cross checking semantic correctness the case of finding
play

Cross-checking Semantic Correctness: The Case of Finding File System - PowerPoint PPT Presentation

Nov 08, 2022 •392 likes •1.25k views

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

  1. Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science

  2. Two promising approaches to make bug-free software ● Formal proof require “proof” → – Guarantee high-level invariants (e.g., functional correctness) ● Model checking require “model” → – Check if code fjts with domain model (e.g., locking rules) 2

  3. Two promising approaches to make bug-free software ● Formal proof require “proof” → – Guarantee high-level invariants (e.g., functional correctness) ● Model checking require “model” → – Check if code fjts with domain model (e.g., locking rules) In practice, many software are (already) built without such theories 3

  4. There exist many similar implementations of a program ● File systems: >50 implementations in Linux ● JavaScript: ECMAScript, V8, SpiderMonkey, etc ● POSIX C Library: Gnu Libc, FreeBSD, eLibc, etc Without proof or model, can we leverage these existing implementations? 4

  5. There exist many similar implementations of a program ● File systems: >50 implementations in Linux ● JavaScript: ECMAScript, V8, SpiderMonkey, etc ● POSIX C Library: Gnu Libc, FreeBSD, eLibc, etc Without proof or model, can we leverage these existing implementations? 5

  6. File system bugs are critical 2013-01-07 6

  7. File system bugs are critical 2013-01-07 2014-10-17 7

  8. File system bugs are critical 2013-01-07 2014-10-17 2015-03-19 8

  9. A majority of bugs in fjle systems are hard to detect Memory bugs: Semantic bugs: NULL dereference Use-after-free Incorrect condition check ... 12.6% Incorrect statue update Incorrect argument Incorrect error code ... 87.4% 9

  10. A majority of bugs in fjle systems are hard to detect Memory bugs: Semantic bugs: NULL dereference Use-after-free Incorrect condition check ... 12.6% Incorrect statue update Incorrect argument Incorrect error code ... 87.4% 10

  11. Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... @@ static size_t ocfs2_xattr_trusted_list + if (!capable(CAP_SYS_ADMIN)) + return 0; 11

  12. Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... @@ static size_t ocfs2_xattr_trusted_list + if (!capable(CAP_SYS_ADMIN)) + return 0; Can we fjnd this bug by leveraging other implementations? 12

  13. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; ● XFS static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) return 0; ... 13

  14. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; Deviant implementation ● XFS → potential bugs? static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) return 0; ... 14

  15. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; Deviant implementation ● XFS → potential bugs? static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) A new bug we found return 0; It has been hidden for 6 years ... 15

  16. Case study: Write a page ● Each fjle system defjnes how to write a page ● Semantic of writepage() – Success return locked page → – Failure return unlocked page → ● Document/fjlesystems/vfs.txt specifjes such rule – Hard to detect without domain knowledge What if 99% fjle systems follow above pattern, but not one fjle system? bug? 16

  17. Our approach can reveal such bugs without domain specifjc knowledge ● 52 fjle systems follow the locking rules ● But 2 fjle systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------- index fd5599d..e723482 100644 @@ static int ceph_write_begin + if (r < 0) + page_cache_release(page); + else + *pagep = page; 17

  18. Our approach can reveal such bugs without domain specifjc knowledge ● 52 fjle systems follow the locking rules ● But 2 fjle systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------- index fd5599d..e723482 100644 @@ static int ceph_write_begin + if (r < 0) + page_cache_release(page); + else + *pagep = page; We found 3 bugs in 2 fjle systems Hidden for over 5 years 18

  19. Our approach in fjnding bugs Intuition: Bugs are rare Majority of implementations is correct Idea: Find deviant ones as potential bugs 19

  20. Our approach is promising in fjnding semantic bugs (Example: fjle systems) ● New semantics bugs – 118 new bugs in 54 fjle systems ● Critical bugs – System crash, data corruption, deadlock, etc ● Bugs diffjcult to fjnd – Bugs were hidden for 6.2 years on average ● Various kinds of bugs – Condition check, argument use, return value, locking, etc 20

  21. Technical challenges ● All software are difgerent one way or another – e.g., disk layout in fjle system ● How to compare difgerent implementation? – Q1: Where to start? – Q2: What to compare? – Q3: How to compare? 21

  22. Juxta : the case of fjle system ● All fjle systems should follow VFS API in Linux – e.g., vfs_rename() in each fjle system ● How to compare difgerent fjle systems? – Q1: Where to start? VFS entries in fjle system → – Q2: What to compare? symbolic environment → – Q3: How to compare? statistical comparison → 22

  23. Juxta overview Juxta Statistical Per-Filesystem Path Comparison Path Database File System Symbolic Execution Source Code 23

  24. Juxta overview 7 Checkers Path Condition Argument ... Checker Checker Juxta Statistical Per-Filesystem Path Comparison Path Database File System Symbolic Execution Source Code 24

  25. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 25

  26. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 26

  27. Identifying semantically similar entry points ● Linux Virtual File System (VFS) – Use common data structures and behavior (e.g., inode and page cache) – Defjne fjlesystem-specifjc interfaces (e.g., open, rename) 27

  28. Example: inode_operations rename() → struct inode_operations { int (*rename) (struct inode *, ...); int (*create) (struct inode *,...); int (*unlink) (struct inode *,..); int (*mkdir) (struct inode *,...); }; Compare *_rename() to fjnd deviant rename() implementations. 28

  29. Example: inode_operations rename() → struct inode_operations { int (*rename) (struct inode *, ...); btrfs _rename(...); int (*create) (struct inode *,...); ext4 _rename(...); int (*unlink) (struct inode *,..); xfs _vn_rename(…); int (*mkdir) (struct inode *,...); ... }; Compare *_rename() to fjnd deviant rename() implementations. 29

  30. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 30

  31. Building per-path symbolic environment ● Context/fmow-sensitive symbolic execution – C language level – Build symbolic environment per path (e.g., path cond, return values, side-efgect, function calls) ● Key idea: return-oriented comparison – Error codes represent per-path semantics (e.g., comparing all paths returning EACCES in rename() implementations) 31

  32. Example: Per-path symbolic environment Execution Path Information int foo_rename (int fmag) { if (fmag == RO) return -EACCES; inode fmag = fmag; → kmalloc(…, GFP_NOFS) return SUCCESS; } 32

  33. Example: Per-path symbolic environment Execution Path Information int foo_rename (int fmag) { if (fmag == RO) return -EACCES; inode fmag = fmag; → kmalloc(…, GFP_NOFS) return SUCCESS; } 33

Recommend

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the syntactic correctness of a program Tasks of semantic processing Checking context conditions - Declaration rules - Type checking Symbol

402 views • 13 slides
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si,

APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si,

APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in todays software are plentiful yet complex Example: OpenSSL

923 views • 89 slides
Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Introduction Goal: Use programmers design decisions with automatic checking todetect potential

Introduction Goal: Use programmers design decisions with automatic checking todetect potential

0.5 setgray0 0.5 setgray1 Introduction Goal: Use programmers design decisions with automatic checking todetect potential errors. Extended Static Checking (ESC) tries to prove correctness at compile-time helps finding run-time exceptions

302 views • 11 slides
Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of compilation Key data structure during semantic analysis, code generation afterwards comes synthesis half of compilation Stores info about names

215 views • 5 slides
Static program checking and verification Correctness class ArraySet implements Set { class

Static program checking and verification Correctness class ArraySet implements Set { class

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Mller Static program checking and verification Correctness class ArraySet

445 views • 18 slides
Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden

Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden

Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden Book, Dr. Scherger, Aho Semantic Analysis What can with do with semantic information for identifier x What kind of value is stored in x ?

649 views • 49 slides
Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

SemEval 2014 Task-3 Cross-Level Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly focused on similar types of lexical items Semantic Similarity What if we have different types of inputs? CLSS:

971 views • 47 slides
Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze (protze@itc.rwth-aachen.de) Motivation OpenMP 3 introduced tasks (2008) Several data race detection tools for OpenMP tasks popped up just last year How can

384 views • 16 slides
Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University

Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University

Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University Questions What kind of semantic knowledge does the NLP community need? How to represent semantic knowledge? How to expand on our

716 views • 13 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November,

Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November,

Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November, 26th 2013 Conference on Semantic Web in Libraries SWIB 2013, Hamburg, Germany Motivation Semantic Annotation of Textual Information: Having

754 views • 57 slides
Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by

Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by

Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by Sha Li Semantic Parsing Mapping natural language utterances to logical forms that machines can act upon. Example: Database query Intents and

531 views • 21 slides
Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light

Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light

CS6202: Advanced Topics in Rise of Lightweight Formal Methods Rise of Lightweight Formal Methods Programming Languages and Systems Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light specification and

615 views • 24 slides
Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad,

Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad,

Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad, Iryna Gurevych, Graeme Hirst, and Torsten Zesch University of Toronto &amp; Darmstadt University of Technology Semantic distance SALSA DANCE

609 views • 47 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT &amp; Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views • 24 slides
Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi

Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi

Static Analysis versus Software Model Checking for bug finding Dawson Englers, Madanlal Musuvathi Stanford University, CA, USA Presented By: Prateek Agarwal ETH, Zrich Agenda Goal Aim Scope Methodologies used Meta

418 views • 29 slides
Semantic Publications of Charter Corpora (The Case of a Diplomatic Edition of the Complex of Old

Semantic Publications of Charter Corpora (The Case of a Diplomatic Edition of the Complex of Old

Semantic Publications of Charter Corpora (The Case of a Diplomatic Edition of the Complex of Old Russian Charters Moscowitica Ruthenica) Aleksandrs Ivanovs, Aleksey Varfolomeyev Naples, September 30, 2011 Semantic publication:

440 views • 25 slides
Cross-species comparison of GO annotations : advantages and limitations of semantic similarity

Cross-species comparison of GO annotations : advantages and limitations of semantic similarity

Cross-species comparison of GO annotations : advantages and limitations of semantic similarity measures O. Dameron, C. Bettembourg, L. Joret U936 Conceptual modeling of biomedical knowledge Universit de Rennes 1, France

467 views • 44 slides
The Case for Run- -Time Error Checking Time Error Checking The Case for Run Todd Austin

The Case for Run- -Time Error Checking Time Error Checking The Case for Run Todd Austin

Correction The Case for Run- -Time Error Checking Time Error Checking The Case for Run Todd Austin Advanced Computer Architecture Lab University of Michigan Advanced Computer Architecture Lab The Case for Run-Time Correction University of

201 views • 5 slides
Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
What problem did the paper address? Big Picture Problem Proving correctness of communication

What problem did the paper address? Big Picture Problem Proving correctness of communication

Review of Model Checking Large Network Protocol Implementations Madanlal Musuvathi Dawson Engler By Vamsi Kambhampati 7 th March 2006 What problem did the paper address? Big Picture Problem Proving correctness of communication protocols

341 views • 5 slides
Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type

Functional Correctness Specification Formal Verification 15-214 Unit Testing Type Checking Statistic Analysis Requirements definition Inspections, Reviews 15-313 Integration/System/Acceptance/Regression/GUI/Bl

608 views • 45 slides
New innovative cross border developments for SMEs The case study Mechatronics Cross Border

New innovative cross border developments for SMEs The case study Mechatronics Cross Border

New innovative cross border developments for SMEs The case study Mechatronics Cross Border Co-operation Best Practice and Future Opportunities from across the European Union, Co. Meath, Ireland, 13 June 2013 Jan Oostenbrink, Deputy

406 views • 11 slides

More recommend