One Million (LOC) and Counting: Static Analysis for Errors and Vulnerabilities in the Linux Kernel Source Code
This article describes an analysis tool for the C code of the Linux kernel, first described as a prototype (in this forum) in 2004. It has since matured to the point where it can treat millions of lines of code in a few hours on very modest platforms. In the Linux kernel it detects about two uncorrected deadlock situations per thousand C source files (roughly a million lines of source code), and about three accesses to freed memory at the same rate. Unlike model-checking techniques, the tool uses a configurable "3-phase" programming logic to perform its analysis, and it carries out several different analyses simultaneously.
Keywords: Program Logic, Atomic Proposition, Syntax Tree, Program Fragment, Program Language Design
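The two bug classes the abstract reports rates for (a lock re-acquired while already held, and an access to memory that has been freed) are easy to see in a small path-sensitive walk. The following C is an added illustration written for this page; it is not the paper's tool and does not implement its 3-phase logic. It runs a toy lock-state and freed-pointer analysis over a hand-digested straight-line path of abstract statements (the `enum op`, `struct stmt` and the `bad_path`/`good_path` samples are all constructed here, not taken from the kernel), and additionally counts a lock still held at return, which the abstract does not mention.

```c
#include <stdio.h>
#include <string.h>

/* Abstract statements of one straight-line path through a kernel function.
   A real tool works on the C syntax tree; this toy walks a pre-digested path. */
enum op { LOCK, UNLOCK, KFREE, USE, RET };

struct stmt {
    enum op op;
    const char *obj;   /* lock or pointer expression the statement touches */
};

#define MAX_OBJS 16

/* Abstract state carried along the path: locks held, pointers freed. */
struct state {
    const char *held[MAX_OBJS];  int nheld;
    const char *freed[MAX_OBJS]; int nfreed;
};

struct report {
    int deadlocks;     /* lock taken while already held on this path */
    int freed_uses;    /* reads, writes or frees of an already freed pointer */
    int locks_at_ret;  /* locks still held when the path returns */
};

static int find(const char **arr, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(arr[i], name) == 0)
            return i;
    return -1;
}

/* Walk the path once, updating the abstract state and counting findings. */
struct report check_path(const struct stmt *path, int len)
{
    struct state s = { .nheld = 0, .nfreed = 0 };
    struct report r = { 0, 0, 0 };

    for (int i = 0; i < len; i++) {
        const struct stmt *st = &path[i];
        int k;
        switch (st->op) {
        case LOCK:
            /* A non-recursive spinlock re-acquired by its holder spins forever. */
            if (find(s.held, s.nheld, st->obj) >= 0)
                r.deadlocks++;
            else if (s.nheld < MAX_OBJS)
                s.held[s.nheld++] = st->obj;
            break;
        case UNLOCK:
            k = find(s.held, s.nheld, st->obj);
            if (k >= 0)
                s.held[k] = s.held[--s.nheld];
            break;
        case KFREE:
            /* kfree() of an already freed pointer is itself an access to freed memory. */
            if (find(s.freed, s.nfreed, st->obj) >= 0)
                r.freed_uses++;
            else if (s.nfreed < MAX_OBJS)
                s.freed[s.nfreed++] = st->obj;
            break;
        case USE:
            if (find(s.freed, s.nfreed, st->obj) >= 0)
                r.freed_uses++;
            break;
        case RET:
            /* Returning with a lock held deadlocks the next acquirer. */
            r.locks_at_ret += s.nheld;
            break;
        }
    }
    return r;
}

/* Constructed sample paths (hypothetical, not taken from the kernel). */
static const struct stmt bad_path[] = {
    { LOCK,  "&dev->lock" },
    { KFREE, "dev->buf" },
    { USE,   "dev->buf" },     /* access to freed memory */
    { LOCK,  "&dev->lock" },   /* second acquire of a held lock: deadlock */
    { RET,   "" },             /* error return with the lock still held */
};

static const struct stmt good_path[] = {
    { LOCK,   "&dev->lock" },
    { USE,    "dev->buf" },
    { UNLOCK, "&dev->lock" },
    { KFREE,  "dev->buf" },
    { RET,    "" },
};

struct report check_bad_path(void)
{
    return check_path(bad_path, (int)(sizeof bad_path / sizeof bad_path[0]));
}

struct report check_good_path(void)
{
    return check_path(good_path, (int)(sizeof good_path / sizeof good_path[0]));
}

int main(void)
{
    struct report r = check_bad_path();
    printf("bad path:  %d deadlock(s), %d use(s) of freed memory, %d lock(s) held at return\n",
           r.deadlocks, r.freed_uses, r.locks_at_ret);
    r = check_good_path();
    printf("good path: %d deadlock(s), %d use(s) of freed memory, %d lock(s) held at return\n",
           r.deadlocks, r.freed_uses, r.locks_at_ret);
    return 0;
}
```

The walk is deliberately per-path and intraprocedural: a production analysis has to merge states at join points and follow lock state across calls, which is where the "millions of lines in a few hours" claim in the abstract earns its keep.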