Abstract
This article presents a case study on retrospective verification of the Linux Virtual File System (VFS), which is aimed at checking violations of API usage rules and memory properties. Since VFS maintains dynamic data structures and is written in a mixture of C and inlined assembly, modern software model checkers cannot be applied. Our case study centres around our novel automated software verification tool, the SOCA Verifier, which symbolically executes and analyses compiled code. We describe how this verifier deals with complex features such as memory access, pointer aliasing and computed jumps in the VFS implementation, while reducing manual modelling to a minimum. Our results show that the SOCA Verifier is capable of analysing the complex Linux VFS implementation reliably and efficiently, thereby going beyond traditional testing tools and into niches that current software model checkers do not reach. This testifies to the SOCA Verifier’s suitability as an effective and efficient bug-finding tool during the development of operating system components.
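As an added illustration of the kind of analysis the abstract describes (this is not the paper's code and not the SOCA Verifier's implementation), the sketch below symbolically executes a small constructed program in a toy register-level IR, resolves a computed jump by querying a solver for each candidate target, prunes infeasible branches, and checks a hypothetical API usage rule: every `unlock` must be preceded by a matching `lock` and no lock may be held at return. A brute-force search over 3-bit inputs stands in for the SMT solver; the IR, the opcode names and the two sample programs are all assumptions made for this example.

```python
"""Toy symbolic executor for compiled-style code with computed jumps.

Added example, not part of the original article: a constructed IR and a
brute-force "solver" illustrate path exploration plus an API usage rule
(lock/unlock pairing), which is the style of property the abstract mentions.
"""
from itertools import product

DOMAIN = range(8)  # 3-bit symbolic inputs: brute force stands in for an SMT solver


def solve(inputs, constraints):
    """Return a concrete assignment satisfying every constraint, or None."""
    names = sorted(inputs)
    for vals in product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(c(env) for c in constraints):
            return env
    return None


def execute(program, max_states=256):
    """Explore all feasible paths; return (pc, rule, witness) violations."""
    violations = []
    # state: (pc, registers, path condition, symbolic input names, lock depth)
    # register values are closures env -> int so they stay symbolic
    worklist = [(0, {}, [], frozenset(), 0)]
    states = 0
    while worklist and states < max_states:
        pc, regs, cond, inputs, locks = worklist.pop()
        states += 1
        while True:
            op = program[pc]
            kind = op[0]
            if kind == "sym":                      # fresh symbolic input
                name = f"in{len(inputs)}"
                inputs = inputs | {name}
                regs = {**regs, op[1]: (lambda env, n=name: env[n])}
                pc += 1
            elif kind == "const":
                regs = {**regs, op[1]: (lambda env, k=op[2]: k)}
                pc += 1
            elif kind == "add":
                a, b = regs[op[2]], regs[op[3]]
                regs = {**regs, op[1]: (lambda env, a=a, b=b: a(env) + b(env))}
                pc += 1
            elif kind == "and":
                a, k = regs[op[2]], op[3]
                regs = {**regs, op[1]: (lambda env, a=a, k=k: a(env) & k)}
                pc += 1
            elif kind == "call":                   # API events tracked per path
                if op[1] == "lock":
                    locks += 1
                elif op[1] == "unlock":
                    if locks == 0:
                        violations.append((pc, "unlock without matching lock",
                                           solve(inputs, cond)))
                        break
                    locks -= 1
                pc += 1
            elif kind == "jz":                     # conditional branch: fork if feasible
                r, target = regs[op[1]], op[2]
                taken = cond + [lambda env, r=r: r(env) == 0]
                fall = cond + [lambda env, r=r: r(env) != 0]
                if solve(inputs, taken) is not None:
                    worklist.append((target, regs, taken, inputs, locks))
                if solve(inputs, fall) is None:     # fall-through infeasible: prune
                    break
                cond = fall
                pc += 1
            elif kind == "jmp_reg":                # computed jump: enumerate targets
                r = regs[op[1]]
                for target in range(len(program)):
                    c = cond + [lambda env, r=r, t=target: r(env) == t]
                    if solve(inputs, c) is not None:
                        worklist.append((target, regs, c, inputs, locks))
                # a target outside the program would be a jump into arbitrary memory
                outside = cond + [lambda env, r=r, n=len(program): not 0 <= r(env) < n]
                witness = solve(inputs, outside)
                if witness is not None:
                    violations.append((pc, "computed jump outside program", witness))
                break
            elif kind == "ret":
                if locks != 0:
                    violations.append((pc, "return with lock held", solve(inputs, cond)))
                break
    return violations


# Constructed sample: dispatch through a two-entry jump table on the parity of in0.
# Even inputs reach address 6 (unlock) and then the jz at 7 sends them to a second
# unlock at 8, so the rule is violated on that path; odd inputs are fine.
PROGRAM_BUGGY = [
    ("sym", "r0"),            # 0: r0 = symbolic argument
    ("and", "r1", "r0", 1),   # 1: r1 = r0 & 1
    ("const", "r2", 6),       # 2: r2 = jump table base
    ("add", "r3", "r1", "r2"),  # 3: r3 = 6 + parity  (targets 6 or 7)
    ("call", "lock"),         # 4
    ("jmp_reg", "r3"),        # 5: computed jump
    ("call", "unlock"),       # 6: even path
    ("jz", "r1", 8),          # 7: even -> 8 (bug), odd falls through
    ("call", "unlock"),       # 8
    ("ret",),                 # 9
]

# Same program with the branch at 7 sending even inputs straight to ret.
PROGRAM_FIXED = PROGRAM_BUGGY[:7] + [("jz", "r1", 9)] + PROGRAM_BUGGY[8:]

if __name__ == "__main__":
    for name, prog in (("buggy", PROGRAM_BUGGY), ("fixed", PROGRAM_FIXED)):
        print(name, execute(prog))
```

The witness returned with each violation is a concrete input that drives the program down the offending path, which is what makes a symbolic report actionable for a developer; the bounded enumeration of computed-jump targets is the simplest way to keep the analysis sound in the presence of jump tables.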
Additional information
by Jim Woodcock
An extended abstract of this article has appeared in the proceedings of SBMF 2009: “Formal Methods: Foundations and Applications”, volume 5902 of Lecture Notes in Computer Science, pages 306–320, Springer, 2009.
Cite this article
Mühlberg, J.T., Lüttgen, G. Verifying compiled file system code. Form Asp Comp 24, 375–391 (2012). https://doi.org/10.1007/s00165-011-0198-z