Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Model-Checking to Debug Device Firmware Sanjeev Kumar Microprocessor Research Labs, Intel Kai Li Princeton University.

Published byRosanna Dickerson Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Model-Checking to Debug Device Firmware Sanjeev Kumar Microprocessor Research Labs, Intel Kai Li Princeton University."— Presentation transcript:

1 Using Model-Checking to Debug Device Firmware Sanjeev Kumar Microprocessor Research Labs, Intel Kai Li Princeton University

2 Using Model Checking to Debug Device Firmware2 Programmable Devices Network Card Bus CPU D Mem Disk Network CPU D D D Mem Main CPU Main Memory Move functionality from main CPUs to devices Device firmware is more complex

3 Using Model Checking to Debug Device Firmware3 Firmware for Programmable Devices Difficult to write and debug –Use concurrency Inherently difficult to program correctly –Optimized for high performance Tradeoff program simplicity for performance –Limited debugging support available Firmware reliability is important –Firmware is trusted by the OS –Bugs in firmware can crash the entire machine Model checking is a promising approach

4 Using Model Checking to Debug Device Firmware4 Model Checking Systematically verify properties of concurrent systems Using State-space exploration –Try all possible scheduling options Advantages –Automatic –Produces counter example Disadvantages –Computationally expensive Exponential search Models cannot be too big ModelTest CodeProgram

5 Using Model Checking to Debug Device Firmware5 Using Model Checking to Debug Firmware Extracting models from programs –Manually (by the programmer) –Automatic (using the compiler) Reduces programmer effort Reduces mismatch between program and model Extracting smaller models models –Support for abstraction Discard irrelevant details in the program

6 Using Model Checking to Debug Device Firmware6 Our Work Extract abstract models using a compiler –General compiler techniques Programmer controls the abstraction process –Specifies what needs to be abstracted Compiler performs the abstractions conservatively –Extract models for Spin model checker from programs written in the ESP language –Make practical choices Goal: Debugging and not Verification Used to debug VMMC firmware for a network card –Found 7 bugs that can cause the firmware to deadlock Could not find these bugs without support for abstraction

7 Using Model Checking to Debug Device Firmware7 Related Work Manual Model Extraction –Harmony, RUBIS, Plan 9, Fluke OS Used model checking to debug a subsystem Automatic Model Extraction –Teapot, Promela++, Esterel, Java Pathfinder Domain-specific and general-purpose languages Automatic Extraction + Support for abstraction –Feaver, Lie et. al., Bandera

8 Using Model Checking to Debug Device Firmware8 Outline Background Extracting Abstract Models using a Compiler –From ESP Language –For Spin Model Checker Evaluation: Debugging VMMC Firmware Conclusion and Future Work

9 Using Model Checking to Debug Device Firmware9 ESP: A Language for Programmable Devices pgm1.spin pgmN.spin pgm.C ESP Compiler pgm.ESP help.C Generate Firmware Develop and Test using Model Checker test1.spin testN.spin Goals 1)Easy to program 2)Allow extensive testing 3)Performance

10 Using Model Checking to Debug Device Firmware10 The ESP Language Concurrent language: Processes & Channels –Pure message-passing communication –in, out, alt operations on channels –Channels are synchronous or unbuffered –Processes and channels are static A number of interesting features –Explicit memory management scheme that uses model-checking to ensure safety –Supports dispatch on channels –Efficient and powerful interface to C

11 Using Model Checking to Debug Device Firmware11 Extracting Models for Spin Step 1 : Detailed models [ PLDI’01 ] –Translate each language construct into Spin –Simple translation int, bool, records, arrays, unions If-then-else, while-loops process, channel –Spin does not support Dynamic memory allocation & Pointers Additional bookkeeping necessary to support these Can be used to check local properties –Debug subsystems (1-2 processes) separately –Too big to debug the entire system

12 Using Model Checking to Debug Device Firmware12 Extracting Abstract Models Conservatively Step 2: Abstract models –Necessary to check global properties (like deadlocks) –Drop unnecessary details Depending on the property being verified –Programmer controls the abstraction Abstraction specified by the programmer –Drop variables –Drop fields from records and unions Compiler used the abstraction specified conservatively –Could introduce fast-positive bugs –All bugs in the programs will be present in the extracted model –Involves dealing with a number of tricky cases

13 Using Model Checking to Debug Device Firmware13 Examples $b2: boolean = true;... $b1: boolean = b2; $b2: boolean = true;... $b1: boolean = b2; type recT = #record of { int count; } $r1: recT = {0}; if (b) { r2 = r1; }... r1.count = 5; $r1: recT = {0}; if (b) { r2 = r1; }... r1.count = 5; if :: b1 = true :: b1 = false fi if :: b1 = true :: b1 = false fi if :: r2.count = 5 :: skip fi if :: r2.count = 5 :: skip fi X X X X X Conservative: Use nondeterminism to broaden the state-space searched

14 Using Model Checking to Debug Device Firmware14 Outline Background Extracting Abstract Models using a Compiler Evaluation: Debugging VMMC Firmware Conclusion and Future Work

15 Using Model Checking to Debug Device Firmware15 VMMC High-performance communication –Bypass OS for data transfers Used Myrinet network cards –Gigabit network –33 MHz CPU, 1 MB memory Original VMMC firmware –Implemented in C Several man-years of debugging Still encounter bugs Some involve complex race conditions that are triggered only occasionally Data OS Network Card Application Network

16 Using Model Checking to Debug Device Firmware16 Debugging VMMC Firmware Reimplemented VMMC firmware using ESP Used model checking to debug –Global property of program (deadlocks) –Hard-to-find bugs –Found 7 bugs using abstract models 4 Bugs would cause deadlock during normal operations 3 Bugs would be triggered only by a malicious machine –Could not find these bugs without abstractions No firmware bugs encountered on device –Microbenchmarks –SPLASH2 parallel application suite On a 16-processor SMP cluster

17 Using Model Checking to Debug Device Firmware17 Resource used for Model Checking Spin Mode States Searched (in Millions) CPU Time (in seconds) Memory (in Mbytes) Exhaustive0.3884.0268.35* Partial mode99.714250.0*167.92 Only partial search was possible Even partial searches were effective * Limiting Resource VMMC Firmware

18 Using Model Checking to Debug Device Firmware18 Model extracted from VMMC Firmware FileLines of Code ESP Program453 Abstraction Specification108 Abstract Model Extracted2202 Test Code128 Programmer only write a small amount of Spin Code Program can be rechecked with little effort

19 Using Model Checking to Debug Device Firmware19 Outline Background Extracting Abstract Models using a Compiler Evaluation: Debugging VMMC Firmware Conclusion and Future Work

20 Using Model Checking to Debug Device Firmware20 Conclusions Use compiler to extract abstract models –Evaluation: Debugged VMMC firmware Using compiler to extract models is good –Significantly reduces effort required to model check Abstraction is required –To check global properties like deadlocks Programmer can control the abstraction –Compiler is conservative –Does not require the programmer to be correct Only partial search was possible –Still effective in finding bugs

21 Using Model Checking to Debug Device Firmware21 Future Work Optimizations to reduce size of state space –Eliminating more redundancies Quantify the effectiveness of a partial seach –Estimate the fraction of state-space searched Use type systems to reduce the size of state space that has to be searched

22 Using Model Checking to Debug Device Firmware22 To find out more, Visit http://www.cs.princeton.edu/~skumarhttp://www.cs.princeton.edu/~skumar Questions?

23 Using Model Checking to Debug Device Firmware23 Debug not Verify Several sources of incompleteness and unsoundness remain –Programmer supplied Spin code –Partial model checking The goal is to isolate/reduce the unsound portions of the code

24 Using Model Checking to Debug Device Firmware24 ABCDEF Abcdef Ghijk

Download ppt "Using Model-Checking to Debug Device Firmware Sanjeev Kumar Microprocessor Research Labs, Intel Kai Li Princeton University."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Data Structures Static and Dynamic.

Data Structures Static and Dynamic.
Reliable and Efficient Programming Abstractions for Sensor Networks Nupur Kothari, Ramki Gummadi (USC), Todd Millstein (UCLA) and Ramesh Govindan (USC)

Reliable and Efficient Programming Abstractions for Sensor Networks Nupur Kothari, Ramki Gummadi (USC), Todd Millstein (UCLA) and Ramesh Govindan (USC)
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.

Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.

Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.
Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,

Extensibility, Safety and Performance in the SPIN Operating System Department of Computer Science and Engineering, University of Washington Brian N. Bershad,
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.

CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
COMP3221: Microprocessors and Embedded Systems Lecture 2: Instruction Set Architecture (ISA) Lecturer: Hui Wu Session.

COMP3221: Microprocessors and Embedded Systems Lecture 2: Instruction Set Architecture (ISA) Lecturer: Hui Wu Session.

Similar presentations

Ads by Google