Software Verification with BLAST - PowerPoint PPT Presentation

About This Presentation
Title:

Software Verification with BLAST

Description:

www-cad.eecs.berkeley.edu/~tah/blast. UC Berkeley. Motivation: Reliability & Trust ... Questionable code written by unknown vendors. device drivers, mobile code ...

Slides: 8
Provided by: rupakma

Transcript and Presenter's Notes

1
Software Verification with BLAST
  • Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, Grégoire Sutre
  • www-cad.eecs.berkeley.edu/~tah/blast

UC Berkeley
2
Motivation: Reliability & Trust
  • Reliability (verification)
    • Check that the system is bug free
    • Low level systems code
    • Locking disciplines, API specs, ...
    • Path-sensitive properties
  • Trust (certification)
    • Questionable code written by unknown vendors
      • device drivers, mobile code
    • Certificates should be easy to check
    • Minimize the Trusted Computing Base

3
BLAST
  • Input
    • Specification
      • e.g. API usage rules
    • Client C source code as is
      • e.g. device driver code
  • Analysis
    • Create abstractions
    • Exhaustively search for errors
    • Refine based on false error paths
    • Until no errors found or a real bug is found
  • Output
    • Real error traces
    • Proofs of correctness
  • Goal: sound/precise analysis, scaling to 100s of kloc

4
Abstract-Check-Refine Loop
  [Diagram: Abstract → Check ("Is model unsafe?") → Refine ("Why infeasible?") → Abstract. The Refine step is entered when the abstract error path is infeasible.]
5
Example: Locking
  Example () {
   1: do {
        lock();
        old = new;
   2:   if (*) {
   3:     unlock();
          new++;
        }
   4: } while (new != old);
   5: unlock();
      return;
  }
  Q: Is Error reachable?
6
Step 1: Search
  [Abstract reachability tree, explored with the predicates LOCK=0 and LOCK=1: from node 1 (LOCK=0) along lock(); old = new; ...; unlock(), the search reaches the error node.]
  Set of predicates: LOCK=0, LOCK=1
7
Step 2: Analyze Counterexample
  Weakest preconditions along the abstract error path, read from the top (node 1) down to the error:
    LOCK=0 ∧ new+1 = new    (at node 1, before lock())
    LOCK=1 ∧ new+1 = new    (after lock(), before old = new)
    LOCK=1 ∧ new+1 = old    (after old = new, before unlock())
    LOCK=0 ∧ new+1 = old    (after unlock(), before new++)
    LOCK=0 ∧ new = old      (after new++, before the loop-exit test)
    LOCK=0                  (before the final unlock(), which leads to Error)
  The condition at node 1 is unsatisfiable, so the path is infeasible.
  Track the predicate new = old.
8
Step 3: Resume Search
  Set of predicates: LOCK=0, LOCK=1, new = old
  [Refined abstract reachability tree; node annotated LOCK=0 ∧ new = old.]
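The three steps above (search, counterexample analysis, resumed search) are the abstract-check-refine loop of slide 4 run on the locking example. The following is an added illustration, not BLAST's own code: it encodes the example as a small control-flow graph (the node names 1a, 3a and END are assumed), replaces the theorem prover with hand-written transfer functions for the three predicates, decides path feasibility with a toy symbolic executor, and refines by tracking the predicate of the guard the executor contradicted (BLAST derives the predicate from the proof of infeasibility). Run it and the first search reports the path ending in unlock() at line 5, the analysis rejects it at new == old, and the resumed search with new == old tracked proves the program safe.

```python
"""Toy abstract-check-refine loop for the slides' locking example (added
illustration, not BLAST's code)."""

# Control-flow graph (assumed encoding): (source, op, target).  Labels 1..5
# are the slide's line labels; 1a, 3a and END are assumed intermediate points.
CFG = [
    (1, "lock()", "1a"),
    ("1a", "old = new", 2),
    (2, "assume(*)", 3),            # if (*) taken
    (2, "skip", 4),                 # if (*) not taken
    (3, "unlock()", "3a"),
    ("3a", "new++", 4),
    (4, "assume(new != old)", 1),   # loop again
    (4, "assume(new == old)", 5),   # loop exits
    (5, "unlock()", "END"),
]

INITIAL_PREDICATES = ["LOCK == 0", "LOCK == 1"]
GUARD_PREDICATE = {"assume(new == old)": "new == old",
                   "assume(new != old)": "new == old"}
INFEASIBLE, ERROR = "INFEASIBLE", "ERROR"


def abstract_post(state, op, preds):
    """Abstract successor of state (pred -> True/False/None) under op.
    Returns ERROR on lock misuse, INFEASIBLE on a contradicted guard, else the
    successor projected onto the tracked predicates (others are forgotten)."""
    s = dict(state)
    if op == "lock()":
        if s.get("LOCK == 1") is True:
            return ERROR                        # double lock
        s["LOCK == 0"], s["LOCK == 1"] = False, True
    elif op == "unlock()":
        if s.get("LOCK == 0") is True:
            return ERROR                        # double unlock
        s["LOCK == 0"], s["LOCK == 1"] = True, False
    elif op == "old = new":
        s["new == old"] = True
    elif op == "new++":
        # equal before -> unequal after; otherwise nothing is known afterwards
        s["new == old"] = False if s.get("new == old") is True else None
    elif op == "assume(new == old)":
        if s.get("new == old") is False:
            return INFEASIBLE
        s["new == old"] = True
    elif op == "assume(new != old)":
        if s.get("new == old") is True:
            return INFEASIBLE
        s["new == old"] = False
    # "skip" and "assume(*)" leave the state unchanged.
    return {p: s.get(p) for p in preds}


def search(preds):
    """Depth-first search of the abstract reachability tree from node 1 with the
    lock free.  Returns None if safe, else the ops of the first abstract error path."""
    start = {p: {"LOCK == 0": True, "LOCK == 1": False}.get(p) for p in preds}
    stack, seen = [(1, start, [])], set()
    while stack:
        node, state, path = stack.pop()
        key = (node, tuple(state[p] for p in preds))
        if key in seen:
            continue                            # node already covered
        seen.add(key)
        succs = [(op, tgt) for src, op, tgt in CFG if src == node]
        for op, tgt in reversed(succs):         # explore the first CFG edge first
            post = abstract_post(state, op, preds)
            if post == ERROR:
                return path + [op]
            if post != INFEASIBLE:
                stack.append((tgt, post, path + [op]))
    return None


def path_feasible(path):
    """Precise symbolic execution of one path: new and old are (base, offset)
    pairs over unconstrained initial values, so equality is decided exactly
    when both share a base.  Returns (feasible, contradicted_op)."""
    env = {"new": ("new0", 0), "old": ("old0", 0)}
    for op in path:
        if op == "old = new":
            env["old"] = env["new"]
        elif op == "new++":
            base, off = env["new"]
            env["new"] = (base, off + 1)
        elif op in GUARD_PREDICATE:
            (nb, no), (ob, oo) = env["new"], env["old"]
            if nb != ob:
                continue                        # initial values satisfy either guard
            if (no == oo) != (op == "assume(new == old)"):
                return False, op
    return True, None


def verify():
    """Abstract-check-refine loop: ("safe", preds) or ("bug", concrete path)."""
    preds = list(INITIAL_PREDICATES)
    while True:
        path = search(preds)
        if path is None:
            return "safe", preds
        feasible, guard = path_feasible(path)
        if feasible:
            return "bug", path
        new_pred = GUARD_PREDICATE[guard]       # "Track the predicate new = old"
        if new_pred in preds:
            raise RuntimeError("refinement made no progress")
        preds.append(new_pred)


if __name__ == "__main__":
    print("step 1:", search(INITIAL_PREDICATES))
    print("loop:  ", verify())
```

The only spurious path with LOCK=0/LOCK=1 alone is not the one shown on the slides: skipping the if branch and looping keeps the lock held and would call lock() twice, but tracking new == old rules that path out as well, since after old = new the loop test new != old cannot hold.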
9
Conclusions
  • Applications
    • Linux/Windows device drivers
    • Found bugs in API usage
  • Techniques
    • Automated deduction (theorem provers)
    • Program analysis
    • Model checking
  • Future directions
    • Checking security properties
    • Concurrent software