Formal sound verification of Linux’s USB BP keyboard driver
Willem Penninckx, Jan Tobias Mühlberg, Jan Smans, Bart Jacobs, Frank Piessens
Table Of Contents ● What did we do? ● How did we do it? ● What did we learn?
What did we do?

Formal sound verification:
● Sound, not just bug hunting: if the tool gives a “green bar”, the verified property always holds

Check properties:
● Never crashes
● No race condition
● API rules

Linux’s USB BP keyboard driver:
● Real-world software, not a toy
● Unbounded number of threads
● Unbounded number of keyboards
Table Of Contents ● What did we do? ● How did we do it? ● What did we learn?
How did we do it?

usbkbd.c (the driver, annotated with pre/postconditions and ghost code):

    /*@
     * PreCond
     * PostCond
     @*/
    void fun1() {
        c_code;
        //@ ghostcode
        c_code;
        c_code;
    }

input.h (kernel API header, annotated with formal API specs):

    /*@
     * preCond
     * postCond
     @*/
    void input_register();

usb.h (kernel API header, annotated with formal API specs):

    /*@
     * preCond
     * postCond
     @*/
    void usb_kill_urb();

usb_core.c (kernel implementation of the API):

    void usb_kill_urb() {
        c_code;
        c_code;
        c_code;
    }

Legend: /*@ ... @*/ marks ghost code; the preCond/postCond blocks in the headers are the formal API specs.

Tool: VeriFast
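The scheme on these slides, as an added example rather than code from the paper or from Linux's usbkbd.c: an API header side with contracts in VeriFast notation (requires/ensures plus ownership predicates) and a driver side with ghost statements. Every name (struct kbd_dev, kbd_register, kbd_open, kbd_close, kbd_unregister, the predicates, the driver_* functions) is hypothetical, and the API bodies are a toy model so the file also compiles and runs under a plain C compiler, which treats the annotations as comments.

```c
#include <stdlib.h>

/* Added example (hypothetical API and driver, not Linux code). Contracts
 * use VeriFast notation; the C compiler sees only comments. */
struct kbd_dev {
    int registered;   /* 1 once kbd_register() succeeded */
    int open_count;   /* users currently holding the device open */
};

/*@
predicate kbd_unregistered(struct kbd_dev *d) =
    d->registered |-> 0 &*& d->open_count |-> 0;

predicate kbd_registered(struct kbd_dev *d, int n) =
    d->registered |-> 1 &*& d->open_count |-> n &*& 0 <= n;
@*/

/* ---- API side, in the style of an annotated input.h / usb.h ---- */

/* API rule: only an unregistered device may be registered. */
void kbd_register(struct kbd_dev *d)
//@ requires kbd_unregistered(d);
//@ ensures kbd_registered(d, 0);
{
    //@ open kbd_unregistered(d);
    d->registered = 1;
    //@ close kbd_registered(d, 0);
}

/* API rule: opening needs a registered device; it gains one user. */
void kbd_open(struct kbd_dev *d)
//@ requires kbd_registered(d, ?n);
//@ ensures kbd_registered(d, n + 1);
{
    //@ open kbd_registered(d, n);
    d->open_count++;
    //@ close kbd_registered(d, n + 1);
}

/* API rule: closing needs at least one user. */
void kbd_close(struct kbd_dev *d)
//@ requires kbd_registered(d, ?n) &*& 0 < n;
//@ ensures kbd_registered(d, n - 1);
{
    //@ open kbd_registered(d, n);
    d->open_count--;
    //@ close kbd_registered(d, n - 1);
}

/* API rule: unregistering needs a device nobody holds open. A call site
 * that cannot prove kbd_registered(d, 0) fails verification; the runtime
 * guard is only this model's fallback for unverified callers. */
int kbd_unregister(struct kbd_dev *d)
//@ requires kbd_registered(d, 0);
//@ ensures kbd_unregistered(d) &*& result == 0;
{
    //@ open kbd_registered(d, 0);
    if (d->open_count != 0)
        return -1;    /* unreachable for verified callers */
    d->registered = 0;
    //@ close kbd_unregistered(d);
    return 0;
}

/* ---- Driver side, in the style of the annotated usbkbd.c ---- */

/* Correct lifecycle: probe, one user opens and closes, then disconnect. */
int driver_lifecycle_ok(void)
//@ requires true;
//@ ensures result == 0;
{
    struct kbd_dev *dev = malloc(sizeof(struct kbd_dev));
    if (dev == 0) abort();
    dev->registered = 0;
    dev->open_count = 0;
    //@ close kbd_unregistered(dev);
    kbd_register(dev);
    kbd_open(dev);
    kbd_close(dev);
    int rc = kbd_unregister(dev);
    //@ open kbd_unregistered(dev);
    free(dev);
    return rc;
}

/* Faulty lifecycle of the unloading kind: disconnect while a user still
 * holds the device open. VeriFast rejects the first kbd_unregister call
 * (the caller holds kbd_registered(dev, 1), not kbd_registered(dev, 0));
 * the runtime model reports it as -1. Left without a contract on purpose. */
int driver_lifecycle_unload_while_open(void)
{
    struct kbd_dev *dev = malloc(sizeof(struct kbd_dev));
    if (dev == 0) abort();
    dev->registered = 0;
    dev->open_count = 0;
    kbd_register(dev);
    kbd_open(dev);
    int rc = kbd_unregister(dev);   /* violates the API rule */
    kbd_close(dev);
    kbd_unregister(dev);
    free(dev);
    return rc;
}
```

The point the slides make is visible in the two driver functions: the API rule lives once, in the header contract, and each call site in the driver either proves it (ghost `open`/`close` steps supply the predicates) or is rejected for every thread and every device, with no test input needed.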
Table Of Contents ● What did we do? ● How did we do it? ● What did we learn?
Learned / Conclusions

Possible to combine:
● Soundness
● Unbounded #threads
● Real driver
● API usage rules

File          Lines C   Lines annot   Tool speed
usbkbd.c      329       822           ~1 second
API headers   /         769

Bugs found:
● Unloading bug
● Synchronization bug
Patches are in Linux 3.3

http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/