SLIDE 1
Formal sound verification
- f
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
Formal sound verification of Linuxs USB BP keyboard driver Willem - - PowerPoint PPT Presentation
Formal sound verification of Linuxs USB BP keyboard driver Willem - - PowerPoint PPT Presentation
Formal sound verification of Linuxs USB BP keyboard driver Willem Penninckx Jan Tobias Mhlberg Jan Smans Bart Jacobs Frank Piessens Table Of Contents What did we do? How did we do it? What did we learn? Table Of Contents
SLIDE 2
SLIDE 3
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 4
Formal sound verification
Linux’s USB BP keyboard driver
SLIDE 5
Formal sound verification
Linux’s USB BP keyboard driver
- Real-world software
toy
SLIDE 6
Formal sound verification
Linux’s USB BP keyboard driver
- Real-world software
- Unbounded number of threads
- Unbounded number of keyboards
toy
SLIDE 7
Formal sound verification
Check properties:
- Never crashes
- No race-condition
- API rules
Linux’s USB BP keyboard driver
- Real-world software
- Unbounded number of threads
- Unbounded number of keyboards
toy
SLIDE 8
Formal sound verification
Bug hunting Check properties:
- Never crashes
- No race-condition
- API rules
If “green bar”, then verified property always holds
Linux’s USB BP keyboard driver
- Real-world software
- Unbounded number of threads
- Unbounded number of keyboards
toy
SLIDE 9
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 10
usbkbd.c input.h usb.h void fun1() { c_code; c_code; c_code; } void input_register(); void usb_kill_urb(); usb_core.c void usb_kill_urb() { c_code; c_code; c_code; }
SLIDE 11
usbkbd.c input.h usb.h void fun1() { c_code; c_code; c_code; } /*@ * preCond * postCond @*/ void input_register(); /*@ * preCond * postCond @*/ void usb_kill_urb(); /*@ * (ghost code) @*/ usb_core.c void usb_kill_urb() { c_code; c_code; c_code; }
Formal API specs
SLIDE 12
usbkbd.c input.h usb.h /*@ * PreCond * PostCond @*/ void fun1() { c_code; //@ ghostcode c_code; c_code; } /*@ * preCond * postCond @*/ void input_register(); /*@ * preCond * postCond @*/ void usb_kill_urb(); /*@ * (ghost code) @*/ usb_core.c void usb_kill_urb() { c_code; c_code; c_code; }
Formal API specs
SLIDE 13
usbkbd.c /*@ * PreCond * PostCond @*/ void fun1() { c_code; //@ ghostcode c_code; c_code; } Tool: VeriFast
SLIDE 14
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 15
Learned / Conclusions
http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/
SLIDE 16
Learned / Conclusions
http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules
SLIDE 17
Learned / Conclusions
File Lines C Lines annot usbkbd.c 329 822 API headers / 769 http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules
SLIDE 18
Learned / Conclusions
File Lines C Lines annot usbkbd.c 329 822 API headers / 769 Tool speed ~1 second Bugs found http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules
SLIDE 19
Learned / Conclusions
File Lines C Lines annot usbkbd.c 329 822 API headers / 769 Tool speed ~1 second Bugs found
- Unloading bug
- Synchronization bug
http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules
SLIDE 20
Learned / Conclusions
File Lines C Lines annot usbkbd.c 329 822 API headers / 769 Tool speed ~1 second Bugs found
- Unloading bug
- Synchronization bug
http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules