Temporal-Safety Proofs for Systems Code - PowerPoint PPT Presentation

About This Presentation
Title: Temporal-Safety Proofs for Systems Code
Slides: 36
Provided by: grego204
Learn more at: https://cseweb.ucsd.edu
Transcript and Presenter's Notes

1
Temporal-Safety Proofs for Systems Code
  • Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar
  • George Necula, Westley Weimer, Grégoire Sutre
  • UC Berkeley

2
Reliability & Trust
  • Reliability (verification)
      • Check that the system is bug free
      • Low-level systems code
          • Locking disciplines, interface specs
      • Temporal, path-sensitive properties
      • Model checking
  • Trust (certification)
      • Questionable code written by third parties
          • device drivers, mobile code
      • Model checkers are buggy (!)
      • Simply, efficiently checkable
          • avoid redoing verification

3
Our Work
  • Verification: making model checking scale
      • Lazy Abstraction [POPL 02]
  • Certification
      • Proof-carrying-code based mechanism
          • PCC requires annotations
      • Lazy Abstraction
          • Automatically generates annotations
          • Provides a small decomposition of the proof
  • BLAST
      • Verifying/certifying device drivers

4
Verification
5
Verification: Abstraction-Refinement
(diagram of the loop: Abstract → Check "Is model unsafe?" → counterexample found Infeasible → Refine "Why infeasible?" → Abstract)
Kurshan et al., Clarke et al., SLAM, ...
6
Model Checking: Abstraction
  • Partition the state space
  • Existentially lift transition relation

7
Model Checking: Abstraction
  • Problem: Abstraction too coarse
  • Solution: Refine abstraction
(figure: partitioned state space with Init and ERROR STATES)
8
Model Checking: Abstraction
  • Problem: Abstraction too coarse
  • Solution: Refine abstraction
(figure: the same state space after refining the partition; Init and ERROR STATES)
9
Abstract Only Where Required
  • Abstraction is very expensive
  • Why abstract regions that are never visited?
  • On-the-fly abstraction driven by the search
(figure: state space with Init and ERROR STATES)
10
Refine Only Where Required
  • Why be precise everywhere?
  • Don't refine error-free regions
(figure: state space with Init, ERROR STATES and an ERROR FREE region)

11
Refine Only Where Required
  • Why be precise everywhere?
  • Don't refine error-free regions
  • Different precision for different regions
  • Local refinement driven by the search
(figure: state space with Init, ERROR STATES and an ERROR FREE region)

12
Benefits of Lazy Abstraction
  • Abstract only where required
      • Reachable state space may be very sparse
      • Construct the abstraction on-the-fly
  • Use greater precision only where required
      • Different precisions/abstractions for different regions
      • Refine locally
  • Reuse work from earlier phases
      • Batch-oriented ⇒ lose work from previous runs
      • Integrate the three phases

13
Example
    Example () {              /* (*) denotes a nondeterministic choice */
     1: do {
          lock();
          old = new;
     2:   if (*) {
     3:     unlock();
            new++;
          }
     4: } while (new != old);
     5: unlock();
        return;
    }
Q: Is Error reachable?
14
Example: CFA
(control-flow automaton of the Example() program from slide 13; the edge out of location 1 is labelled lock(); old = new)

15
Example: CFA
Q: Is Error reachable?
16
Step 1: Search
(reachability tree from location 1 with region LOCK=0 at the root; edges lock(); old = new and unlock())
Set of predicates: LOCK=0, LOCK=1
17
Step 2: Analyze Counterexample
Q: When can
States at node n: R_n
(counterexample path in the tree ending in Err, whose node carries the region LOCK=0)
18
Step 2: Analyze Counterexample
(counterexample path with edges lock(); old = new, [new = old] and unlock(); the regions LOCK=0 ∧ new=old and LOCK=0 are shown at its nodes)
19
Step 2: Analyze Counterexample
(formulas labelling the nodes of the counterexample path, top to bottom)
    LOCK=0 ∧ new+1 = new
    LOCK=1 ∧ new+1 = old
    LOCK=1 ∧ new+1 = old
    LOCK=0 ∧ new = old
    LOCK=0
Track the predicate new = old
20
Step 3: Resume Search
(resumed reachability tree with edges lock(); old = new, [new = old] and [new != old])
Set of predicates: LOCK=0, LOCK=1, new=old
21
Step 3: Resume Search
Set of predicates: LOCK=0, LOCK=1, new=old
(tree node labelled LOCK=0 ∧ new=old)
22
Predicate Discovery
  • Information is lost in substitution
  • Keep substitutions explicit
  • Ask for a proof of unsatisfiability
  • Pick the predicates appearing in the proof
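To make Steps 1 to 3 concrete, here is an added example (not code from the slides or from BLAST) that builds a small finite model of the Example() program, abstracts it under a given predicate set by existentially lifting the concrete transitions, and searches the abstract reachability graph for Err. Assumed for the model: new and old range over 0..7 with wrap-around on new++, and the monitored error is a lock() while already locked or an unlock() while unlocked. With the Step 1 predicates {LOCK=0, LOCK=1} the search reports Err reachable along a spurious path; adding new=old, the predicate Step 2 discovers, makes Err unreachable.

```python
from itertools import product

# Finite concrete model of the slides' Example() (constructed for this example).
# State = (LOCK, new, old); new/old range over 0..N-1 and new++ wraps, which keeps
# the model finite while preserving that new != old right after new++.
N = 8
ERR = "ERR"
def lock(s):       return ERR if s[0] else (1, s[1], s[2])      # lock() while locked
def unlock(s):     return ERR if not s[0] else (0, s[1], s[2])  # unlock() while unlocked
def old_is_new(s): return (s[0], s[1], s[1])                    # old = new
def new_inc(s):    return (s[0], (s[1] + 1) % N, s[2])          # new++
def assume_ne(s):  return s if s[1] != s[2] else None           # [new != old]
def assume_eq(s):  return s if s[1] == s[2] else None           # [new == old]
def skip(s):       return s                                     # the if (*) branches
# Control-flow automaton as (source, op, target); 1a/3a split the multi-statement edges.
CFA = [("1", lock, "1a"), ("1a", old_is_new, "2"), ("2", skip, "3"), ("2", skip, "4"),
       ("3", unlock, "3a"), ("3a", new_inc, "4"), ("4", assume_ne, "1"),
       ("4", assume_eq, "5"), ("5", unlock, "ret")]
PREDS = {"LOCK=0": lambda s: s[0] == 0, "LOCK=1": lambda s: s[0] == 1,
         "new=old": lambda s: s[1] == s[2]}
CONCRETE = list(product((0, 1), range(N), range(N)))
INIT = [s for s in CONCRETE if s[0] == 0]        # execution starts unlocked

def alpha(s, preds):
    """Predicate abstraction of one concrete state: the valuation of preds."""
    return tuple(PREDS[p](s) for p in preds)

def error_reachable(preds):
    """Depth-first search of the abstract graph whose nodes are (location, valuation).
    The abstract post existentially lifts the concrete transitions: a successor
    region is reachable if any concrete state of the current region reaches it."""
    seen = {("1", alpha(s, preds)) for s in INIT}
    work = list(seen)
    while work:
        loc, region = work.pop()
        for src, op, dst in CFA:
            if src != loc: continue
            for s in CONCRETE:
                if alpha(s, preds) != region: continue
                t = op(s)
                if t is ERR:
                    return True          # abstract path to Err; may be spurious
                if t is not None and (dst, alpha(t, preds)) not in seen:
                    seen.add((dst, alpha(t, preds)))
                    work.append((dst, alpha(t, preds)))
    return False

COARSE = ["LOCK=0", "LOCK=1"]              # Step 1: spurious error
REFINED = COARSE + ["new=old"]             # Step 3: predicate found in Step 2
```

Unlike BLAST, which computes the abstract post with a theorem prover, this model enumerates concrete states, so it only works because the domain is tiny.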

23
Local Refinement
    Example () {              /* (*) denotes a nondeterministic choice */
     0: if (*) {
     6:   do {
            got_lock = 0;
     7:     if (*) {
     8:       lock();
              got_lock++;
            }
     9:     if (got_lock) {
    10:       unlock();
            }
    11:   } while (*);
        }
     1: do {
          lock();
          old = new;
     2:   if (*) {
     3:     unlock();
            new++;
          }
     4: } while (new != old);
     5: unlock();
        return;
    }
(reachability tree for this program, split into the subtree for locations 6..11 and the subtree for locations 1..5)
24
Local Refinement
Search on left subtree not repeated
Different abstractions for subtrees
Refine right subtree only
25
Leaves Covered (Reuse Work)
Leaves covered: avoid repeating the search when paths merge
(reachability tree from location 0 with a node labelled LOCK=0 ∧ ... marked COVERED!)
26
Certification
27
What is a Certificate?
  • Proof Carrying Code (PCC)
      • Annotations
          • Loop invariants, function precondition/postcondition
      • Validity of VC guarantees correctness
  • Certificate = Annotations + Proof of VC
  • Consumer reconstructs VC, checks proof

28
Annotations & VCs
  • Annotations
      • For each control location q, an invariant I(q)
  • Verification condition
      • Init ⊆ I(q0)                                   (start set includes initial states)
      • I(qe) = false                                   (error location is not reached)
      • For each edge q →op q':  POST(I(q), op) ⊆ I(q')  (states closed under post)
29
Invariants Grow on Trees
(reachability tree with the abstract region at each node; the invariant of a control location is the disjunction of the regions of its tree nodes)
Node labels visible on the slide:
    1:  LOCK=0  ∨  LOCK=0 ∧ new=old
        LOCK=0 ∧ new=old
    4:  ∨  LOCK=1 ∧ new=old
    5:  LOCK=1 ∧ new=old
Invariants
30
Proving the VC
  • Each condition dischargeable automatically (Vampyre, CVC)
  • Tree yields a small decomposition
  • Entire proof can be extracted from the model checker's data structures

31
BLAST
  • Berkeley Lazy Abstraction Software verification Tool
  • 10K lines of OCaml
  • Analyze Linux/Windows device drivers
(figure labelled LAZY ABSTRACTION)
32
BLAST
  • All of C modeled except
      • Function pointers
      • Recursive functions
  • Logical model of memory
      • Pointer arithmetic imprecise
      • Fragile on heap-dependent properties
  • Safety checking
      • Checks if a given label is reachable in the C program
      • Monitor automata specified in C

33
Experiments
Program         Lines   Total  Active  Pred. Disc.  Total       Prf Size
                        Preds  Preds   Time (sec)   Time (sec)  (bytes)
Linux Lock (3 state)
ide.c           18131   5      5       0.01         4.5         253
qpmouse.c       23539   2      2       0.01         0.5         179
aha152x.c       17736   2      2       0.03         20.93       -
tlan.c          16506   5      4       403.33       428.63      -
Windows DDK IRP (22 state)
cdaudio.c       17798   85     45      540          1398        156787
floppy.c        17386   62     37      1565         2086        -
  fixed         -       93     44      17           395         60129
kbflter.c       12131   54     40      5            64          -
(name missing)  7619    48     35      165          256         -
  fixed         -       37     34      0.38         10          -
mouclass.c      17372   57     46      3.34         54          -
parport.c       61781   193    50      519          1980        102967
(- : cell not given on the slide)
34
Conclusions
  • Lazy Abstraction
      • Reachability tree yields certificate
  • Implemented BLAST
      • Finds (only) real bugs in large device drivers
      • and gives proofs for correct ones!
  • Future work
      • Smarter abstractions
      • Program analysis for model reduction
      • Recursive functions

35
BLAST
Berkeley Lazy Abstraction Software Tool
www.eecs.berkeley.edu/tah/blast/