1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research [email protected]...

1

Thorough Static Analysis of Device Drivers

Byron Cook – Microsoft Research

[email protected]

Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner

2

Kernel

DD

HW

DDDD

DD

DD

DD

DD

DD DD

DD

DD

DDDD

DD

DDDD

DD

DD

DD

HW

HW

HW

HW

HW

HW

HW

Static Driver Verifier

3

Static Driver Verifier (a.k.a. SDV):

A compile-time correctness checking tool based on deep semantic analysis via symbolic model checking

Now available on the latest Windows DDK beta


4


Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers:

SDV operates on the driver’s source code

SDV is completely automatic

SDV checks that drivers do not violate a set of “kernel API usage rules”

Attempts to prove the correctness of the driver with the SLAM software model checker

5


other.h

driver.h

driver.c

Driver sources

SDV XX

XX

6


7


29

Outline

Introduction to Static Driver Verifier

Static Driver Verifier internals

Conclusion & Discussion

30

Outline




31


other.h

driver.h

driver.c

Driver sources

SDV XX

XX

32


SDVRules

SLAM

OS model

other.h

driver.h

driver.c XX

XX

Driver sources

33

Static Driver Verifier: Rules

Expressed in an event-based language

Possible events: Function entry Function exit

The code associated with events call the function error() to indicate a violation:

IoCallDriver.entry { if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction ==IRP_MJ_POWER) { error(); } }

34

Static Driver Verifier: Rules

35


SDVRules

SLAM

OS model

other.h

driver.h

driver.c XX

XX

36

Static Driver Verifier: OS model

Provides the main function

Abstract implementations of kernel APIs (like IoCallDriver)

Models some aspects of the OS state, like the “interrupt request level” (IRQL)

Uses non-deterministic choice

37

Static Driver Verifier: OS model

38


SDVRules

SLAM

OS model

other.h

driver.h

driver.c XX

XX

39

Static Driver Verifier: SLAM

Symbolic model checker for C

Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search

Algorithm = Predicate Abstraction + Counter-example based refinement + Symbolic reachability for Boolean programs

Simplifying (unsound) assumptions: C unions are ignored Memory layout is not known: pointer arithmetic is largely ignored Coincidental pointer aliasing is ignored, purposeful aliasing is not Functions cannot be called both by name and pointer The OS model does not exercise all paths possible in practice

40


void main(){ int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0;

while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } } g(); }}

Assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock

41


int locked = 0;

AcquireLock.entry { if (locked==1) { error(); } else { locked=1; }}

ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; }}

42

SLAM


43


SLAM RefineStep

AbstractStep

CheckStep

Driver passes rule

Rule violation foundOS model

Driver sources

Rule

Instrument

Step

44


int locked = 0;

if (locked==1) { error(); } else { locked=1; }

if (locked==0) { error(); } else { locked=0; }

int locked = 0;

AcquireLock.entry { if (locked==1) { error(); } else { locked=1; }}

ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; }}

void AcquireLock(){ ……………}

void ReleaseLock(){ ……………}

void main(){ ……………

void AcquireLock() {

………………}

void ReleaseLock() {

………………}

void main(){ ……………

Are these reachable?

45


SLAM RefineStep

CheckStep

Instrument

Step

Driver passes rule


Driver sources

Rule

AbstractStep

46

rst=0;

!rst a = b = c = a<b && b<c rst=1;

void main(){

for(;;) { AcquireLock(); while( ) { f1(); f2(); f3(); if ( ) { ReleaseLock(); } } g(); }}

int a,b,c,rst,cnt; cnt = 0;


* *

State space = 2^(#bits(pc)) + stack

47


SLAM Refine

Step

AbstractStep

Instrument

Step

Driver passes rule


Driver sources

Rule

CheckStep

48


Reachable state-

space for steps <1

49


Reachable state-

space for steps <1

Reachable state-space for steps <2 Reachable

state-space for steps <3

50


Reachable state-

space for steps <1



Reachable state-space for

steps <4Reachable


Reachable state-

space for steps <6

51


Reachable state-

space for steps <1




steps <4Reachable


Reachable state-

space for steps <6

Reachable state-space for steps <7

Reachable state-space for steps

<8

52


Reachable state-

space for steps <1




steps <4Reachable


Reachable state-

space for steps <6

Reachable state-space for steps <7

Reachable state-space for steps

<8Reachable state-space for steps

<9State where PC is at a call to error()

53


void main(){

for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } } g(); }}

54


void main(){


55


void main(){


56


void main(){


57


void main(){


58


void main(){


59


void main(){


60


void main(){


61


void main(){


62


void main(){


63


SLAMAbstract

Step

CheckStep

Instrument

Step

Driver passes rule


Driver sources

Rule

RefineStep

64




65




66




67




cnt==0

68




cnt==0

69




cnt==0

70




cnt==0

71




cnt==0

rst==0

72




cnt==0

rst==0

73




cnt==0

rst==0

74




cnt==0

rst==0

!(rst==0)

75




cnt==0

rst==0

!(rst==0)

New predicate to track: main { rst==0 }

76


SLAM Refine

Step

CheckStep

Instrument

Step

Driver passes rule


Driver sources

Rule

AbstractStep

77

int a,b,c,rst,cnt; cnt = 0;

void main(){

for(;;) { AcquireLock(); while( ) { f1(); f2(); f3(); if ( ) { ReleaseLock(); } } g(); }}


v0=1;

v0 * v0=0;

State space = 2^(1 + #bits(pc)) + stack

bool v0; // represents rst==0

rst=0;

!rst a = b = c = a<b && b<c rst=1;

78


SLAM Refine

Step

AbstractStep

Instrument

Step

Driver passes rule


Driver sources

Rule

CheckStep

79


Reachable state-

space for steps <n

80


Reachable state-

space for steps <n

Reachable state-space

for steps <n+1


for steps <n+2

81


Reachable state-

space for steps <n


for steps <n+1


for steps <n+2


steps <n+3Reachable

state-space for steps <n+4

Reachable state-space for steps <n+5 and

<n+4

82


Reachable state-

space for steps <n


for steps <n+1


for steps <n+2


steps <n+3Reachable

state-space for steps <n+4

Reachable state-space for steps <n+5 and

<n+4

83


The abstraction contains only the PC and these three state bits locked>0 locked==0 rst==0

Abstracted away Much of f1(), f2(), f3(), g(), cnt, a, b, c Potential values from rst

From this abstraction we can reasons that the original C program is also correct

84

Outline




85

Outline




86

Conclusion

SDV

A compile-time tool that finds bugs in device drivers

Kernel API usage rules + the SLAM model checker

Released on the latest DDK beta

Subsequent releases will support additional driver models

87

Conclusion

In the paper

More information on how SDV works

More information on what SDV checks, what it doesn’t check, and why.

Data from experiments with SDV on ~100 device drivers

Information about new work to support new driver models

88

Conclusion

What’s next for SDV/SLAM-like tools within Microsoft?

Proving deeper properties about programs that manipulate the heap

SLAM-like tools with better support for concurrency

Liveness properties & termination

Contracts/specifications for additional APIs

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research [email protected]...

Documents

Transcript of 1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research [email protected]...