
Towards Scalable Modular Checking of User-defined Properties


Presentation Transcript


  1. Towards Scalable Modular Checking of User-defined Properties
     Thomas Ball, MSR; Brian Hackett, Mozilla; Shuvendu Lahiri, MSR; Shaz Qadeer, MSR; Julien Vanegue, Microsoft

  2. A Decade of C/C++ Tools at Microsoft
     • PREfix, PREfast/SAL
       • Scalable, 1000s of users
       • Hardcoded properties and checkers
       • Checkers define semantics of C programs
     • Static Driver Verifier (SLAM)
       • Allows defining (limited) properties
       • Automated abstraction refinement
       • No procedure contracts
       • No ability for user to control false alarms
     • VCC (Verifying C Compiler)
       • Aimed towards full functional correctness
       • Procedure contracts
       • No inference
       • Requires expert users

  3. Manual Annotations / Automatic Inference: Microsoft Buffer Annotation Effort
     [Diagram of the annotation workflow; nodes: Code, SAL Annotated Code Base, Potential Defects, SAL Fixes / Code Review, Code Fixes; tools: SALinfer, PREfix, PREfast]
     • Windows Vista
       • mandate: annotate 100,000 mutable buffers
       • developers annotated 500,000+ parameters
       • developers fixed 20,000+ bugs
     • Office 2007
       • developers fixed 6,500+ bugs

  4. User Effort and Control
     [Diagram placing PREfix/PREfast, Static Driver Verifier and VCC on the user-effort / user-control spectrum]

  5. User Effort and Control
     [Same diagram with HAVOC added between Static Driver Verifier and VCC]

  6. Why Another C Verifier?
     [Diagram: Static Driver Verifier, HAVOC, VCC]

  7. Users and Their Problems
     • Developers
       • Focused on feature development
       • Check-in gates for quality bar
     • Auditors
       • Focus on large modules
       • Audit critical properties
       • External to product group (even test org)
     • Verification experts
       • Advance the state-of-the-art
     [Diagram: Static Driver Verifier, HAVOC, VCC]

  8.-10. Audit / Code Audit / Formal Code Audit (definition built up over three slides)
     A methodical examination and review of properties of programs:
     - formal documentation of program properties and the assumptions under which they hold
     - supported by a tool that verifies the consistency of these assertions and assumptions

  11. Measuring Success
     • The auditor is satisfied if
       • she can state the properties that she wants, and
       • can tolerate the assumptions under which these properties hold
     • A tool supporting code auditing should allow the auditor to reach a satisfactory result as quickly as possible

  12. Formal Code Auditing Scenario
     Harness:
         Initialize(..);
         while(*) {
           choice = nondet();
           if (choice == 1) {
             [assume pre_1]
             call Public_1(...);
           } else if (choice == 2) {
             [assume pre_2]
             call Public_2(...);
           } ...
         }
         Cleanup(...);
     • Target: large components
       • ~100 KLOC with >1000 procedures
     • Module
       • A set of public/entry procedures
       • A set of private/internal procedures
     • Specs
       • Interface specification
         • Specs for public methods
         • Specs for external modules
       • Property assertion
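To make the harness pattern on this slide concrete, here is an added example in C. It is not HAVOC and not code from the talk, and everything in it is an assumption of the example: the module is a hypothetical handle with a mutex and a reference count, exposed through four public procedures (Lock, Unlock, and a Process routine called once with a succeeding and once with a failing argument), and the properties audited are the resource-leak properties the deck reports on later (the reference count is never over-released, and no references are outstanding at Cleanup). HAVOC explores the nondeterministic `while(*)` loop symbolically and modularly; the example instead enumerates every call sequence up to a fixed depth, realises each `[assume pre_i]` by skipping choices whose precondition is false, and reports the shortest violating sequence.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical module under audit (an assumption of this example): a handle
 * guarded by a mutex, with a reference count that must return to zero. */
struct mod {
    bool held;      /* mutex currently held by the caller */
    int  refs;      /* outstanding references */
    bool leak_bug;  /* constructed defect on an error path, toggled by the harness */
};

static void Initialize(struct mod *m, bool leak_bug) {
    memset(m, 0, sizeof *m);
    m->leak_bug = leak_bug;
}

/* Public_1: acquire the mutex.   pre_1: !held */
static void Lock(struct mod *m)   { m->held = true; }
/* Public_2: release the mutex.   pre_2: held */
static void Unlock(struct mod *m) { m->held = false; }
/* Public_3/Public_4: take a reference, do work, drop it.   pre: held
 * input < 0 is the failure path; with leak_bug set the reference is not
 * dropped there, the kind of defect a resource-leak property is meant to catch. */
static int Process(struct mod *m, int input) {
    m->refs++;
    if (input < 0) {
        if (!m->leak_bug) m->refs--;
        return -1;
    }
    m->refs--;
    return 0;
}

/* Property assertion checked after every public call: never over-released. */
static bool property_holds(const struct mod *m) { return m->refs >= 0; }

enum { CHOICES = 4, MAX_DEPTH = 6 };

/* Stand-in for "while(*) { choice = nondet(); ... } Cleanup(...)": explores
 * every call sequence of length <= limit.  Returns the length of the first
 * violating sequence (left in trace[]), or 0 if none is found. */
static int explore(struct mod m, int depth, int limit, int *trace) {
    /* Leaving the loop here: Cleanup's precondition (mutex released) is
     * assumed; the leak property (no outstanding references) is asserted. */
    if (!m.held && m.refs != 0) return depth;
    if (depth == limit) return 0;
    for (int choice = 1; choice <= CHOICES; choice++) {
        struct mod next = m;
        switch (choice) {                  /* [assume pre_i]: skip if false */
        case 1: if (next.held)  continue; Lock(&next);        break;
        case 2: if (!next.held) continue; Unlock(&next);      break;
        case 3: if (!next.held) continue; Process(&next, 1);  break;
        case 4: if (!next.held) continue; Process(&next, -1); break;
        }
        trace[depth] = choice;
        if (!property_holds(&next)) return depth + 1;
        int found = explore(next, depth + 1, limit, trace);
        if (found) return found;
    }
    return 0;
}

/* Iterative deepening, so the first violation reported is a shortest one.
 * Returns the trace length, or 0 if the properties hold up to MAX_DEPTH. */
int find_violation(bool leak_bug, int *trace) {
    struct mod m;
    Initialize(&m, leak_bug);
    for (int limit = 0; limit <= MAX_DEPTH; limit++) {
        int n = explore(m, 0, limit, trace);
        if (n) return n;
    }
    return 0;
}

int main(void) {
    static const char *name[] = { "", "Lock", "Unlock", "Process(ok)", "Process(fail)" };
    int trace[MAX_DEPTH];
    int n = find_violation(true, trace);
    printf("leaky module: %s", n ? "violation after" : "no violation");
    for (int i = 0; i < n; i++) printf(" %s", name[trace[i]]);
    printf("\nfixed module: %s\n", find_violation(false, trace) ? "violation" : "no violation");
    return 0;
}
```

Running it reports the sequence Lock, Process(fail), Unlock as the leak in the buggy module and no violation for the fixed one. The slide's distinction between assumptions and assertions is visible in the code: Cleanup's precondition that the mutex has been released is assumed (sequences that break it are discarded rather than reported), while the leak property is asserted. In the real tool the preconditions are contracts on the public procedures and the exploration is symbolic, so the depth bound goes away.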

  13. Desirable Audit Goals
     • Find violations
       • of property assertions
       • with low false alarms
     • Use contracts
       • Modular checking for scalability
       • Readable contracts are formal documentation
     • Provide high assurance
       • Formal documentation of assumptions

  14. Non-goals of Formal Code Auditing
     • Functional correctness
     • Minimizing the trusted computing base

  15. What about Verified Software? A solved problem, if cost is not an issue. The open issue is the engineering cost.

  16. Results (1): File System Audit
     • Used HAVOC to audit a popular file system
       • Resource leaks (reference counts, mutexes)
       • Data races on files, streams, associated structures
       • Teardown races on the same
     • Found 45 bugs
     • ~250 lines required to specify properties
     • ~600 lines of manual annotations
     • ~3000 lines of inferred annotations
     • 80 false alarms

  17. Results (2): Security Audit
     • Applied HAVOC to 1.3 million lines of Windows (a handful of components)
     • Properties
       • ProbeBeforeUse
       • UserDerefInTry
       • ProbeInTry
       • Alloc
     • 15 security vulnerabilities (patched)
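The first three properties on this slide concern kernel code that handles user-mode pointers: the pointer must be validated with ProbeForRead/ProbeForWrite before it is dereferenced, and both the probe and the dereference must sit inside a __try/__except block, because the probe raises an exception on a bad range and the user mapping can change between probe and access. The following added example (not HAVOC and not Microsoft code) states those three rules as one monitor over a trace of events and runs it on three constructed traces; HAVOC checks them statically over instrumented C, whereas this monitor only sees a linear sequence of events, which is enough to show what each property demands. The event vocabulary and the `check_trace` function are inventions of the example, and Alloc is not modeled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Events an instrumented kernel routine would emit (an assumption of this
 * example).  Pointer ids stand for distinct pointer values; -1 means none. */
enum ev_kind {
    EV_USER_PTR,   /* ptr originates in user mode (e.g. a syscall argument) */
    EV_TRY_ENTER,  /* __try {                                              */
    EV_TRY_EXIT,   /* } __except(...) { ... }                              */
    EV_PROBE,      /* ProbeForRead/ProbeForWrite on ptr                    */
    EV_DEREF       /* *ptr read or written                                 */
};

struct ev { enum ev_kind kind; int ptr; };

/* Violation bits returned by check_trace. */
enum {
    V_PROBE_BEFORE_USE  = 1,  /* user pointer dereferenced without a prior probe   */
    V_USER_DEREF_IN_TRY = 2,  /* user pointer dereferenced outside __try           */
    V_PROBE_IN_TRY      = 4   /* ProbeFor* outside __try (it raises on bad ranges) */
};

#define MAX_PTRS 16

/* Runs the three properties as one monitor over a trace.  Returns the OR of
 * all violations seen; *first receives the index of the first violating
 * event, or -1 if the trace is clean. */
int check_trace(const struct ev *t, size_t n, int *first) {
    bool is_user[MAX_PTRS] = { false }, probed[MAX_PTRS] = { false };
    int try_depth = 0, viol = 0;
    *first = -1;
    for (size_t i = 0; i < n; i++) {
        int v = 0, p = t[i].ptr;
        bool has_ptr = p >= 0 && p < MAX_PTRS;
        switch (t[i].kind) {
        case EV_USER_PTR:
            if (has_ptr) is_user[p] = true;
            break;
        case EV_TRY_ENTER:
            try_depth++;
            break;
        case EV_TRY_EXIT:
            if (try_depth > 0) try_depth--;
            break;
        case EV_PROBE:
            if (try_depth == 0) v |= V_PROBE_IN_TRY;            /* ProbeInTry */
            if (has_ptr) probed[p] = true;
            break;
        case EV_DEREF:
            if (has_ptr && is_user[p]) {
                if (!probed[p])     v |= V_PROBE_BEFORE_USE;    /* ProbeBeforeUse */
                if (try_depth == 0) v |= V_USER_DEREF_IN_TRY;   /* UserDerefInTry */
            }
            break;
        }
        if (v && *first < 0) *first = (int)i;
        viol |= v;
    }
    return viol;
}

/* Constructed traces, not taken from any real component. */
/* __try { ProbeForRead(ubuf, len, 4); x = *ubuf; } __except(...) { } */
static const struct ev safe_trace[] = {
    { EV_USER_PTR, 0 }, { EV_TRY_ENTER, -1 }, { EV_PROBE, 0 }, { EV_DEREF, 0 }, { EV_TRY_EXIT, -1 }
};
/* x = *ubuf;  with neither a probe nor a __try */
static const struct ev unprobed_trace[] = { { EV_USER_PTR, 0 }, { EV_DEREF, 0 } };
/* ProbeForRead(ubuf, len, 4); __try { x = *ubuf; } __except(...) { } */
static const struct ev probe_outside_try[] = {
    { EV_USER_PTR, 0 }, { EV_PROBE, 0 }, { EV_TRY_ENTER, -1 }, { EV_DEREF, 0 }, { EV_TRY_EXIT, -1 }
};

#define LEN(a) (sizeof (a) / sizeof (a)[0])

int main(void) {
    int first;
    int v1 = check_trace(safe_trace, LEN(safe_trace), &first);
    printf("safe trace:        violations 0x%x, first bad event %d\n", v1, first);
    int v2 = check_trace(unprobed_trace, LEN(unprobed_trace), &first);
    printf("unprobed deref:    violations 0x%x, first bad event %d\n", v2, first);
    int v3 = check_trace(probe_outside_try, LEN(probe_outside_try), &first);
    printf("probe outside try: violations 0x%x, first bad event %d\n", v3, first);
    return 0;
}
```

The third trace is the subtle one: it probes before dereferencing and dereferences inside __try, yet still violates ProbeInTry, because ProbeForRead itself raises STATUS_ACCESS_VIOLATION or STATUS_DATATYPE_MISALIGNMENT on a bad user range and that exception must be caught. UserDerefInTry is independent of the probe for the same reason: a probe validates the address range at one instant, and another thread can unmap it before the access, so the access needs the handler too. A static checker like HAVOC has to establish these facts on every path through a procedure rather than on one trace, which is what the interface specifications and inference on the earlier slides are for.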

  18. The HAVOC Challenge
     Make formal code auditing a low-cost engineering effort:
     1. Property specification/instrumentation
     2. Scalable and transparent inference
     3. User supplied annotations

  19. Microsoft C/C++ Static Analysis Tools
     • PREfast/SAL
       • Included with Visual Studio
     • Static Driver Verifier Research Platform
       • http://research.microsoft.com/slam/
     • HAVOC
       • http://research.microsoft.com/havoc/
     • Verifying C Compiler
       • http://vcc.codeplex.com/
