Towards Scalable Modular Checking of User-defined Properties
Thomas Ball (MSR), Brian Hackett (Mozilla), Shuvendu Lahiri (MSR), Shaz Qadeer (MSR), Julien Vanegue (Microsoft)
A Decade of C/C++ Tools at Microsoft
• PREfix, PREfast/SAL
– Scalable, 1000s of users
– Hardcoded properties and checkers
– Checkers define semantics of C programs
• Static Driver Verifier (SLAM)
– Allows defining (limited) properties
– Automated abstraction refinement
– No procedure contracts
– No ability for user to control false alarms
• VCC (Verifying C Compiler)
– Aimed towards full functional correctness
– Procedure contracts
– No inference
– Requires expert users
Automatic Inference: Microsoft Buffer Annotation Effort
[Workflow diagram: Code Base, SALinfer, Manual Annotations, SAL Annotated Code, PREfix/PREfast, Potential Defects, Code Review, SAL Fixes / Code Fixes]
• Windows Vista
– mandate: annotate 100,000 mutable buffers
– developers annotated 500,000+ parameters
– developers fixed 20,000+ bugs
• Office 2007
– developers fixed 6,500+ bugs
Why Another C Verifier?
                 SDV                     HAVOC                   VCC
Expressiveness   + (control-oriented)    ++ (system-specific)    +++ (functional)
Precision        + (abstract memory)     ++ (precise)            ++ (precise)
Scalability      + (whole program)       ++ (modular)            ++ (modular)
Automation       ++ (push button)        + (inference)           -- (manual)
Contracts        --                      ++                      ++
Users            Developers              Auditors                Verif. experts
Problem          Correct API usage       Security audit          Fully correct TCB
Users and Their Problems
• Developers
– Focused on feature development
– Check-in gates for quality bar
• Auditors
– Focus on large modules
– Audit critical properties
– External to product group (even test org)
• Verification experts
– Advance the state-of-the-art
Audit / Code Audit / Formal Code Audit
a methodical examination and review of properties of programs
– formal documentation of program properties and the assumptions under which they hold
– supported by a tool that verifies the consistency of these assertions and assumptions
Measuring Success
• The auditor is satisfied if
– she can state the properties that she wants, and
– can tolerate the assumptions under which these properties hold
• A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible
Formal Code Auditing Scenario
• Target: large components
– ~100 KLOC with >1000 procedures
• Module
– A set of public/entry procedures
– A set of private/internal procedures
• Specs
– Interface specification
  • Specs for public methods
  • Specs for external modules
– Property assertion
• Harness (nondeterministically exercises the public entry points under their preconditions):

    Initialize(..);
    while (*) {
        choice = nondet();
        if (choice == 1) {
            [assume pre_1] call Public_1(…);
        } else if (choice == 2) {
            [assume pre_2] call Public_2(…);
        } …
    }
    Cleanup(…);
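To make the harness slide concrete, here is an added example (constructed for this page, not code from HAVOC or the talk): a toy module guarded by one mutex, an instrumented resource-leak property of the kind listed under the file system audit, and a harness that replays one concrete resolution of the nondet() choices. The `[assume pre_i]` steps prune paths whose precondition fails, while the property assertion at Cleanup counts violations; the names Public_3, run_harness and the mutex_held flag are assumptions.

```c
#include <stddef.h>

/* Constructed toy module: a resource guarded by a single mutex. The audited
   property is a resource-leak assertion: every mutex acquired by a public
   entry point must be released before Cleanup runs. */
static int mutex_held;       /* instrumentation: 1 while the mutex is owned */
static int leak_violations;  /* property-assertion failures on this path */

static void Initialize(void) { mutex_held = 0; leak_violations = 0; }

/* Public_1 acquires the mutex. Precondition pre_1: mutex not held. */
static void Public_1(void) { mutex_held = 1; }
/* Public_2 releases the mutex. Precondition pre_2: mutex held. */
static void Public_2(void) { mutex_held = 0; }
/* Public_3 (hypothetical) acquires, then returns early on an error path
   without releasing: the leak pattern the audit is meant to catch. */
static void Public_3(int fail) {
    mutex_held = 1;
    if (fail) return;          /* leak: release skipped on the error path */
    mutex_held = 0;
}

static void Cleanup(void) {
    if (mutex_held) leak_violations++;   /* property assertion */
}

/* Harness: 'choices' is one concrete resolution of the nondet() calls;
   a verifier would explore every resolution. A failed precondition acts
   as [assume pre_i]: the call on that path is not explored. Returns the
   number of property violations on the replayed path. */
int run_harness(const int *choices, size_t n) {
    Initialize();
    for (size_t i = 0; i < n; i++) {
        if (choices[i] == 1) {
            if (mutex_held != 0) continue;   /* [assume pre_1] */
            Public_1();
        } else if (choices[i] == 2) {
            if (mutex_held != 1) continue;   /* [assume pre_2] */
            Public_2();
        } else if (choices[i] == 3) {
            if (mutex_held != 0) continue;   /* [assume pre_3] */
            Public_3(1);
        }
    }
    Cleanup();
    return leak_violations;
}
```

Note that assumptions never produce reports: a path ruled out by [assume pre_1] is silent, which is why the auditor must be able to "tolerate" the assumptions the harness makes.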
Desirable Audit Goals
• Find violations
– of property assertions
– with low false alarms
• Use contracts
– Modular checking for scalability
– Readable contracts are formal documentation
• Provide high assurance
– Formal documentation of assumptions
What about Verified Software?
A solved problem, if cost is not an issue.
The open issue is the engineering cost.
Results (1) : File System Audit
• Used HAVOC to audit a popular file system
– Resource leaks (reference counts, mutexes)
– Data races on files, streams, associated structures
– Teardown races on the same
• Found 45 bugs
– ~250 lines required to specify properties
– ~600 lines of manual annotations
– ~3000 lines of inferred annotations
• 80 false alarms
Results (2): Security Audit
• Applied HAVOC to 1.3 million lines of Windows (a handful of components)
• Properties
– ProbeBeforeUse
– UserDerefInTry
– ProbeInTry
– Alloc
• 15 security vulnerabilities (patched)
The HAVOC Challenge
1. Property specification/instrumentation
2. Scalable and transparent inference
3. User supplied annotations
Make formal code auditing a low-cost engineering effort
Microsoft C/C++ Static Analysis Tools
• PREfast/SAL
– Included with Visual Studio
• Static Driver Verifier Research Platform
– http://research.microsoft.com/slam/
• HAVOC
– http://research.microsoft.com/havoc/
• Verifying C Compiler
– http://vcc.codeplex.com/