SLIDE 1
Formal sound verification
- f
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
Formal sound verification of Linuxs USB BP keyboard driver Willem - - PowerPoint PPT Presentation
Formal sound verification of Linuxs USB BP keyboard driver Willem - - PowerPoint PPT Presentation
Formal sound verification of Linuxs USB BP keyboard driver Willem Penninckx Jan Tobias Mhlberg Jan Smans Bart Jacobs Frank Piessens Table Of Contents What did we do? How did we do it? What did we learn? Table Of Contents
SLIDE 2
SLIDE 3
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 4
Formal sound verification
Bug hunting Check properties:
- Never crashes
- No race-condition
- API rules
If “green bar”, then verified property always holds
Linux’s USB BP keyboard driver
- Real-world software
- Unbounded number of threads
- Unbounded number of keyboards
toy
SLIDE 5
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 6
usbkbd.c input.h usb.h /*@ * PreCond * PostCond @*/ void fun1() { c_code; //@ ghostcode c_code; c_code; } /*@ * preCond * postCond @*/ void input_register(); /*@ * preCond * postCond @*/ void usb_kill_urb(); /*@ * (ghost code) @*/ usb_core.c void usb_kill_urb() { c_code; c_code; c_code; }
Formal API specs
SLIDE 7
usbkbd.c /*@ * PreCond * PostCond @*/ void fun1() { c_code; //@ ghostcode c_code; c_code; } Tool: VeriFast
SLIDE 8
Table Of Contents
- What did we do?
- How did we do it?
- What did we learn?
SLIDE 9
Learned / Conclusions
File Lines C Lines annot usbkbd.c 329 822 API headers / 769 Tool speed ~1 second Bugs found
- Unloading bug
- Synchronization bug
http://people.cs.kuleuven.be/~willem.penninckx/usbkbd/ Possible to combine:
- Soundness
- Unbounded #threads
- Real driver
- API usage rules
Patches are in Linux 3.3
SLIDE 10