Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.


Slide 1: Extracting Zing Models from C Source Code
Tomáš Matoušek, Filip Zavoral
Department of Software Engineering, Faculty of Mathematics and Physics, Charles University in Prague, Czech Republic

Slide 2: Goals
Verification of Windows kernel drivers against rules imposed by the kernel
Motivation
 Drivers are difficult to test: bugs can appear only under special conditions
 Incorrect behavior in cooperation with the environment: the kernel is complex and concurrent
Technique: model checking
 A specification of the kernel API provided to drivers
 A model of the driver
 Using the Zing Model Checker tool

Slide 3: Our Previous Work: Kernel Specifications
DeSpec
 Driver Environment Specification Language
 An object-oriented specification and modeling language
 Allows one to:
   - abstract and model kernel API functions and structures
   - model the kernel's behavior towards drivers
   - capture various constraints imposed on the driver

Slide 4: DeSpec Example

    class DEVICE_OBJECT {
        NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached)
            requires !Driver.IsLowest;
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;
        {
            result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES };
            attached = IsSuccessful(result) ? Driver.LowerDevice : null;
        }

        void IoDetachDevice(instance)
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;

        static rule forall(DEVICE_OBJECT device) {
            _.IoAttachDevice(..., out device)::succeeded
        } corresponds to {
            device.IoDetachDevice()
        } globally;
    }
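As an added illustration (not code from the paper or its tools), the following Python monitor checks two of the slide-4 constraints over a driver call trace: the IRQL precondition on both calls, and the "corresponds to ... globally" rule read as "every succeeded IoAttachDevice of a device must later be matched by IoDetachDevice on that device". The event tuple shape, the numeric IRQL encoding, the traces and the name check_trace are assumptions; the !Driver.IsLowest precondition is not modeled.

```python
PASSIVE_LEVEL = 0  # assumed numeric encoding of KIRQL.PASSIVE_LEVEL

def check_trace(events):
    """events: (call, device, irql, status) tuples in program order.
    Returns a list of violation strings; an empty list means the rule holds."""
    violations = []
    attached = set()  # devices with a succeeded IoAttachDevice not yet detached
    for i, (call, device, irql, status) in enumerate(events):
        if irql != PASSIVE_LEVEL:  # 'requires thread.Irql == KIRQL.PASSIVE_LEVEL'
            violations.append(f"event {i}: {call} called at IRQL {irql}")
        if call == "IoAttachDevice":
            if status == "STATUS_SUCCESS":
                attached.add(device)  # '::succeeded' - failed attaches need no detach
        elif call == "IoDetachDevice":
            if device not in attached:
                violations.append(f"event {i}: detach of {device} without prior attach")
            else:
                attached.discard(device)
    for device in sorted(attached):  # 'globally': still unmatched at end of trace
        violations.append(f"{device} attached but never detached")
    return violations

# Constructed traces: one satisfying the rule, one with three violations.
GOOD_TRACE = [
    ("IoAttachDevice", "dev0", PASSIVE_LEVEL, "STATUS_SUCCESS"),
    ("IoAttachDevice", "dev1", PASSIVE_LEVEL, "STATUS_INSUF_RESOURCES"),
    ("IoDetachDevice", "dev0", PASSIVE_LEVEL, None),
]
BAD_TRACE = [
    ("IoAttachDevice", "dev0", PASSIVE_LEVEL, "STATUS_SUCCESS"),
    ("IoDetachDevice", "dev1", 2, None),  # raised IRQL, and dev1 was never attached
]
```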

Slide 5: Zing Example

    class Fork {
        Philosopher holder;

        void PickUp(Philosopher eater) {
            atomic {
                select { wait(holder == null) -> holder = eater; }
            }
        }

        void PutDown() { holder = null; }
    };

    class Philosopher {
        Fork leftFork;
        Fork rightFork;

        void Run() {
            while (true) {
                leftFork.PickUp(this);
                rightFork.PickUp(this);
                leftFork.PutDown();
                rightFork.PutDown();
            }
        }
    };

Slide 6: Model Extractor Implementation
Inputs
 Source code of the driver (C language)
 Specification of the kernel environment (DeSpec)
 Set of rules to be verified (DeSpec)
Process
 C code parsing, merging and analysis
 Extraction of the Zing model from the driver source code
 Combination of the extracted model with the kernel model
 Zing model slicing
Output
 Zing model realizing the driver's interactions with the environment
 Passed to the Zing model checker

Slide 7: Modeling C Language Constructs in Zing
Zing
 Object-oriented modeling language
 Some C constructs cannot be mapped directly
 Major issues: pointers, arrays, pointer arithmetic
Modeling types
 Primitive (int, ...): a string literal becomes a static array of int
 Composite (struct, union): dynamically allocated value types are boxed
 Static arrays
 Data pointers
 Function pointers

Slide 8: Modeling Variables
Address-may-be-taken flag
Variable models
 Value: int, float, struct, pointer; address never taken
   - non-pointer types: mapped directly
   - data pointers: special methods DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr
   - function pointers: integer, indirect call via switch
 BoxedValue: int, float, struct, pointer; address may be taken; Box type
 StaticArray: static array; multidimensional arrays flattened

Slide 9: Pointer Representation
Data pointer represented by a pair
4 types of pointer targets
 Statically allocated storage
   - Single value
   - Sequence of values (multi-value)
 Dynamically allocated storage
   - Provably single value
   - Possibly multi-value
Potential multi-values
 Static analysis
 Represented by an expandable Zing array

Slide 10: Example: Pointers to Dynamically Allocated Memory

    void* p = malloc(size);
    int* q = p;
    q += 3;
    *q = 5;

Data type not known prior to the first write operation

Slide 11: Example: Static Single- and Multi-value Pointers

    int t = 1;
    int *s = &t;
    int a[5];
    int *u = &a[1];
    int *v = a;
    u[2] = 3;
    v += 4;
    *v = 6;
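To make the pointer model of slides 8 to 11 concrete, here is an added Python simulation (not code from the paper or its extractor). The pointer is assumed to be the pair (target storage, element offset); the storage kinds follow slide 9 and the method names DerefGet, DerefSet, AddIntPtr, SubPtrPtr and CmpPtrPtr follow slide 8. Out-of-range accesses raise, which is the kind of defect the extracted model lets the checker find; malloc'ed storage expands on demand and takes its element type from the first write (slide 10). All names and the string-typed element types are assumptions.

```python
class Storage:
    """Pointer target: cells plus element type; kind distinguishes the slide-9 cases."""
    def __init__(self, kind, cells, elem_type=None):
        self.kind, self.cells, self.elem_type = kind, cells, elem_type

def boxed(value, elem_type): return Storage("boxed", [value], elem_type)     # address taken
def static_array(n, elem_type): return Storage("static", [None] * n, elem_type)
def dynamic(): return Storage("dynamic", [])   # malloc: expandable, untyped at first

class Ptr:
    """The assumed (target, offset) pair standing in for a C data pointer."""
    def __init__(self, target, offset=0):
        self.target, self.offset = target, offset
    def AddIntPtr(self, n):                      # p + n
        return Ptr(self.target, self.offset + n)
    def SubPtrPtr(self, other):                  # p - q, only within one object
        if self.target is not other.target:
            raise ValueError("pointers into different objects")
        return self.offset - other.offset
    def CmpPtrPtr(self, other):                  # p == q
        return self.target is other.target and self.offset == other.offset
    def DerefGet(self):                          # *p read
        if not 0 <= self.offset < len(self.target.cells):
            raise IndexError("read outside the pointed-to storage")
        return self.target.cells[self.offset]
    def DerefSet(self, value, elem_type):        # *p = value
        t = self.target
        if t.elem_type is None:
            t.elem_type = elem_type              # slide 10: type fixed by first write
        elif t.elem_type != elem_type:
            raise TypeError("write with a type different from the storage type")
        if t.kind == "dynamic" and self.offset >= len(t.cells):
            t.cells.extend([None] * (self.offset + 1 - len(t.cells)))  # expand
        if not 0 <= self.offset < len(t.cells):
            raise IndexError("write outside the pointed-to storage")
        t.cells[self.offset] = value

def slide11_example():   # int t = 1; int *s = &t; int a[5]; int *u = &a[1]; int *v = a;
    t, a = boxed(1, "int"), static_array(5, "int")
    s, u, v = Ptr(t), Ptr(a, 1), Ptr(a)
    u.AddIntPtr(2).DerefSet(3, "int")            # u[2] = 3  -> a[3]
    v = v.AddIntPtr(4)                           # v += 4
    v.DerefSet(6, "int")                         # *v = 6    -> a[4]
    return s.DerefGet(), a.cells, v.SubPtrPtr(u)

def slide10_example():   # void* p = malloc(size); int* q = p; q += 3; *q = 5;
    p = dynamic(); q = Ptr(p).AddIntPtr(3)
    q.DerefSet(5, "int")                         # first write fixes the type to int
    return p.elem_type, p.cells
```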

Slide 12: Slicing
Goal
 To reduce the size of the resulting model as much as possible
 Slicing criterion: variables related to the rules selected for verification
Two possibilities
 Slice the C program before the extraction
   - More complex
   - Needs to deal with pointers (already done by the extraction)
 Slice the extracted Zing program
   - Zing is similar to simplified Java
   - Reuse existing work on slicing Java programs
   - We go this way

Slide 13: Related Work
Model checking
 Zing Model Checker (Microsoft Research)
 Bogor Model Checking Framework (SAnToS labs)
 SPIN (Bell Labs)
Driver checking
 Static Driver Verifier (Microsoft Research): model checking based on Boolean programs
 Driver Verifier (Microsoft): run-time checking
 PREfast (Microsoft): static analysis, error pattern searching
Java slicing
 JPF, Bogor Framework
 Nanda, M. G.: Slicing Concurrent Java Programs

Slide 14: Conclusion & Future Work
DeSpec language
 Specifications of the Windows kernel environment
 Formalization of rules defined by the Driver Development Kit in plain English
 Proof of concept: a specification of a significant subset of the kernel API
Model Extractor
 Zing model extraction, dealing with C pointers
 Proof of concept (C to Zing extraction without model reduction)
   - Synchronized priority queue via singly linked list written in C
   - Intentional errors in the implementation revealed in seconds
   - Correct implementation verified in 31 minutes (3 threads, 9 items in the queue)
Future work
 Model Extractor improvements
   - Model size reduction via slicing
   - Tests on real Windows kernel drivers

Slide 15: Thank you for your attention

