37 research outputs found
Automatic Verification of Message-Based Device Drivers
We develop a practical solution to the problem of automatic verification of
the interface between device drivers and the OS. Our solution relies on a
combination of improved driver architecture and verification tools. It supports
drivers written in C and can be implemented in any existing OS, which sets it
apart from previous proposals for verification-friendly drivers. Our
Linux-based evaluation shows that this methodology amplifies the power of
existing verification tools in detecting driver bugs, making it possible to
verify properties beyond the reach of traditional techniques.Comment: In Proceedings SSV 2012, arXiv:1211.587
SMT-Based Refutation of Spurious Bug Reports in the Clang Static Analyzer
We describe and evaluate a bug refutation extension for the Clang Static
Analyzer (CSA) that addresses the limitations of the existing built-in
constraint solver. In particular, we complement CSA's existing heuristics that
remove spurious bug reports. We encode the path constraints produced by CSA as
Satisfiability Modulo Theories (SMT) problems, use SMT solvers to precisely
check them for satisfiability, and remove bug reports whose associated path
constraints are unsatisfiable. Our refutation extension refutes spurious bug
reports in 8 out of 12 widely used open-source applications; on average, it
refutes ca. 7% of all bug reports, and never refutes any true bug report. It
incurs only negligible performance overheads, and on average adds 1.2% to the
runtime of the full Clang/LLVM toolchain. A demonstration is available at {\tt
https://www.youtube.com/watch?v=ylW5iRYNsGA}.Comment: 4 page
Parfait - Designing a Scalable Bug Checker
We present the design of Parfait, a static layered program analysis framework for bug checking, designed for scalability and precision by improving false positive rates and scale to millions of lines of code. The Parfait framework is inherently parallelizable and makes use of demand driven analyses.
In this paper we provide an example of several layers of analyses for buffer overflow, summarize our initial implementation for C, and provide preliminary results.
Results are quantified in terms of correctly-reported, false positive and false negative rates against the NIST SAMATE synthetic benchmarks for C code
SMT-Based False Positive Elimination in Static Program Analysis
Static program analysis for bug detection in large C/C++ projects typically uses a high-level abstraction of the original program under investigation. As a result, so-called false positives are often inevitable, i.e., warnings that are not true bugs. In this work we present a novel abstraction refinement approach to automatically investigate and eliminate such false positives. Central to our approach is to view static analysis as a model checking problem, to iteratively compute infeasible sub-paths of infeasible paths using SMT solvers, and refine our models by adding observer automata to exclude such paths. Based on this new framework we present an implementation of the approach into the static analyzer Goanna and discuss a number of real-life experiments on larger C code projects, demonstrating that we were able to remove most false positives automatically
Measurements or Static Analysis or Both?
To date, measurement-based WCET analysis and
static analysis have largely been seen as being at
odds with each other. We argue that instead they
should be considered complementary, and that the
combination of both represents a promising approach
that provides benefits over either individual
approach. In this paper we discuss in some
detail how we aim to improve on our probabilistic
measurement-based technique by adding static
cache analysis. Specifically we are planning to
make use of recent advances within the functional
languages research community. The objective of
this paper is not to present finished or almost finished
work. Instead we hope to trigger discussion
and solicit feedback from the community in order
to avoid pitfalls experienced by others and to help
focus our research
Summary-Based Inter-Procedural Analysis via Modular Trace Refinement
We propose a generalisation of trace refinement for the verification of inter-procedural programs. Our method is a top-down modular, summary-based approach, and analyses inter-procedural programs by building function summaries on-demand and improving the summaries each time a function is analysed. Our method is sound, and complete relative to the existence of a modular Hoare proof for a non-recursive program. We have implemented a prototype analyser that demonstrates the main features of our approach and yields promising results
Behavioural analysis of an I2C Linux driver
We present an analysis of the behaviour of an I2C Linuxdriver, by means of model checking with the mCRL2 toolset and static analysis with UNO.We have reverse engineered the source code to obtain the structure and interactions of the driver. Based on these results, we have semi-automatically created an mCRL2 model of the behaviour of the driver, on which we have checked mutual exclusion properties. This revealed non-trivial potential errors, like unprotected usage of shared memory variables due to inconsistent locking and disabling/enabling of interrupts. We also applied UNO on the instrumented source code and were able to find the same errors. These defects were confirmed by the developers
Static analysis of device drivers: we can do better!
We argue that the device driver architecture enforced by current operating systems complicates both manual and automatic reasoning about driver behaviour. In particular, it makes it hard and in some cases impossible to statically verify that the driver correctly interacts with the rest of the kernel. This limitation cannot be addressed solely via better verification tools. We maintain that qualitative improvement in the effectiveness of static driver verification must rely on an improved driver architecture, leading to drivers that are easier to write, understand, and verify. To support our claims, we present a device driver architecture, called active drivers, that satisfies these requirements. We outline our methodology for specifying and verifying active driver protocols using existing model checking tools and describe initial experimental results. Ā© 2011 ACM
Evaluation Of An Architectural-Level Approach For Finding Security Vulnerabilities
The cost of security vulnerabilities of a software system is high. As a result,
many techniques have been developed to find the vulnerabilities at development time. Of particular interest are static analysis techniques that can consider all possible executions of a system. But, static analysis can suffer from a large number of false positives.
A recently developed approach, Scoria, is a semi-automated static analysis that requires security architects to annotate the code, typecheck the annotations, extract a hierarchical object graph and write constraints in order to find security vulnerabilities in a system.
This thesis evaluates Scoria on three systems (sizes 6 KLOC, 6 KLOC and
25 KLOC) from different application domains (Android and Web) and confirms that Scoria can find security vulnerabilities in those systems without an excessive number of false positives