One Million (LOC) and Counting: Static Analysis for Errors and Vulnerabilities in the Linux Kernel Source Code

  • Peter T. Breuer
  • Simon Pickin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4006)


This article describes an analysis tool aimed at the C code of the Linux kernel, first described as a prototype (in this forum) in 2004. Its continuing maturation means that it is now capable of treating millions of lines of code in a few hours on very modest platforms. It detects about two uncorrected deadlock situations per thousand C source files or million lines of source code in the Linux kernel, and three accesses to freed memory. In contrast to model-checking techniques, the tool uses a configurable “3-phase” programming logic to perform its analysis. It carries out several different analyses simultaneously.


Keywords: Program Logic; Atomic Proposition; Syntax Tree; Program Fragment; Program Language Design
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



  1. Breuer, P.T., Valls, M.G.: Static Deadlock Detection in the Linux Kernel. In: Llamosí, A., Strohmeier, A. (eds.) Ada-Europe 2004. LNCS, vol. 3063, pp. 52–64. Springer, Heidelberg (2004)
  2. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. 4th ACM Symposium on the Principles of Programming Languages, pp. 238–252 (1977)
  3. Foster, J.S., Fähndrich, M., Aiken, A.: A Theory of Type Qualifiers. In: Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 1999), Atlanta, Georgia (May 1999)
  4. Foster, J.S., Terauchi, T., Aiken, A.: Flow-Sensitive Type Qualifiers. In: Proc. ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2002), Berlin, Germany, pp. 1–12 (June 2002)
  5. Johnson, R., Wagner, D.: Finding User/Kernel Pointer Bugs With Type Inference. In: Proc. 13th USENIX Security Symposium, 2004, San Diego, CA, USA, August 9–13 (2004)
  6. Wagner, D., Foster, J.S., Brewer, E.A., Aiken, A.: A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. In: Proc. Network and Distributed System Security (NDSS) Symposium 2000, San Diego, CA, USA, February 2–4 (2000)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Peter T. Breuer (1)
  • Simon Pickin (1)
  1. Universidad Carlos III de Madrid, Leganes, Madrid, Spain
