05.09.2015 How to Cook an Automated System for Linux Driver Verification Oleg Strikov Vadim Mutilin.

Post on 26-Dec-2015


19.04.23

How to Cook an Automated System for Linux Driver Verification

Oleg Strikov

Vadim Mutilin

Oleg A. Strikov <oleg.strikov@ispras.ru>

Vadim S. Mutilin <mutilin@ispras.ru>

2 / 12 19.04.23

Guinea-pig: DAC960PD-Ultra

a high-performance three-channel Ultra SCSI disk array controller that uses Intel's i960 32-bit microprocessor

supports disk arrays for RAID levels 0, 1, 5, 0+1, and 5+0

permits data transfer rates across the PCI bus at 132MB/sec

supports Fast-20 data transfer rates of 40MB/sec. per channel

up to 45 drives can be attached to the RAID controller

supports the Global Array Manager

full device driver support for UNIX, Windows, OS/2, NetWare and other operating systems

DAC960


Confusing Linux Driver Code

Controller->V1.DualModeMemoryMailboxInterface = false; true

VERIFICATION NEEDED


Manuscript


Mixing Up

BLAST

DRIVER SOURCE

VERIFICATION MODELS

INSTRUMENTATION TOOL


BLAST??? Berkeley Lazy Abstraction Software Verification Tool

BLAST is a software model checker for C programs.

It uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties.


Real World Example: /drivers/block/DAC960.c

No explicit calls to linking-level init procedures (not BLAST acceptable)

Callback interface procedures registration (not BLAST acceptable either)

module_init(DAC960_init_module);

module_exit(DAC960_cleanup_module);

ret = pci_register_driver(&DAC960_pci_driver)

Extra preprocessing tools should be coded


Conceptual Hack Toolkit

Bash scripting magic

STATUS:

DOUBLE DUTCH

STATUS:

BLAST ACCEPTABLE


BLAST SHAMANIC RITUAL

RULE ID 0029. CANNOT CALL ALLOC() BEFORE CREATE()

Error found! System is unsafe :-(


HOW IT WORKS

NATURAL LANGUAGE RULE

FORMAL LANGUAGE RULE

ID 0029: Memory regions cannot be allocated from a non-existent predecessor pool

TARGET: Prevent a potential system crash caused by incorrect use of the pool subsystem function set: dma_pool_alloc() cannot be called before the pool has been successfully created with dma_pool_create().
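The two slides above describe the whole pipeline in words: BLAST cannot see entry points that a module reaches only through module_init() and pci_register_driver(), so a preprocessing tool must generate an explicit harness, and a natural-language rule such as ID 0029 is turned into an instrumented model of the kernel API whose error state the checker looks for. The following C program is an added example written for this page, not code from the talk, from BLAST, or from the Linux kernel: the toy driver, the model_dma_pool_* functions, run_harness() and the probe/remove shapes are all constructed, and the real kernel API is replaced by a stand-in that just tracks pool state. Where BLAST would branch nondeterministically on whether dma_pool_create() succeeded, the harness takes that outcome as a parameter so each scenario can be run directly.

```c
/* Toy model of "generated harness + instrumented rule model" for rule 0029.
 * Added example; all names are constructed and do not come from the kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* --- instrumented model of the dma_pool API (replaces the real kernel) --- */
enum pool_state { POOL_NONE, POOL_CREATED };
static enum pool_state pool_state;        /* the abstract state rule 0029 tracks */
static int rule_0029_violations;          /* incremented when the ERROR label is hit */

struct dma_pool { int placeholder; };
static struct dma_pool the_pool;

static struct dma_pool *model_dma_pool_create(bool create_succeeds) {
    if (create_succeeds) { pool_state = POOL_CREATED; return &the_pool; }
    return NULL;                           /* creation failed: pool still does not exist */
}

static void *model_dma_pool_alloc(struct dma_pool *pool) {
    (void)pool;
    if (pool_state != POOL_CREATED) {
        rule_0029_violations++;            /* alloc() before a successful create(): ERROR */
        return NULL;
    }
    return &the_pool;                      /* stands in for a real DMA buffer */
}

static void model_dma_pool_destroy(struct dma_pool *pool) {
    (void)pool;
    pool_state = POOL_NONE;
}

/* --- driver skeleton shaped like DAC960.c: callbacks, not explicit calls --- */
struct toy_pci_driver { int (*probe)(bool); void (*remove)(void); };
static struct dma_pool *ctrl_pool;

/* Buggy probe: allocates without checking that the pool was actually created. */
static int toy_probe_buggy(bool create_succeeds) {
    ctrl_pool = model_dma_pool_create(create_succeeds);
    return model_dma_pool_alloc(ctrl_pool) ? 0 : -1;
}

/* Fixed probe: bails out on a failed create, so alloc() is never reached early. */
static int toy_probe_fixed(bool create_succeeds) {
    ctrl_pool = model_dma_pool_create(create_succeeds);
    if (!ctrl_pool) return -1;
    return model_dma_pool_alloc(ctrl_pool) ? 0 : -1;
}

static void toy_remove(void) {
    if (ctrl_pool) model_dma_pool_destroy(ctrl_pool);
    ctrl_pool = NULL;
}

/* Registration the way a real module does it; nothing here calls probe(). */
static struct toy_pci_driver registered;
static int toy_register(struct toy_pci_driver *drv) { registered = *drv; return 0; }

/* --- what the preprocessing tool generates: an explicit entry point --- */
/* Runs one scenario (init, probe with the chosen create outcome, remove)
 * and returns how many times the rule-0029 error state was reached. */
int run_harness(bool use_fixed_probe, bool create_succeeds) {
    pool_state = POOL_NONE;
    rule_0029_violations = 0;
    ctrl_pool = NULL;
    struct toy_pci_driver drv = {
        use_fixed_probe ? toy_probe_fixed : toy_probe_buggy, toy_remove
    };
    if (toy_register(&drv) != 0) return -1;  /* body of module_init() */
    registered.probe(create_succeeds);        /* callback made an explicit call */
    registered.remove();                      /* body of module_exit() / unbind */
    return rule_0029_violations;
}

int main(void) {
    printf("buggy probe, create ok:     %d violations\n", run_harness(false, true));
    printf("buggy probe, create fails:  %d violations\n", run_harness(false, false));
    printf("fixed probe, create fails:  %d violations\n", run_harness(true, false));
    return 0;
}
```

Only the "buggy probe, create fails" scenario reaches the error state, which is exactly the path a model checker would report for rule 0029; the fixed probe never calls alloc() without a live pool, so every scenario for it returns zero violations.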


RESULTS (in progress…)

55 collected

24 beyond the scope of BLAST

15 have been formalized

CURRENT TARGET SUBSYSTEMS:

/usr/src/linux/net & /usr/src/linux/drivers/net

/usr/src/linux/block & /usr/src/linux/drivers/block

/usr/src/linux/drivers/char


CONTACTS

OLEG A. STRIKOV oleg.strikov@ispras.ru

VADIM S. MUTILIN mutilin@ispras.ru