05.09.2015 how to cook an automated system for linux driver verification oleg strikov vadim mutilin
19.04.23
How to Cook an Automated System for Linux Driver Verification
Oleg Strikov
Vadim Mutilin
Oleg A. Strikov <[email protected]>
Vadim S. Mutilin <[email protected]>
2 / 12, 19.04.23
Guinea-pig: DAC960PD-Ultra
a high-performance three-channel Ultra SCSI disk array controller that uses Intel's i960 32-bit microprocessor
supports disk arrays for RAID levels 0, 1, 5, 0+1, and 5+0
permits data transfer rates across the PCI bus at 132MB/sec
supports Fast-20 data transfer rates of 40MB/sec per channel
up to 45 drives can be attached to the RAID controller
supports the Global Array Manager
full device driver support for UNIX, Windows, OS/2, NetWare and other operating systems
DAC960
Confusing Linux Driver Code
Controller->V1.DualModeMemoryMailboxInterface = false;true
VERIFICATION NEEDED
Mixing Up
BLAST
DRIVER SOURCE
VERIFICATION MODELS
INSTRUMENTATION TOOL
BLAST??? Berkeley Lazy Abstraction Software Verification Tool
BLAST is a software model checker for C programs.
It uses counterexample-driven automatic abstraction refinement to construct an abstract model which is model checked for safety properties.
Real World Example: /drivers/block/DAC960.c
No explicit calls to linking-level init procedures (not BLAST acceptable)
Callback interface procedures registration (not BLAST acceptable either)
module_init(DAC960_init_module); module_exit(DAC960_cleanup_module);
ret = pci_register_driver(&DAC960_pci_driver)
Extra preprocessing tools should be coded
Conceptual Hack Toolkit
Bash scripting magic
STATUS:
DOUBLE DUTCH
STATUS:
BLAST ACCEPTABLE
BLAST SHAMANIC RITUAL
RULE ID0029. CANNOT CALL ALLOC() BEFORE CREATE()
Error found! System is unsafe :-(
HOW IT WORKS
NATURAL LANGUAGE RULE -> FORMAL LANGUAGE RULE
ID 0029: Memory regions cannot be allocated from a non-existent predecessor pool
TARGET: Prevent a potential system crash caused by incorrect use of the pool subsystem's function set: dma_pool_alloc() cannot be called before the pool has been successfully created with dma_pool_create().
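The two slides above describe two ingredients the speakers need before BLAST can check a driver: a synthesised entry point that calls the init, probe, remove and exit callbacks in the order the kernel would (since module_init()/pci_register_driver() registrations are not a call sequence BLAST can follow), and a model of the pool API in which rule ID0029 becomes a reachable error state. The C below is an added example written for this page; it is not the authors' instrumentation tool, not BLAST's own model, and not DAC960.c. All ldv_*, model_* and check_* names are this example's own, the "driver" is constructed, and the models are plain user-space functions, so the whole thing compiles and runs without a kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Rule ID0029 model state. Names are this example's own (hypothetical),
 * not the slides' instrumentation tool or BLAST's model. */
struct dma_pool { int unused; };      /* stand-in for the kernel's opaque struct dma_pool */
static struct dma_pool ldv_pool;
static int ldv_pool_exists;           /* 0 until dma_pool_create() has succeeded */
static int ldv_violations;            /* counts what BLAST would report as a reachable ERROR */
static bool ldv_create_ok;            /* harness-chosen outcome of the modelled create() */

static void ldv_reset(bool create_ok)
{
    ldv_pool_exists = 0;
    ldv_violations = 0;
    ldv_create_ok = create_ok;
}

/* Model of dma_pool_create(): like the real call it may fail and return NULL;
 * only a successful call makes later allocations legal. */
static struct dma_pool *model_dma_pool_create(void)
{
    if (!ldv_create_ok)
        return NULL;
    ldv_pool_exists = 1;
    return &ldv_pool;
}

/* Model of dma_pool_alloc(): the formalised rule lives here. Allocating before
 * a successful create is the forbidden ordering (in BLAST: goto ERROR). */
static void *model_dma_pool_alloc(struct dma_pool *pool)
{
    static char region[64];
    if (!ldv_pool_exists || pool == NULL) {
        ldv_violations++;
        return NULL;
    }
    return region;
}

/* Driver-shaped code under analysis: constructed, not DAC960.c. It mirrors the
 * callback registration the slides point at (module_init / pci_register_driver). */
struct model_pci_driver {
    int  (*probe)(void);
    void (*remove)(void);
};
typedef int  (*init_fn)(void);
typedef void (*exit_fn)(void);

static struct dma_pool *g_pool;
static void *g_buf;

/* Buggy variant: allocates in the init callback, before probe() created the pool. */
static int  buggy_init(void)   { g_buf = model_dma_pool_alloc(g_pool); return 0; }
static int  buggy_probe(void)  { g_pool = model_dma_pool_create(); return g_pool ? 0 : -1; }
static void buggy_remove(void) { g_buf = NULL; }
static void buggy_exit(void)   { g_pool = NULL; }
static struct model_pci_driver buggy_drv = { buggy_probe, buggy_remove };

/* Fixed variant: allocates only in probe(), and only after create() succeeded. */
static int  fixed_init(void)   { return 0; }
static int  fixed_probe(void)
{
    g_pool = model_dma_pool_create();
    if (g_pool == NULL)
        return -1;                     /* creation failed: no allocation attempted */
    g_buf = model_dma_pool_alloc(g_pool);
    return g_buf ? 0 : -1;
}
static void fixed_remove(void) { g_buf = NULL; }
static void fixed_exit(void)   { g_pool = NULL; }
static struct model_pci_driver fixed_drv = { fixed_probe, fixed_remove };

/* Generated entry point: what the preprocessing step has to synthesise, because
 * BLAST needs an explicit call sequence rather than module_init() registrations.
 * Returns the number of rule violations reached along this path. */
static int ldv_harness(init_fn init, struct model_pci_driver *drv, exit_fn exit_cb,
                       bool create_ok)
{
    ldv_reset(create_ok);
    g_pool = NULL;
    g_buf = NULL;
    if (init() == 0) {                 /* module_init callback */
        if (drv->probe() == 0)         /* pci_register_driver(): bus calls probe() */
            drv->remove();             /* ... and remove() on unbind */
        exit_cb();                     /* module_exit callback */
    }
    return ldv_violations;
}

int check_buggy_driver(void)              { return ldv_harness(buggy_init, &buggy_drv, buggy_exit, true); }
int check_fixed_driver(void)              { return ldv_harness(fixed_init, &fixed_drv, fixed_exit, true); }
int check_fixed_driver_create_fails(void) { return ldv_harness(fixed_init, &fixed_drv, fixed_exit, false); }

int main(void)
{
    printf("buggy driver: %d violation(s)\n", check_buggy_driver());
    printf("fixed driver: %d violation(s)\n", check_fixed_driver());
    printf("fixed driver, create() fails: %d violation(s)\n", check_fixed_driver_create_fails());
    return 0;
}
```

The harness runs one concrete path, whereas BLAST explores the abstract model of all paths; the point is the shape of the artefacts, not the search. The third check exists because the rule says "successful creation": a driver that handles a failed dma_pool_create() by not allocating is rule-conformant, so the model must make ldv_pool_exists depend on the create outcome rather than on the call having been made.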
RESULTS (in progress…)
55 COLLECTED
24 beyond the scope of BLAST
15 have been formalized
CURRENT TARGET SUBSYSTEMS: /usr/src/linux/net & /usr/src/linux/drivers/net; /usr/src/linux/block & /usr/src/linux/drivers/block; /usr/src/linux/drivers/char
CONTACTS
OLEG A. STRIKOV [email protected]
VADIM S. MUTILIN [email protected]