1,639 research outputs found
Time Partitioning in Goblint: Extending region analysis with happens-before information
Seadmedraiverite ehk ohjurite paralleelne olemus muudab\n\rnendest vigade leidmise inimese jaoks väga keeruliseks. Staatiline analüsaator\n\rGoblint üritab automaatselt verifitseerida, et ohjuris puuduvad andmejooksud.\n\rSealjuures on suureks väljakutseks analüüsi täpsus. Käesolev töö arendab edasi\n\rGoblinti regioonianalüüsi, mis võimaldab arvesse võtta valdkonnale eriomaseid\n\rhappens-before tagatisi. Väljapakutud täienduse implementeerimise ning\n\rmuudatuste mõju analüüsimise aluseks on võetud Linuxi ohjurite alamhulk. Me\n\rnäitame, et mainitud edasiarendus suurendab Goblinti täpsust character tüüpi\n\rohjurite analüüsimisel.The concurrent nature of device drivers makes them notoriously\n\rdifficult to manually debug. Goblint, a static analysis framework tries to\n\rautomatically verify the inexistence of data races. The key challenge in doing\n\rthat is the precision of the analysis. This paper proposes an enhancement to the region analysis of Goblint to incorporate domain-specific happens-before\n\rguarantees. The proposed addition is implemented and evaluated on the Goblint benchmark suite. We show that the given enhancement increases the precision of Goblint when analysing character drivers
Klever: Verification Framework for Critical Industrial C Programs
Automatic software verification tools help to find hard-to-detect faults in
programs checked against specified requirements non-interactively. Besides,
they can prove program correctness formally under certain assumptions. These
capabilities are vital for verification of critical industrial programs like
operating system kernels and embedded software. However, such programs can
contain hundreds or thousands of KLOC that prevent obtaining valuable
verification results in any reasonable time when checking non-trivial
requirements. Also, existing tools do not provide widely adopted means for
environment modeling, specification of requirements, verification of many
versions and configurations of target programs, and expert assessment of
verification results. In this paper, we present the Klever software
verification framework, designed to reduce the effort of applying automatic
software verification tools to large and critical industrial C programs.Comment: 53 page
Domain-Type-Guided Refinement Selection Based on Sliced Path Prefixes
Abstraction is a successful technique in software verification, and
interpolation on infeasible error paths is a successful approach to
automatically detect the right level of abstraction in counterexample-guided
abstraction refinement. Because the interpolants have a significant influence
on the quality of the abstraction, and thus, the effectiveness of the
verification, an algorithm for deriving the best possible interpolants is
desirable. We present an analysis-independent technique that makes it possible
to extract several alternative sequences of interpolants from one given
infeasible error path, if there are several reasons for infeasibility in the
error path. We take as input the given infeasible error path and apply a
slicing technique to obtain a set of error paths that are more abstract than
the original error path but still infeasible, each for a different reason. The
(more abstract) constraints of the new paths can be passed to a standard
interpolation engine, in order to obtain a set of interpolant sequences, one
for each new path. The analysis can then choose from this set of interpolant
sequences and select the most appropriate, instead of being bound to the single
interpolant sequence that the interpolation engine would normally return. For
example, we can select based on domain types of variables in the interpolants,
prefer to avoid loop counters, or compare with templates for potential loop
invariants, and thus control what kind of information occurs in the abstraction
of the program. We implemented the new algorithm in the open-source
verification framework CPAchecker and show that our proof-technique-independent
approach yields a significant improvement of the effectiveness and efficiency
of the verification process.Comment: 10 pages, 5 figures, 1 table, 4 algorithm
Vulnerability detection in device drivers
Tese de doutoramento, Informática (Ciência da Computação), Universidade de Lisboa, Faculdade de Ciências, 2017The constant evolution in electronics lets new equipment/devices to be regularly made available on the market, which has led to the situation where common operating systems (OS) include many device drivers(DD) produced by very diverse manufactures. Experience has shown that the development of DD is error prone, as a majority of the OS crashes can be attributed to flaws in their implementation. This thesis addresses the challenge of designing methodologies and tools to facilitate the detection of flaws in DD, contributing to decrease the errors in this kind of software, their impact in the OS stability, and the security threats caused by them. This is especially relevant because it can help developers to improve the quality of drivers during their implementation or when they are integrated into a system. The thesis work started by assessing how DD flaws can impact the correct execution of the Windows OS. The employed approach used a statistical analysis to obtain the list of kernel functions most used by the DD, and then automatically generated synthetic drivers that introduce parameter errors when calling a kernel function, thus mimicking a faulty interaction. The experimental results showed that most targeted functions were ineffective in the defence of the incorrect parameters. A reasonable number of crashes and a small number of hangs were observed suggesting a poor error containment capability of these OS functions. Then, we produced an architecture and a tool that supported the automatic injection of network attacks in mobile equipment (e.g., phone), with the objective of finding security flaws (or vulnerabilities) in Wi-Fi drivers. These DD were selected because they are of easy access to an external adversary, which simply needs to create malicious traffic to exploit them, and therefore the flaws in their implementation could have an important impact. Experiments with the tool uncovered a previously unknown vulnerability that causes OS hangs, when a specific value was assigned to the TIM element in the Beacon frame. The experiments also revealed a potential implementation problem of the TCP-IP stack by the use of disassociation frames when the target device was associated and authenticated with a Wi-Fi access point. Next, we developed a tool capable of registering and instrumenting the interactions between a DD and the OS. The solution used a wrapper DD around the binary of the driver under test, enabling full control over the function calls and parameters involved in the OS-DD interface. This tool can support very diverse testing operations, including the log of system activity and to reverse engineer the driver behaviour. Some experiments were performed with the tool, allowing to record the insights of the behaviour of the interactions between the DD and the OS, the parameter values and return values. Results also showed the ability to identify bugs in drivers, by executing tests based on the knowledge obtained from the driver’s dynamics. Our final contribution is a methodology and framework for the discovery of errors and vulnerabilities in Windows DD by resorting to the execution of the drivers in a fully emulated environment. This approach is capable of testing the drivers without requiring access to the associated hardware or the DD source code, and has a granular control over each machine instruction. Experiments performed with Off the Shelf DD confirmed a high dependency of the correctness of the parameters passed by the OS, identified the precise location and the motive of memory leaks, the existence of dormant and vulnerable code.A constante evolução da eletrónica tem como consequência a disponibilização regular no mercado de novos equipamentos/dispositivos, levando a uma situação em que os sistemas operativos (SO) mais comuns incluem uma grande quantidade de gestores de dispositivos (GD) produzidos por diversos fabricantes. A experiência tem mostrado que o desenvolvimento dos GD é sujeito a erros uma vez que a causa da maioria das paragens do SO pode ser atribuída a falhas na sua implementação. Esta tese centra-se no desafio da criação de metodologias e ferramentas que facilitam a deteção de falhas nos GD, contribuindo para uma diminuição nos erros neste tipo de software, o seu impacto na estabilidade do SO, e as ameaças de segurança por eles causadas. Isto é especialmente relevante porque pode ajudar a melhorar a qualidade dos GD tanto na sua implementação como quando estes são integrados em sistemas. Este trabalho inicia-se com uma avaliação de como as falhas nos GD podem levar a um funcionamento incorreto do SO Windows. A metodologia empregue usa uma análise estatística para obter a lista das funções do SO que são mais utilizadas pelos GD, e posteriormente constrói GD sintéticos que introduzem erros nos parâmetros passados durante a chamada às funções do SO, e desta forma, imita a integração duma falta. Os resultados das experiências mostraram que a maioria das funções testadas não se protege eficazmente dos parâmetros incorretos. Observou-se a ocorrência de um número razoável de paragens e um pequeno número de bloqueios, o que sugere uma pobre capacidade das funções do SO na contenção de erros. Posteriormente, produzimos uma arquitetura e uma ferramenta que suporta a injeção automática de ataques em equipamentos móveis (e.g., telemóveis), com o objetivo de encontrar falhas de segurança (ou vulnerabilidades) em GD de placas de rede Wi-Fi. Estes GD foram selecionados porque são de fácil acesso a um atacante remoto, o qual apenas necessita de criar tráfego malicioso para explorar falhas na sua implementação podendo ter um impacto importante. As experiências realizadas com a ferramenta revelaram uma vulnerabilidade anteriormente desconhecida que provoca um bloqueio no SO quando é atribuído um valor específico ao campo TIM da mensagem de Beacon. As experiências também revelaram um potencial problema na implementação do protocolo TCP-IP no uso das mensagens de desassociação quando o dispositivo alvo estava associado e autenticado com o ponto de acesso Wi-Fi. A seguir, desenvolvemos uma ferramenta com a capacidade de registar e instrumentar as interações entre os GD e o SO. A solução usa um GD que envolve o código binário do GD em teste, permitindo um controlo total sobre as chamadas a funções e aos parâmetros envolvidos na interface SO-GD. Esta ferramenta suporta diversas operações de teste, incluindo o registo da atividade do sistema e compreensão do comportamento do GD. Foram realizadas algumas experiências com esta ferramenta, permitindo o registo das interações entre o GD e o SO, os valores dos parâmetros e os valores de retorno das funções. Os resultados mostraram a capacidade de identificação de erros nos GD, através da execução de testes baseados no conhecimento da dinâmica do GD. A nossa contribuição final é uma metodologia e uma ferramenta para a descoberta de erros e vulnerabilidades em GD Windows recorrendo à execução do GD num ambiente totalmente emulado. Esta abordagem permite testar GD sem a necessidade do respetivo hardware ou o código fonte, e possuí controlo granular sobre a execução de cada instrução máquina. As experiências realizadas com GD disponíveis comercialmente confirmaram a grande dependência que os GD têm nos parâmetros das funções do SO, e identificaram o motivo e a localização precisa de fugas de memória, a existência de código não usado e vulnerável
Efficient Formal Verification for the Linux Kernel
Formal verification of the Linux kernel has been receiving increasing attention in recent years, with the development of many models, from memory subsystems to the synchronization primitives of the real-time kernel. The effort in developing formal verification methods is justified considering the large code-base, the complexity in synchronization required in a monolithic kernel and the support for multiple architectures, along with the usage of Linux on critical systems, from high-frequency trading to self-driven cars. Despite recent developments in the area, none of the proposed approaches are suitable and flexible enough to be applied in an efficient way to a running kernel. Aiming to fill such a gap, this paper proposes a formal verification approach for the Linux kernel, based on automata models. It presents a method to auto-generate verification code from an automaton, which can be integrated into a module and dynamically added into the kernel for efficient on-the-fly verification of the system, using in-kernel tracing features. Finally, a set of experiments demonstrate verification of three models, along with performance analysis of the impact of the verification, in terms of latency and throughput of the system, showing the efficiency of the approach
Identifying Native Applications with High Assurance
The work described in this paper investigates the problem
of identifying and deterring stealthy malicious processes on
a host. We point out the lack of strong application iden-
tication in main stream operating systems. We solve the
application identication problem by proposing a novel iden-
tication model in which user-level applications are required
to present identication proofs at run time to be authenti-
cated by the kernel using an embedded secret key. The se-
cret key of an application is registered with a trusted kernel
using a key registrar and is used to uniquely authenticate
and authorize the application. We present a protocol for
secure authentication of applications. Additionally, we de-
velop a system call monitoring architecture that uses our
model to verify the identity of applications when making
critical system calls. Our system call monitoring can be
integrated with existing policy specication frameworks to
enforce application-level access rights. We implement and
evaluate a prototype of our monitoring architecture in Linux
as device drivers with nearly no modication of the ker-
nel. The results from our extensive performance evaluation
shows that our prototype incurs low overhead, indicating the
feasibility of our model
Evidence-enabled verification for the Linux kernel
Formal verification of large software has been an elusive target, riddled with problems of low accuracy and high computational complexity. With growing dependence on software in embedded and cyber-physical systems where vulnerabilities and malware can lead to disasters, an efficient and accurate verification has become a crucial need. The verification should be rigorous, computationally efficient, and automated enough to keep the human effort within reasonable limits, but it does not have to be completely automated. The automation should actually enable and simplify human cross-checking which is especially important when the stakes are high. Unfortunately, formal verification methods work mostly as automated black boxes with very little support for cross-checking.
This thesis is about a different way to approach the software verification problem. It is about creating a powerful fusion of automation and human intelligence by incorporating algorithmic innovations to address the major challenges to advance the state of the art for accurate and scalable software verification where complete automation has remained intractable. The key is a mathematically rigorous notion of verification-critical evidence that the machine abstracts from software to empower human to reason with. The algorithmic innovation is to discover the patterns the developers have applied to manage complexity and leverage them. A pattern-based verification is crucial because the problem is intractable otherwise. We call the overall approach Evidence-Enabled Verification (EEV).
This thesis presents the EEV with two challenging applications: (1) EEV for Lock/Unlock Pairing to verify the correct pairing of mutex lock and spin lock with their corresponding unlocks on all feasible execution paths, and (2) EEV for Allocation/Deallocation Pairing to verify the correct pairing of memory allocation with its corresponding deallocations on all feasible execution paths. We applied the EEV approach to verify recent versions of the Linux kernel. The results include a comparison with the state-of-the-art Linux Driver Verification (LDV) tool, effectiveness of the proposed visual models as verification-critical evidence, representative examples of verification, the discovered bugs, and limitations of the proposed approach
DBT-5: An Open-Source TPC-E Implementation for Global Performance Measurement of Computer Systems
TPC-E is the new benchmark approved by the TPC council. It is designed to exercise a brokerage firm workload, which is representative of current On-Line Transaction Processing workloads. In this paper we present DBT-5, a fair usage open-source implementation of the TPC-E benchmark. In addition to reporting about the design and implementation of the tool, experimental results from a system running database engine are also described. The significance of this work is that it provides an environment where recent innovations in the OLTP workload field can be evaluated
A Formally Verified NAT Stack
Prior work proved a stateful NAT network function to be semantically correct, crash-free, and memory safe. Their toolchain verifies the network function code while assuming the underlying kernel-bypass framework, drivers, operating system, and hardware to be correct. We extend the toolchain to verify the kernel-bypass framework and a NIC driver in the context of the NAT. We uncover bugs in both the framework and the driver. Our code is publicly available
- …