Solidifying Software Interfaces: Checkable Contracts Thomas Ball Testing, Verification and Measurement Microsoft Research

The.NET Framework A Once in a Decade Change PDC 2000 Paradigm ShiftPDC 2000 Paradigm Shift –Web services –Managed Code Richness Win16 Win32 COM MFC Components Services APIs Windows 3.0

Trustworthy Commitment Microsoft Cultural ShiftMicrosoft Cultural Shift –Thousands of hours spent in security reviews on.NET Framework to date security reviews “Hardening” the.NET Framework“Hardening” the.NET Framework Making Security Easier for CustomersMaking Security Easier for Customers –Prescriptive Architectural Guidance –Feature changes in.NET Framework

Tools Client Application Model Windows Forms Web & Service Application Model ASP.NET Compact Framework Yukon Data Systems Application Model Presentation Mobile PC & Devices Application Model Communication Command Line NT Service System.Messaging System.DirectoryServices System.Runtime.Remotin g System.Windows.Forms System.Console System.ServiceProces s System.Windows.Form s System.Web System.Data.SqlServer HttpWebRequest FtpWebListener SslClientStream WebClient System.Net NetworkInformation Sockets Cache System.Windows.Forms Forms Control Print Dialog Design System.Web.UI Page Control HtmlControls MobileControls WebControls Adaptors Design System.Drawing System.Web.Service s Web.Service Description Discovery Protocols System.Timers System.Globalization System.Serialization System.Threading System.Text System.Design Serialization CompilerServices Base & Application Services Fundamentals System.ComponentModel System.CodeDom System.Reflection System.EnterpriseServices System.Transactions Security System.Web. Security AccessControl Credentials Cryptography System.Web.Configuration System.Configuration System.Resources System.Management System.Deployment System.Diagnostics ConfigurationDeployment/Management Ports InteropServices System.Runtime System.IO System.Collections Generic Permissions Policy Principal Token System.Security System.Web Administration Management.NET Framework Data System.Web Personalization Caching SessionState System.Xml Schema Serializatio n Xpath Query DataSet Mapping ObjectSpaces ObjectSpace Query Schema System.Data SqlClient SqlTypes SqlXML OdbcClient OleDbClient OracleClient

Client Implementation API But no contracts! Interfaces Everywhere!

11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Microsoft Powerpoint EULA Point EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The GPL 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Is There any Program That Satisfies Its Contract?

Informal Contract: Sockets the "communication domain" in which communication is to take place; see protocols(5). Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A con- nection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2). The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of

What is an API Contract? Pre-conditionsPre-conditions –the conditions a client must establish before calling an API –“A filehandle must be in an open state before you call fread ” Post-conditionsPost-conditions –the conditions an implementation (of an API) must establish upon its termination –“If the file is present, fopen returns a filehandle in the open state”

Formalizing Contracts Pre/post conditionsPre/post conditions –Eiffel: “design by contract”, integrated into language –JML: pre/post language (in comments) MonitorsMonitors –security automata –SLIC - SLAM’s API rule language ModelsModels –ASML: separate modeling language

Why are Contracts Useful? Precision in specification & designPrecision in specification & design Separation of concernsSeparation of concerns DocumentationDocumentation Checking/TestingChecking/Testing –dynamic (run-time) –static (compile-time) Responsibility, enforceability, liability, …Responsibility, enforceability, liability, …

Why Now? Specifications are (still) a good idea!Specifications are (still) a good idea! –focus shifted to critical properties rather than full correctness Bug economicsBug economics Test automation wallTest automation wall Moore’s lawMoore’s law –abundant computational resources Advances in research and technologyAdvances in research and technology –model checking –program analysis –theorem proving –analysis infrastructures

Overview SLAM analysis engineSLAM analysis engine –Static Driver Verifier Other contract-checking toolsOther contract-checking tools –Vault (type checking) –ESC/Java (theorem proving) –ESP (dataflow analysis)

Source Code Testing Development Precise API Usage Rules (SLIC) Software Model Checking Read for understanding New API rules Drive testing tools Defects 100% path coverage Rules Static Driver Verifier

SLAM – Software Model Checking SLAM innovationsSLAM innovations –boolean programs: a new model for software –model creation (c2bp) –model checking (bebop) –model refinement (newton) SLAM toolkitSLAM toolkit –built on MSR program analysis infrastructure

SLIC Finite state language for stating rulesFinite state language for stating rules –monitors behavior of C code –temporal safety properties (security automata) –familiar C syntax Suitable for expressing control-dominated propertiesSuitable for expressing control-dominated properties –e.g. proper sequence of events –can encode data values inside state

State Machine for Locking UnlockedLocked Error Rel Acq Rel state { enum {Locked,Unlocked} enum {Locked,Unlocked} s = Unlocked; } KeAcquireSpinLock.entry { if (s==Locked) abort; if (s==Locked) abort; else s = Locked; else s = Locked;} KeReleaseSpinLock.entry { if (s==Unlocked) abort; if (s==Unlocked) abort; else s = Unlocked; else s = Unlocked;} Locking Rule in SLIC

The SLAM Process #include C2BP predicate abstraction boolean program Newton feasibility check Bebop reachability check Harness SLIC Rule + refinement predicates error path

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Does this code obey the locking rule?

do { KeAcquireSpinLock(); if(*){ KeReleaseSpinLock(); } } while (*); KeReleaseSpinLock(); Example Model checking boolean program (bebop) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } } while (nPackets != nPacketsOld); KeReleaseSpinLock(); Example Is error path feasible in C program? (newton) U L L L L U L U U U E

do { KeAcquireSpinLock(); nPacketsOld = nPackets; b = true; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; b = b ? false : *; } } while (nPackets != nPacketsOld); !b KeReleaseSpinLock(); Example Add new predicate to boolean program (c2bp) b : (nPacketsOld == nPackets) U L L L L U L U U U E

do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b b b b Example Model checking refined boolean program (bebop) b : (nPacketsOld == nPackets) U L L L L U L U U U E b b !b

Example do { KeAcquireSpinLock(); b = true; if(*){ KeReleaseSpinLock(); b = b ? false : *; } } while ( !b ); KeReleaseSpinLock(); b : (nPacketsOld == nPackets) b b b b U L L L L U L U U b b !b Model checking refined boolean program (bebop)

Demo

SLAM Status –foundations, algorithms, prototyping –papers in CAV, PLDI, POPL, SPIN, TACAS March 2002March 2002 –Bill Gates review May 2002May 2002 –Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier July 2002July 2002 –running SLAM on 100+ drivers, 20+ properties September 3, 2002 –made initial release of SDV to Windows (friends and family) April 1, 2003 –made wide release of SDV to Windows (any internal driver developer) September, 2003 –team of six in Windows working on SDV –researchers moving into “consultant” role November, 2003 –demonstration at Driver Developer Conference

SLAM Results Boolean program model has proved itselfBoolean program model has proved itself Successful for device driver contractsSuccessful for device driver contracts –control-dominated safety properties –few boolean variables needed to do proof or find real errors Counterexample-driven refinementCounterexample-driven refinement –terminates in practice –incompleteness of theorem prover not an issue

Other Ways to Check Contracts Type systemsType systems –Vault programming language –type system extended to allow simple pre/post Theorem provingTheorem proving –ESC/Java checker –uses JML specification language (rich pre/post conditions) Dataflow analysisDataflow analysis –ESP –uses SLIC-like state machine language

Vault By Rob DeLine & Manuel Fahndrich of MSRBy Rob DeLine & Manuel Fahndrich of MSR Vault folds usage rules into programming language’s type systemVault folds usage rules into programming language’s type system –Interface author states usage rules in type signature –Compiler rejects client code if it violates a rule (type error) –Every violation is guaranteed to be found (soundness)

Why a Type-based Approach? Types are widely accepted form of specificationTypes are widely accepted form of specification Specification and code are kept in syncSpecification and code are kept in sync Developers find and fix bugs before execution, when cheapestDevelopers find and fix bugs before execution, when cheapest Programmer understands violations and how to fix themProgrammer understands violations and how to fix them Efficient, scalable analysis doesn’t slow developmentEfficient, scalable analysis doesn’t slow development

Tracked Types and Keys Usage rules talk about individual objectsUsage rules talk about individual objects – –void listen (sock, int) – –void listen (tracked(S) sock, int)[ named -> listening ] Naming: Tracked types give compile-time names (keys) to objectsNaming: Tracked types give compile-time names (keys) to objects Object state: Key can have a symbolic state to model state of the objectObject state: Key can have a symbolic state to model state of the object

Example: Sockets in Vault tracked(S) sock socket (domain, style, int)[ new raw ] void bind (tracked(S) sock, sockaddr)[ raw -> named ] void listen (tracked(S) sock, int)[ named -> listening ] tracked(N) sock accept (tracked(S) sock)[ listening, new ready ] void receive (tracked(S) sock, byte[])[ ready ] void close (tracked(S) sock)[ -S ]

Statically Enforcing Usage Protocols At every program point, Vault compiler computes key setAt every program point, Vault compiler computes key set –Functions and built-in operations (new/free) change key set –Key must be consumed, not “leaked” On each path in function’s body, check:On each path in function’s body, check: –Pre-condition is transformed into post-condition –All proof obligations satisfied Pre-conditions of other function callsPre-conditions of other function calls Primitive operations (memory access, free)Primitive operations (memory access, free) Avoid exponential blow-upAvoid exponential blow-up –Require uniform predicate at join points

Checking Socket Client Code void communicate(sockaddr addr) { tracked(K) sock s = socket(`UNIX, `INET, 0); tracked(K) sock s = socket(`UNIX, `INET, 0); bind(s, addr); bind(s, addr); listen(s, 0); listen(s, 0); while (!shutdown()) { while (!shutdown()) { tracked(J) sock c = accept(s); tracked(J) sock c = accept(s); receive(c, buffer); receive(c, buffer); close(c); close(c); } close(s); close(s);}

Checking Socket Client Code void communicate(sockaddr addr) {{ } tracked(K) sock s = socket(`UNIX, `INET, 0);{ } tracked(K) sock s = socket(`UNIX, `INET, 0);{ } bind(s, addr);{ } bind(s, addr);{ } listen(s, 0);{ } listen(s, 0);{ } while (!shutdown()) {{ } while (!shutdown()) {{ } tracked(J) sock c = accept(s);{ } tracked(J) sock c = accept(s);{ } receive(c, buffer);{ } receive(c, buffer);{ } close(c);{ } close(c);{ } }{ } }{ } close(s);{ } close(s);{ }}

Vault Research With few new abstractions, check many usage rulesWith few new abstractions, check many usage rules –Still imperative programming style –Can handle “real” applications: device drivers –Can check “real” rules that developers commonly violate On-going researchOn-going research –Apply Vault ideas to other languages –Fugue checker for C# uses attribute language to specify rules and works as a plug-in –Plan to release as part of Fxcop

Conclusions The technology now exists for enforcing simple API contracts using static analysisThe technology now exists for enforcing simple API contracts using static analysis Rollout/adoptionRollout/adoption –first as out-of-band tools (i.e., SLAM, ESP, Fugue) –next as in-band tools (part of language/compiler)

Thanks To Software Productivity Tools group members –Sriram Rajamani (SLAM) –Rob DeLine, Manuel Fahndrich (Vault/Fugue) SLAM summer interns –Sagar Chaki, Todd Millstein, Rupak Majumdar (2000) –Satyaki Das, Wes Weimer, Robby (2001) –Jakob Lichtenberg, Mayur Naik (2002) –Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003) SLAM Visitors –Giorgio Delzanno, Andreas Podelski, Stefan Schwoon Static Driver Verifier: Windows Partners –Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner

Programmer Productivity Research Center (PPRC) Focus on defect prevention and early detectionFocus on defect prevention and early detection Collect information about the development processCollect information about the development process Enable rapid research and tool development with rich infrastructuresEnable rapid research and tool development with rich infrastructures Achieve process automation through technologyAchieve process automation through technology “Technology-based approach to software development” Approach Products that Microsoft ships have been touched by at least one of PPRC tools: 12.5% of bugs fixed in Windows 2003 Server were found with PPRC tools

PPRC Approach TOOLS Collection / Analysis ManagementTransform ations Product Development Stages Cod ing Debugging Testing SE … Distributed Repository Service API ModelsSource Control Test Behavior Binary Symbols Specification Program Information Bug Database Crash Dumps Project Plans Customer Feedback Collect information about development process Analyze information to guide tools Need lots of tools throughout the development process

AST Source Code Analysis Infrastructure Rapid Research and Tool Development … using common infrastructures VULCAN Binary Editing Infrastructure BMAT Binary Matching MaX Magellan Dependency Framework SPA Scalable Program Analysis Higher Abstraction Infrastructure Technologies Defects SLAM PREfix PREfast ESP Fugue Athena Perf BBT IceCAP LOP Coverage BBCOVER SLEUTH INJECTOR Test SCOUT BLENDER SWAT