Towards Scalable Modular Checking of User-defined Properties
Thomas Ball (MSR), Brian Hackett (Mozilla), Shuvendu Lahiri (MSR), Shaz Qadeer (MSR), Julien Vanegue (Microsoft)
A Decade of C/C++ Tools at Microsoft
• PREfix, PREfast/SAL
– Scalable, 1000s of users
– Hardcoded properties and checkers
– Checkers define semantics of C programs
• Static Driver Verifier (SLAM)
– Allows defining (limited) properties
– Automated abstraction refinement
– No procedure contracts
– No ability for user to control false alarms
• VCC (Verifying C Compiler)
– Aimed towards full functional correctness
– Procedure contracts
– No inference
– Requires expert users
Automatic Inference: Microsoft Buffer Annotation Effort
Workflow diagram (only the labels survive; arrows not recovered): Code Base, SALinfer, SAL Annotated Code, Manual Annotations, PREfix/PREfast, Potential Defects, Code Review, SAL Fixes / Code Fixes
• Windows Vista
– mandate: Annotate 100,000 mutable buffers
– developers annotated 500,000+ parameters
– developers fixed 20,000+ bugs
• Office 2007
– developers fixed 6,500+ bugs
User Effort and Control
Chart placing the tools by user effort and control (axes not recovered): PREfix, PREfast; Static Driver Verifier; VCC; HAVOC
Why Another C Verifier?

| | SDV (Static Driver Verifier) | HAVOC | VCC |
|---|---|---|---|
| Expressiveness | + (control-oriented) | ++ (system-specific) | +++ (functional) |
| Precision | + (abstract memory) | ++ (precise) | ++ (precise) |
| Scalability | + (whole program) | ++ (modular) | ++ (modular) |
| Automation | ++ (push button) | + (inference) | -- (manual) |
| Contracts | -- | ++ | ++ |
| Users | Developers | Auditors | Verif. Experts |
| Problem | Correct API usage | Security audit | Fully correct TCB |
Users and Their Problems
• Developers
– Focused on feature development
– Check-in gates for quality bar
• Auditors
– Focus on large modules
– Audit critical properties
– External to product group (even test org)
• Verification experts
– Advance the state-of-the-art
Formal Code Audit
A methodical examination and review of properties of programs (formal documentation of program properties and the assumptions under which they hold), supported by a tool that verifies the consistency of these assertions and assumptions.
Measuring Success
• The auditor is satisfied if
– she can state the properties that she wants, and
– can tolerate the assumptions under which these properties hold
• A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible
Formal Code Auditing Scenario
• Target: large components
– ~100 KLOC with >1000 procedures
• Module
– A set of public/entry procedures
– A set of private/internal procedures
• Specs
– Interface specification
  • Specs for public methods
  • Specs for external modules
– Property assertion
• Harness (pseudocode from the slide: `while (*)` loops nondeterministically, and `assume pre_i` discards every path on which the precondition of Public_i does not hold, so only calls satisfying the interface specification are explored):

```c
Initialize(…);
while (*) {
    choice = nondet();
    if (choice == 1) {
        [assume pre_1] call Public_1(…);
    } else if (choice == 2) {
        [assume pre_2] call Public_2(…);
    } …
}
Cleanup(…);
```
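The harness above is what the verifier explores symbolically. The following is an added example, not code from the slides or from HAVOC: it simulates that harness at runtime against a constructed module, with a user-defined resource-leak property (the kind listed on the file-system audit slide) instrumented as ghost state. Everything in it is assumed for illustration: the module `file_t`/`g_file`, the procedures `Public_Open`, `Public_Close` and `Public_Write`, the ghost counter `ghost_violations`, the choice codes, and the scenario in `audit_scenario`. Where the verifier would branch on every value of `nondet()`, the simulation walks one explicit choice sequence, and `assume pre_i` becomes "skip the call when its precondition fails".

```c
/* Added example, not code from the slides or from HAVOC: a runtime
 * simulation of the audit harness sketched on the slide, with one
 * user-defined property instrumented as ghost state.  The module, its
 * procedure names, the property and the choice sequences are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The module under audit (constructed): a "file" with a reference count
 * and a mutex that Public_Write must hold for its whole body. */
typedef struct {
    int refs;        /* reference count held by callers */
    int mutex_held;  /* 1 while the mutex is held */
} file_t;

static file_t g_file;

/* Ghost state: instrumentation for the property assertion
 *   "no resource leak: at Cleanup, refs == 0 and the mutex is released".
 * It is not part of the module; a checker would add it automatically. */
static int ghost_violations;

/* Public procedures.  Contracts are written as comments; the checker would
 * verify each body modularly against them, and the harness assumes the
 * preconditions before calling. */

/* requires: true       ensures: refs == old(refs) + 1 */
static void Public_Open(void) { g_file.refs++; }

/* requires: refs > 0   ensures: refs == old(refs) - 1 */
static void Public_Close(void) { g_file.refs--; }

/* requires: refs > 0 && !mutex_held   ensures: !mutex_held
 * `fail` models an I/O error on the write path.  With leaky == 1 the error
 * path returns before releasing the mutex, the kind of defect the leak
 * property is meant to catch; leaky == 0 is the corrected version. */
static int Public_Write(int fail, int leaky) {
    g_file.mutex_held = 1;
    if (fail) {
        if (leaky) return -1;    /* BUG: mutex still held on this path */
        g_file.mutex_held = 0;   /* fixed: release before the early return */
        return -1;
    }
    g_file.mutex_held = 0;
    return 0;
}

static void Initialize(void) {
    memset(&g_file, 0, sizeof g_file);
    ghost_violations = 0;
}

/* Cleanup evaluates the property assertion; returns the violation count. */
static int Cleanup(void) {
    if (g_file.mutex_held) ghost_violations++;
    if (g_file.refs != 0) ghost_violations++;
    return ghost_violations;
}

/* Harness.  The verifier explores every value of nondet(); this simulation
 * walks an explicit choice sequence instead.  "assume pre_i" discards paths
 * on which the precondition fails, so such choices are skipped, not called.
 * Choice codes: 1 = Open, 2 = Close, 3 = Write succeeds, 4 = Write fails. */
static int run_harness(const int *choices, size_t n, int leaky) {
    Initialize();
    for (size_t i = 0; i < n; i++) {
        int choice = choices[i];
        if (choice == 1) {
            Public_Open();
        } else if (choice == 2) {
            if (g_file.refs > 0)                        /* assume pre_2 */
                Public_Close();
        } else if (choice == 3 || choice == 4) {
            if (g_file.refs > 0 && !g_file.mutex_held)  /* assume pre_3 */
                Public_Write(choice == 4, leaky);
        }
    }
    return Cleanup();
}

/* Constructed scenario: open, successful write, failing write, close. */
static int audit_scenario(int leaky) {
    static const int choices[] = {1, 3, 4, 2};
    return run_harness(choices, sizeof choices / sizeof choices[0], leaky);
}

int main(void) {
    printf("leaky module:  %d violation(s)\n", audit_scenario(1));
    printf("fixed module:  %d violation(s)\n", audit_scenario(0));
    return 0;
}
```

With the leaky module the scenario reports one violation (the mutex is still held at Cleanup); with the corrected `Public_Write` it reports none. Note that after the leaked acquisition the `assume pre_3` guard silently skips every further Write, which is exactly why the slide stresses formal documentation of assumptions: an over-strong precondition can hide a defect from the harness, and a modular checker would additionally flag the `ensures: !mutex_held` violation at the early return itself.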
Desirable Audit Goals
• Find violations
– of property assertions
– with low false alarms
• Use contracts
– Modular checking for scalability
– Readable contracts are formal documentation
• Provide high assurance
– Formal documentation of assumptions
Non-goals of Formal Code Auditing
• Functional correctness
• Minimizing the trusted computing base
What about Verified Software?
A solved problem, if cost is not an issue.
The open issue is the engineering cost.
Results (1): File System Audit
• Used HAVOC to audit popular file system
– Resource leaks (reference counts, mutexes)
– Data races on files, streams, associated structures
– Teardown races on same
• Found 45 bugs
– ~250 lines required to specify properties
– ~600 lines of manual annotations
– ~3000 lines of inferred annotations
• 80 false alarms
Results (2): Security Audit
• Applied HAVOC to 1.3 million lines of Windows (handful of components)
• Properties
– ProbeBeforeUse
– UserDerefInTry
– ProbeInTry
– Alloc
• 15 security vulnerabilities (patched)
The HAVOC Challenge
Make formal code auditing a low-cost engineering effort
1. Property specification/instrumentation
2. Scalable and transparent inference
3. User supplied annotations
Microsoft C/C++ Static Analysis Tools
• PREfast/SAL
– Included with Visual Studio
• Static Driver Verifier Research Platform
– http://research.microsoft.com/slam/
• HAVOC
– http://research.microsoft.com/havoc/
• Verifying C Compiler
– http://vcc.codeplex.com/