Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source Code Tomáš Matoušek, Filip Zavoral
2 Goals Verification of Windows kernel drivers against rules imposed by the kernel Motivation Drivers are difficult to test Bugs can appear only at special conditions Incorrect behavior in cooperation with the environment The kernel is complex and concurrent Technique - model checking A specification of the kernel API provided to drivers A model of the driver Using Zing Model Checker tool
3 Our Previous Work: Kernel Specifications DeSpec Driver Environment Specification Language An object-oriented specification and modeling language Allows to abstract and model kernel API functions and structures model the kernel’s behavior to drivers capture various constrains imposed on the driver
4 DeSpec Example class DEVICE_OBJECT { NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached) requires !Driver.IsLowest; requires thread.Irql == KIRQL.PASSIVE_LEVEL; { result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES }; attached = IsSuccessful(result) ? Driver.LowerDevice : null; } void IoDetachDevice(instance) requires thread.Irql == KIRQL.PASSIVE_LEVEL; static rule forall(DEVICE_OBJECT device) { _.IoAttachDevice(..., out device)::succeeded } corresponds to { device.IoDetachDevice() } globally; }
Zing Example class Fork { Philosopher holder; void PickUp(Philosopher eater) { atomic { select { wait(holder == null) -> holder = eater; } void PutDown() { holder = null; } }; class Philosopher { Fork leftFork; Fork rightFork; void Run() { while (true) { leftFork.PickUp(this); rightFork.PickUp(this); leftFork.PutDown(); rightFork.PutDown(); } };
6 Model Extractor Implementation Inputs Source code of the driver (C language) Specification of the kernel environment (DeSpec) Set of rules to be verified (DeSpec) Process C code parsing, merging and analysis Extraction of Zing model from driver source code Combination of the extracted model with the kernel model Zing model slicing Output Zing model realizing driver’s interactions with the environment Passed to Zing model checker
7 Modeling C Language Constructs in Zing Zing Object-oriented modeling language Some C constructs cannot be mapped directly Major issues: pointers, arrays, pointer arithmetic Modeling types Primitive (int, …) string literal: static array of int Composite (struct, union) dynamically allocated value types boxed Static arrays Data pointers Function pointers
Modeling Variables Address-may-be-taken flag Variable models Value int, float, struct, pointer, address never taken non-pointer types: mapped directly data pointers: special methods DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr Function pointers: integer, indirect call switch BoxedValue int, float, struct, pointer, address may be taken Box type StaticArray static array multidimensional arrays flattened
Pointer Representation Data pointer represented by a pair 4 types of pointer targets Statically allocated storage Single value Sequence of values – multi-value Dynamically allocated storage Provably single value Possibly multi-value Potential multi-values Static analysis Represented by expandable Zing array
10 Example: Pointers to Dynamically Allocated Memory void* p = malloc(size); int* q = p; q += 3; *q = 5; Data type not known prior the first write operation
Example: Static Single- and Multi-value Pointers int t = 1; int *s = &t; int a[5]; int *u = &a[1]; int *v = a; u[2] = 3; v += 4; *v = 6;
12 Slicing Goal To reduce size of the resulting model as much as possible Slicing criterion : variables related to the rules selected for verification Two possibilities Slice the C program before the extraction More complex Needs to deal with pointers (already done by the extraction) Slice the extracted Zing program Zing similar to simplified Java Reuse existing work on Java programs slicing We go this way
13 Related Work Model checking Zing Model Checker (Microsoft Research) Bogor Model Checking Framework (SAnToS labs) SPIN (Bell Labs) Driver checking Static Driver Verifier (Microsoft Research) Model checking based on Boolean programs Driver Verifier (Microsoft) Run-time checking PREfast (Microsoft) Static analysis, error patterns searching Java Slicing JPF, Bogor Framework Nanda, M. G.: Slicing Concurrent Java Programs
14 Conclusion & Future Work DeSpec language Specifications of the Windows kernel environment Formalization of rules defined by Driver Development Kit in plain English Proof of the concept: A specification of a significant subset of kernel API Model Extractor Zing model extraction, dealing with C pointers Proof of the concept (C to Zing extraction w/o model reduction) Synchronized priority queue via singly linked list written in C Intentional errors in implementation revealed in seconds Correct implementation verified in 31 minutes (3 threads, 9 items in the que) Future work Model Extractor improvements Model size reduction via slicing Tests on real Window kernel drivers
Extracting Zing Models from C Source Code 15 Thank you for your attention