cross checking semantic correctness the case of finding
play

Cross-checking Semantic Correctness: The Case of Finding File System - PowerPoint PPT Presentation

Nov 08, 2022 •392 likes •1.25k views

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Two promising approaches to make

  1. Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min , Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science

  2. Two promising approaches to make bug-free software ● Formal proof require “proof” → – Guarantee high-level invariants (e.g., functional correctness) ● Model checking require “model” → – Check if code fjts with domain model (e.g., locking rules) 2

  3. Two promising approaches to make bug-free software ● Formal proof require “proof” → – Guarantee high-level invariants (e.g., functional correctness) ● Model checking require “model” → – Check if code fjts with domain model (e.g., locking rules) In practice, many software are (already) built without such theories 3

  4. There exist many similar implementations of a program ● File systems: >50 implementations in Linux ● JavaScript: ECMAScript, V8, SpiderMonkey, etc ● POSIX C Library: Gnu Libc, FreeBSD, eLibc, etc Without proof or model, can we leverage these existing implementations? 4

  5. There exist many similar implementations of a program ● File systems: >50 implementations in Linux ● JavaScript: ECMAScript, V8, SpiderMonkey, etc ● POSIX C Library: Gnu Libc, FreeBSD, eLibc, etc Without proof or model, can we leverage these existing implementations? 5

  6. File system bugs are critical 2013-01-07 6

  7. File system bugs are critical 2013-01-07 2014-10-17 7

  8. File system bugs are critical 2013-01-07 2014-10-17 2015-03-19 8

  9. A majority of bugs in fjle systems are hard to detect Memory bugs: Semantic bugs: NULL dereference Use-after-free Incorrect condition check ... 12.6% Incorrect statue update Incorrect argument Incorrect error code ... 87.4% 9

  10. A majority of bugs in fjle systems are hard to detect Memory bugs: Semantic bugs: NULL dereference Use-after-free Incorrect condition check ... 12.6% Incorrect statue update Incorrect argument Incorrect error code ... 87.4% 10

  11. Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... @@ static size_t ocfs2_xattr_trusted_list + if (!capable(CAP_SYS_ADMIN)) + return 0; 11

  12. Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... @@ static size_t ocfs2_xattr_trusted_list + if (!capable(CAP_SYS_ADMIN)) + return 0; Can we fjnd this bug by leveraging other implementations? 12

  13. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; ● XFS static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) return 0; ... 13

  14. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; Deviant implementation ● XFS → potential bugs? static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) return 0; ... 14

  15. A majority of fjle system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check ● ext2 Signed-ofg-by: Sanidhya Kashyap <sanidhya@gatech.edu> ... static size_t ext2_xattr_trusted_list() @@ static size_t ocfs2_xattr_trusted_list if (!capable(CAP_SYS_ADMIN)) return 0; + if (!capable(CAP_SYS_ADMIN)) ● ext4 + return 0; static size_t ext4_xattr_trusted_list() if (!capable(CAP_SYS_ADMIN)) return 0; Deviant implementation ● XFS → potential bugs? static size_t xfs_xattr_put_listent() if ( (fmags & XFS_ATTR_ROOT) && !capable(CAP_SYS_ADMIN)) A new bug we found return 0; It has been hidden for 6 years ... 15

  16. Case study: Write a page ● Each fjle system defjnes how to write a page ● Semantic of writepage() – Success return locked page → – Failure return unlocked page → ● Document/fjlesystems/vfs.txt specifjes such rule – Hard to detect without domain knowledge What if 99% fjle systems follow above pattern, but not one fjle system? bug? 16

  17. Our approach can reveal such bugs without domain specifjc knowledge ● 52 fjle systems follow the locking rules ● But 2 fjle systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------- index fd5599d..e723482 100644 @@ static int ceph_write_begin + if (r < 0) + page_cache_release(page); + else + *pagep = page; 17

  18. Our approach can reveal such bugs without domain specifjc knowledge ● 52 fjle systems follow the locking rules ● But 2 fjle systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------- index fd5599d..e723482 100644 @@ static int ceph_write_begin + if (r < 0) + page_cache_release(page); + else + *pagep = page; We found 3 bugs in 2 fjle systems Hidden for over 5 years 18

  19. Our approach in fjnding bugs Intuition: Bugs are rare Majority of implementations is correct Idea: Find deviant ones as potential bugs 19

  20. Our approach is promising in fjnding semantic bugs (Example: fjle systems) ● New semantics bugs – 118 new bugs in 54 fjle systems ● Critical bugs – System crash, data corruption, deadlock, etc ● Bugs diffjcult to fjnd – Bugs were hidden for 6.2 years on average ● Various kinds of bugs – Condition check, argument use, return value, locking, etc 20

  21. Technical challenges ● All software are difgerent one way or another – e.g., disk layout in fjle system ● How to compare difgerent implementation? – Q1: Where to start? – Q2: What to compare? – Q3: How to compare? 21

  22. Juxta : the case of fjle system ● All fjle systems should follow VFS API in Linux – e.g., vfs_rename() in each fjle system ● How to compare difgerent fjle systems? – Q1: Where to start? VFS entries in fjle system → – Q2: What to compare? symbolic environment → – Q3: How to compare? statistical comparison → 22

  23. Juxta overview Juxta Statistical Per-Filesystem Path Comparison Path Database File System Symbolic Execution Source Code 23

  24. Juxta overview 7 Checkers Path Condition Argument ... Checker Checker Juxta Statistical Per-Filesystem Path Comparison Path Database File System Symbolic Execution Source Code 24

  25. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 25

  26. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 26

  27. Identifying semantically similar entry points ● Linux Virtual File System (VFS) – Use common data structures and behavior (e.g., inode and page cache) – Defjne fjlesystem-specifjc interfaces (e.g., open, rename) 27

  28. Example: inode_operations rename() → struct inode_operations { int (*rename) (struct inode *, ...); int (*create) (struct inode *,...); int (*unlink) (struct inode *,..); int (*mkdir) (struct inode *,...); }; Compare *_rename() to fjnd deviant rename() implementations. 28

  29. Example: inode_operations rename() → struct inode_operations { int (*rename) (struct inode *, ...); btrfs _rename(...); int (*create) (struct inode *,...); ext4 _rename(...); int (*unlink) (struct inode *,..); xfs _vn_rename(…); int (*mkdir) (struct inode *,...); ... }; Compare *_rename() to fjnd deviant rename() implementations. 29

  30. Comparing multiple fjle systems ● Q1: Where to start? – Identifying semantically similar entry points ● Q2: What to compare? – Building per-path symbolic environment ● Q3: How to compare? – Statistically comparing each path 30

  31. Building per-path symbolic environment ● Context/fmow-sensitive symbolic execution – C language level – Build symbolic environment per path (e.g., path cond, return values, side-efgect, function calls) ● Key idea: return-oriented comparison – Error codes represent per-path semantics (e.g., comparing all paths returning EACCES in rename() implementations) 31

  32. Example: Per-path symbolic environment Execution Path Information int foo_rename (int fmag) { if (fmag == RO) return -EACCES; inode fmag = fmag; → kmalloc(…, GFP_NOFS) return SUCCESS; } 32

  33. Example: Per-path symbolic environment Execution Path Information int foo_rename (int fmag) { if (fmag == RO) return -EACCES; inode fmag = fmag; → kmalloc(…, GFP_NOFS) return SUCCESS; } 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the

4. Semantic Processing and Attributed Grammars 1 Semantic Processing The parser checks only the syntactic correctness of a program Tasks of semantic processing Checking context conditions - Declaration rules - Type checking Symbol

402 views • 13 slides
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si,

APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si,

APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in todays software are plentiful yet complex Example: OpenSSL

923 views • 89 slides
Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan

Checking &amp; Spot-Checking the Correctness of Priority Queues Matthew Chu &amp; Sampath Kannan (UPenn) Andrew McGregor (UCSD) Memory Checking Memory Checking Your resources: A lot of cheap unreliable memory and a little expensive reliable

1.11k views • 70 slides
Introduction Goal: Use programmers design decisions with automatic checking todetect potential

Introduction Goal: Use programmers design decisions with automatic checking todetect potential

0.5 setgray0 0.5 setgray1 Introduction Goal: Use programmers design decisions with automatic checking todetect potential errors. Extended Static Checking (ESC) tries to prove correctness at compile-time helps finding run-time exceptions

302 views • 11 slides
Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of

Semantic Analysis/Checking Symbol tables Semantic analysis: the final part of analysis half of compilation Key data structure during semantic analysis, code generation afterwards comes synthesis half of compilation Stores info about names

215 views • 5 slides
Static program checking and verification Correctness class ArraySet implements Set { class

Static program checking and verification Correctness class ArraySet implements Set { class

Chair of Softw are Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Mller Static program checking and verification Correctness class ArraySet

445 views • 18 slides
Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden

Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden

Compiler Design and Construction Semantic Analysis: Type Checking Slides modified from Louden Book, Dr. Scherger, Aho Semantic Analysis What can with do with semantic information for identifier x What kind of value is stored in x ?

649 views • 49 slides
Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly

SemEval 2014 Task-3 Cross-Level Semantic Similarity MultiJEDI ERC 259234 Semantic Similarity Semantic Similarity Mostly focused on similar types of lexical items Semantic Similarity What if we have different types of inputs? CLSS:

971 views • 47 slides
Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze

Interfaces for Runtime Correctness Checking of Parallel Programs Joachim Protze (protze@itc.rwth-aachen.de) Motivation OpenMP 3 introduced tasks (2008) Several data race detection tools for OpenMP tasks popped up just last year How can

384 views • 16 slides
Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University

Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University

Identifying, Finding and Encoding Semantic Relations Christiane Fellbaum Princeton University Questions What kind of semantic knowledge does the NLP community need? How to represent semantic knowledge? How to expand on our

716 views • 13 slides
Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell

Dynamically checking type-correctness of whole programs (work newly in-progress). Stephen Kell stephen.kell@cl.cam.ac.uk Computer Laboratory University of Cambridge libcrunch . . . p.1/22 Wanted (naive version): check this! if (obj

281 views • 26 slides
Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November,

Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November,

Cross-Lingual Semantic Mapping of Authority Files Nadine Steinmetz, and Harald Sack November, 26th 2013 Conference on Semantic Web in Libraries SWIB 2013, Hamburg, Germany Motivation Semantic Annotation of Textual Information: Having

754 views • 57 slides
Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by

Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by

Cross-Domain Semantic Parsing via Paraphrasing Yu Su &amp; Xifeng Yan, EMNLP 2017 presented by Sha Li Semantic Parsing Mapping natural language utterances to logical forms that machines can act upon. Example: Database query Intents and

531 views • 21 slides
Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light

Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light

CS6202: Advanced Topics in Rise of Lightweight Formal Methods Rise of Lightweight Formal Methods Programming Languages and Systems Lecture 4-5 : Types Dont prove correctness: just find bugs .. - model checking - light specification and

615 views • 24 slides
Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad,

Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad,

Cross-lingual Distributional Profiles of Concepts for Measuring Semantic Distance Saif Mohammad, Iryna Gurevych, Graeme Hirst, and Torsten Zesch University of Toronto &amp; Darmstadt University of Technology Semantic distance SALSA DANCE

609 views • 47 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT &amp; Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views • 24 slides
Data Matthew James The central role that peoples health and well -being play in social

Data Matthew James The central role that peoples health and well -being play in social

Health and Welfare Data Matthew James The central role that peoples health and well -being play in social cohesion and community change Proportion of the adjusted health gap explained by differences in social determinants and health risk

745 views • 52 slides
Optimization Algorithms for Data Analysis Stephen Wright University of Wisconsin-Madison Fields

Optimization Algorithms for Data Analysis Stephen Wright University of Wisconsin-Madison Fields

Optimization Algorithms for Data Analysis Stephen Wright University of Wisconsin-Madison Fields Institute, June 2010 Stephen Wright (UW-Madison) Optimization Algorithms for Data Analysis Fields Institute, June 2010 1 / 54 Introduction: Data

659 views • 61 slides
Security, Privacy, Ethics and Sheep Professor Stephen Hailes UCL New Frontiers in IoT UCL New

Security, Privacy, Ethics and Sheep Professor Stephen Hailes UCL New Frontiers in IoT UCL New

Security, Privacy, Ethics and Sheep Professor Stephen Hailes UCL New Frontiers in IoT UCL New Frontiers in IoT UCL q Founded in 1826 as a University for all - inspired by Jeremy Bentham q Establishing a radical, pioneering tradition in

408 views • 38 slides
Personalized Medicine Redefining Cancer Treatment RAMONA BENDIAS, FRIDA BRNFORS Is there a way

Personalized Medicine Redefining Cancer Treatment RAMONA BENDIAS, FRIDA BRNFORS Is there a way

Personalized Medicine Redefining Cancer Treatment RAMONA BENDIAS, FRIDA BRNFORS Is there a way to automatically classify genetic variations based on medical papers? Biology crash course, pt 1 Images:

511 views • 17 slides
Disclosures Aneurysms:Open Repair is the Gold Standard NONE Michael S. Conte MD Division of

Disclosures Aneurysms:Open Repair is the Gold Standard NONE Michael S. Conte MD Division of

4/16/2015 Short Necks, Juxtarenal and Pararenal Disclosures Aneurysms:Open Repair is the Gold Standard NONE Michael S. Conte MD Division of Vascular and Endovascular Surgery UCSF Heart and Vascular Center Continued Evolution of EVAR

573 views • 6 slides
Elodie Laine July 3 rd 2012, JOBIM, Rennes BiMoDyM, Molecular Oncology and Pharmacology Team,

Elodie Laine July 3 rd 2012, JOBIM, Rennes BiMoDyM, Molecular Oncology and Pharmacology Team,

Elodie Laine July 3 rd 2012, JOBIM, Rennes BiMoDyM, Molecular Oncology and Pharmacology Team, Labex LERMIT LBPA, CNRS-ENS de Cachan Biological context 518 protein kinases -2% of the proteome highly conserved through evolution highly oncogenic

686 views • 24 slides
II. Homotopy of Curves on Surfaces Jeff Erickson University of Illinois, Urbana-Champaign The

II. Homotopy of Curves on Surfaces Jeff Erickson University of Illinois, Urbana-Champaign The

One-Dimensional Computational Topology II. Homotopy of Curves on Surfaces Jeff Erickson University of Illinois, Urbana-Champaign The question Given two curves on an orientable surface, are they homotopic? But first... What does

1.54k views • 105 slides
Krivines Classical Realizability from a Categorical Prespective Thomas Streicher (TU

Krivines Classical Realizability from a Categorical Prespective Thomas Streicher (TU

Krivines Classical Realizability from a Categorical Prespective Thomas Streicher (TU Darmstadt) July 2010 The Scenario In Krivines work on Classical Realizability he emphasizes that his notion of realizability is a generalization of

380 views • 26 slides

More recommend