteristic makes SDV sound
    • If error() is reachable in B, then it may not be reachable in A
    • This characteristic makes SDV incomplete
  • Check abstraction B for any errors

22
Reachable States
(Diagram: the reachable states of Original A lie inside those of Abstraction B, and the error state lies inside A's reachable states: a real bug!)
Sound: if A has an error, then B has an error
23
Reachable States
(Diagram: the error state lies inside the reachable states of Abstraction B but outside those of Original A: a false alarm!)
Incomplete: if B has an error, then A may not have an error
24
    bool b1;
    b1 = false;      // abstract the state (state == Locked) with b1

    void KeAcquireSpinLock_return() {
      if (b1) error();
      else b1 = true;
    }

    void KeReleaseSpinLock_return() {
      if (!(b1)) error();
      else b1 = false;
    }
25
    void example() {
      do {
        KeAcquireSpinLock_return();

        if (SdvMakeChoice()) {
          KeReleaseSpinLock_return();

          if (SdvMakeChoice()) {
          } else {
          }
        }
      } while (SdvMakeChoice());

      KeReleaseSpinLock_return();
    }
Program B
27
Program B, checked: Error trace found!
28
Program A, the original: But, no bug in the original program!
30
    void example() {
      do {
        KeAcquireSpinLock_return();
        b2 = false;      // b2 abstracts the predicate (nPackets != nPacketsOld)

        if (SdvMakeChoice()) {
          KeReleaseSpinLock_return();

          if (SdvMakeChoice()) {
          } else {
          }
          b2 = !b2 ? true : SdvMakeChoice();
        }
      } while (b2);

      KeReleaseSpinLock_return();
    }
Program C
31
Reachable States
(Diagram: the reachable states of Refined C lie between those of Original A and Abstraction B; the error state is inside B but outside C: the false alarm is no longer reported!)
32
SDV Summary
  • Write API usage rule specification
  • Instrument program with usage checks
  • Abstract program
  • Check abstraction for errors
  • If error found, see if error is false alarm
  • If false alarm, refine abstraction
  • If not false alarm, report error as bug
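
As an added example (not SDV's code and not from the presentation), the following Python model checks the boolean programs B and C from slides 25 and 30 exhaustively: every SdvMakeChoice() is explored both ways, the abstract state is the pair (b1, b2), and seen loop-head states are not revisited, so the search terminates. The trace labels are my own naming.

```python
from collections import deque

ERROR = "error()"

def abstract_program(refined):
    """Explore every execution of Program B (refined=False) or C (refined=True).

    b1 abstracts (state == Locked) from the rule on slide 24; b2 abstracts the
    predicate (nPackets != nPacketsOld) and is tracked only in the refined
    program.  Returns the first trace reaching error(), or None if unreachable.
    """
    work = deque([((False, False), [])])     # rule starts Unlocked: b1 = False
    seen = set()
    while work:
        (b1, b2), trace = work.popleft()
        if (b1, b2) in seen:
            continue
        seen.add((b1, b2))
        if b1:                               # KeAcquireSpinLock_return() while locked
            return trace + ["KeAcquireSpinLock_return", ERROR]
        b1 = True
        if refined:
            b2 = False                       # b2 = false (nPacketsOld = nPackets)
        for take_if in (False, True):        # if (SdvMakeChoice()) { ... }
            b1_if, b2_if = b1, b2
            t = trace + [f"if taken: {take_if}"]
            if take_if:
                if not b1_if:                # KeReleaseSpinLock_return() while unlocked
                    return t + ["KeReleaseSpinLock_return", ERROR]
                b1_if = False
                # the inner if/else changes no abstract state and is skipped
                if refined:                  # b2 = !b2 ? true : SdvMakeChoice();
                    b2_if = True             # b2 is false here, so the result is true
            # } while (SdvMakeChoice())  in B;   } while (b2)  in C
            for again in ((b2_if,) if refined else (True, False)):
                if again:
                    work.append(((b1_if, b2_if), t + ["loop again"]))
                elif not b1_if:              # final KeReleaseSpinLock_return() while unlocked
                    return t + ["loop exit", "KeReleaseSpinLock_return", ERROR]
    return None
```

Program B yields the trace "if taken, loop exits, release again", exactly the double release that cannot happen in Program A; Program C yields no trace at all.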

33
Soundness
  • Assume memory safety
    • No buffer/integer overflows
    • Safe memory management
    • No null pointer dereferences
  • Oversimplified harness
    • Use stubs to model calls into OS procedures
    • Stubs may not represent all behavior

34
Research Challenges in Verification
  • Eliminate assumption of memory safety
  • Eliminate false alarms
  • Scale to the entire operating system
  • Verify more complicated properties
    • e.g. prove consistency of file system data structures

35
Program Analyzers
36
EXE
  • Automatically generate test cases that explore
    important program paths
  • Developed by Dawson Engler's group
  • Bug finding tool
  • Unsound: may not report all errors
  • Complete: never reports false alarms

37
    int bad_abs(int x) {
      if (x < 0)
        return -x;
      if (x == 12345678)
        return -x;
      return x;
    }
39
Path 1 of bad_abs (x < 0), path constraints:
    (x >= INT_MIN) && (x <= INT_MAX) && (x < 0) && (ret == -x)
Find a solution using an automatic constraint solver: x = -1
40
Path 2 of bad_abs (x == 12345678), path constraints:
    (x >= INT_MIN) && (x <= INT_MAX) && (x >= 0) && (x == 12345678) && (ret == -x)
Find a solution using an automatic constraint solver: x = 12345678
41
Path 3 of bad_abs (fall through), path constraints:
    (x >= INT_MIN) && (x <= INT_MAX) && (x >= 0) && (x != 12345678) && (ret == x)
Find a solution using an automatic constraint solver: x = 4
42
EXE automatically generated test cases for each path of bad_abs: x = -1, x = 12345678, x = 4
44
    int symbolic_bad_abs(int x) {
      add_constraints(x >= INT_MIN, x <= INT_MAX);
      ret = new symbol;

      if (fork() == child) {
        add_constraints(x < 0, ret == -x);
        return ret;   // (x >= INT_MIN) && (x <= INT_MAX) && (x < 0) && (ret == -x)
      } else {
        add_constraints(x >= 0);
      }

      if (fork() == child) {
        add_constraints(x == 12345678, ret == -x);
        return ret;   // (x >= INT_MIN) && (x <= INT_MAX) && (x >= 0) && (x == 12345678)
                      // && (ret == -x)
      } else {
        add_constraints(x != 12345678);
      }

      add_constraints(ret == x);
      return ret;     // (x >= INT_MIN) && (x <= INT_MAX) && (x >= 0) && (x != 12345678)
                      // && (ret == x)
    }
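
As an added example (not EXE's code and not from the presentation), this Python driver enumerates the paths of bad_abs the way the fork() calls above do: each run follows a prefix of branch decisions, and every branch met beyond the prefix is queued again with the other decision. The "solver" is a stand-in that probes a few boundary values instead of the real constraint solver EXE calls, and the witness values it picks are its own; only x = -1 and x = 12345678 coincide with the slides.

```python
INT_MIN, INT_MAX = -2**31, 2**31 - 1
# Values the toy solver tries, in order (constructed; a real symbolic executor
# hands the path constraints to a constraint solver instead).
CANDIDATES = [0, -1, 1, 12345678, INT_MIN, INT_MAX]

def solve(constraints):
    """Return the first candidate int satisfying every path constraint, or None."""
    for x in CANDIDATES:
        if all(c(x) for c in constraints):
            return x
    return None

def bad_abs(branch):
    """bad_abs from the slides with x symbolic: each `if` asks the oracle
    branch(cond) which way to go, and the result is returned as a function of x."""
    if branch(lambda x: x < 0):
        return lambda x: -x
    if branch(lambda x: x == 12345678):
        return lambda x: -x          # the bug: negates a positive input
    return lambda x: x

def explore(program):
    """Enumerate every path of `program` (no loops assumed).

    Returns {branch decisions: (witness input or None, returned expression)}.
    """
    paths, worklist = {}, [()]       # () = first run, every branch defaults to False
    while worklist:
        prefix = worklist.pop()
        taken = []                   # (condition, decision) met along this run
        def branch(cond):
            decision = prefix[len(taken)] if len(taken) < len(prefix) else False
            taken.append((cond, decision))
            return decision
        ret = program(branch)
        decisions = tuple(d for _, d in taken)
        for i in range(len(prefix), len(taken)):   # fork(): queue the other side
            worklist.append(decisions[:i] + (True,))
        # path constraint: x in int range, plus each condition or its negation
        constraints = [lambda x: INT_MIN <= x <= INT_MAX]
        for cond, d in taken:
            constraints.append(cond if d else (lambda x, c=cond: not c(x)))
        paths[decisions] = (solve(constraints), ret)
    return paths
```

Applying the returned expression to the witness of the second path gives -12345678 for a positive input, which is the test case that exposes the bug.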
45
    int main(void) {
      unsigned i, t, a[4] = { 1, 3, 5, 2 };
      make_symbolic(&i);

      if (i >= 4)
        exit(0);

      char *p = (char *) a + i * 4;
      *p = *p - 1;

      t = a[*p];

      t = t / a[i];

      if (t == 2)
        assert(i == 1);
      else
        assert(i == 3);
    }
47
Review
  • Why does SDV produce false alarms while EXE
    doesn't?
  • Why use SDV, then?

48
Saturn
  • Large-scale program verification
  • Developed by Alex Aiken's group
  • Sound: reports all errors
  • Incomplete: may report false alarms
  • Gives guarantees of reliability on systems as
    large as the Linux kernel with over 6.2 million
    lines of code

49
Program Analyzers
50
Unchecked User Pointer Dereferences
  • Security property of operating systems
  • Two types of pointers in operating systems
    • kernel pointer: a pointer created by the operating
      system
    • user pointer: a pointer created by a user
      application and passed to the operating system
      via an entry point such as a system call
  • Must check that a user pointer points into
    userspace before dereferencing it

51
Unchecked User Pointer Dereferences
    static ssize_t read_port(..., char __user *buf, ...)
    {
        unsigned long i = *ppos;
        char __user *tmp = buf;

        if (!access_ok(.., buf, ...))           // check
            return -EFAULT;

        while (count-- > 0 && i < 65536) {
            if (__put_user(inb(i), tmp) < 0)    // deref
                return -EFAULT;
            i++;
            tmp++;
        }

        *ppos = i;
        return tmp - buf;
    }

52
Security Vulnerability
  • A malicious user could
    • Take control of the operating system
    • Overwrite kernel data structures
    • Read sensitive data out of kernel memory
    • Crash the machine by corrupting data

53
Verifying the Security Property
  • Eliminate the need for annotations
  • Eliminate false positives
  • Provide guarantee that no security
    vulnerabilities of this kind are present

54
Security Verifier
  • Design a sound and incomplete verifier to prove
    statically that no unchecked user pointer
    dereferences exist

55
Security Verifier
  • Compute a set of facts at each program point
  • States: user, checked, error
  • Facts are pairs of locations and states
    • (v,user) signifies that v is a user pointer
  • Verify that the program is never in the error state

56
Security Verifier
  • A pointer is in the user state if created by a user
    application
  • A pointer is in the checked state if access_ok has been applied to it
  • A pointer is in the error state if dereferenced when
    • the pointer is in the user state, AND
    • the pointer is NOT in the checked state

57
Example
    int sys_call(int *u, int cmd) {   // u is a user pointer
      int x;

      if (cmd == 1) {
        if (!access_ok(u))            // check u
          return ERR;
      }

      if (cmd == 1) {
        x = *u;                       // dereference u
      }
    }
58
One Possible Approach
Facts at each program point (path-insensitive analysis):

    int sys_call(int *u, int cmd) {   // (u,user)
      int x;                          // (u,user)

      if (cmd == 1) {                 // (u,user)
        if (!access_ok(u))
          return ERR;
                                      // (u,user) (u,checked)
      }
                                      // (u,user)             lost precision!
      if (cmd == 1) {
        x = *u;                       // (u,user) (u,error)   emit warning!
      }
    }

... but the procedure does not contain any vulnerabilities!
59
Path Sensitivity
  • Ability to reason about branch correlations
  • Important for reducing false positive rate
  • Programs use a substantial amount of branch
    correlation in practice

60
Example
(The sys_call procedure from slide 57, shown again as the running example.)
61-64
Path Sensitivity
(Figures: paths through sys_call highlighted one per slide. Both branches test cmd == 1, so of the paths through the procedure:)
  • Valid Path: cmd == 1, access_ok(u) passes, u is dereferenced
  • Valid Path: cmd == 1, access_ok(u) fails, return ERR
  • Valid Path: cmd != 1, neither branch taken, no dereference
  • Invalid Path! cmd != 1 at the first branch (check skipped) but cmd == 1 at the second (u dereferenced): no execution can follow it
65
Path Sensitive Analysis
Each fact now carries a guard (written after the ?), the condition under which the fact holds:

    int sys_call(int *u, int cmd) {   // (u,user) ? true
      int x;                          // (u,user) ? true

      if (cmd == 1) {                 // (u,user) ? true
        if (!access_ok(u))
          return ERR;
                                      // (u,user) ? true   (u,checked) ? cmd == 1
      }
                                      // (u,user) ? true   (u,checked) ? cmd == 1
      if (cmd == 1) {
        x = *u;                       // (u,user) ? true   (u,checked) ? cmd == 1
                                      // (u,error) ? (cmd == 1) && !(cmd == 1) && true == false
      }
    }

The guard of (u,error) is false, so the error state is unreachable and no warning is emitted.
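
As an added example (not Saturn's code and not from the presentation), this Python sketch runs the fact analysis of slides 58 and 65 on sys_call in both modes: path-insensitive, where the (u,checked) fact is dropped at the join and the dereference draws a warning, and path-sensitive, where guards over the predicate cmd == 1 make the (u,error) guard unsatisfiable. The tiny statement list format, the names SYS_CALL and UNCHECKED, and the truth-table satisfiability check are my own constructions.

```python
# Guards are boolean formulas over the one branch predicate (cmd == 1), kept as
# functions of an environment; satisfiability is a two-row truth table.
TRUE = lambda env: True
FALSE = lambda env: False
CMD_IS_1 = lambda env: env["cmd==1"]
def NOT(g): return lambda env: not g(env)
def AND(a, b): return lambda env: a(env) and b(env)
def OR(a, b): return lambda env: a(env) or b(env)
def satisfiable(g): return any(g({"cmd==1": v}) for v in (False, True))

# Hypothetical mini-IR: ("if", guard, body), ("check", var) for a passed
# access_ok(var) on the fall-through path, ("deref", var) for *var.
SYS_CALL = [
    ("if", CMD_IS_1, [("check", "u")]),   # if (cmd == 1) { if (!access_ok(u)) return ERR; }
    ("if", CMD_IS_1, [("deref", "u")]),   # if (cmd == 1) { x = *u; }
]
UNCHECKED = [("if", CMD_IS_1, [("deref", "u")])]   # constructed: a real vulnerability

def run(stmts, facts, pc, path_sensitive, warnings):
    """Walk stmts under path condition pc; facts maps (var, state) -> guard."""
    for st in stmts:
        if st[0] == "if":
            _, cond, body = st
            inner = dict(facts)
            run(body, inner, AND(pc, cond) if path_sensitive else pc,
                path_sensitive, warnings)
            for key, g in inner.items():         # join with the fall-through path
                if key in facts:
                    facts[key] = OR(facts[key], g)
                elif path_sensitive:
                    facts[key] = g               # guard already records cond == true
                # path-insensitive: a fact from one side only is dropped (lost precision!)
        elif st[0] == "check":
            var = st[1]
            facts[(var, "checked")] = OR(facts.get((var, "checked"), FALSE), pc)
        elif st[0] == "deref":
            var = st[1]
            err = AND(pc, AND(facts.get((var, "user"), FALSE),
                              NOT(facts.get((var, "checked"), FALSE))))
            facts[(var, "error")] = err
            if satisfiable(err):                 # (var, error) reachable: emit warning!
                warnings.append(var)

def verify(stmts, path_sensitive):
    """Return the variables whose dereference draws a warning."""
    facts = {("u", "user"): TRUE}                # u is a system call argument
    warnings = []
    run(stmts, facts, TRUE, path_sensitive, warnings)
    return warnings
```

The genuinely unchecked variant draws a warning in both modes, so path sensitivity removes the false positive without hiding the real defect.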
66
Design of Saturn Security Verifier
  • Generate summary of behavior for each procedure
    with respect to calling context
  • Apply summary of callee at call site in caller
  • Repeatedly generate and apply summaries until a
    fixed point is reached

67
Experimental Setup
  • Implemented verifier for unchecked user pointer
    dereferences
  • Applied verifier to Linux 2.6.17.1 built for x86
    architecture
  • 6.4 million lines of code
  • Analyzed in 6 hours on a 50-node cluster

68
Results
  • 91,543 procedures
  • 154 (0.17%) of procedures time out
  • 627 system call parameters
  • 867,544 dereferences
  • 15,452 (1.8%) of dereferences time out

69
Results
  • Verified automatically:
    • 620 out of 627 system call arguments (99%)
    • 851,914 out of 852,092 dereferences (99.96%)
  • Warnings:
    • 7 warnings on system call arguments
    • 278 warnings on dereferences
  • 20 annotations required to verify

70
Saturn Other Analyses
  • Null pointer dereferences bug finder
    • Found hundreds of bugs in systems code
    • Isil Dillig, Thomas Dillig, and Alex Aiken.
      Static Error Detection Using Semantic
      Inconsistency Inference, PLDI 2007
  • Buffer overflow
  • Safe casting
  • Integer overflow
  • Locking
  • Safe memory management

71
Other Tools
  • BLAST
  • CQual
  • Metal
  • Daikon
  • Vault
  • ESP
  • ESPX
  • MOPS
  • DART
  • Prefast
  • Failure Oblivious Computing
  • CSSV
  • Alloy
  • eXplode
  • Chord
  • TVLA
  • CCured
  • Clouseau
  • STeP
  • Prefix

72
References
  • A. Aiken et al. An Overview of the Saturn
    Project. PASTE 2007
  • T. Ball et al. Thorough Static Analysis of Device
    Drivers. EuroSys 2006
  • C. Cadar et al. EXE: Automatically Generating
    Inputs of Death. CCS 2006
  • C. Cadar et al. Execution Generated Test Cases:
    How to Make Systems Code Crash Itself. SPIN 2006
  • B. Hackett et al. Modular Checking for Buffer
    Overflows in the Large. ICSE 2006
  • J. Yang et al. Automatically Generating Malicious
    Disks Using Symbolic Execution. IEEE Security and
    Privacy 2006
  • Software Errors Cost U.S. Economy $59.5 Billion
    Annually. NIST 2002.
    http://www.nist.gov/public_affairs/releases/n02-10.htm