Slides for presentation on "Abstract Interpretation meets model checking near the 1000000 LOC mark" at 5th International Workshop on Automated Verification of Infinite-State Systems (AVIS'06), Apr 1, 2006. A preprint of the full paper is available at http://www.academia.edu/2494187/Abstract_Interpretation_meets_Model_Checking_near_the_10_6_LOC_mark .
HTML Injection Attacks: Impact and Mitigation Strategies
Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)
1. Abstract Interpretation meets model
checking near the 1000000 LOC
mark
- Finding errors in the Linux Kernel
Source
Peter T. Breuer & Simon Pickin
Universidad Carlos III de Madrid
2. Goal
•
Apply
Formal Methods
to the
Linux kernel
•
Methods must be
➢ post-hoc
➢ capable of application by non-experts
➢ able to handle 6.5 millions of lines of
rapidly changing C code
5. What is sleep under spinlock?
• Sleep = thread scheduled out of CPU
• Spinlock = busy wait for lock release
• Two CPUs
+ two threads waiting on spinlocks
= one dead machine
10. Other classes of problems detected
• Access (read/write) to kfreed memory
• Overflow 4096B of stack
• Spinlock under spinlock
• Call to function that expects non-NULL
parameters with possibly NULL argument
• ...
– Logic is configured, so new tests can be invented
14. Components of analysis system
• Description of statements as logic transformers
– p .... p[n-1/n]
• Trigger/action system for raising alarms!
• Combining logic NRB
• Guiding abstract interpretation s to state x
x ∈s ∩ p
stops dead code evaluation, etc.
16. Sequence logic -NRB
• normal exit: traverse A then B
• return exit: return from A
OR traverse A then return from B
• break exit: break from A
OR traverse A then break from B
17. Loop logic -NRB
• break from body is only normal exit from while(1)
• relax p until it
is invariant
19. Programmable trigger/action engine
• Three rules handle propagation of call graph and
other housekeeping.
– a sleep call while the objective function is
positive causes output:
21. Limitations
• Predicates are restricted to unions of n-cubes
• State is not followed well enough:
– x = 1; if (x) A else B;
● treated correctly - only A is evaluated
– if (x) A else B; if (x) C else D;
● over-abstracted - A;C | A;D | B;C | B;D
– possible solution is to push state into the
predicates
((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D)
● but we can't follow calculation well - quickly get
to
23. Summary
• A step towards analyses of 100MLoC.
– No expertise needed
– Fast
– Copes with massive amounts of code
– Soundly based
• Negatives
– Not good tracking program state; model
checking?
– Not yet easy to extend to new problem classes