Efficient Formal Verification for the Linux Kernel

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11724)

Abstract

Formal verification of the Linux kernel has been receiving increasing attention in recent years, with the development of many models, from memory subsystems to the synchronization primitives of the real-time kernel. The effort in developing formal verification methods is justified by the large code base, the complex synchronization required in a monolithic kernel and the support for multiple architectures, along with the use of Linux in critical systems, from high-frequency trading to self-driving cars. Despite recent developments in the area, none of the proposed approaches is suitable and flexible enough to be applied efficiently to a running kernel. Aiming to fill this gap, this paper proposes a formal verification approach for the Linux kernel based on automata models. It presents a method to auto-generate verification code from an automaton; the generated code can be integrated into a module and dynamically loaded into the kernel for efficient on-the-fly verification of the system, using in-kernel tracing features. Finally, a set of experiments demonstrates the verification of three models, along with a performance analysis of the impact of the verification on the latency and throughput of the system, showing the efficiency of the approach.
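As an added illustration of the approach described in the abstract (this is not code from the paper or from its companion page), the block below shows the shape that auto-generated automaton verification code takes in C: a transition table derived from a small model, a step function that a tracepoint probe would call once per event, and a check over event traces. The model (preemption enabled or disabled, with a context switch allowed only while preemption is disabled), the event and function names, and the traces are all assumptions constructed for this example, not captured from a kernel; a real module would call the step function from tracepoint probes instead of iterating over an array.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model, assumed for this example (not one of the paper's models):
 * preemption is either enabled or disabled, and a context switch may only
 * happen while it is disabled. */
enum state { PREEMPTIVE, NON_PREEMPTIVE, NUM_STATES };
enum event { PREEMPT_DISABLE, PREEMPT_ENABLE, SCHED_SWITCH, NUM_EVENTS };

#define INVALID (-1)

/* Transition table in the form a generator would emit from the automaton:
 * next_state[current][event], or INVALID where the model has no edge. */
static const int next_state[NUM_STATES][NUM_EVENTS] = {
    /* PREEMPTIVE     */ { NON_PREEMPTIVE, INVALID,    INVALID        },
    /* NON_PREEMPTIVE */ { INVALID,        PREEMPTIVE, NON_PREEMPTIVE },
};

static const char *const state_name[NUM_STATES] = { "preemptive", "non_preemptive" };
static const char *const event_name[NUM_EVENTS] = { "preempt_disable", "preempt_enable", "sched_switch" };

struct monitor {
    int state;
    unsigned long violations;
};

static void monitor_init(struct monitor *m)
{
    m->state = PREEMPTIVE;
    m->violations = 0;
}

/* One step of the monitor; in a kernel module this is what a tracepoint probe
 * would call. Returns 1 if the event was accepted, 0 on a violation; on a
 * violation the monitor reports and keeps its current state so that it can
 * resynchronise with the following events. */
static int monitor_step(struct monitor *m, int ev)
{
    int next;

    if (ev < 0 || ev >= NUM_EVENTS || m->state < 0 || m->state >= NUM_STATES)
        return 0;
    next = next_state[m->state][ev];
    if (next == INVALID) {
        m->violations++;
        printf("violation: event %s not allowed in state %s\n",
               event_name[ev], state_name[m->state]);
        return 0;
    }
    m->state = next;
    return 1;
}

/* Replays a whole trace through a fresh monitor; returns the index of the
 * first violating event, or -1 if the trace is accepted. */
static long monitor_run(const int *trace, size_t n)
{
    struct monitor m;
    long first = -1;
    size_t i;

    monitor_init(&m);
    for (i = 0; i < n; i++) {
        if (!monitor_step(&m, trace[i]) && first < 0)
            first = (long)i;
    }
    return first;
}

/* Same replay, returning the total number of violations instead. */
static unsigned long monitor_count(const int *trace, size_t n)
{
    struct monitor m;
    size_t i;

    monitor_init(&m);
    for (i = 0; i < n; i++)
        monitor_step(&m, trace[i]);
    return m.violations;
}

/* Constructed traces for the example (not captured from a kernel). */
static const int good_trace[] = { PREEMPT_DISABLE, SCHED_SWITCH, PREEMPT_ENABLE,
                                  PREEMPT_DISABLE, PREEMPT_ENABLE };
static const int bad_trace[]  = { PREEMPT_DISABLE, PREEMPT_ENABLE, SCHED_SWITCH,
                                  PREEMPT_DISABLE };

int main(void)
{
    printf("good trace: first violation at %ld\n",
           monitor_run(good_trace, sizeof(good_trace) / sizeof(good_trace[0])));
    printf("bad trace: first violation at %ld\n",
           monitor_run(bad_trace, sizeof(bad_trace) / sizeof(bad_trace[0])));
    return 0;
}
```

The table lookup is the whole per-event cost, which is what makes this style of monitor cheap enough to run on a live kernel: the generator does the work once, at model time, and the probe does one bounded-index read per event.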

Keywords

Verification, Linux kernel, Automata, Testing


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. RHEL Platform/Real-time Team, Red Hat, Inc., Pisa, Italy
  2. RETIS Lab, Scuola Superiore Sant'Anna, Pisa, Italy
  3. Department of Systems Automation, UFSC, Florianópolis, Brazil