/ PSWLAB Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions by D. Engler, B. Chelf, A. Chou, S. Hallem published.

Slides:



Advertisements
Similar presentations
Intermediate Code Generation
Advertisements

Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Programming Languages and Paradigms
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
The Assembly Language Level
Chapter 7: User-Defined Functions II
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
Chapter 7: User-Defined Functions II Instructor: Mohammad Mojaddam.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Chapter 9. 2 Objectives You should be able to describe: Addresses and Pointers Array Names as Pointers Pointer Arithmetic Passing Addresses Common Programming.
CS 330 Programming Languages 10 / 16 / 2008 Instructor: Michael Eckmann.
G Robert Grimm New York University Extensibility: SPIN and exokernels.
1 Pertemuan 20 Run-Time Environment Matakuliah: T0174 / Teknik Kompilasi Tahun: 2005 Versi: 1/6.
Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chow, Seth Hallem Computer Systems.
Run time vs. Compile time
Catriel Beeri Pls/Winter 2004/5 environment 68  Some details of implementation As part of / extension of type-checking: Each declaration d(x) associated.
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
MULTIVIE W Checking System Rules Using System-Specific, Program-Written Compiler Extensions Paper: Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
“A System and Language for Building System-Specific, Static Analyses” CMSC 631 – Fall 2003 Seth Hallem, Benjamin Chelf, Yichen Xie, and Dawson Engler (presented.
Gaurav S. Kc, 1 MC: Meta-level Compilation Extending the Process of Code Compilation with Application-Specific Information.
/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:
Memory Allocation CS Introduction to Operating Systems.
1 Chapter 5: Names, Bindings and Scopes Lionel Williams Jr. and Victoria Yan CSci 210, Advanced Software Paradigms September 26, 2010.
CS3012: Formal Languages and Compilers The Runtime Environment After the analysis phases are complete, the compiler must generate executable code. The.
EE4E. C++ Programming Lecture 1 From C to C++. Contents Introduction Introduction Variables Variables Pointers and references Pointers and references.
Inferring and checking system rules by static analysis William R Wright.
Compiler Construction
C++ Programming: From Problem Analysis to Program Design, Fifth Edition, Fifth Edition Chapter 7: User-Defined Functions II.
Lecture 2 Foundations and Definitions Processes/Threads.
Richard Mancusi - CSCI 297 Static Analysis and Modeling Tools which allows further checking of software systems.
Kernel Locking Techniques by Robert Love presented by Scott Price.
Implementing Subprograms What actions must take place when subprograms are called and when they terminate? –calling a subprogram has several associated.
COMP3190: Principle of Programming Languages
1 Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem Stanford University.
RUN-Time Organization Compiler phase— Before writing a code generator, we must decide how to marshal the resources of the target machine (instructions,
CPS4200 Unix Systems Programming Chapter 2. Programs, Processes and Threads A program is a prepared sequence of instructions to accomplish a defined task.
Concepts of programming languages Chapter 5 Names, Bindings, and Scopes Lec. 12 Lecturer: Dr. Emad Nabil 1-1.
Functions Math library functions Function definition Function invocation Argument passing Scope of an variable Programming 1 DCT 1033.
1 Structure of Compilers Lexical Analyzer (scanner) Modified Source Program Parser Tokens Semantic Analysis Syntactic Structure Optimizer Code Generator.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Checking System Rules Using System-Specific Programmer Written Compiler Extensions Dawson Engler, Benjamin Chelf, Andy Chou and Seth Hallem Presented by:
FILES AND EXCEPTIONS Topics Introduction to File Input and Output Using Loops to Process Files Processing Records Exceptions.
Runtime Environments Chapter 7. Support of Execution  Activation Tree  Control Stack  Scope  Binding of Names –Data object (values in storage) –Environment.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
LINKED LISTS.
Run-Time Environments Presented By: Seema Gupta 09MCA102.
Process Management Deadlocks.
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Chapter 7: User-Defined Functions II
Source Analysis for Security
YAHMD - Yet Another Heap Memory Debugger
Type Checking Generalizes the concept of operands and operators to include subprograms and assignments Type checking is the activity of ensuring that the.
ITEC 202 Operating Systems
Chapter 3: Using Methods, Classes, and Objects
The HP OpenVMS Itanium® Calling Standard
User-Defined Functions
UNIT V Run Time Environments.
Languages and Compilers (SProg og Oversættere)
Foundations and Definitions
RUN-TIME STORAGE Chuen-Liang Chen Department of Computer Science
Procedure Linkages Standard procedure linkage Procedure has
Dynamic Binary Translators and Instrumenters
In Today’s Class.. General Kernel Responsibilities Kernel Organization
SPL – PS3 C++ Classes.
Presentation transcript:

/ PSWLAB Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions by D. Engler, B. Chelf, A. Chou, S. Hallem published in OSDI 2000 Hong,Shin Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions

/ PSWLAB Contents Introduction Meta-level Compilation Checking Assertion Side-effect Temporal Ordering Enforcing Rules Globally Linux Mutual Exclusion Conclusion Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 2

/ PSWLAB Introduction 1/4 System software must obey many rules. –e.g. “check user permission before modifying kernel data structures” –A code that does not obey these rules may crash the system. There are several methods to find violations of system rules. –Model checking –Testing –Manual inspection Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 3

/ PSWLAB Introduction 2/4 Model checking –Pros: rigorous checking –Cons: models are difficult and costly to construct Testing –Pros: working with an actual code –Cons: not scalable, finding the cause of a test failure can be difficult Manual inspection –Pros: easy adapt to ad hoc coding conventions and system rules. –Cons: impossible for complex codes, reliability of manual inspection is erratic Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 4

/ PSWLAB Introduction 3/4 One possible alternative is to use static compiler analysis to find rule violations. –Models are not needed. –Static analysis can examine much more paths than testing. –Reduces the need to construct numerous test cases  Compilers can be used to enforce system rules because many rules have a straightforward mapping to program source Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 5

/ PSWLAB Introduction 4/4 Meta-level compilation –Extends compilers with lightweight, system-specific checkers. –System implementers write extensions in a high-level state-machine language, metal. –Using metal, system implementers can specify system rules as code patterns. –The written extensions are dynamically linked into an extensible compiler, xg++. –The extended compiler detects any rule violation in an input code by matching the code to specified patterns Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 6

/ PSWLAB Meta-level Compilation 1/6 Many system rules describe legal orderings of operations or specific contexts where these operations can or cannot occur. A meta-level compiler extension can check these rules by searching for the corresponding operations and checking that codes obey the given ordering or contextual restrictions. Metal –Compiler extensions are written in a high-level, state-machine language, metal. –xg++ compiler translates each input function into its internal representation, the extensions are applied down every possible execution path in that function Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 7

/ PSWLAB Meta-level Compilation 2/6 Rule templates “Never/always do X” e.g.Never use floating point in kernel. “Always do X before/after Y” e.g.Always check that user given pointers are not null before using in kernel. “Never do X before/after Y” e.g. Never acquire a lock twice. “In situation X, do Y” e.g. While interrupts are disabled, do not call functions that can sleep. “In situation X, do Y rather than Z” e.g. If code does not share data with interrupt handlers, then use spin locks rather than interrupt disabling Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 8

/ PSWLAB Meta-level Compilation 3/6 Ex. a metal state-machine to detect (1) when interrupts disabled using cli() are not re-enabled using either sti() or restore_flags() and (2) duplicate enable/disable calls Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 9 {# inlcude “linux-includes.h” } sm check_interrupts { decl {unsigned} flags ; pat enable = { sti() ; } | {restore_flags(flags) ; } ; pat disable = { cli() ; } ; is_enabled : disable ==> is_disabled | enable ==> {err(“double enable”);}; is_disabled: enable ==> is_enabled | disable ==> {err(“double disable”);}; | $end_of_path$ ==> {err(“exiting w/intr disabled!”);} ; } Variables used in patterns Patterns States

/ PSWLAB Meta-level Compilation 4/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 10 is_ enabled is_ disabled error enable disable enable/ ”double enable” disable/ ”double disable” end of path/ “invalid exit”

/ PSWLAB Meta-level Compilation 5/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 11

/ PSWLAB Meta-level Compilation 6/6 Metal can specify whether a rule should be applied either down all paths (flow sensitive) or linearly through the code (flow insensitive). Caching is used to prune redundant code paths where state- machine instances follow code paths that reach the same state. –The system represents the state of an state-machine as a vector holding the value of its variables. –For each node in the input flow-graph, it records the set of states where it has been visited. –If an state-machine arrives at a node in the same state as a previous instance, the system prunes it Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 12

/ PSWLAB Checking Assertion Side-effects1/2 We can find incorrect uses of C assert macros using meta – level compilation. Assertions should not have non-debugging effects.  If an assert condition has important side-effects, these will disappear when the assertion is removed and the program will behave incorrectly. If an assertion expression has any assignment operations or function invocations, the assertion may have side-effects.  We can write a metal checker that inspects assertion expressions for side-effects.  In Xok’s ExOS library OS, the extension found 16 violations in 199 assertions Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 13

/ PSWLAB Checking Assertion Side-effects2/2 { #include } sm Assert flow_insensitive { decl { any } expr, x, y, z ; decl { any_call } any_fcall ; decl { any_args } args ; start: { assert(expr); } ==> {mgk_expr_recurse(expr, in_assert);} ; in_assert: {any_fcall(args)} ==> {err(“func call”);} | {x = y} ==> {err(“assignment”);} | {z++} ==> {err(“post-increment”);} | {z--} ==> {err(“post-decrement”);} ; } Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 14 apply the extension linearly over input functions metal provides a set of generic types for matching different classes of types a metal procedure call to apply the state-machine to the expression in expr in the in_assert state

/ PSWLAB Temporal Orderings 1/8 Many system operations must (or must not) happen in sequence. This constraints are well-suited for compiler checking since sequences of operations are encoded as literal procedure calls in a code. - Checking copyin/copyout - Checking memory management Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 15

/ PSWLAB Temporal Ordering 2/8 Checking copyin/copyout Most operating system guard against application corruption of kernel memory by using special routines to check system call input pointers and to move data between user and kernel space. A meta-compilation extension can find errors in such code by finding paths where an application pointer is used before passing through the checking routines Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 16

/ PSWLAB Temporal Ordering 3/8 At each system call definition, the extension uses a special pattern to find every pointer parameter, which it binds to a tainted state. The only legal operations on a tainted variable are being (1) killed by an assignment or (2) passed as an argument to functions expecting tainted input (e.g. kprintf). A tailored version of this checker for Xok exokernel code found 18 errors from 187 distinct user pointers in the exokernel Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 17

/ PSWLAB Temporal Ordering 4/8 Checking memory management An extension checks four common rules to check memory management: (1) Since memory allocation can fail, kernel code must check whether the returned pointer is not null before using it. (2) Memory cannot be used after it has been freed. (3) Paths that allocate memory and then abort with an error should typically deallocate this memory before returning. (4) The size of allocated memory cannot be less than the size of the object the assigned pointer holds Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 18

/ PSWLAB Temporal Ordering 5/8 We can write metal state-machine to check the memory management conditions. –Pointers to allocated storage can be in exactly one of four states: unknown, null, not_null, freed, or okay. –A variable is bound to the unknown state at every allocation site. –When an unknown variable is compared to null, the extension sets the variable’s state on the null path to null and on the non-null path to not_null. –Pointers passed to free transition to the freed state. –The checker only allows dereferences of pointers in not_null state. This extension found 132 errors in Linux Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 19

/ PSWLAB Temporal Ordering 6/8 sm null_checker { decl {scalar} sz; decl {const int} retv; decl {any_ptr} v1; state decl {any_ptr} v; start, v.all: {((v=(any)malloc(sz))==0)} ==> true=v.null, false=v.not_null | {((v=(any)malloc(sz))!=0)} ==> true=v.not_null, false=v.null; | {v=(any)malloc(sz)} ==> v.unknown ; Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 20

/ PSWLAB Temporal Ordering 7/8 v.unknown, v.null, v.not_null: {(v==0)} ==> true=v.null, false=v.not_null | {(v!=0)} ==> true=v.not_null, true=v.null ; v.unknown, v.not_null: {return retv;} ==> {if (mgk_int_cst(retv) <0) err(“Error path leak!”);} ; v.null, v.unknown: {*(any *)v} ==> {err(“Using ptr illegally!”);}; v.unknown, v.null, v.not_null: {free(v);} ==> v.freed; v.freed: {free(v)} ==> {err(“Dup free!”);} | {v} ==> {err(“Use after-free!”);} ; v.all: {v = v1 } ==> v.ok ; } Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 21

/ PSWLAB Temporal Ordering 8/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 22

/ PSWLAB Enforcing Rules Globally 1/6 The extensions described thus far have been implemented as local analyses. Many system rules are context dependent and apply globally across functions in a given call chain. Following two Linux rules are checked by global analysis: -Kernel code cannot call blocking functions with interrupts disabled or while holding a spin lock. -A dynamically loaded kernel module cannot call blocking functions until the module’s reference count has been properly set Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 23

/ PSWLAB Enforcing Rules Globally 2/6 Computing blocking routines We build a list of possibly blocking functions in three passes. (1)Make a list of blocking functions manually. e.g. kernel memory allocators called without the GFP_ATOMIC flag, routines to move data to or from user space. (2)The metal extension marks a function as a potentially blocking function if the function directly calls blocking functions in the list. (3)Make a global call graph for the entire kernel and perform a depth first traversal over this call graph calculating which routines have any path to a potentially blocking function Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 24

/ PSWLAB Enforcing Rules Globally 3/6 Checking blocking deadlock A metal extension can check both rules by assuming each routine starts in an enabled state with interrupts enabled and no locks held. As it traverses each global code path, if it hits a statement that disables interrupt, it goes to a disabled state. If it hits a potentially blocking function in a disabled state, it reports the global code path as an error. The extension found real 79 deadlock errors in Linux Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 25

/ PSWLAB Enforcing Rules Globally 4/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 26 Disable interrupt Block function

/ PSWLAB Enforcing Rules Globally 5/6 Checking module reference counts Linux allows kernel subsystems to be dynamically loaded and unloaded. A module has its reference count tracking the number of kernel subsystems using the module. –A module increment s its reference count during loading (by MOD_INC_USE_COUNT ) –decrements it during unloading ( by MOD_DEC_USE_COUNT ). A module must protect against being unloaded while sleeping by incrementing its reference count before calling a blocking function. An extension can check for load race condition by tracking if a potentially blocking function has been called and flagging subsequent MOD_INC_USE_COUNT Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 27

/ PSWLAB Enforcing Rules Globally 6/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 28 Block function client must be deallocated!

/ PSWLAB Linux Mutual Exclusion 1/2 The checks for Linux locking conventions are important to avoid deadlock in kernel. Each kernel function must satisfy following conditions: (1) All locks acquired within the function body are released before exiting. (2) No execution paths attempt to lock or unlock the same lock twice. (3)Upon exiting, interrupts are either enabled or restored to their initial state. (4) The “bottom halves” of interrupt handlers are not disabled upon exiting. (5)Interrupt flags are saved before they are restored. We can write metal state-machine to check these conditions Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 29

/ PSWLAB Linux Mutual Exclusion 2/ Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 30 &s->lock is not released. hold &s->lock

/ PSWLAB Conclusion 1/1 Systems are pervaded with restrictions of what actions programmers must always or never perform, how they must order events, and which actions are legal in a given context. Programmers make mistakes, and often have only an approximate understanding of important system restrictions. Meta-level compilation makes it easy for implementers to extend compilers with lightweight system-specific checkers. The authors demonstrated meta-level compilation’s power by check real, heavily-used, and test systems Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 31

/ PSWLAB References [1] Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions by D. Engler et al, OSDI Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.