Automatic formal verification for Windows device drivers - PowerPoint PPT Presentation

1
Automatic formal verification for Windows device
drivers
Byron Cook, bycook@microsoft.com
2
Windows OS and device drivers
[Diagram, built up across slides 2 to 15: the operating-system kernel in the centre, surrounded by device drivers (DD), each driver sitting between the kernel and a piece of hardware (HW).]
7
Windows OS and device drivers
  • Example: "While running at raised interrupt request level (IRQL), calling KeWaitForSingleObject or KeWaitForMultipleObjects with kernel-defined dispatcher object(s) to wait for a nonzero interval causes a fatal error. Only driver routines that run in a nonarbitrary thread context at IRQL = PASSIVE_LEVEL, such as driver-created threads, the DriverEntry and Reinitialize routines, or Dispatch routines for inherently synchronous I/O operations, such as most device I/O control requests, can safely wait on events, semaphores, mutexes, or timers for a nonzero interval."

10
Windows OS and device drivers
  • Examples
  • Outlook mail system
  • HTTP web server
  • Performance monitoring tools
  • VM tools
  • New networking technologies
  • Firewalls
  • Virus protection
  • Drawing tools

16
Windows OS device drivers
[Diagram, slides 16 and 17: the same kernel / driver / hardware picture, with each driver labelled by who wrote it: Nvidia, Symantec, Fujitsu, Adaptec, Microsoft, Intel, AOL, Epson, Logitech, Sony, Techsoft, McAfee, Creative, ADI, a university student, and several drivers whose origin is marked only "??????????".]
18
Static Driver Verifier
  • Static Driver Verifier (SDV) is a formal verification tool for finding bugs in Windows device drivers
  • SDV operates on the driver's source code
  • SDV is completely automatic
  • SDV checks that drivers do not violate a set of kernel API usage rules
  • Attempts to prove the correctness of the driver with the SLAM software model checker
20
Static Driver Verifier
[Diagram: the driver sources (driver.c, driver.h, other.h) go into SDV, which marks each rule the driver satisfies with a tick.]
Static Driver Verifier
  • SDV beta is now available on the Windows device
    driver development kit (DDK)
  • This bug would be a really hard bug to find
    other than with a tool like SDV. There are just
    too many details to keep track of to have a good
    chance of finding it.
  • This looks like a bug to me. This is AWESOME!!
    SDV rocks!
  • These are all real, difficult to discover bugs.
    Good work!
  • This bug would have been very difficult to find
    by inspection and it was one of those bugs that
    would be near-impossible to reproduce
  • Fixing this bug will definitely stop some
    unexplainable and hard to debug random system
    crashes in the future.

45
Outline
  • Introduction to Static Driver Verifier
  • Static Driver Verifier internals
  • Conclusion, Discussion
48
Static Driver Verifier
[Diagram: SDV takes the driver sources (driver.c, driver.h, other.h), a set of Rules and an OS model; SLAM checks the driver against each rule and marks the result with a tick.]
49
Static Driver Verifier Rules
  • Expressed in an event-based language
  • Possible events: function entry, function exit
  • The code associated with an event calls the function error() to indicate a violation
  • Example (in the rule language, $1, $2, ... denote the arguments of the intercepted call; for IoCallDriver, $2 is the IRP):

IoCallDriver.entry {
    if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction == IRP_MJ_POWER) {
        error();
    }
}
50
Static Driver Verifier Rules

state {
    int  LowerDriverReturn = 0;
    bool LowerDriverCalled = 0;
    bool PerformCheck      = 1;
}

with guard ($sdv_main, irp)

[PoCallDriver, IoCallDriver].exit guard $2 {
    LowerDriverCalled = 1;
    LowerDriverReturn = $return;
}

[IoCompleteRequest, IoMarkIrpPending].entry guard $1 {
    PerformCheck = 0;
}

stub_dispatch_end.entry {
    if (PerformCheck && LowerDriverCalled && LowerDriverReturn != $1) {
        error();
    }
}

[Diagram: Environment, Our Driver, Lower Driver; the guarded IRP travels from the environment through our driver to the lower driver.]
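To make the event semantics concrete, the rule above is run here as a runtime monitor over recorded call traces. This is an added illustration, not SDV's or the rule language's own code: $1/$2 are modelled as positional arguments of the intercepted call, $return as its return value, and the guard clauses as an identity check against the IRP the dispatch routine was given. The four traces (a compliant dispatch, one that returns STATUS_SUCCESS after the lower driver returned STATUS_PENDING, one that marked the IRP pending, and one whose mismatch concerns a different IRP) are constructed inputs.

```python
"""Added example, not SDV code: the LowerDriverReturn rule from the slide as a
runtime monitor over recorded call traces.  Each trace event is
(event_name, args, return_value); args[i] plays the role of $(i+1)."""

STATUS_SUCCESS = 0x00000000
STATUS_PENDING = 0x00000103


class LowerDriverReturnRule:
    """The rule's state block plus its handlers, guarded on one IRP (the 'irp'
    of 'with guard ($sdv_main, irp)')."""

    def __init__(self, irp):
        self.irp = irp
        self.LowerDriverReturn = 0        # int  LowerDriverReturn = 0;
        self.LowerDriverCalled = False    # bool LowerDriverCalled = 0;
        self.PerformCheck = True          # bool PerformCheck      = 1;

    def on_event(self, name, args, ret=None):
        """Apply one event; return a violation description or None."""
        if name in ("PoCallDriver.exit", "IoCallDriver.exit"):
            if args[1] is self.irp:                        # guard $2
                self.LowerDriverCalled = True
                self.LowerDriverReturn = ret               # $return
        elif name in ("IoCompleteRequest.entry", "IoMarkIrpPending.entry"):
            if args[0] is self.irp:                        # guard $1
                self.PerformCheck = False                  # driver decided the IRP's fate itself
        elif name == "stub_dispatch_end.entry":            # $1 = status the dispatch routine returns
            if (self.PerformCheck and self.LowerDriverCalled
                    and self.LowerDriverReturn != args[0]):
                return ("dispatch returned 0x%08X but the lower driver returned 0x%08X"
                        % (args[0], self.LowerDriverReturn))
        return None


def check_trace(events, irp):
    """Feed one dispatch-routine trace to a fresh rule instance; return the first violation."""
    rule = LowerDriverReturnRule(irp)
    for name, args, *ret in events:
        violation = rule.on_event(name, args, ret[0] if ret else None)
        if violation:
            return violation
    return None


# Constructed traces.  LOWER stands for the next-lower device object in the stack.
IRP, OTHER_IRP, LOWER = object(), object(), object()

# Forwards the IRP and returns exactly what the lower driver returned: passes.
GOOD_TRACE = [
    ("IoCallDriver.exit", (LOWER, IRP), STATUS_PENDING),
    ("stub_dispatch_end.entry", (STATUS_PENDING,)),
]
# Lower driver says STATUS_PENDING, dispatch claims STATUS_SUCCESS without
# having marked the IRP pending: the I/O manager's view and the IRP's real
# state now disagree, and the rule fires.
BAD_TRACE = [
    ("IoCallDriver.exit", (LOWER, IRP), STATUS_PENDING),
    ("stub_dispatch_end.entry", (STATUS_SUCCESS,)),
]
# Classic asynchronous pattern: mark pending, forward, return STATUS_PENDING
# regardless of the lower status.  IoMarkIrpPending disables the check.
EXEMPT_TRACE = [
    ("IoMarkIrpPending.entry", (IRP,)),
    ("IoCallDriver.exit", (LOWER, IRP), STATUS_SUCCESS),
    ("stub_dispatch_end.entry", (STATUS_PENDING,)),
]
# The mismatch concerns a different IRP, so the guard filters it out.
UNGUARDED_TRACE = [
    ("IoCallDriver.exit", (LOWER, OTHER_IRP), STATUS_PENDING),
    ("stub_dispatch_end.entry", (STATUS_SUCCESS,)),
]

if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE),
                         ("exempt", EXEMPT_TRACE), ("other irp", UNGUARDED_TRACE)):
        print(label, "->", check_trace(trace, IRP) or "passes rule")
```

SDV does not run the rule at runtime; it instruments the driver with this state machine and asks SLAM whether error() is reachable on any path. The monitor only shows what the handlers compute on one concrete path.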
60
Static Driver Verifier OS model
  • Provides the main function
  • Abstract implementations of kernel APIs (like
    IoCallDriver)
  • Models some aspects of the OS state, like the
    interrupt request level (IRQL)
  • Uses non-deterministic choice

61
Static Driver Verifier OS model

NTSTATUS IoCreateDevice(
    IN PDRIVER_OBJECT DriverObject,
    IN ULONG DeviceExtensionSize,
    IN PUNICODE_STRING DeviceName OPTIONAL,
    IN DEVICE_TYPE DeviceType,
    IN ULONG DeviceCharacteristics,
    IN BOOLEAN Exclusive,
    OUT PDEVICE_OBJECT *DeviceObject)
{
    ULONG Choice = SdvChoice();          /* non-deterministic: every case is a path the checker explores */
    switch (Choice) {
    case 0:
        *DeviceObject = &SDV_devobj2;    /* the model's pre-allocated device object */
        return STATUS_SUCCESS;
    case 1:
        return STATUS_INSUFFICIENT_RESOURCES;
    case 2:
        return STATUS_OBJECT_NAME_EXISTS;
    default:
        return STATUS_OBJECT_NAME_COLLISION;
    }
}
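The non-deterministic choice is what gives the model its power: every value SdvChoice() can return is a path the checker has to consider, including the failure arms a driver author rarely tests. As an added illustration (not SDV's code), the Python below reproduces the IoCreateDevice model above and drives two constructed DriverEntry routines through every choice sequence: one uses the returned device object without looking at the status, the other checks. The explorer, both driver routines and the use of DO_BUFFERED_IO are constructed for the example; the NTSTATUS values are the real ones.

```python
"""Added example, not SDV code: the IoCreateDevice model from the slide in
Python, plus an explorer that runs a DriverEntry routine once per sequence of
SdvChoice() outcomes, so every arm of the model is exercised."""

STATUS_SUCCESS = 0x00000000
STATUS_OBJECT_NAME_EXISTS = 0x40000000        # informational: still passes NT_SUCCESS
STATUS_UNSUCCESSFUL = 0xC0000001
STATUS_OBJECT_NAME_COLLISION = 0xC0000035
STATUS_INSUFFICIENT_RESOURCES = 0xC000009A
DO_BUFFERED_IO = 0x00000004


def NT_SUCCESS(status):
    """Severity is the top two bits: 00 (success) and 01 (informational) pass."""
    return status < 0x80000000


class DeviceObject:
    def __init__(self):
        self.Flags = 0


class OsModel:
    """Replays a recorded prefix of choices and answers 0 at any new choice point."""

    def __init__(self, prefix, n_choices):
        self.prefix, self.n_choices, self.trace = prefix, n_choices, []

    def SdvChoice(self):
        i = len(self.trace)
        value = self.prefix[i] if i < len(self.prefix) else 0
        self.trace.append(value)
        return value

    def IoCreateDevice(self):
        """The slide's model: only the STATUS_SUCCESS arm hands back a device object."""
        choice = self.SdvChoice()
        if choice == 0:
            return STATUS_SUCCESS, DeviceObject()
        if choice == 1:
            return STATUS_INSUFFICIENT_RESOURCES, None
        if choice == 2:
            return STATUS_OBJECT_NAME_EXISTS, None
        return STATUS_OBJECT_NAME_COLLISION, None


def explore(driver_entry, n_choices=4):
    """Map every reachable choice sequence to what driver_entry did on it.
    After each run, every choice point that was answered with the default 0
    is re-scheduled with each other value, so the search is exhaustive."""
    outcomes, pending = {}, [()]
    while pending:
        prefix = pending.pop()
        os_model = OsModel(prefix, n_choices)
        try:
            outcome = driver_entry(os_model)
        except AttributeError:            # '.Flags' on None: a NULL dereference in C
            outcome = "null dereference"
        trace = tuple(os_model.trace)
        if trace in outcomes:
            continue
        outcomes[trace] = outcome
        for i in range(len(prefix), len(trace)):
            for value in range(1, n_choices):
                pending.append(trace[:i] + (value,))
    return outcomes


def buggy_driver_entry(os_model):
    """Constructed bug: the status is never checked, so dev may be None."""
    status, dev = os_model.IoCreateDevice()
    dev.Flags |= DO_BUFFERED_IO
    return STATUS_SUCCESS


def fixed_driver_entry(os_model):
    """Checks the status, and also copes with the informational
    STATUS_OBJECT_NAME_EXISTS arm, which passes NT_SUCCESS yet yields no device."""
    status, dev = os_model.IoCreateDevice()
    if not NT_SUCCESS(status):
        return status
    if dev is None:
        return STATUS_UNSUCCESSFUL
    dev.Flags |= DO_BUFFERED_IO
    return STATUS_SUCCESS


if __name__ == "__main__":
    for name, entry in (("buggy", buggy_driver_entry), ("fixed", fixed_driver_entry)):
        for trace, outcome in sorted(explore(entry).items()):
            shown = outcome if isinstance(outcome, str) else "0x%08X" % outcome
            print(name, trace, shown)
```

The point of the exercise is the second arm of the fixed routine: because the model fills in the device object only on STATUS_SUCCESS, exhaustive exploration shows that an NT_SUCCESS check alone still leaves one path dereferencing NULL. That is the kind of path a test suite with one real kernel behind it never takes.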

64
Static Driver Verifier SLAM
  • Symbolic model checker for C
  • Strategy: throw away as much irrelevant detail from the driver as possible, through abstraction and search
  • Algorithm: predicate abstraction, counterexample-based refinement, symbolic reachability for Boolean programs
  • Simplifying (unsound) assumptions:
  • C unions are ignored
  • Memory layout is not known; pointer arithmetic is largely ignored
  • Coincidental pointer aliasing is ignored, purposeful aliasing is not
  • Functions cannot be called both by name and by pointer
  • The OS model does not exercise all paths possible in practice

65
Static Driver Verifier SLAM

void main() {
    int a, b, c, rst, cnt;
    cnt = 0;
    for (;;) {
        AcquireLock();
        rst = 0;
        while (!rst) {
            a = f1();
            b = f2();
            c = f3();
            if (a < b && b < c) {
                rst = 1;
                ReleaseLock();
            }
        }
        g();
    }
}

Assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock.
66
Static Driver Verifier SLAM

int locked = 0;

AcquireLock.entry {
    if (locked == 1) error(); else locked = 1;
}

ReleaseLock.entry {
    if (locked == 0) error(); else locked = 0;
}
67
Static Driver Verifier SLAM
[Diagram: the SLAM loop. Driver sources, the Rule and the OS model enter the Instrument Step; the instrumented program goes through the Abstract Step and the Check Step and, when the counterexample is spurious, the Refine Step, which feeds new predicates back to the Abstract Step. The loop exits with either "Driver passes rule" or "Rule violation found".]
69
Static Driver Verifier SLAM
Instrument Step: the rule's state and handlers are woven into the program at the events they name.

Rule:

int locked = 0;
AcquireLock.entry {
    if (locked == 1) error(); else locked = 1;
}
ReleaseLock.entry {
    if (locked == 0) error(); else locked = 0;
}

Instrumented program:

int locked = 0;
void AcquireLock() {
    if (locked == 1) error(); else locked = 1;
}
void ReleaseLock() {
    if (locked == 0) error(); else locked = 0;
}
void main() { /* as before */ }

Are these calls to error() reachable?
71
Static Driver Verifier SLAM
Abstract Step: with no predicates about the data yet, every statement that does not touch the lock is dropped and every condition becomes the non-deterministic choice *.

void main() {
    for (;;) {
        AcquireLock();
        while (*) {
            f1(); f2(); f3();
            if (*) {
                ReleaseLock();
            }
        }
        g();
    }
}

Abstracted away: int a, b, c, rst, cnt;  cnt = 0;  rst = 0;  !rst;  the assignments to a, b and c;  a < b && b < c;  rst = 1
72
Static Driver Verifier SLAM

bool g0 = 1;   // locked == 0
bool g1 = 0;   // locked == 1

void AcquireLock() {
    if (g1) error(); else { g1 = 1; g0 = 0; }    // was: if (locked == 1) error(); else locked = 1;
}

void ReleaseLock() {
    if (g0) error(); else { g0 = 1; g1 = 0; }    // was: if (locked == 0) error(); else locked = 0;
}

State space: 2^(2 + bits(pc)) × stack
74
Static Driver Verifier SLAM
[Animation across slides 74 to 78: the Check Step computes the reachable state-space of the Boolean program for steps < 1, < 2, ... up to < 9; the last set contains a state where the PC is at a call to error().]
79
Static Driver Verifier SLAM
[Animation across slides 79 to 88: the abstract counterexample is highlighted statement by statement in the abstract program: AcquireLock(), the while (*) loop exited at once, g(), and a second AcquireLock() while g1 (locked == 1) is still set.]

void main() {
    for (;;) {
        AcquireLock();
        while (*) {
            f1(); f2(); f3();
            if (*) {
                ReleaseLock();
            }
        }
        g();
    }
}
Static Driver Verifier SLAM
Driver passes rule
Rule
SLAM
Abstract Step
Driver sources
Check Step
Instrument Step
Refine Step
Rule violation found
OS model
90
Static Driver Verifier SLAM
Refine Step (slides 90 to 102 step through it): the abstract counterexample is replayed on the concrete program, collecting the conditions the path requires.

void main() {
    int a, b, c, rst, cnt;
    cnt = 0;
    for (;;) {
        AcquireLock();
        rst = 0;
        while (!rst) {
            a = f1();
            b = f2();
            c = f3();
            if (a < b && b < c) {
                rst = 1;
                ReleaseLock();
            }
        }
        g();
    }
}

Conditions along the path:
    cnt == 0
    rst == 0
    !(rst == 0)      (the path leaves the while loop without ever entering it)

The last condition contradicts rst == 0: the counterexample is infeasible in the concrete program.
New predicate to track: main: rst == 0
104
Static Driver Verifier SLAM

bool v0;   // represents rst == 0

void main() {
    for (;;) {
        AcquireLock();
        v0 = 1;                  // rst = 0
        while (v0) {             // while (!rst)
            f1(); f2(); f3();
            if (*) {             // a < b && b < c is still not tracked
                v0 = 0;          // rst = 1
                ReleaseLock();
            }
        }
        g();
    }
}

Abstracted away: int a, b, c, rst, cnt;  cnt = 0;  the assignments to a, b and c;  a < b && b < c
State space: 2^(3 + bits(pc)) × stack
106
Static Driver Verifier SLAM
[Animation across slides 106 to 109: the Check Step is re-run on the refined Boolean program; the reachable state-space for steps < n, < n+1, ... stops growing (the sets for steps < n+5 and < n+4 coincide) and contains no state at a call to error().]
110
Static Driver Verifier SLAM
  • The abstraction contains only the PC and these three state bits:
  • locked == 1
  • locked == 0
  • rst == 0
  • Abstracted away:
  • Much of f1(), f2(), f3(), g()
  • cnt
  • a, b, c
  • The actual value of rst (only whether rst == 0 is kept)
  • From this abstraction we can conclude that the original C program is also correct
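As an added worked example (not SLAM's code), the Python below runs the slides' lock example through the same abstract/check/refine loop end to end. The two Boolean programs are the hand abstractions shown earlier (bits g0 = locked==0 and g1 = locked==1, then v0 = rst==0 after refinement); the check step is explicit-state reachability over (pc, predicate bits); the refine step replays the abstract counterexample on the concrete statements and reports the branch it cannot take. The control-flow graph, its pc numbering and the function names are constructed for the example.

```python
"""Added example, not SLAM code: the slides' lock example through a tiny
abstract / check / refine loop.  Boolean programs are the hand abstractions
from the slides; check is BFS over (pc, bits); refine replays the path."""
from collections import deque

ERROR = "error"

# Control-flow graph of the concrete program, as reconstructed from the slides:
#  0: cnt = 0      1: AcquireLock()   2: rst = 0        3: while (!rst)
#  4: a=f1(); b=f2(); c=f3()          5: if (a<b && b<c)
#  6: rst = 1      7: ReleaseLock()   8: g()  (then back to the top of for(;;))


def boolean_program(track_rst):
    """Abstract program: pc -> [(guard, update, next_pc)].  A guard of None is
    the non-deterministic '*' emitted for a condition the predicates cannot express."""
    always, star = (lambda s: True), None
    ident = lambda s: s

    def acquire(s):                       # instrumented rule: AcquireLock.entry
        return ERROR if s["g1"] else {**s, "g1": True, "g0": False}

    def release(s):                       # instrumented rule: ReleaseLock.entry
        return ERROR if s["g0"] else {**s, "g0": True, "g1": False}

    if track_rst:                         # v0 stands for rst == 0
        rst0, rst1 = (lambda s: {**s, "v0": True}), (lambda s: {**s, "v0": False})
        loop, exit_ = (lambda s: s["v0"]), (lambda s: not s["v0"])
    else:
        rst0 = rst1 = ident
        loop = exit_ = star
    return {
        0: [(always, ident, 1)],
        1: [(always, acquire, 2)],
        2: [(always, rst0, 3)],
        3: [(loop, ident, 4), (exit_, ident, 8)],
        4: [(always, ident, 5)],
        5: [(star, ident, 6), (star, ident, 3)],   # a<b && b<c is never tracked
        6: [(always, rst1, 7)],
        7: [(always, release, 3)],
        8: [(always, ident, 1)],
    }


def check(prog, inits):
    """Breadth-first reachability over (pc, bits).  Returns the pc sequence of a
    path whose last statement calls error(), or None if error() is unreachable."""
    key = lambda pc, s: (pc, tuple(sorted(s.items())))
    parent = {key(0, s): None for s in inits}
    queue = deque(parent)
    while queue:
        cur = queue.popleft()
        pc, s = cur[0], dict(cur[1])
        for guard, update, nxt in prog[pc]:
            if guard is not None and not guard(s):
                continue
            s2 = update(s)
            if s2 == ERROR:
                path = []
                while cur is not None:
                    path.append(cur[0])
                    cur = parent[cur]
                return path[::-1]
            k = key(nxt, s2)
            if k not in parent:
                parent[k] = cur
                queue.append(k)
    return None


def refine(path):
    """Replay the abstract path on the concrete statements, remembering assigned
    values.  The first branch taken against a known value is infeasible; the
    predicate that witnesses the contradiction is returned."""
    env = {}
    for pc, nxt in zip(path, path[1:]):
        if pc == 0:
            env["cnt"] = 0
        elif pc == 2:
            env["rst"] = 0
        elif pc == 6:
            env["rst"] = 1
        elif pc == 3 and "rst" in env:
            entered_loop = (nxt == 4)
            if (env["rst"] == 0) != entered_loop:
                return "rst == 0"              # the slide's "new predicate to track"
        # pcs 1, 4, 5, 7, 8: lock calls and f1..f3, g constrain nothing tracked here
    return None


def cegar(max_rounds=3):
    """Returns ("passes", predicates) or ("violation", counterexample_path)."""
    predicates = ["locked == 0", "locked == 1"]
    for _ in range(max_rounds):
        track_rst = "rst == 0" in predicates
        inits = [{"g0": True, "g1": False}]
        if track_rst:                          # rst starts uninitialised: v0 may be either
            inits = [{**inits[0], "v0": b} for b in (False, True)]
        cex = check(boolean_program(track_rst), inits)
        if cex is None:
            return "passes", predicates
        new = refine(cex)
        if new is None or new in predicates:
            return "violation", cex
        predicates.append(new)
    return "undecided", predicates


if __name__ == "__main__":
    print(cegar())
```

Round one finds the spurious path 0,1,2,3,8,1 (acquire, skip the loop, g(), acquire again); replaying it shows the loop exit needs rst != 0 right after rst = 0, so rst == 0 is added and the second check finds error() unreachable, which is the "Driver passes rule" verdict from the slides.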

111
Static Driver Verifier SLAM
[Diagram: the SLAM pipeline again, each step annotated with what it was developed using.]
Abstract Step, developed using:
  • Pointer analysis
  • Weakest pre-conditions
  • A symbolic first-order logic theorem prover with uninterpreted functions
Refine Step, developed using:
  • A lazy first-order logic theorem prover with uninterpreted functions, based on a propositional satisfiability (SAT) solver
Check Step, developed using:
  • CFL-reachability
  • Binary decision diagrams (BDDs)

112
Static Driver Verifier SLAM
  • Soup of combined techniques, tools, ideas, etc
  • Abstraction (justified in the literature by a
    simulation-relation argument)
  • First-order logic to propositional logic
  • C programs to Boolean programs
  • BDDs for propositional logic with quantifiers
  • CFL-reachability / pushdown automata
  • SAT-solving for propositional logic
  • Decision procedures for congruence closure and
    linear arithmetic
  • Nelson-Oppen style combination of decision
    procedures with axiom instantiation
  • Proof-generation within automatic theorem provers
  • Axioms specifying a logic (of sorts) for pure C
    expressions
  • Pointer analysis
  • Weakest preconditions
  • Symbolic simulation
  • etc.

113
Outline
  • Introduction to Static Driver Verifier
  • Static Driver Verifier internals
  • Conclusion, Discussion

115
Conclusion
  • SDV
  • An automatic formal verification tool that finds
    bugs in device drivers
  • Kernel API usage rules + the SLAM model checker
  • Beta release available (but only interesting if
    you write device drivers)

116
Conclusion
  • What's next for SDV-like tools within Microsoft?
  • More work on formal API specifications (contracts)
  • Liveness / termination properties

117
Conclusion
  • What's next for SDV-like tools within Microsoft?
  • Application of SLAM-like checkers to additional
    software
  • Better handling of loops
  • Better handling of deep heap structures

118
Conclusion
  • What's next for SDV-like tools within Microsoft?
  • Boogie/Spec# extended static checking
  • Based on classic verification condition
    generation
  • Separation logic or shape analysis?

119
Conclusion
  • What's next for SDV-like tools within Microsoft?
  • Concurrency
  • Zing (explicit-state model checking for
    asynchronous programs)
  • Extending the SLAM approach to modeling
    asynchronous threads

120
Discussion
  • Questions?
  • More information available at
  • http://www.microsoft.com/whdc/devtools/tools/SDV.mspx
  • http://www.microsoft.com/slam
  • Pointers to technical papers about SLAM
  • Pointers to people involved in the project
  • http://www.microsoft.com/bycook
  • About me