Department of Software Engineering, Faculty of Mathematics and Physics
CHARLES UNIVERSITY IN PRAGUE
Czech Republic

Extracting Zing Models from C Source Code
Tomáš Matoušek, Filip Zavoral
Goals

• Verification of Windows kernel drivers against rules imposed by the kernel
• Motivation: drivers are difficult to test
  • Bugs can appear only under special conditions
  • Incorrect behavior in cooperation with the environment
  • The kernel is complex and concurrent
• Technique: model checking
  • A specification of the kernel API provided to drivers
  • A model of the driver
  • Using the Zing Model Checker tool
Our Previous Work: Kernel Specifications

• DeSpec
  • Driver Environment Specification Language
  • An object-oriented specification and modeling language
  • Allows to
    • abstract and model kernel API functions and structures
    • model the kernel's behavior towards drivers
    • capture various constraints imposed on the driver
DeSpec Example

class DEVICE_OBJECT
{
  NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached)
    requires !Driver.IsLowest;
    requires thread.Irql == KIRQL.PASSIVE_LEVEL;
  {
    result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES };
    attached = IsSuccessful(result) ? Driver.LowerDevice : null;
  }

  void IoDetachDevice(instance)
    requires thread.Irql == KIRQL.PASSIVE_LEVEL;

  static rule
    forall(DEVICE_OBJECT device)
    {
      _.IoAttachDevice(..., out device)::succeeded
    }
    corresponds to
    {
      device.IoDetachDevice()
    }
    globally;
}
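To make the meaning of the two `requires` clauses and the `corresponds to ... globally` rule concrete, here is an added trace checker (my own example in Python, not DeSpec tooling or the paper's code). It runs over constructed call traces and reads the rule as: every `IoAttachDevice` call that succeeded must be matched by a later `IoDetachDevice` on the device it returned, and no device may be detached without a preceding successful attach; the traces fix the outcome that `choose` leaves open. Event layout, tag names and IRQL constants are assumptions for the example.

```python
# Added example, not DeSpec tooling: checks constructed call traces against the
# preconditions and the attach/detach correspondence rule of the fragment above.
PASSIVE_LEVEL = 0            # assumed numeric IRQL levels for the example
DISPATCH_LEVEL = 2
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_INSUF_RESOURCES = "STATUS_INSUF_RESOURCES"

def attach(irql, result, device):
    """One IoAttachDevice call; `result` stands for the value `choose` picked."""
    return {"op": "IoAttachDevice", "irql": irql, "result": result, "device": device}

def detach(irql, device):
    return {"op": "IoDetachDevice", "irql": irql, "device": device}

def check_trace(events, driver_is_lowest=False):
    """Return (event_index, violation_tag) pairs; [] means the trace satisfies the rules."""
    violations = []
    attached = set()                       # devices that still owe an IoDetachDevice
    for n, ev in enumerate(events):
        if ev["irql"] != PASSIVE_LEVEL:    # requires thread.Irql == KIRQL.PASSIVE_LEVEL
            violations.append((n, "irql"))
        if ev["op"] == "IoAttachDevice":
            if driver_is_lowest:           # requires !Driver.IsLowest
                violations.append((n, "is-lowest"))
            if ev["result"] == STATUS_SUCCESS:   # ::succeeded -> a detach is now owed
                attached.add(ev["device"])
        elif ev["op"] == "IoDetachDevice":
            if ev["device"] in attached:
                attached.remove(ev["device"])
            else:
                violations.append((n, "detach-without-attach"))
    for _ in sorted(attached):             # "globally": every owed detach must have happened
        violations.append((len(events), "attach-without-detach"))
    return violations

# Constructed traces (not taken from any driver)
GOOD_TRACE = [attach(PASSIVE_LEVEL, STATUS_SUCCESS, "lower0"),
              detach(PASSIVE_LEVEL, "lower0")]
BAD_TRACE = [
    attach(DISPATCH_LEVEL, STATUS_SUCCESS, "lower0"),         # wrong IRQL, and never detached
    attach(PASSIVE_LEVEL, STATUS_INSUF_RESOURCES, "lower1"),  # failed attach owes nothing
    detach(PASSIVE_LEVEL, "lower2"),                          # never attached
]

if __name__ == "__main__":
    print("good:", check_trace(GOOD_TRACE))
    print("bad: ", check_trace(BAD_TRACE))
```

A failed attach (`STATUS_INSUF_RESOURCES`) creates no obligation, which is exactly why the rule is stated on `::succeeded` rather than on every call.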
Zing Example

class Fork {
  Philosopher holder;
  void PickUp(Philosopher eater) {
    atomic {
      select { wait(holder == null) -> holder = eater; }
    }
  }
  void PutDown() {
    holder = null;
  }
};

class Philosopher {
  Fork leftFork;
  Fork rightFork;
  void Run() {
    while (true) {
      leftFork.PickUp(this);
      rightFork.PickUp(this);
      leftFork.PutDown();
      rightFork.PutDown();
    }
  }
};
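What a model checker does with a model like this is enumerate every interleaving of the philosophers' steps and look for states where no step is enabled. The following is an added example (my own Python, not Zing or the paper's code) that performs that explicit-state search on the model above. It assumes a wiring the Zing snippet leaves to initialisation code: N philosophers in a ring, philosopher i's leftFork is fork i and its rightFork is fork (i + 1) % N.

```python
from collections import deque

# Added example, not from the paper: explicit-state exploration of the
# dining-philosophers model above. A state is (holders, pcs):
#   holders[f] = philosopher holding fork f, or None if it is free
#   pcs[i]     = position of philosopher i in the body of Run():
#                0 leftFork.PickUp  1 rightFork.PickUp
#                2 leftFork.PutDown 3 rightFork.PutDown  (then back to 0)

def fork_for(i, pc, n):
    """Fork touched by statement `pc` of philosopher i (assumed ring layout)."""
    return i if pc in (0, 2) else (i + 1) % n

def enabled_moves(state, n):
    """Moves enabled in `state` as (philosopher, fork, new_holder).
    PickUp is guarded by wait(holder == null), so it is enabled only while
    the fork is free; PutDown is always enabled."""
    holders, pcs = state
    moves = []
    for i in range(n):
        pc = pcs[i]
        fork = fork_for(i, pc, n)
        if pc in (0, 1):
            if holders[fork] is None:
                moves.append((i, fork, i))
        else:
            moves.append((i, fork, None))
    return moves

def step(state, move):
    """Apply one move: the atomic block runs to completion, then pc advances."""
    holders, pcs = state
    i, fork, new_holder = move
    h, p = list(holders), list(pcs)
    h[fork] = new_holder
    p[i] = (p[i] + 1) % 4
    return tuple(h), tuple(p)

def explore(n):
    """Breadth-first search over all interleavings.
    Returns (reachable_state_count, deadlock), where deadlock is None or
    (trace, state): the first state with no enabled move and the moves leading to it."""
    init = ((None,) * n, (0,) * n)
    parent = {init: None}
    queue = deque([init])
    deadlock = None
    while queue:
        s = queue.popleft()
        moves = enabled_moves(s, n)
        if not moves and deadlock is None:
            trace, cur = [], s
            while parent[cur] is not None:
                prev, mv = parent[cur]
                trace.append(mv)
                cur = prev
            deadlock = (list(reversed(trace)), s)
        for mv in moves:
            t = step(s, mv)
            if t not in parent:
                parent[t] = (s, mv)
                queue.append(t)
    return len(parent), deadlock

def find_deadlock(n):
    return explore(n)[1]

if __name__ == "__main__":
    count, dl = explore(2)
    print(count, "reachable states")
    if dl:
        trace, state = dl
        print("deadlock in state", state, "after moves", trace)
```

For two philosophers the search visits eight states and reports the classic deadlock after two moves: each philosopher holds its left fork and waits forever on the other's. The same construction scales to any N, where the unique deadlock is every philosopher stuck at `rightFork.PickUp`.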
Model Extractor Implementation

• Inputs
  • Source code of the driver (C language)
  • Specification of the kernel environment (DeSpec)
  • Set of rules to be verified (DeSpec)
• Process
  • C code parsing, merging and analysis
  • Extraction of Zing model from driver source code
  • Combination of the extracted model with the kernel model
  • Zing model slicing
• Output
  • Zing model realizing driver's interactions with the environment
  • Passed to Zing model checker
Modeling C Language Constructs in Zing

• Zing
  • Object-oriented modeling language
  • Some C constructs cannot be mapped directly
  • Major issues: pointers, arrays, pointer arithmetic
• Modeling types
  • Primitive (int, …)
    • string literal: static array of int
  • Composite (struct, union)
    • dynamically allocated value types boxed
  • Static arrays
  • Data pointers
  • Function pointers
Modeling Variables

• Address-may-be-taken flag
• Variable models
  • Value
    • int, float, struct, pointer, address never taken
    • non-pointer types: mapped directly
    • data pointers: special methods DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr
    • function pointers: integer, indirect call switch
  • BoxedValue
    • int, float, struct, pointer, address may be taken
    • Box<T> type
  • StaticArray
    • static array
    • multidimensional arrays flattened
Pointer Representation

• Data pointer represented by a pair <target : object, offset : int>
• 4 types of pointer targets
  • Statically allocated storage
    • Single value
    • Sequence of values – multi-value
  • Dynamically allocated storage
    • Provably single value
    • Possibly multi-value
• Potential multi-values
  • Static analysis
  • Represented by expandable Zing array
Example: Pointers to Dynamically Allocated Memory

void* p = malloc(size);
int* q = p;
q += 3;
*q = 5;

[Figure: pointer diagram. Pointer p = <Memory m, 0>; after q += 3, Pointer q = <Memory m, 3>; Memory m is null until *q = 5, after which it is an Array_of_int holding 5 at offset 3.]
Data type not known prior to the first write operation
Example: Static Single- and Multi-value Pointers

int t = 1;
int *s = &t;
int a[5];
int *u = &a[1];
int *v = a;
u[2] = 3;
v += 4;
*v = 6;
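The two examples above (dynamically allocated memory whose type is fixed by the first write, and static single- versus multi-value storage) can be run through an executable sketch of the `<target, offset>` pointer representation. The code below is an added example in Python, my own and not the paper's extractor: it models the DerefGet / DerefSet / AddIntPtr / SubPtrPtr / CmpPtrPtr operations, grows possibly-multi-value dynamic storage like an expandable array, and rejects the operations a single-value target cannot support. Class names, the `expandable` flag and the error tags are assumptions of the example.

```python
# Added example, not the paper's extractor: the pair <target : object, offset : int>
# with the data-pointer operations named on the "Modeling Variables" slide.

class ModelError(Exception):
    """Raised where the model flags an erroneous pointer operation; the message starts with a kind tag."""

class Storage:
    """A pointer target.
    values:     element list, or None while the element type is unknown (malloc'd memory before its first write)
    single:     provably single-value storage (e.g. `int t`), so only offset 0 may be dereferenced
    expandable: possibly multi-value dynamic storage, grown on write like an expandable Zing array"""
    def __init__(self, name, values=None, single=False, expandable=False):
        self.name, self.values, self.single, self.expandable = name, values, single, expandable
        self.elem_type = None if values is None else type(values[0])

class Pointer:
    def __init__(self, target, offset=0):
        self.target, self.offset = target, offset

    def _check(self, for_write):
        t = self.target
        if t is None:
            raise ModelError("null: dereference of a null pointer")
        if t.single and self.offset != 0:
            raise ModelError(f"single-value: {t.name} is single-value storage, offset {self.offset}")
        if self.offset < 0:
            raise ModelError(f"out-of-bounds: {t.name}[{self.offset}]")
        if t.values is None:                  # type not known yet
            if not for_write:
                raise ModelError(f"uninitialized: {t.name} read before any write, type unknown")
            return
        if self.offset >= len(t.values) and not (for_write and t.expandable):
            raise ModelError(f"out-of-bounds: {t.name}[{self.offset}], size {len(t.values)}")

    def deref_get(self):                      # DerefGet
        self._check(for_write=False)
        v = self.target.values[self.offset]
        if v is None:
            raise ModelError(f"uninitialized: {self.target.name}[{self.offset}] never written")
        return v

    def deref_set(self, v):                   # DerefSet
        self._check(for_write=True)
        t = self.target
        if t.values is None:                  # the first write fixes the element type
            t.elem_type, t.values = type(v), []
        elif not isinstance(v, t.elem_type):
            raise ModelError(f"type-mismatch: {t.name} holds {t.elem_type.__name__}")
        while len(t.values) <= self.offset:   # expandable array grows up to the written offset
            t.values.append(None)
        t.values[self.offset] = v

    def add_int(self, k):                     # AddIntPtr: arithmetic itself never faults, dereference does
        return Pointer(self.target, self.offset + k)

    def sub_ptr(self, other):                 # SubPtrPtr: defined only within one object
        if self.target is not other.target:
            raise ModelError("different-objects: subtracting pointers into different objects")
        return self.offset - other.offset

    def cmp_ptr(self, other):                 # CmpPtrPtr: -1, 0 or 1
        d = self.sub_ptr(other)
        return (d > 0) - (d < 0)

def dynamic_example():
    """void* p = malloc(size); int* q = p; q += 3; *q = 5;"""
    m = Storage("m", expandable=True)         # Memory m: type not known yet
    p = Pointer(m, 0)
    q = p.add_int(3)
    q.deref_set(5)                            # first write: m becomes an array of int
    return m.elem_type.__name__, m.values, q.sub_ptr(p), q.deref_get()

def static_example():
    """int t = 1; int *s = &t; int a[5]; int *u = &a[1]; int *v = a; u[2] = 3; v += 4; *v = 6;"""
    t = Storage("t", [1], single=True)
    s = Pointer(t, 0)
    a = Storage("a", [0] * 5)                 # multi-value static storage
    u, v = Pointer(a, 1), Pointer(a, 0)
    u.add_int(2).deref_set(3)                 # u[2] = 3 writes a[3]
    v = v.add_int(4)                          # v += 4
    v.deref_set(6)                            # *v = 6 writes a[4]
    return s.deref_get(), a.values, v.cmp_ptr(u)

def detected_errors():
    """Operations the model rejects, as their kind tags."""
    t, a = Storage("t", [1], single=True), Storage("a", [0] * 5)
    attempts = [
        lambda: Pointer(None).deref_get(),
        lambda: Pointer(t, 0).add_int(1).deref_get(),                  # &t + 1 on single-value storage
        lambda: Pointer(Storage("m", expandable=True)).deref_get(),    # read malloc'd memory before any write
        lambda: Pointer(a, 0).add_int(5).deref_get(),                  # a[5], one past the end
        lambda: Pointer(a, 1).sub_ptr(Pointer(t, 0)),                  # &a[1] - &t
    ]
    kinds = []
    for op in attempts:
        try:
            op()
            kinds.append("accepted")
        except ModelError as e:
            kinds.append(str(e).split(":")[0])
    return kinds
```

The point of the `single` flag is the one the slide makes: when static analysis proves a target holds a single value, no array needs to be modelled for it, and any arithmetic that moves the offset away from 0 is an error the checker can report rather than a state to explore.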
Slicing

• Goal: to reduce the size of the resulting model as much as possible
• Slicing criterion: variables related to the rules selected for verification
• Two possibilities
  • Slice the C program before the extraction
    • More complex
    • Needs to deal with pointers (already done by the extraction)
  • Slice the extracted Zing program
    • Zing similar to simplified Java
    • Reuse existing work on Java program slicing
    • We go this way
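As an added illustration of the slicing criterion (my own Python example, not the paper's slicer or any Java slicing tool), the following computes a backward slice of a small constructed, loop-free program written in the style of an extracted model. Each statement records the variables it defines and uses and the `if` it is control-dependent on; the slice keeps every statement that may influence the criterion's variables. It does not track kills, so it is sound but not minimal. The program text and variable names are constructed for the example.

```python
from collections import namedtuple

# Added example, not the paper's slicer: backward slicing by data and control
# dependence on a constructed loop-free program.
Stmt = namedtuple("Stmt", "text defs uses ctrl")   # ctrl: index of the controlling `if`, or None

PROGRAM = [
    Stmt("irql = PASSIVE_LEVEL",            {"irql"},   set(),              None),
    Stmt("count = 0",                       {"count"},  set(),              None),
    Stmt("device = IoAttachDevice(irql)",   {"device"}, {"irql"},           None),
    Stmt("count = count + 1",               {"count"},  {"count"},          None),
    Stmt("log = Format(count)",             {"log"},    {"count"},          None),
    Stmt("if (device != null)",             set(),      {"device"},         None),
    Stmt("  IoDetachDevice(device, irql)",  set(),      {"device", "irql"}, 5),
    Stmt("count = count - 1",               {"count"},  {"count"},          None),
]

def backward_slice(program, criterion_stmt, criterion_vars):
    """Indices of the statements on which `criterion_vars` at `criterion_stmt` may depend.
    Iterates backwards from the criterion to a fixpoint: a statement joins the slice when it
    defines a relevant variable (or controls a statement in the slice); its uses become relevant."""
    relevant = set(criterion_vars)
    in_slice = {criterion_stmt}
    changed = True
    while changed:
        changed = False
        for i in range(criterion_stmt, -1, -1):
            s = program[i]
            if i not in in_slice and not (s.defs & relevant):
                continue
            if i not in in_slice:
                in_slice.add(i)
                changed = True
            if s.uses - relevant:
                relevant |= s.uses
                changed = True
            if s.ctrl is not None and s.ctrl not in in_slice:
                in_slice.add(s.ctrl)
                changed = True
    return sorted(in_slice)

def sliced_text(program, criterion_stmt, criterion_vars):
    """The statements kept by the slice, in program order."""
    return [program[i].text for i in backward_slice(program, criterion_stmt, criterion_vars)]

if __name__ == "__main__":
    # Criterion for an attach/detach rule: `device` and `irql` at the detach call.
    for line in sliced_text(PROGRAM, 6, {"device", "irql"}):
        print(line)
```

With `device` and `irql` at the detach call as the criterion, the whole `count`/`log` bookkeeping drops out of the model, which is the kind of reduction the slide is after: only the statements the selected rule can observe remain for the model checker to explore.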
Related Work

• Model checking
  • Zing Model Checker (Microsoft Research)
  • Bogor Model Checking Framework (SAnToS labs)
  • SPIN (Bell Labs)
• Driver checking
  • Static Driver Verifier (Microsoft Research): model checking based on Boolean programs
  • Driver Verifier (Microsoft): run-time checking
  • PREfast (Microsoft): static analysis, error pattern searching
• Java slicing
  • JPF, Bogor Framework
  • Nanda, M. G.: Slicing Concurrent Java Programs
Conclusion & Future Work

• DeSpec language
  • Specifications of the Windows kernel environment
  • Formalization of rules defined by the Driver Development Kit in plain English
  • Proof of concept: a specification of a significant subset of the kernel API
• Model Extractor
  • Zing model extraction, dealing with C pointers
  • Proof of concept (C to Zing extraction w/o model reduction)
    • Synchronized priority queue via singly linked list written in C
    • Intentional errors in the implementation revealed in seconds
    • Correct implementation verified in 31 minutes (3 threads, 9 items in the queue)
• Future work
  • Model Extractor improvements
  • Model size reduction via slicing
  • Tests on real Windows kernel drivers
Extracting Zing Models from C Source Code

Thank you for your attention