SlideShare a Scribd company logo

Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)

Peter Breuer
Peter Breuer

Slides for presentation on "Abstract Interpretation meets model checking near the 1000000 LOC mark" at 5th International Workshop on Automated Verification of Infinite-State Systems (AVIS'06), Apr 1, 2006. A preprint of the full paper is available at http://www.academia.edu/2494187/Abstract_Interpretation_meets_Model_Checking_near_the_10_6_LOC_mark .

Technology
1 of 23
Download to read offline
Abstract Interpretation meets model checking near the 1000000 LOC mark - Finding errors in the Linux Kernel Source Peter T. Breuer & Simon Pickin Universidad Carlos III de Madrid
Goal • Apply Formal Methods to the Linux kernel • Methods must be ➢ post-hoc ➢ capable of application by non-experts ➢ able to handle 6.5 millions of lines of rapidly changing C code
Analysis Example -Sleep under Spinlock Hunt (SluSH)
Output from SluSH run
What is sleep under spinlock? • Sleep = thread scheduled out of CPU • Spinlock = busy wait for lock release • Two CPUs + two threads waiting on spinlocks = one dead machine
Example of bad code • snd_sb_csp_load() in sb16_csp.c
Another piece of guilty code • Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
Cox owns up
Output summarises liklihoods
Other classes of problems detected • Access (read/write) to kfreed memory • Overflow 4096B of stack • Spinlock under spinlock • Call to function that expects non-NULL parameters with possibly NULL argument • ... – Logic is configured, so new tests can be invented
Example of kfree/access • drivers/scsi/aix7xxx_old.c in kernel 2.6.3
Basic technique
The abstract view
Components of analysis system • Description of statements as logic transformers – p .... p[n-1/n] • Trigger/action system for raising alarms! • Combining logic NRB • Guiding abstract interpretation s to state x x ∈s ∩ p stops dead code evaluation, etc.
Statement Logic - NRB • Single code statement – maintains condition P normally – empty statement cannot return (F) – empty statement cannot break (F)
Sequence logic -NRB • normal exit: traverse A then B • return exit: return from A OR traverse A then return from B • break exit: break from A OR traverse A then break from B
Loop logic -NRB • break from body is only normal exit from while(1) • relax p until it is invariant
Conditional logic -NRB
Programmable trigger/action engine • Three rules handle propagation of call graph and other housekeeping. – a sleep call while the objective function is positive causes output:
Using the analyser • Call with the same arguments as given to the gcc compiler
Limitations • Predicates are restricted to unions of n-cubes • State is not followed well enough: – x = 1; if (x) A else B; ● treated correctly - only A is evaluated – if (x) A else B; if (x) C else D; ● over-abstracted - A;C | A;D | B;C | B;D – possible solution is to push state into the predicates ((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D) ● but we can't follow calculation well - quickly get to 
Implication of predicates is decidable • Basic evaluation is C  U Ci of cubes – i.e. U Ci covers C
Summary • A step towards analyses of 100MLoC. – No expertise needed – Fast – Copes with massive amounts of code – Soundly based • Negatives – Not good tracking program state; model checking? – Not yet easy to extend to new problem classes

Recommended

Exploring Petri Net State Spaces
Exploring Petri Net State SpacesExploring Petri Net State Spaces
Exploring Petri Net State Spaces
Universität Rostock
 
A petri-net
A petri-netA petri-net
A petri-net
Omar Al-Sabek
 
Exploiting parallelism opportunities in non-parallel architectures to improve...
Exploiting parallelism opportunities in non-parallel architectures to improve...Exploiting parallelism opportunities in non-parallel architectures to improve...
Exploiting parallelism opportunities in non-parallel architectures to improve...
GreenLSI Team, LSI, UPM
 
Computer network (6)
Computer network (6)Computer network (6)
Computer network (6)
NYversity
 
Petri Nets: Properties, Analysis and Applications
Petri Nets: Properties, Analysis and ApplicationsPetri Nets: Properties, Analysis and Applications
Petri Nets: Properties, Analysis and Applications
Dr. Mohamed Torky
 
ClockSystem: Embedding Time in Smalltalk
ClockSystem: Embedding Time in SmalltalkClockSystem: Embedding Time in Smalltalk
ClockSystem: Embedding Time in Smalltalk
ESUG
 
Object Detection with Tensorflow
Object Detection with TensorflowObject Detection with Tensorflow
Object Detection with Tensorflow
ElifTech
 
GCC LTO
GCC LTOGCC LTO
GCC LTO
Wang Hsiangkai
 

Recommended

Exploring Petri Net State Spaces
Exploring Petri Net State SpacesExploring Petri Net State Spaces
Exploring Petri Net State Spaces
Universität Rostock
 
A petri-net
A petri-netA petri-net
A petri-net
Omar Al-Sabek
 
Exploiting parallelism opportunities in non-parallel architectures to improve...
Exploiting parallelism opportunities in non-parallel architectures to improve...Exploiting parallelism opportunities in non-parallel architectures to improve...
Exploiting parallelism opportunities in non-parallel architectures to improve...
GreenLSI Team, LSI, UPM
 
Computer network (6)
Computer network (6)Computer network (6)
Computer network (6)
NYversity
 
Petri Nets: Properties, Analysis and Applications
Petri Nets: Properties, Analysis and ApplicationsPetri Nets: Properties, Analysis and Applications
Petri Nets: Properties, Analysis and Applications
Dr. Mohamed Torky
 
ClockSystem: Embedding Time in Smalltalk
ClockSystem: Embedding Time in SmalltalkClockSystem: Embedding Time in Smalltalk
ClockSystem: Embedding Time in Smalltalk
ESUG
 
Object Detection with Tensorflow
Object Detection with TensorflowObject Detection with Tensorflow
Object Detection with Tensorflow
ElifTech
 
GCC LTO
GCC LTOGCC LTO
GCC LTO
Wang Hsiangkai
 
Automata
AutomataAutomata
Automata
Jena Catherine Bel D
 
Assembly lab up to 6 up (1)
Assembly lab up to 6 up (1)Assembly lab up to 6 up (1)
Assembly lab up to 6 up (1)
ilias ahmed
 
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
Hsien-Hsin Sean Lee, Ph.D.
 
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Guido Chari
 
The Search for Gravitational Waves
The Search for Gravitational WavesThe Search for Gravitational Waves
The Search for Gravitational Waves
inside-BigData.com
 
IIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into RIIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into R
Kevin Smith
 
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
Mumbai B.Sc.IT Study
 
2_4 Finite Automata.ppt
2_4 Finite Automata.ppt2_4 Finite Automata.ppt
2_4 Finite Automata.ppt
Ratnakar Mikkili
 
Mit cilk
Mit cilkMit cilk
Mit cilk
Raymond Kung
 
Functional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold MeisingerFunctional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold Meisinger
GeroldMeisinger
 
CILK/CILK++ and Reducers
CILK/CILK++ and ReducersCILK/CILK++ and Reducers
CILK/CILK++ and Reducers
Yunming Zhang
 
LTO plugin
LTO pluginLTO plugin
LTO plugin
Wang Hsiangkai
 
Q4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-VectorizerQ4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-Vectorizer
Linaro
 
Programmable Piplelines
Programmable PiplelinesProgrammable Piplelines
Programmable Piplelines
Syed Zaid Irshad
 
Flip flops & registers
Flip flops & registersFlip flops & registers
Flip flops & registers
Shah Ishtiyaq Mehfooze
 
Model-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical ConstraintsModel-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical Constraints
Quoc-Sang Phan
 
Topology hiding Multipath Routing Protocol in MANET
Topology hiding Multipath Routing Protocol in MANETTopology hiding Multipath Routing Protocol in MANET
Topology hiding Multipath Routing Protocol in MANET
Akshay Phalke
 
Hidden Truths in Dead Software Paths
Hidden Truths in Dead Software PathsHidden Truths in Dead Software Paths
Hidden Truths in Dead Software Paths
Ben Hermann
 
Automata
AutomataAutomata
Automata
RabiRehman1
 
SLE2015: Distributed ATL
SLE2015: Distributed ATLSLE2015: Distributed ATL
SLE2015: Distributed ATL
Amine Benelallam
 
A Question Of Interpretation: the role of archivists in an online age
A Question Of Interpretation: the role of archivists in an online ageA Question Of Interpretation: the role of archivists in an online age
A Question Of Interpretation: the role of archivists in an online age
Amanda Hill
 
Supply Chain Project MCD
Supply Chain Project MCDSupply Chain Project MCD
Supply Chain Project MCD
mcdeacon
 

More Related Content

What's hot

Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Guido Chari
 
IIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into RIIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into R
Kevin Smith
 
Functional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold MeisingerFunctional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold Meisinger
GeroldMeisinger
 
Hidden Truths in Dead Software Paths
Hidden Truths in Dead Software PathsHidden Truths in Dead Software Paths
Hidden Truths in Dead Software Paths
Ben Hermann
 

What's hot (20)

Automata
AutomataAutomata
Automata
 
Assembly lab up to 6 up (1)
Assembly lab up to 6 up (1)Assembly lab up to 6 up (1)
Assembly lab up to 6 up (1)
 
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
Lec14 Intro to Computer Engineering by Hsien-Hsin Sean Lee Georgia Tech -- Se...
 
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual Machines
 
The Search for Gravitational Waves
The Search for Gravitational WavesThe Search for Gravitational Waves
The Search for Gravitational Waves
 
IIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into RIIUG 2016 Gathering Informix data into R
IIUG 2016 Gathering Informix data into R
 
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
[Question Paper] Microprocessor and Microcontrollers (Revised Course) [Septem...
 
2_4 Finite Automata.ppt
2_4 Finite Automata.ppt2_4 Finite Automata.ppt
2_4 Finite Automata.ppt
 
Mit cilk
Mit cilkMit cilk
Mit cilk
 
Functional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold MeisingerFunctional Reactive Programming by Gerold Meisinger
Functional Reactive Programming by Gerold Meisinger
 
CILK/CILK++ and Reducers
CILK/CILK++ and ReducersCILK/CILK++ and Reducers
CILK/CILK++ and Reducers
 
LTO plugin
LTO pluginLTO plugin
LTO plugin
 
Q4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-VectorizerQ4.11: Using GCC Auto-Vectorizer
Q4.11: Using GCC Auto-Vectorizer
 
Programmable Piplelines
Programmable PiplelinesProgrammable Piplelines
Programmable Piplelines
 
Flip flops & registers
Flip flops & registersFlip flops & registers
Flip flops & registers
 
Model-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical ConstraintsModel-counting Approaches For Nonlinear Numerical Constraints
Model-counting Approaches For Nonlinear Numerical Constraints
 
Topology hiding Multipath Routing Protocol in MANET
Topology hiding Multipath Routing Protocol in MANETTopology hiding Multipath Routing Protocol in MANET
Topology hiding Multipath Routing Protocol in MANET
 
Hidden Truths in Dead Software Paths
Hidden Truths in Dead Software PathsHidden Truths in Dead Software Paths
Hidden Truths in Dead Software Paths
 
Automata
AutomataAutomata
Automata
 
SLE2015: Distributed ATL
SLE2015: Distributed ATLSLE2015: Distributed ATL
SLE2015: Distributed ATL
 

Viewers also liked

Introduction to Statutory Interpretation
Introduction to Statutory InterpretationIntroduction to Statutory Interpretation
Introduction to Statutory Interpretation
thorogl01
 
A Project on Supply Chain Management_1
A Project on Supply Chain Management_1A Project on Supply Chain Management_1
A Project on Supply Chain Management_1
Ashok Kond
 
Presentation and analysis and interpretation of data
Presentation and analysis and interpretation of dataPresentation and analysis and interpretation of data
Presentation and analysis and interpretation of data
Lovely Ann Azanza
 
Writing the 'Discussion and Analysis'
Writing the 'Discussion and Analysis'Writing the 'Discussion and Analysis'
Writing the 'Discussion and Analysis'
Aiden Yeh
 
Supply chain management project
Supply chain management projectSupply chain management project
Supply chain management project
Muskan Asnani
 
Correlation and regression
Correlation and regressionCorrelation and regression
Correlation and regression
Khalid Aziz
 

Viewers also liked (13)

A Question Of Interpretation: the role of archivists in an online age
A Question Of Interpretation: the role of archivists in an online ageA Question Of Interpretation: the role of archivists in an online age
A Question Of Interpretation: the role of archivists in an online age
 
Supply Chain Project MCD
Supply Chain Project MCDSupply Chain Project MCD
Supply Chain Project MCD
 
Jagger release 2.0
Jagger release 2.0Jagger release 2.0
Jagger release 2.0
 
Chapter 6 - Introduction to 12 Lead Interpretation
Chapter 6 - Introduction to 12 Lead InterpretationChapter 6 - Introduction to 12 Lead Interpretation
Chapter 6 - Introduction to 12 Lead Interpretation
 
Introduction to Statutory Interpretation
Introduction to Statutory InterpretationIntroduction to Statutory Interpretation
Introduction to Statutory Interpretation
 
Data Interpretation
Data Interpretation Data Interpretation
Data Interpretation
 
Data interpretation
Data interpretationData interpretation
Data interpretation
 
A Project on Supply Chain Management_1
A Project on Supply Chain Management_1A Project on Supply Chain Management_1
A Project on Supply Chain Management_1
 
Presentation and analysis and interpretation of data
Presentation and analysis and interpretation of dataPresentation and analysis and interpretation of data
Presentation and analysis and interpretation of data
 
Writing the 'Discussion and Analysis'
Writing the 'Discussion and Analysis'Writing the 'Discussion and Analysis'
Writing the 'Discussion and Analysis'
 
Supply chain management project
Supply chain management projectSupply chain management project
Supply chain management project
 
Chapter 4 presentation of data
Chapter 4 presentation of dataChapter 4 presentation of data
Chapter 4 presentation of data
 
Correlation and regression
Correlation and regressionCorrelation and regression
Correlation and regression
 

Similar to Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)

Computer Organization1CS1400Feng JiangBoolean al.docx
Computer Organization1CS1400Feng JiangBoolean al.docxComputer Organization1CS1400Feng JiangBoolean al.docx
Computer Organization1CS1400Feng JiangBoolean al.docx
ladonnacamplin
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Concurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papersConcurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papers
Subhajit Sahu
 

Similar to Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06) (20)

Detecting Deadlock, Double-Free and Other Abuses in a Million Lines of Linux ...
Detecting Deadlock, Double-Free and Other Abuses in a Million Lines of Linux ...Detecting Deadlock, Double-Free and Other Abuses in a Million Lines of Linux ...
Detecting Deadlock, Double-Free and Other Abuses in a Million Lines of Linux ...
 
Understanding low latency jvm gcs
Understanding low latency jvm gcsUnderstanding low latency jvm gcs
Understanding low latency jvm gcs
 
07 control+structures
07 control+structures07 control+structures
07 control+structures
 
Computer Organization1CS1400Feng JiangBoolean al.docx
Computer Organization1CS1400Feng JiangBoolean al.docxComputer Organization1CS1400Feng JiangBoolean al.docx
Computer Organization1CS1400Feng JiangBoolean al.docx
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
Understanding low latency jvm gcs V2
Understanding low latency jvm gcs V2Understanding low latency jvm gcs V2
Understanding low latency jvm gcs V2
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Concurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papersConcurrency in Distributed Systems : Leslie Lamport papers
Concurrency in Distributed Systems : Leslie Lamport papers
 
Cryptography
CryptographyCryptography
Cryptography
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
2017 10 17_quantum_program_v2
2017 10 17_quantum_program_v22017 10 17_quantum_program_v2
2017 10 17_quantum_program_v2
 
L3-.pptx
L3-.pptxL3-.pptx
L3-.pptx
 
k10790 nilesh prajapati control me 6th sem
k10790 nilesh prajapati control me 6th semk10790 nilesh prajapati control me 6th sem
k10790 nilesh prajapati control me 6th sem
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Using R in remote computer clusters
Using R in remote computer clustersUsing R in remote computer clusters
Using R in remote computer clusters
 
13.ppt
13.ppt13.ppt
13.ppt
 
Pepe Vila - Cache and Syphilis [rooted2019]
Pepe Vila - Cache and Syphilis [rooted2019]Pepe Vila - Cache and Syphilis [rooted2019]
Pepe Vila - Cache and Syphilis [rooted2019]
 
HiPEAC'19 Tutorial on Quantum algorithms using QX - 2019-01-23
HiPEAC'19 Tutorial on Quantum algorithms using QX - 2019-01-23HiPEAC'19 Tutorial on Quantum algorithms using QX - 2019-01-23
HiPEAC'19 Tutorial on Quantum algorithms using QX - 2019-01-23
 
Understanding jvm gc advanced
Understanding jvm gc advancedUnderstanding jvm gc advanced
Understanding jvm gc advanced
 

More from Peter Breuer

More from Peter Breuer (9)

Avoiding Hardware Aliasing
Avoiding Hardware AliasingAvoiding Hardware Aliasing
Avoiding Hardware Aliasing
 
Empirical Patterns in Google Scholar Citation Counts (CyberPatterns 2014)
Empirical Patterns in Google Scholar Citation Counts (CyberPatterns 2014)Empirical Patterns in Google Scholar Citation Counts (CyberPatterns 2014)
Empirical Patterns in Google Scholar Citation Counts (CyberPatterns 2014)
 
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
 
Tutorial: Formal Methods for Hardware Verification - Overview and Application...
Tutorial: Formal Methods for Hardware Verification - Overview and Application...Tutorial: Formal Methods for Hardware Verification - Overview and Application...
Tutorial: Formal Methods for Hardware Verification - Overview and Application...
 
A Semantic Model for VHDL-AMS (CHARME '97)
A Semantic Model for VHDL-AMS (CHARME '97)A Semantic Model for VHDL-AMS (CHARME '97)
A Semantic Model for VHDL-AMS (CHARME '97)
 
The mixed-signal modelling language VHDL-AMS and its semantics (ICNACSA 1999)
The mixed-signal modelling language VHDL-AMS and its semantics (ICNACSA 1999)The mixed-signal modelling language VHDL-AMS and its semantics (ICNACSA 1999)
The mixed-signal modelling language VHDL-AMS and its semantics (ICNACSA 1999)
 
Higher Order Applicative XML (Monterey 2002)
Higher Order Applicative XML (Monterey 2002)Higher Order Applicative XML (Monterey 2002)
Higher Order Applicative XML (Monterey 2002)
 
Raiding the Noosphere
Raiding the NoosphereRaiding the Noosphere
Raiding the Noosphere
 
Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)

  • 1. Abstract Interpretation meets model checking near the 1000000 LOC mark - Finding errors in the Linux Kernel Source Peter T. Breuer & Simon Pickin Universidad Carlos III de Madrid
  • 2. Goal • Apply Formal Methods to the Linux kernel • Methods must be ➢ post-hoc ➢ capable of application by non-experts ➢ able to handle 6.5 millions of lines of rapidly changing C code
  • 3. Analysis Example -Sleep under Spinlock Hunt (SluSH)
  • 5. What is sleep under spinlock? • Sleep = thread scheduled out of CPU • Spinlock = busy wait for lock release • Two CPUs + two threads waiting on spinlocks = one dead machine
  • 6. Example of bad code • snd_sb_csp_load() in sb16_csp.c
  • 7. Another piece of guilty code • Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
  • 10. Other classes of problems detected • Access (read/write) to kfreed memory • Overflow 4096B of stack • Spinlock under spinlock • Call to function that expects non-NULL parameters with possibly NULL argument • ... – Logic is configured, so new tests can be invented
  • 11. Example of kfree/access • drivers/scsi/aix7xxx_old.c in kernel 2.6.3
  • 14. Components of analysis system • Description of statements as logic transformers – p .... p[n-1/n] • Trigger/action system for raising alarms! • Combining logic NRB • Guiding abstract interpretation s to state x x ∈s ∩ p stops dead code evaluation, etc.
  • 15. Statement Logic - NRB • Single code statement – maintains condition P normally – empty statement cannot return (F) – empty statement cannot break (F)
  • 16. Sequence logic -NRB • normal exit: traverse A then B • return exit: return from A OR traverse A then return from B • break exit: break from A OR traverse A then break from B
  • 17. Loop logic -NRB • break from body is only normal exit from while(1) • relax p until it is invariant
  • 19. Programmable trigger/action engine • Three rules handle propagation of call graph and other housekeeping. – a sleep call while the objective function is positive causes output:
  • 20. Using the analyser • Call with the same arguments as given to the gcc compiler
  • 21. Limitations • Predicates are restricted to unions of n-cubes • State is not followed well enough: – x = 1; if (x) A else B; ● treated correctly - only A is evaluated – if (x) A else B; if (x) C else D; ● over-abstracted - A;C | A;D | B;C | B;D – possible solution is to push state into the predicates ((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D) ● but we can't follow calculation well - quickly get to 
  • 22. Implication of predicates is decidable • Basic evaluation is C  U Ci of cubes – i.e. U Ci covers C
  • 23. Summary • A step towards analyses of 100MLoC. – No expertise needed – Fast – Copes with massive amounts of code – Soundly based • Negatives – Not good tracking program state; model checking? – Not yet easy to extend to new problem classes