200 likes | 297 Views
Towards Scalable Modular C hecking of User-defined P roperties. Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue , Microsoft. A Decade of C/C++ Tools at Microsoft. PREfix , PREfast /SAL Scalable , 1000s of users
E N D
Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR JulienVanegue, Microsoft
A Decade of C/C++ Tools at Microsoft • PREfix, PREfast/SAL Scalable, 1000s of users • Hardcoded properties and checkers • Checkers define semantics of C programs • Static Driver Verifier (SLAM) • Allows defining (limited) properties • Automated abstraction refinement • No procedure contracts • No ability for user to control false alarms • VCC (Verifying C Compiler) Aimed towards full functional correctness • Procedure contracts • No inference • Requires expert users
Manual Annotations Automatic Inference:Microsoft Buffer Annotation Effort SALinfer PREfix PREfast PREfix PREfast SAL Annotated Code Base Code Potential Defects SAL Fixes / Code Review Code Fixes • Windows Vista • mandate: Annotate 100,000 mutable buffers • developers annotated 500,000+ parameters • developers fixed 20,000+ bugs • Office 2007 • developers fixed 6,500+ bugs
User Effort and Control VCC Static Driver Verifier PREfix, PREfast
User Effort and Control VCC HAVOC Static Driver Verifier PREfix, PREfast
Why Another C Verifier? Static Driver Verifier HAVOC VCC
Users and Their Problems • Developers • Focused on feature development • Check-in gates for quality bar • Auditors • Focus on large modules • Audit critical properties • External to product group (even test org) • Verification experts • Advance the state-of-the-art Static Driver Verifier HAVOC VCC
Audit a methodical examination and review of properties of programs - formal documentation of program properties and the assumptions under which they hold - supported by a tool that verifies the consistency of these assertions and assumptions
Code Audit a methodical examination and review of properties of programs - formal documentation of program properties and the assumptions under which they hold - supported by a tool that verifies the consistency of these assertions and assumptions
Formal Code Audit a methodical examination and review of properties of programs - formal documentation of program properties and the assumptions under which they hold - supported by a tool that verifies the consistency of these assertions and assumptions
Measuring Success • The auditor is satisfied if • she can state the properties that she wants, and • can tolerate the assumptions under which these properties hold • A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible
Formal Code Auditing Scenario Harness • Initialize(..); • while(*) { • choice= nondet(); • If (choice == 1){ • [assume pre_1] • call Public_1(…); • } else if (choice == 2){ • [assume pre_2] • call Public_2(…); • } … • } • Cleanup(…); Target: large components • ~100KLOC of lines of codes with >1000 of procedures Module • A set of public/entry procedures • A set of private/internal procedures Specs • Interface specification • Specs for public methods • Specs for external modules • Property assertion
Desirable Audit Goals • Find violations • of property assertions • with low false alarms • Use contracts • Modular checking for scalability • Readable contracts are formal documentation • Provide high assurance • Formal documentation of assumptions
Non-goals of Formal Code Auditing Functional correctness Minimizing the trusted computing base
What about Verified Software? A solved problem, if cost is not an issue. The open issue is the engineering cost.
Results (1) : File System Audit HAVOC • Used HAVOC to audit popular file system • Resource leaks (reference counts, mutexes) • Data races on files, streams, associated structures • Teardown races on same • Found 45 bugs • ~250 lines required to specify properties • ~600 lines of manual annotations • ~3000 lines of inferred annotations • 80 false alarms
Results (2): Security Audit • Applied HAVOC to 1.3 million lines of Windows (handful of components) • Properties • ProbeBeforeUse • UserDerefInTry • ProbeInTry • Alloc • 15 security vulnerabilities (patched) HAVOC
The HAVOC Challenge HAVOC Make formal code auditing a low-cost engineering effort 1. Property specification/instrumentation 2. Scalable and transparent inference 3. User supplied annotations
Microsoft C/C++ Static Analysis Tools • PREfast/SAL • Included with Visual Studio • Static Driver Verifier Research Platform • http://research.microsoft.com/slam/ • HAVOC • http://research.microsoft.com/havoc/ • Verifying C Compiler • http://vcc.codeplex.com/ PREfast, SAL Static Driver Verifier HAVOC VCC