How to Cook an Automated System for Linux Driver Verification
Oleg Strikov, Vadim Mutilin
Oleg A. Strikov, Vadim S. Mutilin

Slide 2: Guinea-pig
DAC960PD-Ultra (DAC960):
- a high-performance three-channel Ultra SCSI disk array controller that uses Intel's i bit microprocessor
- supports disk arrays for RAID levels 0, 1, 5, 0+1, and 5+0
- permits data transfer rates across the PCI bus at 132 MB/sec
- supports Fast-20 data transfer rates of 40 MB/sec per channel
- up to 45 drives can be attached to the RAID controller
- supports the Global Array Manager
- full device driver support for UNIX, Windows, OS/2, NetWare and other operating systems
Slide 3: Confusing Linux Driver Code
Controller->V1.DualModeMemoryMailboxInterface = false;   (false? or true?)
VERIFICATION NEEDED
Slide 4: Manuscript
Slide 5: Mixing Up
Ingredients: BLAST, DRIVER SOURCE, VERIFICATION MODELS, INSTRUMENTATION TOOL
Slide 6: BLAST???
Berkeley Lazy Abstraction Software Verification Tool. BLAST is a software model checker for C programs. It uses counterexample-driven automatic abstraction refinement to construct an abstract model, which is then model checked for safety properties.
Slide 7: Real World Example: /drivers/block/DAC960.c
- No explicit calls to linking-level init procedures (not BLAST acceptable):
  module_init(DAC960_init_module);
  module_exit(DAC960_cleanup_module);
- Callback interface procedures registration (not BLAST acceptable either):
  ret = pci_register_driver(&DAC960_pci_driver);
Extra preprocessing tools should be coded.
Slide 8: Conceptual Hack Toolkit
Bash scripting magic: STATUS: DOUBLE DUTCH -> STATUS: BLAST ACCEPTABLE
Slide 9: BLAST Shamanic Ritual
RULE ID0029: CANNOT CALL ALLOC() BEFORE CREATE()
Error found! System is unsafe :-(
Slide 10: How It Works
NATURAL LANGUAGE RULE
RULE ID 0029: Memory regions cannot be allocated from a non-existent predecessor pool.
TARGET: Prevent a potential system crash connected with incorrect use of the pool subsystem function set: dma_pool_alloc() cannot be called before the pool has been successfully created with dma_pool_create().
FORMAL LANGUAGE RULE
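The ID0029 rule above, as an added C example that is not from the slides or the authors' toolkit: a minimal verification model in the style BLAST consumes, where stand-in functions for dma_pool_create()/dma_pool_alloc() track pool state and count a violation where a BLAST model would reach its error label. The model_* names, the single created flag and the two constructed driver init sequences are assumptions made for illustration.

```c
#include <stdlib.h>
/* Stand-in for the kernel's struct dma_pool (assumption: only a created flag). */
struct model_dma_pool { int created; };
/* Error sink: where a BLAST model would jump to its ERROR label, we count. */
static int rule_0029_violations = 0;

/* Model of dma_pool_create(): like the real call it can fail and return NULL. */
static struct model_dma_pool *model_dma_pool_create(int simulate_failure)
{
    if (simulate_failure)
        return NULL;
    struct model_dma_pool *p = malloc(sizeof *p);
    if (p)
        p->created = 1;
    return p;
}

/* Model of dma_pool_alloc(): legal only on a successfully created pool. */
static void *model_dma_pool_alloc(struct model_dma_pool *pool)
{
    if (pool == NULL || !pool->created) {
        rule_0029_violations++;  /* ID0029 violated: alloc before create */
        return NULL;
    }
    return malloc(16);           /* constructed block size */
}

/* Constructed driver init that allocates before the pool exists;
 * returns the number of rule violations the model observed. */
int driver_init_unsafe(void)
{
    rule_0029_violations = 0;
    struct model_dma_pool *pool = NULL;
    void *buf = model_dma_pool_alloc(pool);   /* wrong order */
    pool = model_dma_pool_create(0);
    free(buf); free(pool);
    return rule_0029_violations;
}

/* Same init with the ordering and create-result check the rule demands. */
int driver_init_safe(int create_fails)
{
    rule_0029_violations = 0;
    struct model_dma_pool *pool = model_dma_pool_create(create_fails);
    if (pool == NULL)
        return rule_0029_violations;          /* no alloc after a failed create */
    void *buf = model_dma_pool_alloc(pool);
    free(buf); free(pool);
    return rule_0029_violations;
}
```

Instrumenting a driver this way (swapping the real pool calls for the tracking models) is what lets a model checker report the "alloc before create" path as an error rather than a runtime crash.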
Slide 11: Results (in progress…)
- 55 collected
- 24 beyond the scope of BLAST
- 15 have been formalized
CURRENT TARGET SUBSYSTEMS:
- /usr/src/linux/net & /usr/src/linux/drivers/net
- /usr/src/linux/block & /usr/src/linux/drivers/block
- /usr/src/linux/drivers/char
Slide 12: Contacts
Oleg A. Strikov
Vadim S. Mutilin