Static Driver Verifier: Finding Bugs In Device Drivers At Compile-Time

1
Thorough Static Analysis of Device Drivers
Byron Cook, Microsoft Research
bycook_at_microsoft.com
  • Joint work with Tom Ball, Vladimir Levin, Jakob
    Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram
    Rajamani and Abdullah Ustuner

2
Static Driver Verifier
(Diagram: the Windows kernel surrounded by many device drivers (DD),
each driver sitting between the kernel and its hardware (HW))
3
Static Driver Verifier
  • Static Driver Verifier (a.k.a. SDV)
  • A compile-time correctness checking tool based on
    deep semantic analysis via symbolic model
    checking
  • Now available on the latest Windows DDK beta

4
Static Driver Verifier
  • Static Driver Verifier (SDV) is a tool for
    finding bugs in Windows device drivers
  • SDV operates on the driver's source code
  • SDV is completely automatic
  • SDV checks that drivers do not violate a set of
    kernel API usage rules
  • Attempts to prove the correctness of the driver
    with the SLAM software model checker

5
Static Driver Verifier
(Diagram: the driver sources driver.c, driver.h and other.h are fed
into SDV; each file is shown with a check mark)
6 to 28
(No Transcript; slides 6 and 7 carry only the title "Static Driver Verifier")
29
Outline
  • Introduction to Static Driver Verifier
  • Static Driver Verifier internals
  • Conclusion / Discussion

31
Static Driver Verifier
(Diagram repeated from slide 5: driver.c, driver.h and other.h fed into
SDV, each file with a check mark)
32
Static Driver Verifier
(Diagram: inside SDV, the driver sources (driver.c, driver.h, other.h),
a set of Rules and an OS model are all fed into SLAM; each input is
shown with a check mark)
33
Static Driver Verifier Rules
  • Expressed in an event-based language
  • Possible events
  • Function entry
  • Function exit
  • The code associated with an event calls the function
    error() to indicate a violation
  • Example rule (in the rule language, $2 is the second argument
    of IoCallDriver, the IRP being sent):
      IoCallDriver.entry {
        if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER)
          error();
      }
34
Static Driver Verifier Rules
35
Static Driver Verifier
(Diagram from slide 32, repeated: driver sources, Rules and OS model
fed into SLAM inside SDV)
36
Static Driver Verifier OS model
  • Provides the main function
  • Abstract implementations of kernel APIs (like
    IoCallDriver)
  • Models some aspects of the OS state, like the
    interrupt request level (IRQL)
  • Uses non-deterministic choice

37
Static Driver Verifier OS model
38
Static Driver Verifier
(Diagram from slide 32, repeated: driver sources, Rules and OS model
fed into SLAM inside SDV)
39
Static Driver Verifier SLAM
  • Symbolic model checker for C
  • Strategy: throw away as much irrelevant detail
    from the driver as possible through abstraction,
    then search the abstraction
  • Algorithm: predicate abstraction,
    counter-example based refinement, symbolic
    reachability for Boolean programs
  • Simplifying (unsound) assumptions
  • C unions are ignored
  • Memory layout is not known: pointer arithmetic is
    largely ignored
  • Coincidental pointer aliasing is ignored,
    purposeful aliasing is not
  • Functions cannot be called both by name and by
    pointer
  • The OS model does not exercise all paths possible
    in practice
40
Static Driver Verifier SLAM
  void main() {
    int a, b, c, rst, cnt;
    cnt = 0;
    for (;;) {
      AcquireLock();
      rst = 0;
      while (!rst) {
        a = f1(); b = f2(); c = f3();
        if (a < b && b < c) {
          rst = 1;
          ReleaseLock();
        }
      }
      g();
    }
  }
  Assume that f1, f2, f3 and g do not call
  AcquireLock or ReleaseLock
41
Static Driver Verifier SLAM
  int locked = 0;
  AcquireLock.entry {
    if (locked == 1) error(); else locked = 1;
  }
  ReleaseLock.entry {
    if (locked == 0) error(); else locked = 0;
  }
42
Static Driver Verifier SLAM
SLAM
43
Static Driver Verifier SLAM
(Diagram: the SLAM loop. Driver sources, the Rule and the OS model enter
the Instrument Step; then Abstract Step, Check Step and Refine Step form
a cycle, with two exits: "Driver passes rule" and "Rule violation found")
44
Static Driver Verifier SLAM
  Rule (slide 41):
  int locked = 0;
  AcquireLock.entry {
    if (locked == 1) error(); else locked = 1;
  }
  ReleaseLock.entry {
    if (locked == 0) error(); else locked = 0;
  }

  Instrumented driver: the rule's state and checks are inlined into
  the functions named by the events
  int locked = 0;
  void AcquireLock() {
    if (locked == 1) error(); else locked = 1;
  }
  void ReleaseLock() {
    if (locked == 0) error(); else locked = 0;
  }
  void main() { /* the program from slide 40 */ }

  Are these calls to error() reachable?
45
Static Driver Verifier SLAM
(SLAM loop diagram from slide 43, repeated)
46
Static Driver Verifier SLAM
  Boolean program after the first abstraction (only the PC is kept):
  void main() {
    for (;;) {
      AcquireLock();
      while (*) {
        f1(); f2(); f3();
        if (*) {
          ReleaseLock();
        }
      }
      g();
    }
  }
  Dropped by the abstraction: int a,b,c,rst,cnt; cnt = 0; rst = 0;
  the loop guard !rst; the assignments to a, b, c; the test a<b && b<c;
  rst = 1
  State space: 2^bits(pc) x stack
47
Static Driver Verifier SLAM
(SLAM loop diagram from slide 43, repeated)
48 to 52
Static Driver Verifier SLAM
(Diagram, built up over five slides: the reachable state space of the
Boolean program for steps < 1, < 2, ..., < 9; in the last frame a state
is reached where the PC is at a call to error())
53 to 62
Static Driver Verifier SLAM
  The abstract program from slide 46, repeated unchanged on ten slides:
  void main() {
    for (;;) {
      AcquireLock();
      while (*) {
        f1(); f2(); f3();
        if (*) {
          ReleaseLock();
        }
      }
      g();
    }
  }
63
Static Driver Verifier SLAM
(SLAM loop diagram from slide 43, repeated)
64 to 75
Static Driver Verifier SLAM
  The concrete program from slide 40, shown on twelve slides while the
  abstract counterexample is replayed on it:
  void main() {
    int a, b, c, rst, cnt;
    cnt = 0;
    for (;;) {
      AcquireLock();
      rst = 0;
      while (!rst) {
        a = f1(); b = f2(); c = f3();
        if (a < b && b < c) {
          rst = 1;
          ReleaseLock();
        }
      }
      g();
    }
  }
  Conditions collected along the trace, one per slide:
  cnt = 0
  rst = 0
  !(rst == 0)
  New predicate to track in main: rst == 0
76
Static Driver Verifier SLAM
(SLAM loop diagram from slide 43, repeated)
77
Static Driver Verifier SLAM
  Boolean program after refinement with the predicate rst == 0:
  bool v0;  // represents rst == 0
  void main() {
    for (;;) {
      AcquireLock();
      v0 = 1;              // rst = 0
      while (v0) {         // while (!rst)
        f1(); f2(); f3();
        if (*) {           // if (a<b && b<c)
          v0 = 0;          // rst = 1
          ReleaseLock();
        }
      }
      g();
    }
  }
  Still dropped: int a,b,c,rst,cnt; cnt = 0; the assignments to a, b, c;
  the test a<b && b<c
  State space: 2^(1 + bits(pc)) x stack
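The abstract / check / refine loop that slides 40 to 83 walk through, as an added Python illustration that is not SLAM's own code: the lock rule of slide 41 is instrumented into the example program, the program is explored with only the PC and `locked` tracked (which yields the spurious counterexample AcquireLock, rst = 0, leave the loop, AcquireLock again), the trace is replayed concretely to find the predicate it contradicts (rst == 0), and the refined Boolean program is searched to a fixpoint in which no call to error() is reachable. The location numbering, the state tuple (pc, locked, v0) and all function names are this example's own assumptions; SLAM runs symbolic (BDD-based) reachability on the Boolean program, whereas this toy enumerates states explicitly.

```python
"""Added illustration of the abstract / check / refine loop on the slides'
locking example. Not SLAM's code: locations, state layout and function names
are this example's own, and the search is explicit-state, not symbolic."""
from collections import namedtuple

ERROR = "error"     # the instrumented rule called error()

# Abstract program locations; NAMES gives the concrete statement at each.
ACQUIRE, RST_ZERO, WHILE, CALLS, IF, RELEASE, G = range(7)
NAMES = ["AcquireLock()", "rst = 0", "while (!rst)", "a=f1(); b=f2(); c=f3()",
         "if (a<b && b<c)", "rst = 1; ReleaseLock()", "g()"]

Result = namedtuple("Result", "error_reachable steps reached trace")


def successors(state, track_rst):
    """Successors of abstract state (pc, locked, v0). v0 stands for rst == 0;
    it is None while rst is unassigned or untracked, and a branch on an
    untracked condition becomes the nondeterministic choice '*'."""
    pc, locked, v0 = state
    star = (True, False)
    if pc == ACQUIRE:    # AcquireLock.entry { if (locked == 1) error(); else locked = 1; }
        return {ERROR} if locked == 1 else {(RST_ZERO, 1, v0)}
    if pc == RST_ZERO:   # rst = 0        ==>  v0 = 1
        return {(WHILE, locked, True if track_rst else None)}
    if pc == WHILE:      # while (!rst)   ==>  while (v0), or while (*) if untracked
        guards = (v0,) if track_rst else star
        return {(CALLS if g else G, locked, v0) for g in guards}
    if pc == CALLS:      # a, b, c are abstracted away, so nothing changes
        return {(IF, locked, v0)}
    if pc == IF:         # if (a<b && b<c) ==>  if (*)
        return {(RELEASE if taken else WHILE, locked, v0) for taken in star}
    if pc == RELEASE:    # rst = 1 ==> v0 = 0; ReleaseLock.entry { if (locked == 0) error(); ... }
        return {ERROR} if locked == 0 else {(WHILE, 0, False if track_rst else None)}
    if pc == G:          # g(); then back to the top of for (;;)
        return {(ACQUIRE, locked, v0)}
    raise ValueError(pc)


def check(track_rst):
    """Breadth-first reachability: frontier k holds the states first reached in
    k steps (the 'steps < k' slides). Stops at error() or at the fixpoint."""
    init = (ACQUIRE, 0, None)          # int locked = 0; rst not yet assigned
    parent = {init: None}
    frontier, steps = [init], 0
    while frontier:                    # empty frontier: fixpoint reached
        steps += 1
        new = []
        for s in frontier:
            for t in successors(s, track_rst):
                if t == ERROR:
                    return Result(True, steps, set(parent), path_to(parent, s))
                if t not in parent:
                    parent[t] = s
                    new.append(t)
        frontier = new
    return Result(False, steps, set(parent), None)


def path_to(parent, s):
    """PC sequence from the initial state to s: the abstract counterexample."""
    pcs = []
    while s is not None:
        pcs.append(s[0])
        s = parent[s]
    return pcs[::-1]


def refine(trace):
    """Replay the abstract trace on the concrete program, tracking only rst.
    Returns the predicate that shows the trace infeasible, or None if the
    trace is feasible (a real rule violation)."""
    rst = None
    for pc, nxt in zip(trace, trace[1:]):
        if pc == RST_ZERO:
            rst = 0
        elif pc == RELEASE:
            rst = 1
        elif pc == WHILE and rst is not None:
            entered = nxt == CALLS
            if entered != (rst == 0):  # guard !rst contradicts the known value of rst
                return "rst==0"
    return None


def cegar():
    """Abstract, check, refine until the rule is proved or a feasible trace is found."""
    predicates, track_rst = [], False
    while True:
        res = check(track_rst)
        if not res.error_reachable:
            return "Driver passes rule", predicates
        pred = refine(res.trace)
        if pred is None:
            return "Rule violation found", predicates
        predicates.append(pred)
        track_rst = True               # the only predicate this toy can add


if __name__ == "__main__":
    first = check(False)
    print("pc+locked only: error reachable after", first.steps, "steps via",
          " -> ".join(NAMES[pc] for pc in first.trace))
    print("refine says track:", refine(first.trace))
    print(cegar())
```

With only the PC and `locked` tracked the search hits error() in five steps through the path AcquireLock, rst = 0, exit the while loop, g(), AcquireLock; replaying it concretely shows the loop exit needs rst != 0 right after rst = 0, so rst == 0 is added. With v0 tracked the search explores ten abstract states and reaches a fixpoint with error() unreachable, the same conclusion the slides draw on slide 83.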
78
Static Driver Verifier SLAM
(SLAM loop diagram from slide 43, repeated)
79 to 82
Static Driver Verifier SLAM
(Diagram, built up over four slides: the reachable state space of the
refined Boolean program for steps < n, < n+1, ..., < n+4; the set for
steps < n+5 equals the set for steps < n+4, so the search has reached a
fixpoint)
83
Static Driver Verifier SLAM
  • The abstraction contains only the PC and these
    three state bits
  • locked > 0
  • locked == 0
  • rst == 0
  • Abstracted away
  • Much of f1(), f2(), f3(), g()
  • cnt
  • a, b, c
  • Potential values of rst (beyond whether rst == 0)
  • From this abstraction we can reason that the
    original C program is also correct
84
Outline
  • Introduction to Static Driver Verifier
  • Static Driver Verifier internals
  • Conclusion / Discussion

86
Conclusion
  • SDV
  • A compile-time tool that finds bugs in device
    drivers
  • Kernel API usage rules + the SLAM model checker
  • Released on the latest DDK beta
  • Subsequent releases will support additional
    driver models

87
Conclusion
  • In the paper
  • More information on how SDV works
  • More information on what SDV checks, what it
    doesn't check, and why
  • Data from experiments with SDV on 100 device
    drivers
  • Information about new work to support new driver
    models

88
Conclusion
  • What's next for SDV/SLAM-like tools within
    Microsoft?
  • Proving deeper properties about programs that
    manipulate the heap
  • SLAM-like tools with better support for
    concurrency
  • Liveness properties: termination
  • Contracts/specifications for additional APIs