Towards safer Concurrent Device Drivers Making Safer Concurrent - - PowerPoint PPT Presentation



SLIDE 1

Navigation: Towards safer Concurrent Device Drivers (Martin Ellis)
  Motivation: Making Safer Concurrent Device Drivers. Previous Work
  The Problem
  Our Technique: Resource Driver. Extending CSP generation. Modelling Drivers?
  Summary

Towards safer Concurrent Device Drivers
Modeling RMoX Drivers in CSP

Martin Ellis
School of Computing, University of Kent

Communicating Process Architectures, 2011

SLIDE 2


Outline

1. Motivation: Making Safer Concurrent Device Drivers. Previous Work
2. The Problem
3. Our Technique: Resource Driver. Extending CSP generation.


SLIDE 4


The World So Far...

We want "safe" and "correct" concurrent device drivers.
The Device Driver / Kernel interface is well understood.
The Device Driver / Hardware interface is less so.


SLIDE 6


Existing Techniques

Most previous work has been done on kernel/driver interfaces.

SLAM
  Static analysis of Windows drivers. Tried to help prevent kernel crashes (BSoD).

DDVERIFY
  Static analysis of Linux drivers. Handles concurrent Linux drivers.

Fred Barnes' work on modelling drivers in CSP
  Proves deadlock freedom of RMoX drivers. Only considered the Driver/Kernel interface.

Driver synthesis
  Chinook. Mattias O'Nils' and Axel Jantsch's work with ProGram.

SLIDE 7


Device Driver Complexities

Memory mapped IO vs port mapped IO.
Overloaded addresses.
Bitfields.
Concurrent access.

SLIDE 8


Figure: two register-access layouts. A bitfield port, a 16-bit register (bit positions 4, 8, 12 and 15 marked) holding the fields rdy, parity, data and reserved; and select-and-access ports, with the Register Select port at 0x200 and the Access port at 0x216.
SLIDE 10


Concurrent Access

Placed memory/channels.
Circumvents parallel usage checking.
All the usual issues with data aliasing.


SLIDE 12


The Kernel / Driver interface is made of well understood occam channels.
The Hardware / Driver interface is made of "magic". Abstract things into nice occam channels.

Diagram: Kernel <-> Device Driver <-> Hardware

SLIDE 13


Diagram: Kernel <-> Device Driver <-> Resource Driver <-> Hardware

SLIDE 14


Resource Driver

So what does the resource driver give us?
  Primitives for reading registers "correctly".
  Sanity checks (no use before declaration etc).
These runtime checks are slow though.



SLIDE 17


Extending KRoC

KRoC's CSP model generation has been extended. It now includes:
  details of variant channels;
  the number of parameters;
  values known at compile time.

SLIDE 18


Protocol → CSP

occam:
  PROTOCOL P.RES
    CASE
      a; INT
      b; INT; BYTE
  :

CSP:
  U = (−999)
  NUMBER = {U} ∪ {0..99}
  channel res : a.NUMBER | b.NUMBER.NUMBER


SLIDE 20


Communication → CSP

occam:
  PROC x (CHAN P.RES res!)
    SEQ
      res ! a; x
      res ! b; y; z
  :

CSP (the variables x, y and z are unknown at compile time, so each becomes U):
  X(res) = res.a!(U) → res.b!(U).(U) → SKIP


SLIDE 22


Constant Propagation

occam:
  PROC x (CHAN P.RES res!)
    SEQ
      res ! a; 42
      res ! b; y; z
  :

CSP (the constant 42 is known at compile time and is propagated into the model):
  X(res) = res.a!(42) → res.b!(U).(U) → SKIP

SLIDE 23


Externalising internal choice

Generated CSP:
  PPORT_HANDLER_g =
      (srv.InPResResInDeclare?vv.pa → PPORT_HANDLER ⊓ STOP)
    □ (srv.InPResPortInDeclare?vv.pa.pc → PPORT_HANDLER ⊓ STOP)
    □ (srv.other1 □ srv.other2 □ . . .)
    ; PPORT_HANDLER

SLIDE 24


Externalising internal choice

"Tweaked" CSP (the internal choice with STOP is replaced by a conditional on the handler's state):
  PPORT_HANDLER_t(RESS, PORTS) =
      (srv.InPResResInDeclare?vv.pa →
          PPORT_HANDLER(RESS, {pc} ∪ PORTS) ◁ (pa ∉ RESS) ▷ STOP)
    □ (srv.InPResPortInDeclare?vv.pa.pc →
          PPORT_HANDLER(RESS, {pc} ∪ PORTS) ◁ (pa ∈ RESS) ∧ (pc ∉ PORTS) ▷ STOP)
    □ (srv.other1 □ srv.other2 □ . . .)
    ; PPORT_HANDLER(RESS, PORTS)
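An added example, not code from the talk nor from RMoX or KRoC: the guards of the tweaked PPORT_HANDLER written as a Python state machine, so the declare-before-use checks the slides assign to the resource driver can be run over an event trace. RESS, PORTS, U and NUMBER follow the slides; the event tuples, the write operation, narrow() and the sample traces are assumptions of this example.

```python
U = -999                          # the slides' "unknown value"
NUMBER = {U} | set(range(100))    # NUMBER = {U} ∪ {0..99}

def narrow(value):
    """Values outside the modelled NUMBER range collapse to U (unknown)."""
    return value if value in NUMBER else U

class PortHandler:
    """Guarded (RESS, PORTS) state of PPORT_HANDLER_t; a returned string is the STOP branch."""
    def __init__(self):
        self.ress = set()     # RESS: resources defined so far
        self.ports = set()    # PORTS: ports declared so far
        self.writes = []      # accepted (port, narrowed value) pairs

    def define_res(self, pa):
        # srv.InPResResInDeclare?vv.pa, enabled only while pa ∉ RESS
        if pa in self.ress:
            return f"resource {pa} defined twice"
        self.ress.add(pa)

    def declare_port(self, pa, pc):
        # srv.InPResPortInDeclare?vv.pa.pc, enabled while pa ∈ RESS and pc ∉ PORTS
        if pa not in self.ress:
            return f"port {pc} declared on undefined resource {pa}"
        if pc in self.ports:
            return f"port {pc} declared twice"
        self.ports.add(pc)

    def write(self, pc, value):
        # hypothetical data access (this example's own): only a declared port may be written
        if pc not in self.ports:
            return f"write to undeclared port {pc}"
        self.writes.append((pc, narrow(value)))

def run_trace(events):
    """Drive a fresh handler through a trace; return (handler, index of the
    first event whose guard fails, or -1 when the whole trace is accepted)."""
    handler = PortHandler()
    ops = {"define": handler.define_res, "declare": handler.declare_port,
           "write": handler.write}
    for i, (kind, *args) in enumerate(events):
        if ops[kind](*args) is not None:
            return handler, i
    return handler, -1

# Constructed traces (not from the slides): one well-formed, one declaring a port before its resource.
GOOD_TRACE = [("define", 0), ("declare", 0, 1), ("declare", 0, 2),
              ("write", 1, 42), ("write", 2, 220)]
BAD_TRACE = [("declare", 0, 1), ("write", 1, 0)]
```

The value 220 in GOOD_TRACE lies outside NUMBER and is recorded as U, which is the narrowing the later slides say FDR forces on the model.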

SLIDE 25


Refinement

  SYSTEM_PRES_DRIVER_t ⊑_T SYSTEM_PRES_DRIVER_g

  (SYSTEM_PRES_DRIVER_t ∥ DEVICE_DRIVER) deadlocks?


SLIDE 27


And It Works...

This works... "ish".
The state space is huge.
The NUMBER type has to be narrow.


SLIDE 30


Can we write specifications for drivers in CSP?

  READ = WRITE = 1

  DEFINE_DSP =
      (port.InPResPortInDefineRes!0.220 ⊓ port.InPResPortInDefineRes!0.240)
      → DECLARE.PORTS_DSP → RESET_DSP → SKIP

  DECLARE.PORTS_DSP =
      (    port.InPResPortInDeclare!0.U.1.6.7.8.WRITE
       ||| port.InPResPortInDeclare!0.U.1.A.7.8.READ
       ||| port.InPResPortInDeclare!0.U.2.C.7.8.WRITE
       ||| port.InPResPortInDeclare!0.U.3.C.7.8.READ
       ||| port.InPResPortInDeclare!0.U.4.E.7.8.READ) → SKIP

  RESET_DSP =
      port.write!0.1 → port.setDelay!3 → port.write!0.0 → port.wait!1.#AA.100.3 → SKIP

SLIDE 31


Summary

We can produce nice models of device drivers.
We have an issue with state space.
How can we model drivers' expected behaviour?
How do we deal with the state space issues in FDR?

SLIDE 32


For Further Reading I

Ball, T., Cook, B., Levin, V. and Rajamani, S.K. SLAM and Static Driver Verifier: Technology transfer of formal methods inside Microsoft. Springer, 2004.

Barnes, F.R.M. and Ritson, C.G. Checking process-oriented operating system behaviour using CSP and refinement. ACM SIGOPS Operating Systems Review, 2010.