Abstract
Software model checkers quickly reach their limits when applied to verifying pointer safety properties in source code that includes function pointers and inlined assembly. This article introduces a novel technique for checking pointer safety violations, called symbolic object code analysis (SOCA), which is based on bounded symbolic execution, incorporates path-sensitive slicing, and employs the SMT solver Yices as its execution and verification engine. Extensive experimental results of a prototype SOCA Verifier, using the Verisec suite and almost 10,000 Linux device driver functions as benchmarks, show that SOCA performs competitively with modern source-code model checkers, scales well when applied to real operating systems code and pointer safety issues, and effectively explores niches of pointer-complex software that current software verifiers do not reach.
Acknowledgments
We thank Bart Jacobs from KU Leuven and the anonymous reviewers of Software Tools for Technology Transfer and SPIN 2010 for their valuable comments on this article and the previously published extended abstract, respectively, especially for pointing out some recent related work. We also thank Jim Woodcock and Daniel Kroening for their insightful remarks made at the first author’s PhD examination. This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, and by the Research Fund KU Leuven.
Additional information
An extended abstract of this article appeared in the proceedings of SPIN 2010: “Model Checking Software”, volume 6349 of Lecture Notes in Computer Science, pages 4–21, Springer, 2010.
Cite this article
Mühlberg, J.T., Lüttgen, G. Symbolic object code analysis. Int J Softw Tools Technol Transfer 16, 81–102 (2014). https://doi.org/10.1007/s10009-012-0256-8