Extracting Zing Models from C Source Code
Extracting Zing Models from C Source Code
Tomáš Matoušek, Filip Zavoral
Goals
• Verification of Windows kernel drivers against rules imposed by the kernel
• Motivation
  • Drivers are difficult to test
  • Bugs can appear only under special conditions
  • Incorrect behavior in cooperation with the environment
  • The kernel is complex and concurrent
• Technique: model checking
  • A specification of the kernel API provided to drivers
  • A model of the driver
  • Using the Zing Model Checker tool
Our Previous Work: Kernel Specifications
• DeSpec
  • Driver Environment Specification Language
  • An object-oriented specification and modeling language
  • Allows the user to
    • abstract and model kernel API functions and structures
    • model the kernel's behavior towards drivers
    • capture various constraints imposed on the driver
DeSpec Example

    class DEVICE_OBJECT {
        NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached)
            requires !Driver.IsLowest;
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;
        {
            result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES };
            attached = IsSuccessful(result) ? Driver.LowerDevice : null;
        }

        void IoDetachDevice(instance)
            requires thread.Irql == KIRQL.PASSIVE_LEVEL;

        static rule forall(DEVICE_OBJECT device) {
            _.IoAttachDevice(..., out device)::succeeded
        } corresponds to {
            device.IoDetachDevice()
        } globally;
    }
Zing Example

    class Fork {
        Philosopher holder;

        void PickUp(Philosopher eater) {
            atomic {
                select {
                    wait(holder == null) -> holder = eater;
                }
            }
        }

        void PutDown() {
            holder = null;
        }
    };

    class Philosopher {
        Fork leftFork;
        Fork rightFork;

        void Run() {
            while (true) {
                leftFork.PickUp(this);
                rightFork.PickUp(this);
                leftFork.PutDown();
                rightFork.PutDown();
            }
        }
    };
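The Zing model above is only meaningful together with the state exploration the model checker performs over it. The following Python program is an added example, not the Zing tool and not code from the presentation: it is a miniature explicit-state search over the same Fork/Philosopher model, with `select { wait(holder == null) -> ... }` treated as a transition that is enabled only while the fork is free. It reports the scheduling that leads to a state with no enabled transition (a deadlock), which is exactly the kind of defect the slides say Zing reveals in seconds. The `ordered` variant (take the lower-numbered fork first) is an assumed fix added for contrast; it is not part of the page's model.

```python
from collections import deque

# Program counter values of Philosopher.Run() in the slide's Zing model:
# pick up left fork, pick up right fork, put down left, put down right.
PICK_LEFT, PICK_RIGHT, PUT_LEFT, PUT_RIGHT = range(4)


def forks_of(i, n, ordered):
    """Forks philosopher i takes, in order. The slide's model takes the left
    fork (i) and then the right fork (i+1 mod n). With ordered=True the
    philosopher whose left fork has the higher number takes the lower one
    first (resource ordering; an assumed fix used only for contrast)."""
    first, second = i, (i + 1) % n
    if ordered and first > second:
        first, second = second, first
    return first, second


def successors(state, n, ordered):
    """Enabled transitions from a state. A state is (fork holders, program
    counters). PickUp is 'select { wait(holder == null) -> ... }': it is
    enabled only while the fork is free; PutDown is always enabled."""
    holders, pcs = state
    for i in range(n):
        first, second = forks_of(i, n, ordered)
        pc = pcs[i]
        new_holders, new_pcs = list(holders), list(pcs)
        if pc == PICK_LEFT:
            if holders[first] is not None:
                continue            # wait() blocks: transition not enabled
            new_holders[first] = i
        elif pc == PICK_RIGHT:
            if holders[second] is not None:
                continue
            new_holders[second] = i
        elif pc == PUT_LEFT:
            new_holders[first] = None
        else:
            new_holders[second] = None
        new_pcs[i] = (pc + 1) % 4     # while (true): wrap around
        yield i, (tuple(new_holders), tuple(new_pcs))


def find_deadlock(n=2, ordered=False):
    """Breadth-first exploration of every interleaving. Returns (trace, states)
    where trace lists which philosopher moved at each step up to a state with
    no enabled transition, or None if no such state is reachable."""
    init = ((None,) * n, (PICK_LEFT,) * n)
    parent = {init: None}
    queue = deque([init])
    explored = 0
    while queue:
        state = queue.popleft()
        explored += 1
        moves = list(successors(state, n, ordered))
        if not moves:
            trace, cur = [], state
            while parent[cur] is not None:
                cur, who = parent[cur]
                trace.append(who)
            return list(reversed(trace)), explored
        for who, nxt in moves:
            if nxt not in parent:
                parent[nxt] = (state, who)
                queue.append(nxt)
    return None, explored


if __name__ == "__main__":
    for n in (2, 3):
        for ordered in (False, True):
            trace, states = find_deadlock(n, ordered)
            print(f"n={n} ordered={ordered}: {states} states,",
                  "deadlock trace " + str(trace) if trace else "no deadlock")
```

With two philosophers the search finds the deadlock after exploring only a handful of states: philosopher 0 takes fork 0, philosopher 1 takes fork 1, and neither PickUp of the second fork is enabled. The trace is the counterexample a model checker would print; the real Zing search differs in representation and reduction techniques, but the notion of a state, an enabled transition and a reachable error state is the same.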
Model Extractor Implementation
• Inputs
  • Source code of the driver (C language)
  • Specification of the kernel environment (DeSpec)
  • Set of rules to be verified (DeSpec)
• Process
  • C code parsing, merging and analysis
  • Extraction of the Zing model from the driver source code
  • Combination of the extracted model with the kernel model
  • Zing model slicing
• Output
  • Zing model realizing the driver's interactions with the environment
  • Passed to the Zing model checker
Modeling C Language Constructs in Zing
• Zing
  • Object-oriented modeling language
  • Some C constructs cannot be mapped directly
  • Major issues: pointers, arrays, pointer arithmetic
• Modeling types
  • Primitive (int, …)
    • string literal: static array of int
  • Composite (struct, union)
    • dynamically allocated value types boxed
  • Static arrays
  • Data pointers
  • Function pointers
Modeling Variables
• Address-may-be-taken flag
• Variable models
  • Value
    • int, float, struct, pointer; address never taken
    • non-pointer types: mapped directly
    • data pointers: special methods
      • DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr
    • function pointers: integer, indirect call switch
  • BoxedValue
    • int, float, struct, pointer; address may be taken
    • Box<T> type
  • StaticArray
    • static array
    • multidimensional arrays flattened
Pointer Representation
• Data pointer represented by a pair
  • <target : object, offset : int>
• 4 types of pointer targets
  • Statically allocated storage
    • Single value
    • Sequence of values – multi-value
  • Dynamically allocated storage
    • Provably single value
    • Possibly multi-value
• Potential multi-values
  • Static analysis
  • Represented by an expandable Zing array
Example: Pointers to Dynamically Allocated Memory

    #include <stdlib.h>

    void *p = malloc(size);   /* element type of the block is unknown here */
    int *q = p;               /* first typed view of the block */
    q += 3;
    *q = 5;                   /* first write: the model fixes the type to int */

Data type not known prior to the first write operation
Example: Static Single- and Multi-value Pointers

    int t = 1;
    int *s = &t;        /* pointer to a single value */
    int a[5];
    int *u = &a[1];     /* pointers into a multi-value sequence */
    int *v = a;
    u[2] = 3;
    v += 4;
    *v = 6;
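The two examples above, and the variable models and pointer pair of the preceding slides, can be made concrete by simulating the representation directly. The Python below is an added example, not the extractor's code: a pointer is the slide's pair <target, offset>, the five special methods DerefGet, DerefSet, AddIntPtr, SubPtrPtr and CmpPtrPtr are implemented on it, and dynamically allocated storage is an expandable array whose element type is fixed by the first write. The `ModelError` exception, the class names and the out-of-bounds write through `s` are assumptions added to show what the model makes visible; they are not in the presentation.

```python
class ModelError(Exception):
    """Raised where the modelled C program would have undefined behaviour
    (the kind of defect the extracted model is meant to make visible)."""


class Storage:
    """A pointer target. Static storage has a fixed cell count (a single
    value or a multi-value sequence such as int a[5]). Dynamic storage
    (malloc) starts empty: its element type and extent are fixed only as
    the program writes through pointers into it."""

    def __init__(self, cells=(), elem_type=None, dynamic=False):
        self.cells = list(cells)
        self.elem_type = elem_type
        self.dynamic = dynamic


class Ptr:
    """Data pointer as the slide's pair <target : object, offset : int>."""

    def __init__(self, target, offset=0):
        self.target, self.offset = target, offset


def _check_offset(p, writing):
    if p.offset < 0:
        raise ModelError("pointer moved before the start of its target")
    if p.target.dynamic and writing:
        return                       # expandable array: growth is allowed
    if p.offset >= len(p.target.cells):
        raise ModelError("access past the end of the target")


def DerefGet(p):
    """*p as an rvalue."""
    _check_offset(p, writing=False)
    value = p.target.cells[p.offset]
    if value is None:
        raise ModelError("read of a cell that was never written")
    return value


def DerefSet(p, value, elem_type="int"):
    """*p = value. The first write into malloc'd storage fixes its element
    type; later writes of another type are reported."""
    _check_offset(p, writing=True)
    tgt = p.target
    if tgt.elem_type is None:
        tgt.elem_type = elem_type
    elif tgt.elem_type != elem_type:
        raise ModelError(f"{elem_type} written into {tgt.elem_type} storage")
    if tgt.dynamic and p.offset >= len(tgt.cells):
        tgt.cells.extend([None] * (p.offset + 1 - len(tgt.cells)))
    tgt.cells[p.offset] = value


def AddIntPtr(p, k):
    """p + k: same target, shifted offset (bounds are checked on access)."""
    return Ptr(p.target, p.offset + k)


def SubPtrPtr(p, q):
    """p - q: defined only for pointers into one object."""
    if p.target is not q.target:
        raise ModelError("subtraction of pointers into different objects")
    return p.offset - q.offset


def CmpPtrPtr(p, q):
    """Relational comparison of p and q: -1, 0 or 1."""
    if p.target is not q.target:
        raise ModelError("ordering of pointers into different objects")
    return (p.offset > q.offset) - (p.offset < q.offset)


def dynamic_example():
    """void* p = malloc(size); int* q = p; q += 3; *q = 5;"""
    p = Ptr(Storage(dynamic=True))   # element type unknown before first write
    q = Ptr(p.target, p.offset)      # int* q = p: same pair, typed view
    q = AddIntPtr(q, 3)              # q += 3
    DerefSet(q, 5, "int")            # *q = 5 fixes the type and the extent
    return p.target.elem_type, list(p.target.cells)


def static_example():
    """int t = 1; int *s = &t; int a[5]; int *u = &a[1]; int *v = a;
    u[2] = 3; v += 4; *v = 6;  plus one assumed out-of-bounds write."""
    t = Storage([1])                 # single value, address taken
    s = Ptr(t)
    a = Storage([0] * 5)             # multi-value static storage
    u = Ptr(a, 1)
    v = Ptr(a, 0)
    DerefSet(AddIntPtr(u, 2), 3)     # u[2] = 3  -> a[3]
    v = AddIntPtr(v, 4)              # v += 4
    DerefSet(v, 6)                   # *v = 6    -> a[4]
    try:
        DerefSet(AddIntPtr(s, 1), 9)   # s[1] = 9: t is a single value
        overflow_reported = False
    except ModelError:
        overflow_reported = True
    return list(a.cells), DerefGet(s), SubPtrPtr(v, u), overflow_reported
```

The single-value versus multi-value distinction from the pointer representation slide is what makes the last write in `static_example` reportable: `s` targets one cell, so offset 1 is outside the object, while `u` and `v` share the five-cell target and their difference `SubPtrPtr(v, u)` is a plain integer.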
Slicing
• Goal
  • To reduce the size of the resulting model as much as possible
• Slicing criterion
  • variables related to the rules selected for verification
• Two possibilities
  • Slice the C program before the extraction
    • More complex
    • Needs to deal with pointers (already done by the extraction)
  • Slice the extracted Zing program
    • Zing is similar to simplified Java
    • Reuse existing work on Java program slicing
    • We go this way
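To show what a slicing criterion made of rule-related variables removes, here is an added example in Python (not the project's slicer, which the slides say reuses Java slicing work): a backward slice over a small constructed, driver-like statement list, following data dependence through reaching definitions and control dependence through the guarding branch. The program, its variable names and the statement texts are constructed for the example; the `irql` use on the attach call stands for the DeSpec precondition `thread.Irql == KIRQL.PASSIVE_LEVEL` on IoAttachDevice.

```python
def stmt(text, defs=(), uses=(), ctrl=None):
    """One statement: variables it defines and uses, and the index of the
    branch that guards it (None when it always executes)."""
    return {"text": text, "defs": set(defs), "uses": set(uses), "ctrl": ctrl}


# Constructed input, not code from the presentation. The attach call is marked
# as using irql because the DeSpec rule for IoAttachDevice reads thread.Irql.
PROGRAM = [
    stmt("irql = PASSIVE_LEVEL",               defs=["irql"]),
    stmt("pending = 0",                        defs=["pending"]),
    stmt("buf = allocate(size)",               defs=["buf"], uses=["size"]),
    stmt("if (pending > 0)",                   uses=["pending"]),
    stmt("    irql = DISPATCH_LEVEL",          defs=["irql"], ctrl=3),
    stmt("status = IoAttachDevice(...)",       defs=["status"], uses=["irql"]),
    stmt("pending = pending + 1",              defs=["pending"], uses=["pending"]),
    stmt("release(buf)",                       uses=["buf"]),
]


def reaching_defs(program, pos, var):
    """Indices of definitions of var that may reach position pos. Walking
    backwards, a guarded definition may be skipped at run time, so only an
    unguarded definition of var stops the walk."""
    found = []
    for i in range(pos - 1, -1, -1):
        if var in program[i]["defs"]:
            found.append(i)
            if program[i]["ctrl"] is None:
                break
    return found


def backward_slice(program, criterion):
    """Indices of statements on which the values of the criterion variables
    at the end of the program may depend, via data dependence (reaching
    definitions) and control dependence (the guarding branch and its uses)."""
    keep, seen = set(), set()
    work = [(len(program), v) for v in criterion]

    def include(i):
        if i in keep:
            return
        keep.add(i)
        for u in program[i]["uses"]:
            work.append((i, u))          # what this statement reads
        if program[i]["ctrl"] is not None:
            include(program[i]["ctrl"])  # and the branch that guards it

    while work:
        pos, var = work.pop()
        if (pos, var) in seen:
            continue
        seen.add((pos, var))
        for d in reaching_defs(program, pos, var):
            include(d)
    return keep


def sliced_listing(program, criterion):
    """Source lines that survive slicing, in program order."""
    return [program[i]["text"] for i in sorted(backward_slice(program, criterion))]


if __name__ == "__main__":
    for line in sliced_listing(PROGRAM, {"irql", "status"}):
        print(line)
```

With the criterion {irql, status}, the buffer allocation, the counter increment after the call and the release all drop out: none of them can influence the IRQL at the attach call or the call's result. That is the model-size reduction the slide is after, obtained without touching the pointer handling, which the extraction has already resolved.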
Related Work
• Model checking
  • Zing Model Checker (Microsoft Research)
  • Bogor Model Checking Framework (SAnToS labs)
  • SPIN (Bell Labs)
• Driver checking
  • Static Driver Verifier (Microsoft Research)
    • Model checking based on Boolean programs
  • Driver Verifier (Microsoft)
    • Run-time checking
  • PREfast (Microsoft)
    • Static analysis, searching for error patterns
• Java slicing
  • JPF, Bogor Framework
  • Nanda, M. G.: Slicing Concurrent Java Programs
Conclusion & Future Work
• DeSpec language
  • Specifications of the Windows kernel environment
  • Formalization of rules defined by the Driver Development Kit in plain English
  • Proof of concept:
    • A specification of a significant subset of the kernel API
• Model Extractor
  • Zing model extraction, dealing with C pointers
  • Proof of concept (C to Zing extraction without model reduction)
    • Synchronized priority queue via singly linked list written in C
    • Intentional errors in the implementation revealed in seconds
    • Correct implementation verified in 31 minutes (3 threads, 9 items in the queue)
• Future work
  • Model Extractor improvements
  • Model size reduction via slicing
  • Tests on real Windows kernel drivers
Extracting Zing Models from C Source Code
Thank you for your attention