
Extracting Zing Models from C Source Code

Tomáš Matoušek, Filip Zavoral

Goals: verification of Windows kernel drivers against rules imposed by the kernel. Motivation: drivers are difficult to test, and bugs can appear only at special conditions.




Presentation Transcript


  1. Extracting Zing Models from C Source Code
     Tomáš Matoušek, Filip Zavoral

  2. Goals
     • Verification of Windows kernel drivers against rules imposed by the kernel
     • Motivation
       • Drivers are difficult to test
       • Bugs can appear only at special conditions
       • Incorrect behavior in cooperation with the environment
       • The kernel is complex and concurrent
     • Technique: model checking
       • A specification of the kernel API provided to drivers
       • A model of the driver
       • Using the Zing Model Checker tool

  3. Our Previous Work: Kernel Specifications
     • DeSpec
       • Driver Environment Specification Language
       • An object-oriented specification and modeling language
       • Allows one to
         • abstract and model kernel API functions and structures
         • model the kernel's behavior towards drivers
         • capture various constraints imposed on the driver

  4. DeSpec Example

     class DEVICE_OBJECT {
         NTSTATUS IoAttachDevice(instance, object! targetName, out DEVICE_OBJECT attached)
             requires !Driver.IsLowest;
             requires thread.Irql == KIRQL.PASSIVE_LEVEL;
         {
             result = choose { NTSTATUS.STATUS_SUCCESS, NTSTATUS.STATUS_INSUF_RESOURCES };
             attached = IsSuccessful(result) ? Driver.LowerDevice : null;
         }

         void IoDetachDevice(instance)
             requires thread.Irql == KIRQL.PASSIVE_LEVEL;

         static rule forall(DEVICE_OBJECT device) {
             _.IoAttachDevice(..., out device)::succeeded
         } corresponds to {
             device.IoDetachDevice()
         } globally;
     }

  5. Zing Example

     class Fork {
         Philosopher holder;

         void PickUp(Philosopher eater) {
             atomic {
                 select { wait(holder == null) -> holder = eater; }
             }
         }

         void PutDown() { holder = null; }
     };

     class Philosopher {
         Fork leftFork;
         Fork rightFork;

         void Run() {
             while (true) {
                 leftFork.PickUp(this);
                 rightFork.PickUp(this);
                 leftFork.PutDown();
                 rightFork.PutDown();
             }
         }
     };
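To show what a model checker does with the Zing example above, the following is an added Python example (not part of the slides or of the Zing tool): it exhaustively explores the interleavings of the dining-philosophers model by breadth-first search over global states and reports the first state in which no philosopher can take a step. The state encoding, the name `explore`, and the fork assignment (philosopher i holds fork i as leftFork and fork (i + 1) % n as rightFork) are assumptions made for this illustration.

```python
from collections import deque

def explore(n):
    """Exhaustively explore the Zing dining-philosophers model with n
    philosophers and n forks (constructed state encoding, not Zing's own).
    A state is (holders, pcs): holders[f] is the philosopher holding fork f
    (None = null); pcs[i] is the next statement of philosopher i in Run():
    0 PickUp left, 1 PickUp right, 2 PutDown left, 3 PutDown right.
    Returns (states_visited, first_deadlock_state_or_None)."""
    start = (tuple([None] * n), tuple([0] * n))
    seen, queue = {start}, deque([start])
    while queue:
        holders, pcs = state = queue.popleft()
        successors = []
        for i in range(n):
            left, right, pc = i, (i + 1) % n, pcs[i]
            h = list(holders)
            # PickUp is atomic { select { wait(holder == null) -> holder = eater; } }:
            # the null test and the assignment form one indivisible step.
            if pc == 0 and h[left] is None:
                h[left] = i
            elif pc == 1 and h[right] is None:
                h[right] = i
            elif pc == 2:
                h[left] = None
            elif pc == 3:
                h[right] = None
            else:
                continue                 # blocked in wait(): transition not enabled
            p = list(pcs)
            p[i] = (pc + 1) % 4          # while (true): loop back to PickUp left
            successors.append((tuple(h), tuple(p)))
        if not successors:               # no philosopher can move: deadlock
            return len(seen), state
        for s in successors:
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return len(seen), None               # state space exhausted, no deadlock

if __name__ == "__main__":
    visited, deadlock = explore(2)
    print(visited, "states explored; deadlock state:", deadlock)
```

With two philosophers the search stops at the state where each holds its left fork and waits for the other's, which is exactly the error a rule-based verification of a driver model is meant to surface.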

  6. Model Extractor Implementation
     • Inputs
       • Source code of the driver (C language)
       • Specification of the kernel environment (DeSpec)
       • Set of rules to be verified (DeSpec)
     • Process
       • C code parsing, merging and analysis
       • Extraction of a Zing model from the driver source code
       • Combination of the extracted model with the kernel model
       • Zing model slicing
     • Output
       • Zing model realizing the driver's interactions with the environment
       • Passed to the Zing model checker

  7. Modeling C Language Constructs in Zing
     • Zing
       • Object-oriented modeling language
       • Some C constructs cannot be mapped directly
       • Major issues: pointers, arrays, pointer arithmetic
     • Modeling types
       • Primitive (int, …)
         • string literal: static array of int
       • Composite (struct, union)
         • dynamically allocated value types boxed
       • Static arrays
       • Data pointers
       • Function pointers

  8. Modeling Variables
     • Address-may-be-taken flag
     • Variable models
       • Value
         • int, float, struct, pointer; address never taken
         • non-pointer types: mapped directly
         • data pointers: special methods
           • DerefGet, DerefSet, AddIntPtr, SubPtrPtr, CmpPtrPtr
         • function pointers: integer, indirect call → switch
       • BoxedValue
         • int, float, struct, pointer; address may be taken
         • Box<T> type
       • StaticArray
         • static array
         • multidimensional arrays flattened

  9. Pointer Representation
     • Data pointer represented by a pair
       • <target : object, offset : int>
     • 4 types of pointer targets
       • Statically allocated storage
         • Single value
         • Sequence of values (multi-value)
       • Dynamically allocated storage
         • Provably single value
         • Possibly multi-value
     • Potential multi-values
       • Static analysis
       • Represented by an expandable Zing array

  10. Example: Pointers to Dynamically Allocated Memory

      void* p = malloc(size);
      int* q = p;
      q += 3;
      *q = 5;

      Data type not known prior to the first write operation

  11. Example: Static Single- and Multi-value Pointers

      int t = 1;
      int *s = &t;
      int a[5];
      int *u = &a[1];
      int *v = a;
      u[2] = 3;
      v += 4;
      *v = 6;
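To make the pointer model of slides 8 through 11 concrete, here is an added Python illustration (not part of the slides or of the Model Extractor): data pointers are <target, offset> pairs, static storage is a fixed array, and malloc'd storage is an expandable array whose layout is fixed by the first write. The names `Storage`, `Ptr`, `deref_get`, `deref_set`, `add_int_ptr`, `sub_ptr_ptr` and `cmp_ptr_ptr` are this example's own stand-ins for the DerefGet, DerefSet, AddIntPtr, SubPtrPtr and CmpPtrPtr methods named on slide 8; the two example functions replay the C snippets of slides 10 and 11 on the model.

```python
class Storage:
    """Pointer target (slide 9). Static storage has a fixed size; malloc'd
    storage has no known type or size, so it is an expandable array that
    grows on the first write past its current end (slide 10)."""
    def __init__(self, size=None, init=0):
        self.expandable = size is None
        self.cells = [] if size is None else [init] * size

class Ptr:
    """Data pointer as a <target : object, offset : int> pair."""
    def __init__(self, target, offset=0):
        self.target, self.offset = target, offset

def deref_get(p):                    # DerefGet: *p
    return p.target.cells[p.offset]

def deref_set(p, value):             # DerefSet: *p = value
    cells = p.target.cells
    if p.offset >= len(cells):
        if not p.target.expandable:
            raise IndexError("write outside static storage")
        cells.extend([0] * (p.offset + 1 - len(cells)))
    cells[p.offset] = value

def add_int_ptr(p, n):               # AddIntPtr: p + n
    return Ptr(p.target, p.offset + n)

def sub_ptr_ptr(p, q):               # SubPtrPtr: p - q (same target)
    assert p.target is q.target
    return p.offset - q.offset

def cmp_ptr_ptr(p, q):               # CmpPtrPtr: p == q
    return p.target is q.target and p.offset == q.offset

def static_example():                # slide 11, executed on the model
    t = Storage(1, 1)                # int t = 1;      single value
    s = Ptr(t)                       # int *s = &t;
    a = Storage(5)                   # int a[5];       multi-value
    u = Ptr(a, 1)                    # int *u = &a[1];
    v = Ptr(a)                       # int *v = a;
    deref_set(add_int_ptr(u, 2), 3)  # u[2] = 3;
    v = add_int_ptr(v, 4)            # v += 4;
    deref_set(v, 6)                  # *v = 6;
    return deref_get(s), a.cells, sub_ptr_ptr(v, u), cmp_ptr_ptr(s, v)

def dynamic_example():               # slide 10, executed on the model
    p = Ptr(Storage())               # void *p = malloc(size);
    q = add_int_ptr(p, 3)            # int *q = p; q += 3;
    deref_set(q, 5)                  # *q = 5;  first write fixes the layout
    return p.target.cells
```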

  12. Slicing
      • Goal
        • To reduce the size of the resulting model as much as possible
      • Slicing criterion
        • variables related to the rules selected for verification
      • Two possibilities
        • Slice the C program before the extraction
          • More complex
          • Needs to deal with pointers (already done by the extraction)
        • Slice the extracted Zing program
          • Zing is similar to simplified Java
          • Reuse existing work on slicing Java programs
          • We go this way

  13. Related Work
      • Model checking
        • Zing Model Checker (Microsoft Research)
        • Bogor Model Checking Framework (SAnToS labs)
        • SPIN (Bell Labs)
      • Driver checking
        • Static Driver Verifier (Microsoft Research)
          • Model checking based on Boolean programs
        • Driver Verifier (Microsoft)
          • Run-time checking
        • PREfast (Microsoft)
          • Static analysis, error pattern searching
      • Java slicing
        • JPF, Bogor Framework
        • Nanda, M. G.: Slicing Concurrent Java Programs

  14. Conclusion & Future Work
      • DeSpec language
        • Specifications of the Windows kernel environment
        • Formalization of rules defined by the Driver Development Kit in plain English
        • Proof of concept:
          • A specification of a significant subset of the kernel API
      • Model Extractor
        • Zing model extraction, dealing with C pointers
        • Proof of concept (C to Zing extraction w/o model reduction)
          • Synchronized priority queue via singly linked list written in C
          • Intentional errors in the implementation revealed in seconds
          • Correct implementation verified in 31 minutes (3 threads, 9 items in the queue)
      • Future work
        • Model Extractor improvements
        • Model size reduction via slicing
        • Tests on real Windows kernel drivers

  15. Extracting Zing Models from C Source Code
      Thank you for your attention
