Extracting Zing Models from C Source Code Tomáš Matoušek, Filip Zavoral
Goals
• Verification of Windows kernel drivers against rules imposed by the kernel
• Motivation
  • Drivers are difficult to test
  • Bugs can appear only under special conditions
  • Incorrect behavior in cooperation with the environment
  • The kernel is complex and concurrent
• Technique - model checking
  • A specification of the kernel API provided to drivers
  • A model of the driver
  • Using the Zing Model Checker tool
Our Previous Work: Kernel Specifications
• DeSpec
  • Driver Environment Specification Language
  • An object-oriented specification and modeling language
  • Makes it possible to
    • abstract and model kernel API functions and structures
    • model the kernel's behavior towards drivers
    • capture various constraints imposed on the driver
DeSpec Example

    class DEVICE_OBJECT {
        NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached)
            requires !Driver.IsLowest;
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;
        {
            result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES };
            attached = IsSuccessful(result) ? Driver.LowerDevice : null;
        }

        void IoDetachDevice(instance)
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;

        static rule forall(DEVICE_OBJECT device)
            { _.IoAttachDevice(..., out device)::succeeded }
            corresponds to
            { device.IoDetachDevice() }
            globally;
    }
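The "corresponds to" rule on the slide can be read as a trace property: every succeeded IoAttachDevice that yields a device must be matched by a later IoDetachDevice on that device, and both calls require PASSIVE_LEVEL. The following monitor, an added example that is not part of the DeSpec toolchain, checks constructed call traces against that reading; event shapes, status values and the assumption that a detach must follow its own attach are mine.

```python
# Added example, not part of the DeSpec toolchain: a trace monitor for the rule
# on the slide above, which requires every successful IoAttachDevice(..., out device)
# to be matched by device.IoDetachDevice(), plus the Irql == PASSIVE_LEVEL precondition.
# Event shapes and status values are constructed for this example.
PASSIVE_LEVEL = 0            # stands in for KIRQL.PASSIVE_LEVEL
STATUS_SUCCESS = 0           # stands in for NTSTATUS.STATUS_SUCCESS; non-zero = failure

def is_successful(status):
    return status == STATUS_SUCCESS

def check_trace(events):
    """events: ("attach", irql, status, device) or ("detach", irql, device).
    Returns the list of rule violations; an empty list means the trace conforms."""
    violations, attached = [], set()
    for i, ev in enumerate(events):
        kind, irql = ev[0], ev[1]
        if irql != PASSIVE_LEVEL:          # requires thread.Irql == KIRQL.PASSIVE_LEVEL
            violations.append(f"{i}: {kind} at IRQL {irql}, requires PASSIVE_LEVEL")
        if kind == "attach":
            status, device = ev[2], ev[3]
            if is_successful(status):      # only a succeeded attach obliges a detach
                if device in attached:
                    violations.append(f"{i}: device {device} attached twice")
                attached.add(device)
        elif kind == "detach":
            device = ev[2]
            if device not in attached:     # assumption: a detach must follow its attach
                violations.append(f"{i}: detach of {device} without a successful attach")
            attached.discard(device)
    for device in sorted(attached, key=str):
        violations.append(f"end: device {device} attached but never detached")
    return violations

# Constructed traces: a conforming one and one that breaks both rules
# (attach at a raised IRQL, and a successful attach that is never detached).
CONFORMING = [("attach", 0, STATUS_SUCCESS, "lower0"), ("detach", 0, "lower0")]
VIOLATING = [("attach", 2, STATUS_SUCCESS, "lower0"), ("attach", 0, 1, None)]
```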
Zing Example

    class Fork {
        Philosopher holder;

        void PickUp(Philosopher eater) {
            atomic {
                select { wait(holder == null) -> holder = eater; }
            }
        }

        void PutDown() {
            holder = null;
        }
    };

    class Philosopher {
        Fork leftFork;
        Fork rightFork;

        void Run() {
            while (true) {
                leftFork.PickUp(this);
                rightFork.PickUp(this);
                leftFork.PutDown();
                rightFork.PutDown();
            }
        }
    };
Model Extractor Implementation
• Inputs
  • Source code of the driver (C language)
  • Specification of the kernel environment (DeSpec)
  • Set of rules to be verified (DeSpec)
• Process
  • C code parsing, merging and analysis
  • Extraction of a Zing model from the driver source code
  • Combination of the extracted model with the kernel model
  • Zing model slicing
• Output
  • Zing model realizing the driver's interactions with the environment
  • Passed to the Zing model checker
Modeling C Language Constructs in Zing
• Zing
  • Object-oriented modeling language
  • Some C constructs cannot be mapped directly
  • Major issues: pointers, arrays, pointer arithmetic
• Modeling types
  • Primitive (int, …)
    • string literal: static array of int
  • Composite (struct, union)
    • dynamically allocated value types boxed
  • Static arrays
  • Data pointers
  • Function pointers
Modeling Variables
• Address-may-be-taken flag
• Variable models
  • Value
    • int, float, struct, pointer; address never taken
    • non-pointer types: mapped directly
    • data pointers: special methods
      • DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr
    • function pointers: integer, indirect call switch
  • BoxedValue
    • int, float, struct, pointer; address may be taken
    • Box<T> type
  • StaticArray
    • static array
    • multidimensional arrays flattened
Pointer Representation
• Data pointer represented by a pair
  • <target : object, offset : int>
• 4 types of pointer targets
  • Statically allocated storage
    • Single value
    • Sequence of values – multi-value
  • Dynamically allocated storage
    • Provably single value
    • Possibly multi-value
• Potential multi-values
  • Static analysis
  • Represented by an expandable Zing array
Example: Pointers to Dynamically Allocated Memory

    void* p = malloc(size);
    int* q = p;
    q += 3;
    *q = 5;

Data type not known prior to the first write operation
Example: Static Single- and Multi-value Pointers

    int t = 1;
    int *s = &t;
    int a[5];
    int *u = &a[1];
    int *v = a;
    u[2] = 3;
    v += 4;
    *v = 6;
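To make the <target, offset> representation and its special methods concrete, here is an added executable model (my construction, not the extractor's own code) that replays both example slides above: the malloc'd storage expands on the first write and takes its element type from it, while the static single value and static array are bounded. Class names, the zero-initialised storage and the int-only semantics are simplifying assumptions.

```python
# Added example, not the extractor's own code: an executable model of the
# <target : object, offset : int> data-pointer representation described above,
# with the special methods DerefGet/DerefSet/AddIntPtr/SubPtrPtr/CmpPtrPtr.
# Semantics are simplified (ints only, zero-initialised storage) and constructed here.

class Single:                       # statically allocated single value (boxed scalar)
    def __init__(self, value): self.cells, self.expandable = [value], False
class StaticArray:                  # statically allocated multi-value
    def __init__(self, n): self.cells, self.expandable = [0] * n, False
class DynArray:                     # malloc'd storage: expandable Zing array,
    def __init__(self):             # element type fixed at the first write
        self.cells, self.expandable, self.elem_type = [], True, None

class Ptr:
    def __init__(self, target, offset=0): self.target, self.offset = target, offset
    def add_int(self, n): return Ptr(self.target, self.offset + n)            # AddIntPtr
    def sub_ptr(self, other):                                                 # SubPtrPtr
        assert self.target is other.target, "difference of pointers to different objects"
        return self.offset - other.offset
    def cmp(self, other):                                                     # CmpPtrPtr
        return self.target is other.target and self.offset == other.offset
    def deref_get(self):                                                      # DerefGet
        if not 0 <= self.offset < len(self.target.cells):
            raise IndexError(f"read at offset {self.offset}, target has {len(self.target.cells)} cells")
        return self.target.cells[self.offset]
    def deref_set(self, value):                                               # DerefSet
        t = self.target
        if t.expandable and self.offset >= 0:
            if t.elem_type is None: t.elem_type = type(value)   # first write fixes the type
            elif not isinstance(value, t.elem_type): raise TypeError("element type mismatch")
            while len(t.cells) <= self.offset: t.cells.append(t.elem_type())  # expand
        elif not 0 <= self.offset < len(t.cells):
            raise IndexError(f"write at offset {self.offset}, target has {len(t.cells)} cells")
        t.cells[self.offset] = value

def dynamic_example():
    # void* p = malloc(size); int* q = p; q += 3; *q = 5;
    p = Ptr(DynArray()); q = p.add_int(3); q.deref_set(5)
    return p.target.cells, p.target.elem_type.__name__      # ([0, 0, 0, 5], 'int')

def static_example():
    # int t = 1; int *s = &t; int a[5]; int *u = &a[1]; int *v = a;
    # u[2] = 3; v += 4; *v = 6;
    t, a = Single(1), StaticArray(5)
    s, u, v = Ptr(t), Ptr(a, 1), Ptr(a)
    u.add_int(2).deref_set(3)
    v = v.add_int(4); v.deref_set(6)
    return s.deref_get(), a.cells, v.sub_ptr(u), v.cmp(Ptr(a, 4))   # (1, [0,0,0,3,6], 3, True)

def single_value_overrun():
    # *(s + 1) on a single-value target: the model rejects it instead of reading past t
    try:
        Ptr(Single(1), 1).deref_get(); return False
    except IndexError:
        return True
```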
Slicing
• Goal
  • To reduce the size of the resulting model as much as possible
• Slicing criterion
  • variables related to the rules selected for verification
• Two possibilities
  • Slice the C program before the extraction
    • More complex
    • Needs to deal with pointers (already done by the extraction)
  • Slice the extracted Zing program
    • Zing is similar to simplified Java
    • Reuse existing work on slicing Java programs
    • This is the approach we take
Related Work
• Model checking
  • Zing Model Checker (Microsoft Research)
  • Bogor Model Checking Framework (SAnToS labs)
  • SPIN (Bell Labs)
• Driver checking
  • Static Driver Verifier (Microsoft Research)
    • Model checking based on Boolean programs
  • Driver Verifier (Microsoft)
    • Run-time checking
  • PREfast (Microsoft)
    • Static analysis, searching for error patterns
• Java slicing
  • JPF, Bogor Framework
  • Nanda, M. G.: Slicing Concurrent Java Programs
Conclusion & Future Work
• DeSpec language
  • Specifications of the Windows kernel environment
  • Formalization of rules that the Driver Development Kit defines in plain English
  • Proof of concept:
    • A specification of a significant subset of the kernel API
• Model Extractor
  • Zing model extraction, dealing with C pointers
  • Proof of concept (C to Zing extraction without model reduction)
    • Synchronized priority queue via singly linked list written in C
    • Intentional errors in the implementation revealed in seconds
    • Correct implementation verified in 31 minutes (3 threads, 9 items in the queue)
• Future work
  • Model Extractor improvements
  • Model size reduction via slicing
  • Tests on real Windows kernel drivers
Extracting Zing Models from C Source Code
Thank you for your attention