
Automatic Predicate Abstraction of C Programs

Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani. In PLDI 01: Programming Language Design and Implementation, 2001. Presented by Yifan Li (yl2774@columbia.edu), November 22nd.



  1. Thomas Ball, Rupak Majumdar, Todd Millstein, Sriram K. Rajamani. In PLDI 01: Programming Language Design and Implementation, 2001. Automatic Predicate Abstraction of C Programs. Presented by Yifan Li (yl2774@columbia.edu), November 22nd

  2. “Can software help programmers write better software?”

  3. Outline • What is model checking • Why it is important • Current state of the art • Challenges in applying model checking to C programs • SLAM project

  5. Model Checking • A specific technique of formal verification • Given a model of a system, automatically check whether this model meets a given specification

  6. Formal Verification • Formal verification is the act of proving or disproving the correctness of the intended algorithms underlying a system with respect to a certain formal specification or property • Its goal is to mathematically prove the correctness of a software or hardware system

  7. The model checking problem • Let M be a Kripke structure (i.e., a state-transition graph) • Let f be a formula of temporal logic (i.e., the specification) • Find all states s of M such that M, s ⊨ f

  8. A typical model checking system Figure 1. A typical model checking system

  9. Kripke Structure • A Kripke structure is a type of nondeterministic finite state machine proposed by Saul Kripke and used in model checking • Let the set of atomic propositions be AP = {p, q}; p and q can model arbitrary boolean properties of the system that the Kripke structure is modelling • M may produce a path ρ = s1, s2, s1, s2, s3, s3, s3, ... (potentially infinite) Figure 2. Kripke Structure

  10. How to model-check • Basic procedure: • Describe the system as a finite state model • Express the properties in temporal logic • Verify formally by automatic exhaustive search over the state space • Use a model checker to check the properties

  11. Temporal logic • Used to describe any system of rules for representing propositions in terms of time • Statements in temporal logic: "I am always hungry", "I will eventually be hungry", "I will be hungry until I eat something" • Temporal logics describe the ordering of events in time without introducing time explicitly • The meaning of a temporal logic formula is determined with respect to a labeled state-transition graph or Kripke structure

  12. Abstraction of the model • What if the model is infinite or too large to check directly? Use abstraction • Any effort to model check software must first construct an abstract model of the software • Predicate abstraction: a promising approach to constructing abstractions automatically (covered later)

  13. What is a model checker • A model checker is a software tool that • given a description of a Kripke model M ... • ... and a property φ • decides whether M ⊨ φ • returns "yes" if the property is satisfied, • otherwise returns "no" and provides a counterexample

  14. What is a model checker Figure 3. The model Checker

  15. Outline • What is model checking • Why it is important • Current state of the art • Challenges in applying model checking to C programs • SLAM project

  16. Why it is important • Software bugs are so common that their cost to the American economy alone is $60 billion a year, or about 0.6% of gross domestic product (NIST)

  17. Why it is important • Some errors in software systems are expensive: • Space mission failed: a bug caused a $370 million failure in 1996, which is $514 to $686 million in 2010 dollars (Flight 501) • While some are pretty annoying: • "Bill Gates: 5% of Windows Machines Crash More Than Twice A Day"

  18. Outline • What is model checking • Why it is important • Current state of the art • Challenges in applying model checking to C programs • SLAM project

  19. A wide variety of model checkers • To name a few, for C programs: • BLAST (Berkeley) • CBMC (Carnegie Mellon) • CPAchecker (University of Passau, Germany) • SLAM (Microsoft Research) • Others: • SPIN (Bell Labs, System Software Award 2001)

  20. SLAM • "software (specifications), programming languages, abstraction, and model checking" • SLAM is the program-analysis engine of the SDV tool, used to check whether clients of an API follow the API's stateful usage rules • The SLAM toolkit (C2BP, BEBOP, NEWTON) forms that analysis engine

  21. SLAM2 • The improved version of SLAM • Under 4% false alarms

  22. SDV • Static Driver Verifier (SDV): • Compile-time verification tool • Ships with the Windows 7 Driver Kit (WDK) • Less than 4% false alarms on real drivers • Supports many driver APIs (WDM, KMDF, NDIS, ...) • Uses SLAM as the verification engine • Based on the CEGAR loop • Boolean abstraction of the input C programs • API-specific components: • environment model • API rules in the SLIC language

  23. Figure 4. SDV: the inputs are the driver's source code in C, precise API usage rules (SLIC) and an environment model; the Static Driver Verifier reports defects, with 100% path coverage

  24. Usage • SDV 2.0 is applied as an automatic and required quality gate for Windows 7 device drivers • SLAM is distributed as part of the Windows Driver Development Kit

  25. Outline • What is model checking • Why it is important • Current state of the art • Challenges in applying model checking to C programs • SLAM project

  26. Challenges in applying model checking to C programs • Pointers (the aliasing problem) • Procedures (signatures) • Unknown values (*) • Lots of predicate states

  27. Outline • What is model checking • Why it is important • Current state of the art • Challenges in applying model checking to C programs • SLAM project

  28. SLAM Project • Figure 5. The SLAM realization of the CEGAR loop: the SLIC specification instruments C program P into P'; C2BP builds the boolean program BP(E, P'); Bebop checks it and reports an error path, if any; if the error path is feasible, an error (program bug) is found; if not, refine the predicates and generate a new BP

  29. CEGAR • In theory, counterexample-guided abstraction refinement (CEGAR) uses spurious counterexamples to refine overapproximations so as to eliminate provably false alarms

  30. SLIC • SLIC: Specification Language for Interface Checking • SLIC is a subset of the C language augmented with elements that identify the events of interest • Next slide: an example of a SLIC specification and the instrumented C program derived from it

  31. Figure 6. A SLIC specification checking that a spinlock cannot be acquired again without first being released, and that a spinlock cannot be released twice

  32. Figure 7. The boolean program of the instrumented C program: the first and second iterations of Bebop and Newton

  33. Example 2 • Figure 8. (a) SLIC specification for proper usage of spin locks, and (b) its compilation into C code

  34. Figure 9. (a) A snippet of device driver code P, and (b) program P' resulting from instrumentation of program P according to the SLIC specification in Figure 8
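What the compiled spin-lock rule and the instrumented driver routine look like, as an added example in C rather than the figures' own code: the rule's state variable and event handlers become a small monitor, and the instrumented lock operations call it on entry. The monitor, the lock functions and process_queue are hypothetical names chosen for this example.

```c
#include <stdio.h>

/* Added example, not the paper's Figure 8/9 code: a SLIC-style spin-lock
   rule compiled by hand into a C monitor and woven into a driver routine.
   Every name here is hypothetical. */
enum lock_state { UNLOCKED = 0, LOCKED = 1 };
static enum lock_state slic_state = UNLOCKED;   /* the rule's state variable */
static int slic_error = 0;                       /* set once the rule is violated */

/* acquire.entry handler: the lock must not already be held */
static void slic_acquire_entry(void) {
    if (slic_state == LOCKED) slic_error = 1;
    slic_state = LOCKED;
}

/* release.entry handler: the lock must currently be held */
static void slic_release_entry(void) {
    if (slic_state == UNLOCKED) slic_error = 1;
    slic_state = UNLOCKED;
}

/* Instrumented lock operations: the monitor runs at entry, before the
   driver's real locking primitive would. */
static void acquire_lock(void) { slic_acquire_entry(); /* real acquire here */ }
static void release_lock(void) { slic_release_entry(); /* real release here */ }

/* Instrumented driver routine P': walks n (<= 32) queued requests; bit i of
   status_bits marks request i as completed. A completed request is handed
   off with the lock released and the lock is reacquired only if more
   requests follow, so a completed last request ends in a double release. */
int process_queue(unsigned status_bits, int n) {
    slic_state = UNLOCKED;
    slic_error = 0;
    acquire_lock();
    for (int i = 0; i < n; i++) {
        if ((status_bits >> i) & 1u) {
            release_lock();
            if (i + 1 < n) acquire_lock();
        }
    }
    release_lock();
    return slic_error;   /* 1 if the usage rule was violated on this run */
}

int main(void) {
    printf("completed middle request: violation=%d\n", process_queue(2u, 3));
    printf("completed last request:   violation=%d\n", process_queue(2u, 2));
    return 0;
}
```

The monitor only observes the one run it is given; SLAM's point is that C2BP and Bebop decide the same question for every path of P' at once.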

  35. Figure 10. The C code of the SLIC specification from Figure 8(b) compiled by C2BP into a boolean program

  36. Figure 11. The two boolean programs created while checking the code from Figure 9(b)
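The refinement the two boolean programs illustrate, as an added example in C and not the paper's Figure 11: an explicit-state search over a boolean program abstracting a spin-lock loop, first with only the lock predicate (the loop test becomes the unknown value * and a spurious error path appears), then with the predicate nPackets == nPacketsOld added, after which the error location is unreachable. The program locations, the predicates and the shape of the loop are this example's own assumptions.

```c
#include <stdio.h>

/* Added example, not the paper's Figure 11: explicit-state reachability over a
   boolean program abstracting a driver loop (acquire; nPacketsOld = nPackets; if a
   request completed: release, nPackets++; repeat while nPackets != nPacketsOld;
   release). Predicates b = lock held, p = (nPackets == nPacketsOld); all assumed. */
enum { L_ACQ, L_SETOLD, L_IF, L_REL1, L_INC, L_WHILE, L_REL2, L_END, L_ERR, NLOC };
struct st { int pc, b, p; };

/* Successors of s (at most 2). With track_p == 0, p is not abstracted, so the
   loop test behaves as the unknown value '*' and both arms are explored. */
static int step(struct st s, struct st *out, int track_p) {
    int n = 0; struct st t = s;
    switch (s.pc) {
    case L_ACQ:    t.pc = s.b ? L_ERR : L_SETOLD; t.b = 1; out[n++] = t; break;
    case L_SETOLD: t.pc = L_IF; t.p = 1; out[n++] = t; break;
    case L_IF:     t.pc = L_REL1; out[n++] = t; t.pc = L_WHILE; out[n++] = t; break;
    case L_REL1:   t.pc = s.b ? L_INC : L_ERR; t.b = 0; out[n++] = t; break;
    case L_INC:    t.pc = L_WHILE; t.p = 0; out[n++] = t; break;
    case L_WHILE:
        if (track_p) { t.pc = s.p ? L_REL2 : L_ACQ; out[n++] = t; }
        else { t.pc = L_ACQ; out[n++] = t; t.pc = L_REL2; out[n++] = t; }
        break;
    case L_REL2:   t.pc = s.b ? L_END : L_ERR; t.b = 0; out[n++] = t; break;
    default:       break;                          /* L_END and L_ERR are stuck */
    }
    return n;
}

/* Bebop-style check: is L_ERR reachable from (L_ACQ, b = 0)? Returns 1 or 0. */
int error_reachable(int track_p) {
    int seen[NLOC][2][2] = {{{0}}};
    struct st stack[128], nx[2]; int sp = 0;   /* <= 36 states, <= 2 pushes each */
    stack[sp++] = (struct st){L_ACQ, 0, 0};
    while (sp > 0) {
        struct st s = stack[--sp];
        if (s.pc == L_ERR) return 1;
        if (seen[s.pc][s.b][s.p]++) continue;     /* already explored */
        int n = step(s, nx, track_p);
        for (int i = 0; i < n; i++) {
            if (!track_p) nx[i].p = 0;   /* p not tracked: collapse its value */
            stack[sp++] = nx[i];
        }
    }
    return 0;
}
int main(void) {
    printf("{b}: error reachable = %d (spurious); {b, p}: %d\n", error_reachable(0), error_reachable(1));
    return 0;
}
```

In SLAM the second run is reached by Newton declaring the first error path infeasible and proposing the predicate that rules it out; here that predicate is supplied by hand via track_p.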

  37. How well it works • Experience with SLAM on device drivers of hundreds or thousands of lines of code

  38. How well it works • True errors have been found in device drivers when running SLAM on them

  39. Conclusion • The SLAM toolkit overcomes the challenges in applying model checking to C programs • SLAM is appropriate for use on large-scale C programs and on device drivers written in C • The SDV tool has already been used to model check Windows 7 device drivers before they come to market

  40. References • Measuring the buying power of the US dollar at different times: http://www.measuringworth.com/ppowerus/ • Bill Gates talk: http://www.osnews.com/story/4122/Bill_Gates_5_Of_Windows_Machines_Crash_More_Than_Twice_A_Day • Symbolic model checking: http://www.cse.iitd.ernet.in/~sak/courses/foav/nusvm-iitd-1.pdf • Building a better bug-trap: http://www.economist.com/node/1841081 • The SLAM project: http://research.microsoft.com/en-us/projects/slam/

  41. Thank you!