Fast and Precise Symbolic Analysis of
Concurrency Bugs in Device Drivers
Pantazis Deligiannis
Alastair Donaldson
Zvonimir Rakamarić
Intel — June 2015
Concurrency errors, such as data races,
make device drivers hard to develop and
debug without automated tool support
Whoop, a new fully automated tool that:
- statically analyses drivers for data races
- exploits any found race-freedom guarantees
to achieve a sound partial-order reduction
and accelerate bug-finding using Corral
Corral is an industrial strength bug-finder for
device drivers from Microsoft that is used as
the backend of the Static Driver Verifier
Our approach
We applied Whoop to 16 drivers from the
Linux 4.0 kernel:
- block, char, ethernet, nfc, usb and
watchdog (250 — 7300 LoC)
- detected some potential races (confirming
them requires domain expertise)
- using Whoop we significantly accelerated
Corral (1.5-20x)
Results sneak-peek
[Architecture diagram] A. Translation Phase: Linux driver source code in C + Linux Environmental Model -> Clang/LLVM -> llvm-IR -> SMACK -> Boogie IVL code; Chauffeur extracts entry point information. B. Symbolic Lockset Analysis Phase: WHOOP (Instrumentation, Sequentialization, Invariant Generation) -> Boogie Verification Engine -> Z3 -> Data Race Reports. C. Bug-Finding Phase: Boogie IVL code, instrumented with yields -> CORRAL -> Error Traces / No Errors (Under Given Bounds).
New tools: Whoop and Chauffeur
The rest: industrial-strength tools that
are robust and battle-proven via their
use in many complex software projects
Input:
- Linux driver source code in C
- Linux environmental model (used to
“close” the driver)
Chauffeur:
- Clang frontend that traverses the driver
AST and identifies all entry points
- outputs related information in an XML
file (to be parsed and used by Whoop)
Clang/LLVM:
- compiles the C source code (and the model) into
LLVM-IR
- preserves function calls (e.g. locks/unlocks) — we
do not need to track them separately
- also preserves debugging information so we can
map errors back to source code
SMACK:
- translates the LLVM-IR into the Boogie
intermediate verification language
- leverages LLVM pointer-alias analyses to
efficiently model the heap manipulation
operations of C programs
SMACK uses a split-memory model that:
- soundly partitions memory locations into non-overlapping
equivalence classes that do not alias to achieve scalability
- is based on memory regions, which are maps of integers
that model the heap — distinct memory regions denote
disjoint sections of the heap
- we leverage this knowledge to guide and optimise Whoop
Whoop is based on symbolic pairwise
lockset analysis, a novel technique for
data race analysis in device drivers
Lightweight race detection method:
- proposed in the context of Eraser (TOCS’97), a
dynamic data race detector — key idea:
- track the set of locks that are consistently used to
protect a memory location during program execution
- if that lockset ever becomes empty, the analysis
reports a potential race on that memory location
- this is because an empty lockset suggests that a
memory location may be accessed simultaneously
by two or more threads
Lockset analysis

Worked example (reconstructed from the slide figure): two threads T1 and T2
write location A. CLST1 and CLST2 are the current locksets of the threads and
LSA is the lockset of A, initially { M, N } (all locks). At each access point
LSA is intersected with the accessing thread's current lockset.

Initial: LSA = { M, N }, CLST1 = { }, CLST2 = { }

T1 program      CLST1      LSA
lock (M);       { M }      { M, N }
lock (N);       { M, N }   { M, N }
write (A);      { M, N }   { M, N }
unlock (N);     { M }      { M, N }
write (A);      { M }      { M }
unlock (M);     { }        { M }

T2 program      CLST2      LSA
lock (M);       { M }      { M }
write (A);      { M }      { M }
unlock (M);     { }        { M }
write (A);      { }        { }        warning: access to A may not be protected
Advantages of lockset analysis:
- easy to implement, lightweight, has the
potential to scale well (in contrast with
happens-before based analysis)
Limitations of lockset analysis:
- imprecision (a violation of locking discipline is
not always a race)
- code coverage in dynamic tools is limited by
execution paths that are explored
- to counter the latter, we apply lockset analysis
in a static context
For a given driver:
- we consider every pair of entry points that
can potentially execute concurrently
- for each pair we use symbolic verification to
check if it is possible for a pair to race on a
shared memory location
- we soundly model the effects of any other
entry point by over-approximating the driver
shared state
Symbolic pairwise lockset analysis
For a given pair of entry points:
- we instrument each entry point with additional
state to record locksets (for lockset analysis)
- we attempt to verify a sequential program that
executes the instrumented entry points in
sequence, and then …
- we assert, for each shared location, that the
locksets for each entry point with respect to
this location have a non-empty intersection
Symbolic verification
1. Initialise current locksets, read and write sets to
empty for each entry point in the pair
2. For each shared variable s initialise the lockset
of s to the set of all possible locks
3. Call entry point T
4. Call entry point U
5. Assert that for each shared variable s, if s is
written by T and accessed by U, or if s is written
by U and accessed by T, then the lockset of s in
T and the lockset of s in U must have at least
one common lock (non-empty intersection)
Sequentialisation
Invariant generation:
- procedure summaries (for scalability)
- loop invariants
- we use Houdini (built in Boogie) — given a
generated set of candidate invariants it
finds the inductive invariants
Verification:
- each instrumented pair is sent to Boogie
- Boogie generates VCs (verification conditions) and feeds them to Z3
- successful verification implies race-freedom
- a counter-example denotes a potential race
- the Linux kernel can serialise calls to
entry points, thus forcing them to run in
sequence instead of an interleaved
manner (e.g. RTNL)
- Whoop exploits this knowledge and does
not create pairs for entry points that are
mutually serialised by the kernel
- ongoing manual effort (requires domain
expertise)
Kernel imposed serialisation
- Whoop is “soundy”: aims to perform a sound
analysis, but suffers from some known
sources of unsoundness
- we assume that the formal parameters of an
entry point do not alias, and thus cannot race
- we rely on the soundness of our best-effort
environmental model
- we inherit potential unsoundness from the
tools we use (e.g. integers in SMACK)
Assumptions
- can be imprecise as it inherits the limitations of
lockset analysis
- uses over-approximation, can lead to false alarms
- does not check for dynamically created locks or locks
from external libraries
- we currently do not handle interrupt handlers in
a special way; we just assume they execute
concurrently at all times
- we over-approximate lock-free data structures
- we perform static analysis and, thus, need to close
the environment
Limitations of Whoop
Accelerating Corral:
- Whoop is sound but imprecise
- we exploit any race-freedom guarantees
from phase B to speed up precise
bug-finding with Corral (in this work we only
consider races as bugs)
Accelerating Corral:
- Corral is a bounded symbolic verifier for Boogie
- sequentialises the driver using a context-switch bound
- attempts to prove bounded (in terms of number of loop
iterations and recursion depth) sequential reachability
of a bug in a goal-directed, lazy fashion to postpone
state-space explosion when analysing a large program
Default sequentialisation:
- By default, and assuming no race-freedom guarantees,
Whoop instruments a yield after each shared memory
access of each entry point, and after every lock and
unlock operation
- Whoop then sends this instrumented program to
Corral, which explores all possible thread interleavings
up to a pre-defined bound
- The default sequentialisation can explode!
- our solution: if thanks to Whoop we know
that a given statement that accesses
shared memory cannot be involved in a
data race, then we do not instrument a
yield after this statement
- this tames the sequentialisation and can
greatly speed up Corral
Sound partial-order reduction
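The five verification steps of the "Sequentialisation" slide, the lockset bookkeeping of the "Lockset analysis" figure, the skipping of kernel-serialised pairs and the yield instrumentation of this slide, emulated concretely in Python as an added example (not Whoop's own code, which works on Boogie IVL and verifies symbolically). The entry points T1, T2 and T3, the lock set {M, N} and the pairing of distinct entry points only are constructed assumptions.

```python
"""Concrete emulation of Whoop's symbolic pairwise lockset analysis (steps 1-5
on the 'Sequentialisation' slide) and of the yield instrumentation on the
'Sound partial-order reduction' slide.  Added example, not Whoop's code: entry
points are small op lists instead of Boogie IVL and the symbolic execution is
replaced by one concrete run per entry point."""
from itertools import combinations

# Step 2 needs the set of all possible locks; constructed for this example.
ALL_LOCKS = frozenset({"M", "N"})

# Constructed entry points modelled on the T1/T2 program of the 'Lockset
# analysis' slide, extended with a second location B that both entry points
# access consistently under M.  Ops are (kind, target) tuples.
T1 = [("lock", "M"), ("lock", "N"), ("write", "A"), ("unlock", "N"),
      ("write", "A"), ("write", "B"), ("unlock", "M")]
T2 = [("lock", "M"), ("write", "A"), ("read", "B"), ("unlock", "M"),
      ("write", "A")]
# A third entry point that only reads A under M: race-free against T1 (all
# of T1's writes to A hold M) but not against T2's unprotected write.
T3 = [("lock", "M"), ("read", "A"), ("unlock", "M")]

ACCESS = ("read", "write")


def run_entry_point(ops):
    """Steps 1-4 for one entry point: start with an empty current lockset,
    give every shared location the lockset ALL_LOCKS, then execute the ops,
    intersecting a location's lockset with the current lockset at every
    access.  Returns (lockset per location, read set, write set)."""
    current, reads, writes, lockset = set(), set(), set(), {}
    for kind, target in ops:
        if kind == "lock":
            current.add(target)
        elif kind == "unlock":
            current.discard(target)
        elif kind in ACCESS:
            (writes if kind == "write" else reads).add(target)
            lockset[target] = lockset.get(target, set(ALL_LOCKS)) & current
        else:
            raise ValueError(f"unknown op {kind!r}")
    return lockset, reads, writes


def check_pair(t_ops, u_ops):
    """Step 5: the set of locations on which the pair (T, U) may race.

    A location s is reported when one entry point writes s, the other reads
    or writes s, and the two per-entry-point locksets of s have an empty
    intersection (no lock is consistently held by both around s)."""
    ls_t, r_t, w_t = run_entry_point(t_ops)
    ls_u, r_u, w_u = run_entry_point(u_ops)
    conflicting = (w_t & (r_u | w_u)) | (w_u & (r_t | w_t))
    return {s for s in conflicting if not (ls_t[s] & ls_u[s])}


def analyse_driver(entry_points, serialised=()):
    """Run check_pair on every pair of distinct entry points (assumption: an
    entry point is not paired with itself), skipping pairs the kernel
    serialises ('Kernel imposed serialisation' slide).  Returns the union of
    racy locations and the per-pair verdicts."""
    serialised = {frozenset(p) for p in serialised}
    verdicts, racy = {}, set()
    for t, u in combinations(sorted(entry_points), 2):
        if frozenset((t, u)) in serialised:
            continue
        verdicts[(t, u)] = check_pair(entry_points[t], entry_points[u])
        racy |= verdicts[(t, u)]
    return racy, verdicts


def instrument_yields(ops, racy_locations=None):
    """Sequentialise one entry point for Corral.  Default (racy_locations is
    None): a yield after every lock/unlock and every shared access.  With
    phase-B results: no yield after an access to a location proven race-free
    in every pair, which is the sound partial-order reduction."""
    out = []
    for op in ops:
        out.append(op)
        kind, target = op
        needs_yield = kind in ("lock", "unlock") or (
            racy_locations is None or target in racy_locations)
        if needs_yield:
            out.append(("yield", None))
    return out


if __name__ == "__main__":
    racy, verdicts = analyse_driver({"T1": T1, "T2": T2, "T3": T3})
    print("potential races on:", sorted(racy))  # ['A']
    for pair, locs in verdicts.items():
        print(pair, sorted(locs))
    for name, ops in (("T1", T1), ("T2", T2)):
        full = instrument_yields(ops)
        reduced = instrument_yields(ops, racy)
        print(name, "yields:", sum(o[0] == "yield" for o in full), "->",
              sum(o[0] == "yield" for o in reduced))
```

Declaring the pair (T2, T3) serialised removes the only remaining race report on A for T2, so the reduced instrumentation of T2 then keeps yields only after its lock and unlock.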
We applied Whoop to 16 drivers from the
Linux 4.0 kernel:
- block, char, ethernet, nfc, usb and
watchdog (250 — 7300 LoC)
- detected some potential races (confirming
them requires domain expertise)
- using Whoop we significantly accelerated
Corral (1.5-20x)
Evaluation
[Evaluation plot not reproduced in the text] Legend: the symbols +, o and x
represent a context-switch bound of 2, 5 and 9, respectively
Thanks!
http://www.doc.ic.ac.uk/~pd1113/
p.deligiannis@imperial.ac.uk
https://github.com/pdeligia
How to Troubleshoot Apps for the Modern Connected Worker
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers

  • 1. Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers Pantazis Deligiannis Alastair Donaldson Zvonimir Rakamarić Intel — June 2015
  • 2. Concurrency errors, such as data races, make device drivers hard to develop and debug without automated tool support
  • 3. Our approach
    Whoop, a new fully automated tool that:
    - statically analyses drivers for data races
    - exploits any found race-freedom guarantees to achieve a sound partial-order reduction and accelerate bug-finding using Corral
    Corral is an industrial-strength bug-finder for device drivers from Microsoft that is used as the backend of the Static Driver Verifier
  • 4. Results sneak-peek
    We applied Whoop on 16 drivers from the Linux 4.0 kernel:
    - block, char, ethernet, nfc, usb and watchdog (250 to 7300 LoC)
    - detected some potential races (but confirming them requires domain expertise)
    - using Whoop we significantly accelerated Corral (1.5-20x)
  • 5. Architecture (diagram; the pipeline is described stage by stage on the following slides)
    A. Translation Phase: Linux driver source code in C plus the Linux environmental model; Chauffeur extracts entry point information; Clang/LLVM produces LLVM-IR; SMACK produces Boogie IVL code
    B. Symbolic Lockset Analysis Phase: Whoop (instrumentation, sequentialization, invariant generation) drives the Boogie verification engine, which uses Z3; output: data race reports
    C. Bug-Finding Phase: Boogie IVL code instrumented with yields goes to Corral; output: error traces, or no errors (under the given bounds)
    New tools: Whoop and Chauffeur. The rest: industrial-strength tools that are robust and battle-proven through their use in many complex software projects
  • 6. Input:
    - Linux driver source code in C
    - Linux environmental model (used to "close" the driver)
  • 7. Chauffeur:
    - Clang frontend that traverses the driver AST and identifies all entry points
    - outputs the related information in an XML file (to be parsed and used by Whoop)
  • 8. Clang/LLVM:
    - compiles the C source code (and the model) into LLVM-IR
    - preserves function calls (e.g. locks/unlocks), so we do not need to track them separately
    - also preserves debugging information, so we can map errors back to the source code
  • 9. SMACK:
    - translates the LLVM-IR into the Boogie intermediate verification language
    - leverages LLVM pointer-alias analyses to efficiently model the heap-manipulating operations of C programs
  • 10. SMACK uses a split-memory model that:
    - soundly partitions memory locations into non-overlapping equivalence classes that do not alias, to achieve scalability
    - is based on memory regions, which are maps of integers that model the heap; distinct memory regions denote disjoint sections of the heap
    - we leverage this knowledge to guide and optimise Whoop
  • 11. Whoop is based on symbolic pairwise lockset analysis, a novel technique for data race analysis in device drivers
  • 12. Lockset analysis
    Lightweight race detection method, proposed in the context of Eraser (TOCS'97), a dynamic data race detector. Key idea:
    - track the set of locks that are consistently used to protect a memory location during program execution
    - if that lockset ever becomes empty, the analysis reports a potential race on that memory location
    - this is because an empty lockset suggests that the memory location may be accessed simultaneously by two or more threads
  • 13. Lockset analysis: worked trace (reconstructed from the slide's diagram)
    Program: T1: lock (M); lock (N); write (A); unlock (N); write (A); unlock (M)   T2: lock (M); write (A); unlock (M); write (A)
    Initial: CLS_T1 = { }, CLS_T2 = { }, LS_A = { M, N }
    CLS_Ti is the current lockset of thread Ti; at each access point LS_A is replaced by its intersection with the accessing thread's current lockset.

    thread  statement    CLS_T1    CLS_T2    LS_A
    T1      lock (M)     { M }     { }       { M, N }
    T1      lock (N)     { M, N }  { }       { M, N }
    T1      write (A)    { M, N }  { }       { M, N }
    T1      unlock (N)   { M }     { }       { M, N }
    T1      write (A)    { M }     { }       { M }
    T1      unlock (M)   { }       { }       { M }
    T2      lock (M)     { }       { M }     { M }
    T2      write (A)    { }       { M }     { M }
    T2      unlock (M)   { }       { }       { M }
    T2      write (A)    { }       { }       { }        warning: access to A may not be protected
  • 14. Advantages of lockset analysis:
    - easy to implement, lightweight, has the potential to scale well (in contrast with happens-before based analysis)
    Limitations of lockset analysis:
    - imprecision (a violation of the locking discipline is not always a race)
    - code coverage in dynamic tools is limited to the execution paths that are explored
    - to counter the latter, we apply lockset analysis in a static context
  • 15. Symbolic pairwise lockset analysis
    For a given driver:
    - we consider every pair of entry points that can potentially execute concurrently
    - for each pair we use symbolic verification to check whether it is possible for the pair to race on a shared memory location
    - we soundly model the effects of any other entry point by over-approximating the driver's shared state
  • 16. Symbolic verification
    For a given pair of entry points:
    - we instrument each entry point with additional state to record locksets (for lockset analysis)
    - we attempt to verify a sequential program that executes the instrumented entry points in sequence, and then
    - we assert, for each shared location, that the locksets of the two entry points with respect to this location have a non-empty intersection
  • 17. Sequentialisation
    1. Initialise the current locksets, read sets and write sets to empty for each entry point in the pair
    2. For each shared variable s, initialise the lockset of s to the set of all possible locks
    3. Call entry point T
    4. Call entry point U
    5. Assert that for each shared variable s, if s is written by T and accessed by U, or if s is written by U and accessed by T, then the lockset of s in T and the lockset of s in U have at least one common lock (non-empty intersection)
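    The lockset bookkeeping of slide 12, the trace of slide 13 and the five sequentialisation steps above, as an added Python model. This is example code, not Whoop's (which works on Boogie IVL and hands verification conditions to Z3); it replays one concrete straight-line path per entry point instead of verifying all paths symbolically, so it illustrates the bookkeeping and the final assertion, not the symbolic part. The event tuples, the locks M and N and the shared location A are taken from slide 13; the event encoding and the function names are assumptions of the example.

```python
"""Lockset analysis: dynamic (Eraser-style) and pairwise (Whoop-style)."""

# An entry point is modelled as a straight-line list of events (assumed encoding):
#   ("lock", L), ("unlock", L), ("read", s) or ("write", s)


def eraser_trace(trace, all_locks):
    """Dynamic lockset analysis over one interleaved execution (slides 12-13).

    trace: list of (thread, op, x) in execution order.
    Each thread keeps its own current lockset CLS_t; each shared location s has
    one candidate lockset LS_s, initialised to all locks and intersected with
    CLS_t at every access. Returns (event index, thread, s) for every access
    made while LS_s is empty, i.e. a potential race on s.
    """
    cls = {}            # thread -> current lockset
    ls = {}             # location -> candidate lockset
    warnings = []
    for i, (thread, op, x) in enumerate(trace):
        cur = cls.setdefault(thread, set())
        if op == "lock":
            cur.add(x)
        elif op == "unlock":
            cur.discard(x)
        elif op in ("read", "write"):
            ls[x] = ls.get(x, frozenset(all_locks)) & cur
            if not ls[x]:
                warnings.append((i, thread, x))
        else:
            raise ValueError(f"unknown op {op!r}")
    return warnings


def run_entry_point(events, all_locks):
    """Steps 1-4 for one entry point: execute it with the instrumented state.

    Returns (read_set, write_set, lockset) where lockset[s] is the intersection
    of the current lockset over every access to s in this entry point, starting
    from the set of all locks (step 2).
    """
    cls, reads, writes, lockset = set(), set(), set(), {}
    for op, x in events:
        if op == "lock":
            cls.add(x)
        elif op == "unlock":
            cls.discard(x)
        elif op in ("read", "write"):
            (reads if op == "read" else writes).add(x)
            lockset[x] = lockset.get(x, frozenset(all_locks)) & cls
        else:
            raise ValueError(f"unknown op {op!r}")
    return reads, writes, lockset


def check_pair(t_events, u_events, all_locks):
    """Step 5: the shared locations on which entry points T and U may race.

    A location is reported when one side writes it, the other side accesses
    it, and the two per-entry-point locksets share no lock.
    """
    t_reads, t_writes, t_ls = run_entry_point(t_events, all_locks)
    u_reads, u_writes, u_ls = run_entry_point(u_events, all_locks)
    candidates = (t_writes & (u_reads | u_writes)) | (u_writes & (t_reads | t_writes))
    return {s for s in candidates if not (t_ls[s] & u_ls[s])}


# Constructed sample: the two threads of slide 13.
LOCKS = frozenset({"M", "N"})
T1 = [("lock", "M"), ("lock", "N"), ("write", "A"), ("unlock", "N"),
      ("write", "A"), ("unlock", "M")]
T2 = [("lock", "M"), ("write", "A"), ("unlock", "M"), ("write", "A")]
# Slide 13 runs T1 to completion and then T2.
SLIDE13_TRACE = [("T1",) + e for e in T1] + [("T2",) + e for e in T2]
# A pair in which every access to A is under M, so the check stays silent.
SAFE_T = [("lock", "M"), ("read", "A"), ("write", "A"), ("unlock", "M")]
SAFE_U = [("lock", "M"), ("read", "A"), ("unlock", "M")]

if __name__ == "__main__":
    print(eraser_trace(SLIDE13_TRACE, LOCKS))   # the unprotected write at index 9
    print(check_pair(T1, T2, LOCKS))            # {'A'}
    print(check_pair(SAFE_T, SAFE_U, LOCKS))    # set()
```

    The dynamic check reports the second write of T2 (index 9), exactly the row flagged on slide 13; the pairwise check reaches the same verdict without any interleaving, because T1's lockset for A is { M } and T2's is { }, so their intersection is empty. Note that a location accessed by only one side never enters the candidate set, which is what step 5's "written by one and accessed by the other" condition amounts to.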
  • 18. Invariant generation:
    - procedure summaries (for scalability)
    - loop invariants
    - we use Houdini (built into Boogie): given a generated set of candidate invariants, it finds the inductive ones
  • 19. Verification:
    - each instrumented pair is sent to Boogie
    - Boogie generates VCs and feeds them to Z3
    - successful verification implies race-freedom
    - a counterexample denotes a potential race
  • 20. Kernel-imposed serialisation
    - the Linux kernel can serialise calls to entry points, thus forcing them to run in sequence instead of in an interleaved manner (e.g. RTNL)
    - Whoop exploits this knowledge and does not create pairs for entry points that are mutually serialised by the kernel
    - ongoing manual effort (requires domain expertise)
  • 21. Assumptions
    - Whoop is "soundy": it aims to perform a sound analysis, but suffers from some known sources of unsoundness
    - we assume that the formal parameters of an entry point do not alias, and thus cannot race
    - we rely on the soundness of our best-effort environmental model
    - we inherit potential unsoundness from the tools we use (e.g. integers in SMACK)
  • 22. Limitations of Whoop
    - can be imprecise, as it inherits the limitations of lockset analysis
    - uses over-approximation, which can lead to false alarms
    - does not check for dynamically created locks or locks from external libraries
    - we currently do not handle interrupt handlers in a special way; we just assume they execute concurrently at all times
    - we over-approximate lock-free data structures
    - we perform static analysis and thus need to close the environment
  • 23. Accelerating Corral:
    - Whoop is sound but imprecise
    - we exploit any race-freedom guarantees from phase B to speed up precise bug-finding with Corral (in this work we only consider races as bugs)
  • 24. Accelerating Corral:
    - Corral is a bounded symbolic verifier for Boogie
    - it sequentialises the driver using a context-switch bound
    - it attempts to prove bounded (in terms of number of loop iterations and recursion depth) sequential reachability of a bug in a goal-directed, lazy fashion, to postpone state-space explosion when analysing a large program
  • 25. Default sequentialisation:
    - by default, and assuming no race-freedom guarantees, Whoop instruments a yield after each shared memory access of each entry point, and after every lock and unlock operation
    - Whoop then sends this instrumented program to Corral, which explores all possible thread interleavings up to a pre-defined bound
  • 26. Sound partial-order reduction
    - the default sequentialisation can explode!
    - our solution: if, thanks to Whoop, we know that a given statement that accesses shared memory cannot be involved in a data race, then we do not instrument a yield after this statement
    - this tames the sequentialisation and can greatly speed up Corral
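    The default yield instrumentation of slide 25 and the reduction above, as an added Python model (example code, not Whoop's or Corral's): it splits each entry point into the atomic segments between yield points and counts the interleavings a context-bounded explorer has to consider, with and without the reduction. Corral's search is lazy and goal-directed and does not enumerate schedules this way, so the counts only show the shape of the saving, not Corral's running time. The toy entry points, the locations cfg and stats, and the racy set { stats } (what a pairwise lockset check reports, since stats is accessed with no lock held) are constructed for this example.

```python
"""Yield instrumentation and the effect of skipping yields on race-free accesses."""
from functools import lru_cache

# Event encoding (assumed): ("lock", L), ("unlock", L), ("read", s), ("write", s)


def instrument(events, racy, reduce):
    """Split one entry point into the atomic segments between yield points.

    Default (reduce=False): a yield follows every lock/unlock and every shared
    access (slide 25). Reduced (reduce=True): a yield follows a shared access
    only if its location is in `racy`; lock/unlock yields are kept (slide 26).
    Each segment is a run of events executed without a context switch.
    """
    segments, current = [], []
    for op, x in events:
        current.append((op, x))
        if op in ("lock", "unlock") or not reduce or x in racy:
            segments.append(current)
            current = []
    if current:
        segments.append(current)
    return segments


def count_interleavings(segs_t, segs_u, bound):
    """Interleavings of two segment lists with at most `bound` context switches.

    A context switch is a change of running thread between two consecutive
    segments; the first segment costs no switch.
    """
    n, m = len(segs_t), len(segs_u)

    @lru_cache(maxsize=None)
    def go(i, j, last, switches):
        if i == n and j == m:
            return 1
        total = 0
        if i < n:
            s = switches + (last == "U")
            if s <= bound:
                total += go(i + 1, j, "T", s)
        if j < m:
            s = switches + (last == "T")
            if s <= bound:
                total += go(i, j + 1, "U", s)
        return total

    return go(0, 0, None, 0)


def compare(t_events, u_events, racy, bound):
    """(default, reduced) interleaving counts for one entry point pair."""
    default = count_interleavings(instrument(t_events, racy, False),
                                  instrument(u_events, racy, False), bound)
    reduced = count_interleavings(instrument(t_events, racy, True),
                                  instrument(u_events, racy, True), bound)
    return default, reduced


# Constructed toy driver: cfg is only ever touched under lock M (race-free);
# stats is touched with no lock held, so a pairwise lockset check flags it.
T_IOCTL = [("lock", "M"), ("write", "cfg"), ("read", "cfg"), ("write", "cfg"),
           ("unlock", "M"), ("write", "stats")]
U_READ = [("lock", "M"), ("read", "cfg"), ("read", "cfg"), ("unlock", "M"),
          ("read", "stats")]
RACY = {"stats"}   # assumed output of the phase B pair check for this pair

if __name__ == "__main__":
    for bound in (2, 5, 9):   # the context-switch bounds used on slide 28
        print(bound, compare(T_IOCTL, U_READ, RACY, bound))
```

    With the default instrumentation the pair has 6 and 5 atomic segments; keeping yields only after lock/unlock and after the racy access to stats leaves 3 and 3, and the number of schedules under a bound of 5 drops from 241 to 20. The saving grows with the bound and with the share of accesses that phase B proves race-free, which is why the reduction matters most on the larger drivers; it is sound only because every access that lost its yield was shown to be race-free, so no interleaving that could expose a race is pruned.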
  • 27. Evaluation
    We applied Whoop on 16 drivers from the Linux 4.0 kernel:
    - block, char, ethernet, nfc, usb and watchdog (250 to 7300 LoC)
    - detected some potential races (but confirming them requires domain expertise)
    - using Whoop we significantly accelerated Corral (1.5-20x)
  • 28. (Evaluation plot) The symbols +, o and x represent a context-switch bound of 2, 5 and 9, respectively