Towards Scalable Modular Checking of User-defined Properties

Thomas Ball, MSR
Brian Hackett, Mozilla
Shuvendu Lahiri, MSR
Shaz Qadeer, MSR
Julien Vanegue, Microsoft

A Decade of C/C++ Tools at Microsoft

• PREfix, PREfast/SAL
  – Scalable, 1000s of users
  – Hardcoded properties and checkers
  – Checkers define semantics of C programs

• Static Driver Verifier (SLAM)
  – Allows defining (limited) properties
  – Automated abstraction refinement
  – No procedure contracts
  – No ability for user to control false alarms

• VCC (Verifying C Compiler)
  – Aimed towards full functional correctness
  – Procedure contracts
  – No inference
  – Requires expert users

Automatic Inference: Microsoft Buffer Annotation Effort

[Diagram of the annotation workflow; boxes: Code Base, SALinfer, SAL Annotated Code, Manual Annotations, PREfix/PREfast, Potential Defects, Code Review, SAL Fixes / Code Fixes]

• Windows Vista
  – mandate: annotate 100,000 mutable buffers
  – developers annotated 500,000+ parameters
  – developers fixed 20,000+ bugs

• Office 2007
  – developers fixed 6,500+ bugs

User Effort and Control

[Diagram: PREfix/PREfast, Static Driver Verifier, VCC and HAVOC placed along an axis of increasing user effort and control]

Why Another C Verifier?

                  SDV                    HAVOC                  VCC
Expressiveness    + (control-oriented)   ++ (system-specific)   +++ (functional)
Precision         + (abstract memory)    ++ (precise)           ++ (precise)
Scalability       + (whole program)      ++ (modular)           ++ (modular)
Automation        ++ (push button)       + (inference)          -- (manual)
Contracts         --                     ++                     ++
Users             Developers             Auditors               Verif. experts
Problem           Correct API usage      Security audit         Fully correct TCB

Users and Their Problems

• Developers (Static Driver Verifier)
  – Focused on feature development
  – Check-in gates for quality bar

• Auditors (HAVOC)
  – Focus on large modules
  – Audit critical properties
  – External to product group (even test org)

• Verification experts (VCC)
  – Advance the state-of-the-art

Formal Code Audit

a methodical examination and review of properties of programs

– formal documentation of program properties and the assumptions under which they hold –

supported by a tool that verifies the consistency of these assertions and assumptions

Measuring Success

• The auditor is satisfied if
  – she can state the properties that she wants, and
  – can tolerate the assumptions under which these properties hold

• A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible

Formal Code Auditing Scenario

• Target: large components
  – ~100 KLOC with >1000 procedures

• Module
  – A set of public/entry procedures
  – A set of private/internal procedures

• Specs
  – Interface specification
    • Specs for public methods
    • Specs for external modules
  – Property assertion

• Harness
  – A nondeterministic loop over the public procedures; each call is entered only in states satisfying its precondition (`[assume pre_i]`), so the checker explores every admissible call sequence between Initialize and Cleanup

    Initialize(..);
    while (*) {
        choice = nondet();
        if (choice == 1) {
            [assume pre_1] call Public_1(…);
        } else if (choice == 2) {
            [assume pre_2] call Public_2(…);
        } …
    }
    Cleanup(…);
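The harness above is verifier pseudocode: `while (*)` is a nondeterministic loop and `[assume pre_i]` restricts each public call to states satisfying its precondition. As an added, executable analogue (not code from the slides or from HAVOC), the C program below audits a small constructed module for the resource-leak property the file-system audit later mentions. The module (a handle table with reference counts), its preconditions, the property and the injected defect (a failing Write that returns without releasing its temporary reference) are all constructed for the example. The nondeterminism is resolved by enumerating every admissible call sequence up to a bounded depth, which is what a bounded checker would do in place of HAVOC's modular reasoning.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 2
#define MAX_DEPTH   16

/* Module under audit: a constructed handle table with reference counts. */
struct module {
    int refs[MAX_HANDLES];   /* reference count per handle slot; 0 = closed */
    int inject_leak;         /* constructed defect: a failing Write skips its release */
};

static void Initialize(struct module *m, int inject_leak)
{
    memset(m, 0, sizeof *m);
    m->inject_leak = inject_leak;
}

/* Public_1: Open(h). pre: slot h is closed. The caller then holds one reference. */
static int  pre_Open(const struct module *m, int h) { return m->refs[h] == 0; }
static void Open(struct module *m, int h)           { m->refs[h] = 1; }

/* Public_2: Write(h, fail). pre: h is open. Holds a temporary reference for
 * the duration of the call; `fail` models an I/O error path. */
static int  pre_Write(const struct module *m, int h) { return m->refs[h] > 0; }
static void Write(struct module *m, int h, int fail)
{
    m->refs[h]++;                    /* acquire temporary reference */
    if (fail && m->inject_leak)
        return;                      /* constructed bug: error path returns without release */
    m->refs[h]--;                    /* release */
}

/* Public_3: Close(h). pre: only the caller's reference remains. */
static int  pre_Close(const struct module *m, int h) { return m->refs[h] == 1; }
static void Close(struct module *m, int h)           { m->refs[h] = 0; }

/* Property assertion checked at Cleanup (resource leak): no temporary
 * reference may be outstanding. An open handle (refs == 1) is the caller's
 * business; refs > 1 means some call path leaked a reference. */
static int Cleanup_check(const struct module *m)
{
    for (int h = 0; h < MAX_HANDLES; h++)
        if (m->refs[h] > 1) return 0;
    return 1;
}

/* The harness loop. nondet() is resolved by trying every alternative; a
 * choice whose precondition fails is skipped, which is what [assume pre_i]
 * means. Returns the number of violating sequences of exactly `depth` calls
 * and copies the first one found into `witness` (e.g. "O0 W0!"). */
static int explore(struct module m, int depth, char *trace, int pos, char *witness)
{
    if (depth == 0) {
        trace[pos] = '\0';
        if (Cleanup_check(&m)) return 0;
        if (witness[0] == '\0') strcpy(witness, trace);
        return 1;
    }
    int violations = 0;
    for (int proc = 0; proc < 3; proc++)
        for (int h = 0; h < MAX_HANDLES; h++)
            for (int fail = 0; fail < 2; fail++) {
                if (proc != 1 && fail) continue;       /* only Write has an error path */
                struct module next = m;                /* each branch gets its own state */
                switch (proc) {
                case 0: if (!pre_Open(&next, h))  continue; Open(&next, h);        break;
                case 1: if (!pre_Write(&next, h)) continue; Write(&next, h, fail); break;
                case 2: if (!pre_Close(&next, h)) continue; Close(&next, h);       break;
                }
                trace[pos]     = "OWC"[proc];
                trace[pos + 1] = (char)('0' + h);
                trace[pos + 2] = fail ? '!' : ' ';
                violations += explore(next, depth - 1, trace, pos + 3, witness);
            }
    return violations;
}

/* Run the audit: Initialize, explore all admissible sequences, check at Cleanup. */
int audit(int inject_leak, int depth, char *witness)
{
    struct module m;
    char trace[3 * MAX_DEPTH + 1];
    if (depth > MAX_DEPTH) depth = MAX_DEPTH;
    witness[0] = '\0';
    Initialize(&m, inject_leak);
    return explore(m, depth, trace, 0, witness);
}

int main(void)
{
    char witness[3 * MAX_DEPTH + 1];
    printf("clean module: %d violating sequences\n", audit(0, 4, witness));
    int leaky = audit(1, 4, witness);
    printf("leaky module: %d violating sequences, first witness [%s]\n", leaky, witness);
    return 0;
}
```

A leaked reference can never be released (Close requires exactly one reference), so every violating prefix stays violating and checking only at the leaves loses nothing. The clean module yields zero violations at any depth, which is the low-false-alarm half of the audit goal; the leaky one is caught at depth 2 with the shortest witness Open(0), Write(0) on the error path.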

Desirable Audit Goals

• Find violations
  – of property assertions
  – with low false alarms

• Use contracts
  – Modular checking for scalability
  – Readable contracts are formal documentation

• Provide high assurance
  – Formal documentation of assumptions

Non-goals of Formal Code Auditing

• Functional correctness
• Minimizing the trusted computing base

What about Verified Software?

A solved problem, if cost is not an issue.

The open issue is the engineering cost.

Results (1): File System Audit

• Used HAVOC to audit a popular file system
  – Resource leaks (reference counts, mutexes)
  – Data races on files, streams, associated structures
  – Teardown races on the same

• Found 45 bugs
  – ~250 lines required to specify properties
  – ~600 lines of manual annotations
  – ~3000 lines of inferred annotations

• 80 false alarms

Results (2): Security Audit

• Applied HAVOC to 1.3 million lines of Windows (a handful of components)

• Properties
  – ProbeBeforeUse
  – UserDerefInTry
  – ProbeInTry
  – Alloc

• 15 security vulnerabilities (patched)

The HAVOC Challenge

Make formal code auditing a low-cost engineering effort

1. Property specification/instrumentation
2. Scalable and transparent inference
3. User supplied annotations
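Challenge 1 above, property specification/instrumentation, is what turns the property names from the security audit (ProbeBeforeUse, UserDerefInTry, ProbeInTry) into something a checker can evaluate. The slides give only the names; the meanings used below are the usual ones for Windows kernel code and are my paraphrase, not a definition taken from the deck: a pointer handed in from user mode must be probed (ProbeForRead/ProbeForWrite) before it is dereferenced, and both the probe and the dereference must sit inside a __try block. The C program is an added example, not HAVOC's or Windows' code: a small runtime monitor that tracks each user pointer's typestate at hand-inserted instrumentation points, run over three constructed handlers (one that dereferences without probing, one that probes outside the try block, one hardened). Alloc is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Typestate the property tracks for each user-supplied pointer. */
enum ptr_state { USER_UNPROBED, USER_PROBED };
struct tracked { const void *p; enum ptr_state st; };

#define MAX_TRACKED 8
static struct tracked table[MAX_TRACKED];
static int ntracked;
static int in_try;        /* models "currently inside a __try block" */
static int violations;    /* property violations found in the current run */

static void reset_monitor(void) { ntracked = 0; in_try = 0; violations = 0; }

static struct tracked *lookup(const void *p)
{
    for (int i = 0; i < ntracked; i++)
        if (table[i].p == p) return &table[i];
    return NULL;
}

static void report(const char *prop, const char *where)
{
    violations++;
    printf("%s violated at %s\n", prop, where);
}

/* Instrumentation points. A checker inserts the equivalent of these at every
 * user-pointer source, probe, try boundary and dereference in the code under
 * audit; the handlers below carry them by hand. probe() stands in for
 * ProbeForRead/ProbeForWrite, which additionally take a length and alignment. */
static void mark_user(const void *p)
{
    if (ntracked < MAX_TRACKED) {
        table[ntracked].p = p;
        table[ntracked].st = USER_UNPROBED;
        ntracked++;
    }
}
static void try_enter(void) { in_try = 1; }
static void try_leave(void) { in_try = 0; }

static void probe(const void *p, const char *where)
{
    struct tracked *t = lookup(p);
    if (!t) return;                          /* kernel pointer: nothing to probe */
    if (!in_try) report("ProbeInTry", where); /* the probe itself can fault */
    t->st = USER_PROBED;
}

static void deref(const void *p, const char *where)
{
    struct tracked *t = lookup(p);
    if (!t) return;                          /* kernel pointer: property does not apply */
    if (t->st != USER_PROBED) report("ProbeBeforeUse", where);
    if (!in_try)              report("UserDerefInTry", where);
}

/* Constructed request layout handed across the user/kernel boundary. */
struct request { uint32_t len; uint32_t flags; };

/* Pattern the property targets: reads the user buffer with no probe and no try. */
static uint32_t handler_unsafe(const struct request *user_req)
{
    mark_user(user_req);
    deref(user_req, "handler_unsafe: user_req->len");
    return user_req->len;
}

/* Probes, but before entering the try block. */
static uint32_t handler_probe_outside_try(const struct request *user_req)
{
    mark_user(user_req);
    probe(user_req, "handler_probe_outside_try: ProbeForRead");
    try_enter();
    deref(user_req, "handler_probe_outside_try: user_req->len");
    uint32_t len = user_req->len;
    try_leave();
    return len;
}

/* Hardened form: probe and dereference both inside the try block. */
static uint32_t handler_safe(const struct request *user_req)
{
    mark_user(user_req);
    try_enter();
    probe(user_req, "handler_safe: ProbeForRead");
    deref(user_req, "handler_safe: user_req->len");
    uint32_t len = user_req->len;
    try_leave();
    return len;
}

/* Runs one handler on a constructed request; returns the violation count. */
int check_handler(int which)
{
    struct request req = { .len = 64, .flags = 0 };   /* constructed input */
    reset_monitor();
    switch (which) {
    case 0:  handler_unsafe(&req);             break;
    case 1:  handler_probe_outside_try(&req);  break;
    default: handler_safe(&req);               break;
    }
    return violations;
}

int main(void)
{
    const char *names[] = { "handler_unsafe", "handler_probe_outside_try", "handler_safe" };
    for (int i = 0; i < 3; i++)
        printf("%s: %d violation(s)\n", names[i], check_handler(i));
    return 0;
}
```

The monitor only observes the one path it executes; HAVOC evaluates the same typestate statically over all paths of the procedure, which is why the property needs contracts at the public entry points to say which parameters are user pointers. Writing the property once as this kind of state machine, and instrumenting the code automatically, is the low-cost part the challenge slide is after.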

Microsoft C/C++ Static Analysis Tools

• PREfast/SAL
  – Included with Visual Studio

• Static Driver Verifier Research Platform
  – http://research.microsoft.com/slam/

• HAVOC
  – http://research.microsoft.com/havoc/

• Verifying C Compiler
  – http://vcc.codeplex.com/