Symbolic object code analysis

Regular Paper

Abstract

Software model checkers quickly reach their limits when applied to verifying pointer safety properties in source code that includes function pointers and inlined assembly. This article introduces a novel technique for checking pointer safety violations, called symbolic object code analysis (SOCA), which is based on bounded symbolic execution, incorporates path-sensitive slicing, and employs the SMT solver Yices as its execution and verification engine. Extensive experimental results for a prototype SOCA Verifier, using the Verisec suite and almost 10,000 Linux device driver functions as benchmarks, show that SOCA performs competitively with modern source-code model checkers, scales well when applied to real operating systems code and pointer safety issues, and effectively explores niches of pointer-complex software that current software verifiers do not reach.
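To make the abstract's description concrete, the following is an added example (not code from the paper or the SOCA Verifier): a toy bounded symbolic executor over an object-code-like register machine that checks every load and store for pointer safety, i.e. that the accessed byte range lies inside an allocated object on the current path. The instruction set, the sample program, the object layout and the brute-force model finder are all constructed for this illustration; SOCA works on real x86 object code and hands its path constraints to Yices, so the `smt` renderer only shows the kind of bit-vector query such a solver would receive. Memory contents are not modelled (a load yields 0), which is enough to find the bug shown: a bounds check compiled against the buffer's byte length where the element count was intended.

```python
"""Toy bounded symbolic execution with a pointer-safety check per memory access.
Constructed example; the machine, program and solver stand-in are not SOCA's."""
from itertools import product

WIDTH = 16                       # word width of the toy machine
MASK = (1 << WIDTH) - 1

def val(regs, x):
    """Operand: a register name maps to its symbolic value, anything else is an immediate."""
    return regs[x] if isinstance(x, str) else x & MASK

def ev(e, env):
    """Evaluate an expression tree (int | ('sym', name) | (op, a, b)) under a concrete env."""
    if isinstance(e, int):
        return e
    if e[0] == 'sym':
        return env[e[1]]
    op, a, b = e
    x, y = ev(a, env), ev(b, env)
    return {'+': (x + y) & MASK, '*': (x * y) & MASK,
            '<': int(x < y), '>=': int(x >= y)}[op]      # unsigned comparisons

def smt(e):
    """Render an expression as SMT-LIB2 bit-vector text, as a solver like Yices would see it."""
    if isinstance(e, int):
        return f'(_ bv{e} {WIDTH})'
    if e[0] == 'sym':
        return e[1]
    op, a, b = e
    return f"({ {'+': 'bvadd', '*': 'bvmul', '<': 'bvult', '>=': 'bvuge'}[op] } {smt(a)} {smt(b)})"

def in_bounds(addr, size, objects, env):
    """Pointer safety: [addr, addr+size) must lie inside one allocated (base, length) object."""
    a = ev(addr, env)
    return any(base <= a and a + size <= base + n for base, n in objects)

def violation_model(path, addr, size, objects, symbols):
    """Stand-in for the query  path AND NOT in_bounds(addr):  brute force over all
    WIDTH-bit assignments of the symbols.  Fine for one symbol; a real tool asks the SMT solver."""
    for vals in product(range(1 << WIDTH), repeat=len(symbols)):
        env = dict(zip(symbols, vals))
        if all(ev(c, env) for c in path) and not in_bounds(addr, size, objects, env):
            return env
    return None

def execute(program, regs, objects, symbols, bound=64):
    """Bounded symbolic execution: depth-first over paths, forking at conditional branches.
    Returns one (pc, path condition, counterexample) per memory access that can be unsafe."""
    findings = []
    worklist = [(0, dict(regs), [], 0)]
    while worklist:
        pc, regs, path, steps = worklist.pop()
        if pc >= len(program) or steps >= bound:
            continue                                   # bound reached: path is cut off here
        ins, steps = program[pc], steps + 1
        if ins[0] in ('add', 'mul'):
            _, rd, a, b = ins
            regs[rd] = ({'add': '+', 'mul': '*'}[ins[0]], val(regs, a), val(regs, b))
            worklist.append((pc + 1, regs, path, steps))
        elif ins[0] in ('load', 'store'):
            _, reg, base, off, size = ins
            addr = ('+', val(regs, base), off)
            model = violation_model(path, addr, size, objects, symbols)
            if model is not None:
                findings.append((pc, path, model))
            if ins[0] == 'load':
                regs[reg] = 0                          # memory contents are not modelled
            worklist.append((pc + 1, regs, path, steps))
        elif ins[0] == 'jlt':                          # if a < b goto target, else fall through
            _, a, b, target = ins
            x, y = val(regs, a), val(regs, b)
            worklist.append((target, dict(regs), path + [('<', x, y)], steps))
            worklist.append((pc + 1, dict(regs), path + [('>=', x, y)], steps))
        # 'ret' ends the path

    return findings

BUF, BUFLEN = 0x1000, 16         # one allocated object: an array of 4 u32 words (constructed)
OBJECTS = [(BUF, BUFLEN)]

def index_program(limit):
    """Object code for  'if (n < limit) return buf[n];'  on a u32 array.  The correct limit
    is 4 (elements); compiling the check against 16 (bytes) is the unit mix-up under test."""
    return [
        ('jlt', 'r1', limit, 2),     # 0: if n < limit goto 2
        ('ret',),                    # 1: reject
        ('mul', 'r2', 'r1', 4),      # 2: r2 = n * sizeof(u32)
        ('add', 'r2', 'r0', 'r2'),   # 3: r2 = buf + r2
        ('load', 'r3', 'r2', 0, 4),  # 4: r3 = *(u32 *) r2      <- the checked access
        ('ret',),                    # 5
    ]

def check(limit):
    regs = {'r0': BUF, 'r1': ('sym', 'n')}         # r1 = n is the attacker-controlled input
    return execute(index_program(limit), regs, OBJECTS, ['n'])

if __name__ == '__main__':
    for limit in (16, 4):
        for pc, path, model in check(limit):
            print(f'limit={limit}: unsafe load at pc {pc} under',
                  ' & '.join(smt(c) for c in path), f'; e.g. {model}')
        if not check(limit):
            print(f'limit={limit}: all memory accesses are in bounds within the step bound')
```

With `limit=16` the only path that reaches the load carries the constraint `(bvult n (_ bv16 16))`, and the model finder reports `n = 4`, the smallest index whose 4-byte access starts at `buf + 16`, one past the object. With `limit=4` no assignment satisfies the path constraint and misses every object, so no finding is reported. Replacing the brute-force enumeration with a bit-vector SMT solver is what lets the same scheme scale to real word widths and several symbolic inputs.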

Keywords

Software verification; Bounded model checking; Program slicing; Object code; Case study; Linux device drivers

Acknowledgments

We thank Bart Jacobs from KU Leuven and the anonymous reviewers of Software Tools for Technology Transfer and SPIN 2010 for their valuable comments on this article and the previously published extended abstract, respectively, especially for pointing out some recent related work. We also thank Jim Woodcock and Daniel Kroening for their insightful remarks made at the first author's PhD examination. This research is partially funded by the Interuniversity Attraction Poles Programme, Belgian State, Belgian Science Policy, and by the Research Fund KU Leuven.

Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  1. IBBT-DistriNet, KU Leuven, Leuven, Belgium
  2. Software Technologies Research Group, University of Bamberg, Bamberg, Germany