Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Static Driver Verifier Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey,

Published byHenry Horn Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Static Driver Verifier Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey,"— Presentation transcript:

1 1 Static Driver Verifier Byron Cook – Microsoft Research bycook@microsoft.com Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram Rajamani & Abdullah Ustuner

2 2 DD HW DD HW Windows OS and device drivers Operating System Kernel DD

3 3 Kernel DD HW DD HW Windows OS and device drivers

4 4 Kernel DD HW DD HW Windows OS and device drivers

5 5 Kernel DD HW DD HW Windows OS and device drivers Examples: Outlook mail system HTTP web server Performance monitoring tools VM tools New networking technologies Firewalls Virus protection Drawing tools ………………………

6 6 Kernel DD HW DD HW Windows OS and device drivers

7 7 Kernel DD HW DD HW Windows OS device drivers Fujitsu Nvidia Microsoft Adaptec Nvidia Logitech ADI University student ?????????? Techsoft Epson Intel ?????????? McAfee Creative Sony Microsoft AOL ?????????? Microsoft Symantec Creative Logitech

8 8 Kernel DD HW DD HW Windows OS and device drivers

9 9 Kernel DD HW DD HW Windows OS and device drivers

10 10 Kernel DD HW DD HW Windows OS and device drivers

11 11 Kernel DD HW DD HW Windows OS and device drivers

12 12 Kernel DD HW DD HW Windows OS and device drivers

13 13 Kernel DD HW DD HW Windows OS and device drivers

14 14 Kernel DD HW DD HW Windows OS and device drivers

15 15 Kernel DD HW DD HW Windows OS and device drivers Example: If the driver is passed a PNP request packet with minor function IRP_MN_REMOVE_DEVICE, a driver must call IoDeleteDevice for any device that was previously allocated with IoCreateDevice

16 16 Kernel DD HW DD HW Windows OS and device drivers Example: If the driver is passed a PNP request packet with minor function IRP_MN_REMOVE_DEVICE, a driver must call IoDeleteDevice for any device that was previously allocated with IoCreateDevice Example: While running at raised “interrupt request level” (IRQL), calling KeWaitForSingleObject or KeWaitForMultipleObjects with Kernel-defined dispatcher object(s) to wait for a nonzero interval causes a fatal error. Only driver routines that run in a nonarbitrary thread context at IRQL PASSIVE_LEVEL, such as driver-created threads, the DriverEntry and Reinitialize routines, or Dispatch routines for inherently synchronous I/O operations, such as most device I/O control requests, can safely wait on events, semaphores, mutexes, or timers for a nonzero interval.

17 17 Kernel DD HW DD HW Windows OS and device drivers

18 18 Driver Verifier: A run-time correctness checking tool PREfast: A compile-time correctness checking tool based on shallow pattern search Static Driver Verifier (SDV) : A compile-time correctness checking tool based on deep semantic analysis via symbolic model checking Tools for finding bugs in Windows device drivers

19 19 Driver Verifier: A run-time correctness checking tool PREfast: A compile-time correctness checking tool based on shallow pattern search Static Driver Verifier (SDV) : A compile-time correctness checking tool based on deep semantic analysis via symbolic model checking Tools for finding bugs in Windows device drivers

20 20 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

21 21 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

22 22 Static Driver Verifier Static Driver Verifier (SDV) is a tool for finding bugs in Windows device drivers: SDV operates on the driver’s source code SDV is completely automatic SDV checks that drivers do not violate a set of “kernel API usage rules” Attempts to prove the correctness of the driver with the SLAM software model checker

23 23 Static Driver Verifier other.h driver.h driver.c Driver sources SDV X X X X

24 24 Static Driver Verifier

25 25 Static Driver Verifier

26 26

27 27

28 28

29 29

30 30

31 31

32 32

33 33

34 34

35 35

36 36

37 37

38 38

39 39

40 40

41 41

42 42

43 43

44 44

45 45

46 46

47 47 Static Driver Verifier

48 48 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

49 49 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

50 50 Static Driver Verifier other.h driver.h driver.c Driver sources SDV X X X X

51 51 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X Driver sources

52 52 Static Driver Verifier: Rules Expressed in an event-based language Possible events:  Function entry  Function exit The code associated with events call the function error() to indicate a violation: IoCallDriver.entry { if ($2->Tail.Overlay.CurrentStackLocation->MajorFunction ==IRP_MJ_POWER) { error(); }

53 53 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

54 54 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

55 55 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

56 56 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

57 57 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

58 58 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

59 59 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

60 60 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

61 61 Static Driver Verifier: Rules state { int LowerDriverReturn = 0; bool LowerDriverCalled = 0; bool PerformCheck = 1; } with guard (sdv_main,irp) [PoCallDriver,IoCallDriver].exit[guard $2] { LowerDriverCalled = 1; LowerDriverReturn = $return; } [IoCompleteRequest,IoMarkIrpPending].entry[guard $1] { PerformCheck = 0; } stub_dispatch_end.entry { if ( PerformCheck && LowerDriverCalled && LowerDriverReturn != $1 ) { error “………”; } Our Driver Environment Lower Driver

62 62 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X

63 63 Static Driver Verifier: OS model Provides the main function Abstract implementations of kernel APIs (like IoCallDriver) Models some aspects of the OS state, like the “interrupt request level” (IRQL) Uses non-deterministic choice

64 64 Static Driver Verifier: OS model NTSTATUS IoCreateDevice( IN PDRIVER_OBJECT DriverObject, IN ULONG DeviceExtensionSize, IN PUNICODE_STRING DeviceName OPTIONAL, IN DEVICE_TYPE DeviceType, IN ULONG DeviceCharacterisitcs, IN BOOLEAN Exclusive, OUT PDEVICE_OBJECT * DeviceObject ) { ULONG Choice = nondet(); switch (Choice) { case 0 : (*DeviceObject) = &SDV_devobj2; return STATUS_SUCCESS; case 1 : return STATUS_INSUFFICIENT_RESOURCES; case 2 : return STATUS_OBJECT_NAME_EXISTS; default: return STATUS_OBJECT_NAME_COLLISION; }

65 65 Static Driver Verifier: OS model NTSTATUS IoCreateDevice( IN PDRIVER_OBJECT DriverObject, IN ULONG DeviceExtensionSize, IN PUNICODE_STRING DeviceName OPTIONAL, IN DEVICE_TYPE DeviceType, IN ULONG DeviceCharacterisitcs, IN BOOLEAN Exclusive, OUT PDEVICE_OBJECT * DeviceObject ) { ULONG Choice = nondet(); switch (Choice) { case 0 : (*DeviceObject) = &SDV_devobj2; return STATUS_SUCCESS; case 1 : return STATUS_INSUFFICIENT_RESOURCES; case 2 : return STATUS_OBJECT_NAME_EXISTS; default: return STATUS_OBJECT_NAME_COLLISION; }

66 66 Static Driver Verifier SDV Rules SLAM OS model other.h driver.h driver.c X X X X

67 67 Static Driver Verifier: SLAM Symbolic model checker for C Strategy: throw away as much irrelevant detail from the driver as possible through abstraction search Algorithm = Predicate Abstraction + Counter-example based refinement + Symbolic reachability for Boolean programs Simplifying (unsound) assumptions:  C unions are ignored  Memory layout is not known: pointer arithmetic is largely ignored  Coincidental pointer aliasing is ignored, purposeful aliasing is not  Functions cannot be called both by name and pointer  The OS model does not exercise all paths possible in practice

68 68 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } Assume that f1, f2, f3 and g do not call AcquireLock or ReleaseLock

69 69 Static Driver Verifier: SLAM int locked = 0; AcquireLock.entry { if (locked==1) { error(); } else { locked=1; } ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; }

70 70 SLAM Static Driver Verifier: SLAM

71 71 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Check Step Driver passes rule Rule violation foundOS model Driver sources Rule Instrumen t Step

72 72 Static Driver Verifier: SLAM int locked = 0; if (locked==1) { error(); } else { locked=1; } if (locked==0) { error(); } else { locked=0; } int locked = 0; AcquireLock.entry { if (locked==1) { error(); } else { locked=1; } ReleaseLock.entry { if (locked==0) { error(); } else { locked=0; } void AcquireLock() { …………… } void ReleaseLock() { …………… } void main() { …………… void AcquireLock() { ……………… } void ReleaseLock() { ……………… } void main() { …………… Are these reachable?

73 73 Static Driver Verifier: SLAM SLAM Refine Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Abstract Step

74 74 void main() { for(;;) { AcquireLock(); while( ) { f1(); f2(); f3(); if ( ) { ReleaseLock(); } g(); } Static Driver Verifier: SLAM int a,b,c,rst,cnt; cnt = 0; rst=0; !rst a = b = c = a<b && b<c rst=1; * *

75 75 Static Driver Verifier: SLAM void AcquireLock() { if ( ) { error(); } else { } void ReleaseLock() { if ( ) { error(); } else { } locked==1 locked=1; locked==0 locked=0; g1 g1 = 1; g0 = 0; g0 g0 = 1; g1 = 0; bool g0 = 1; // locked==0 bool g1 = 0; // locked==1 int locked = 0; State space = 2^(2 + #bits(pc)) + stack

76 76 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Check Step

77 77 Static Driver Verifier: SLAM Reachable state-space for steps <1

78 78 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3

79 79 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6

80 80 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6 Reachable state-space for steps <7 Reachable state- space for steps <8

81 81 Static Driver Verifier: SLAM Reachable state-space for steps <1 Reachable state-space for steps <2 Reachable state-space for steps <3 Reachable state- space for steps <4 Reachable state- space for steps <5 Reachable state-space for steps <6 Reachable state-space for steps <7 Reachable state- space for steps <8 Reachable state- space for steps <9 State where PC is at a call to error()

82 82 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

83 83 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

84 84 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

85 85 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

86 86 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

87 87 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

88 88 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

89 89 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

90 90 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

91 91 Static Driver Verifier: SLAM void main() { for(;;) { AcquireLock(); while( * ) { f1(); f2(); f3(); if ( * ) { ReleaseLock(); } g(); }

92 92 Static Driver Verifier: SLAM SLAM Abstract Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Refine Step

93 93 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); }

94 94 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); }

95 95 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); }

96 96 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0

97 97 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0

98 98 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0

99 99 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0

100 100 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0

101 101 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0

102 102 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0

103 103 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0 !(rst==0)

104 104 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0 !(rst==0) New predicate to track: main { rst==0 }

105 105 Static Driver Verifier: SLAM void main() { int a,b,c,rst,cnt; cnt = 0; for(;;) { AcquireLock(); rst=0; while(!rst) { a = f1(); b = f2(); c = f3(); if (a<b && b<c) { rst=1; ReleaseLock(); } g(); } cnt==0 rst==0 !(rst==0) New predicate to track: main { rst==0 }

106 106 Static Driver Verifier: SLAM SLAM Refine Step Check Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Abstract Step

107 107 void main() { for(;;) { AcquireLock(); while( ) { f1(); f2(); f3(); if ( ) { ReleaseLock(); } g(); } Static Driver Verifier: SLAM int a,b,c,rst,cnt; cnt = 0; rst=0; !rst a = b = c = a<b && b<c rst=1; bool v0; // represents rst==0 v0=1; v0 * v0=0; State space = 2^(3 + #bits(pc)) + stack

108 108 Static Driver Verifier: SLAM SLAM Refine Step Abstract Step Instrumen t Step Driver passes rule Rule violation foundOS model Driver sources Rule Check Step

109 109 Static Driver Verifier: SLAM Reachable state-space for steps <n

110 110 Static Driver Verifier: SLAM Reachable state-space for steps <n Reachable state-space for steps <n+1 Reachable state-space for steps <n+2

111 111 Static Driver Verifier: SLAM Reachable state-space for steps <n Reachable state-space for steps <n+1 Reachable state-space for steps <n+2 Reachable state- space for steps <n+3 Reachable state- space for steps <n+4 Reachable state- space for steps <n+5 and <n+4

112 112 Static Driver Verifier: SLAM Reachable state-space for steps <n Reachable state-space for steps <n+1 Reachable state-space for steps <n+2 Reachable state- space for steps <n+3 Reachable state- space for steps <n+4 Reachable state- space for steps <n+5 and <n+4

113 113 Static Driver Verifier: SLAM The abstraction contains only the PC and these three state bits  locked==1  locked==0  rst==0 Abstracted away  Much of f1(), f2(), f3(), g(),  cnt,  a, b, c  Potential values from rst From this abstraction we can reasons that the original C program is also correct

114 114 SLAM Driver passes rule Rule violation found Driver sources Rule Static Driver Verifier: SLAM Refine Step Abstract Step Check Step Instrumen t Step OS model Developing using: Pointer analysis Weakest pre-conditions A “symbolic” first-order logic theorem prover with uninterpreted functions Developed using: A lazy first-order logic theorem prover with uninterpreted functions based on a propositional satisfiability solver (SAT) Developed using: CFL-reachability Boolean decision diagrams (BDDs)

115 115 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

116 116 Outline Introduction to Windows device drivers Introduction to Static Driver Verifier Static Driver Verifier internals Conclusion & Discussion

117 117 Conclusion SDV  A compile-time tool that finds bugs in device drivers  Kernel API usage rules + the SLAM model checker  Released on the current DDK beta  Subsequent releases will support additional driver models

118 118 Conclusion What’s next for SDV-like tools within Microsoft? Proving deeper properties about programs that manipulate the heap  Separation logic (e.g. Smallfoot)  Shape analysis (e.g. TVLA)  Decision procedures for heap structures Concurrency  Boolean programs with threads (e.g. Boppo)  SPIN-like checking for programs (e.g. Zing) Liveness properties & termination  Counterexample-guided refinement for termination (e.g. Terminator) Contracts & specifications

119 119 Discussion Questions? More information available at:  http://www.microsoft.com/whdc/devtools/tools/SDV.mspx  SDV tool & whitepaper  http://www.research.microsoft.com/slam  Pointers to technical papers about SLAM  http://www.research.microsoft.com/~bycook

120 120 Static Driver Verifier Quotes from SDV users:  “This bug would be a really hard bug to find other than with a tool like SDV. There are just too many details to keep track of to have a good chance of finding it.”  “This looks like a bug to me. This is AWESOME!! SDV rocks!”  “These are all real, difficult to discover bugs. Good work!”  “This bug would have been very difficult to find by inspection and it was one of those bugs that would be near-impossible to reproduce…”  “Fixing this bug will definitely stop some unexplainable and hard to debug random system crashes in the future.”

Download ppt "1 Static Driver Verifier Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg, Con McGarvey,"

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)

Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani Presented by Yifan Li November 22nd In PLDI 01: Programming Language.
Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.

Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Operating Systems ECE344 Ding Yuan Synchronization (I) -- Critical region and lock Lecture 5: Synchronization (I) -- Critical region and lock.

Operating Systems ECE344 Ding Yuan Synchronization (I) -- Critical region and lock Lecture 5: Synchronization (I) -- Critical region and lock.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.

Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.

Similar presentations

Ads by Google