DOI: 10.1145/1217935.1217943
Article

Thorough static analysis of device drivers

Published: 18 April 2006

ABSTRACT

Bugs in kernel-level device drivers cause 85% of the system crashes in the Windows XP operating system [44]. One of the sources of these errors is the complexity of the Windows driver API itself: programmers must master a complex set of rules about how to use the driver API in order to create drivers that are good clients of the kernel. We have built a static analysis engine that finds API usage errors in C programs. The Static Driver Verifier tool (SDV) uses this engine to find kernel API usage errors in a driver. SDV includes models of the OS and the environment of the device driver, and over sixty API usage rules. SDV is intended to be used by driver developers "out of the box." Thus, it has stringent requirements: (1) complete automation with no input from the user; (2) a low rate of false errors. We discuss the techniques used in SDV to meet these requirements, and empirical results from running SDV on over one hundred Windows device drivers.

References

  1. T. Ball, B. Cook, S. Das, and S. K. Rajamani. Refining approximations in software predicate abstraction. In TACAS 04: Tools and Algorithms for the Construction and Analysis of Systems, pages 388--403, 2004.
  2. T. Ball, B. Cook, S. K. Lahiri, and L. Zhang. Zapato: Automatic theorem proving for predicate abstraction refinement. In CAV 04: Computer-Aided Verification, pages 457--461, 2004.
  3. T. Ball, R. Majumdar, T. Millstein, and S. K. Rajamani. Automatic predicate abstraction of C programs. In PLDI 01: Programming Language Design and Implementation, pages 203--213, 2001.
  4. T. Ball, M. Naik, and S. K. Rajamani. From symptom to cause: Localizing errors in counterexample traces. In POPL 03: Principles of Programming Languages, pages 97--105, 2003.
  5. T. Ball, A. Podelski, and S. K. Rajamani. Boolean and Cartesian abstractions for model checking C programs. In TACAS 01: Tools and Algorithms for the Construction and Analysis of Systems, pages 268--283, 2001.
  6. T. Ball, A. Podelski, and S. K. Rajamani. On the relative completeness of abstraction refinement. In TACAS 02: Tools and Algorithms for the Construction and Analysis of Systems, pages 158--172, April 2002.
  7. T. Ball and S. K. Rajamani. Bebop: A symbolic model checker for Boolean programs. In SPIN 00: SPIN Workshop, pages 113--130, 2000.
  8. T. Ball and S. K. Rajamani. Automatically validating temporal safety properties of interfaces. In SPIN 01: SPIN Workshop, pages 103--122, 2001.
  9. T. Ball and S. K. Rajamani. Bebop: A path-sensitive interprocedural dataflow engine. In PASTE 01: Workshop on Program Analysis for Software Tools and Engineering, pages 97--103, 2001.
  10. A. Bradley, Z. Manna, and H. Sipma. Linear ranking with reachability. In CAV 05: Computer-Aided Verification, pages 491--504, 2005.
  11. R. E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, C-35(8):677--691, 1986.
  12. W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software: Practice and Experience, 30(7):775--802, June 2000.
  13. S. Chaki, E. Clarke, A. Groce, S. Jha, and H. Veith. Modular verification of software components in C. In ICSE 03: International Conference on Software Engineering, pages 385--395, 2003.
  14. H. Chen, D. Dean, and D. Wagner. Model checking one million lines of C code. In NDSS 04: Network and Distributed System Security Symposium, 2004.
  15. A. Chou, J. Yang, B. Chelf, S. Hallem, and D. Engler. An empirical study of operating systems errors. In SOSP 01: Symposium on Operating Systems Principles, pages 73--88, 2001.
  16. E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In CAV 00: Computer-Aided Verification, pages 154--169, 2000.
  17. E. Clarke, D. Kroening, N. Sharygina, and K. Yorav. Predicate abstraction of ANSI-C programs using SAT. Formal Methods in System Design (FMSD), 25:105--127, September--November 2004.
  18. B. Cook and G. Gonthier. Using Stålmarck's algorithm to prove inequalities. In ICFEM 05: Conference on Formal Engineering Methods, pages 330--344, 2005.
  19. B. Cook, D. Kroening, and N. Sharygina. Cogent: Accurate theorem proving for program verification. In CAV 05: Computer-Aided Verification, pages 296--300, 2005.
  20. B. Cook, D. Kroening, and N. Sharygina. Symbolic model checking for asynchronous Boolean programs. In SPIN 01: SPIN Workshop, pages 75--90, 2005.
  21. B. Cook, A. Podelski, and A. Rybalchenko. Abstraction refinement for termination. In SAS 05: Static Analysis Symposium, pages 87--101, 2005.
  22. B. Cook, A. Podelski, and A. Rybalchenko. Termination proofs for systems code. In PLDI 06: Programming Language Design and Implementation, 2006.
  23. P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for the static analysis of programs by construction or approximation of fixpoints. In POPL 77: Principles of Programming Languages, pages 238--252, 1977.
  24. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. The ASTRÉE analyzer. In ESOP 05: European Symposium on Programming, pages 21--30, 2005.
  25. M. Das. Unification-based pointer analysis with directional assignments. In PLDI 00: Programming Language Design and Implementation, pages 35--46, 2000.
  26. M. Das, S. Lerner, and M. Seigle. ESP: Path-sensitive program verification in polynomial time. In PLDI 02: Programming Language Design and Implementation, pages 57--68, June 2002.
  27. R. DeLine and M. Fähndrich. Enforcing high-level protocols in low-level software. In PLDI 01: Programming Language Design and Implementation, pages 59--69, 2001.
  28. D. Detlefs, G. Nelson, and J. B. Saxe. Simplify: A theorem prover for program checking. Technical Report HPL-2003-148, HP Labs, 2003.
  29. D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In OSDI 00: Operating System Design and Implementation, pages 1--16. USENIX Association, 2000.
  30. G. Balakrishnan et al. Model checking x86 executables with CodeSurfer/x86 and WPDS++. In CAV 05: Computer-Aided Verification, 2005.
  31. C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata. Extended static checking for Java. In PLDI 02: Programming Language Design and Implementation, pages 234--245, 2002.
  32. K. Fraser, S. Hand, R. Neugebauer, I. Pratt, A. Warfield, and M. Williams. Safe hardware access with the Xen virtual machine monitor. In OASIS '04: Workshop on Operating System and Architectural Support for the on demand IT InfraStructure, June 2004.
  33. S. Hallem, B. Chelf, Y. Xie, and D. Engler. A system and language for building system-specific, static analyses. In PLDI 02: Programming Language Design and Implementation, pages 69--82, 2002.
  34. T. A. Henzinger, R. Jhala, R. Majumdar, and K. L. McMillan. Abstractions from proofs. In POPL 04: Principles of Programming Languages, pages 232--244, 2004.
  35. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In POPL 02: Principles of Programming Languages, pages 58--70, January 2002.
  36. R. P. Kurshan. Computer-Aided Verification of Coordinating Processes. Princeton University Press, 1994.
  37. S. Lahiri, T. Ball, and B. Cook. Predicate abstraction via symbolic decision procedures. In CAV 05: Computer-Aided Verification, pages 24--38, 2005.
  38. L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3(2):125--143, 1977.
  39. J. R. Larus, T. Ball, M. Das, R. DeLine, M. Fähndrich, J. Pincus, S. K. Rajamani, and R. Venkatapathy. Righting software. IEEE Software, 21(3):92--100, May/June 2004.
  40. K. R. M. Leino and G. Nelson. An extended static checker for Modula-3. In CC 98: Compiler Construction, pages 302--305, 1998.
  41. G. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In POPL 02: Principles of Programming Languages, pages 128--139, January 2002.
  42. S. Qadeer and D. Wu. KISS: Keep it simple and sequential. In PLDI 04: Programming Language Design and Implementation, pages 14--24, 2004.
  43. F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30--50, February 2000.
  44. M. M. Swift, B. N. Bershad, and H. M. Levy. Improving the reliability of commodity operating systems. In SOSP 03: Symposium on Operating Systems Principles, pages 207--222, June 2003.
  45. M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In LICS 86: Logic in Computer Science, pages 332--344. IEEE Computer Society Press, 1996.

Published in

• EuroSys '06: Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006. April 2006, 420 pages. ISBN: 1595933220. DOI: 10.1145/1217935.
• ACM SIGOPS Operating Systems Review, Volume 40, Issue 4: Proceedings of the 2006 EuroSys conference. October 2006, 383 pages. ISSN: 0163-5980. DOI: 10.1145/1218063.

Copyright © 2006 Authors

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 241 of 1,308 submissions, 18%
