Verifying Compiled File System Code

  • Jan Tobias Mühlberg
  • Gerald Lüttgen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5902)


This paper presents a case study on retrospective verification of the Linux Virtual File System (VFS), which is aimed at checking for violations of API usage rules and memory properties. Since VFS maintains dynamic data structures and is written in a mixture of C and inlined assembly, modern software model checkers cannot be applied. Our case study centres around our novel verification tool, the SOCA Verifier, which symbolically executes and analyses compiled code. We describe how this verifier deals with complex program features such as memory access, pointer aliasing and computed jumps, while reducing manual modelling to the bare minimum. Our results show that the SOCA Verifier is capable of reliably analysing complex operating system components such as the Linux VFS, thereby going beyond traditional testing tools and into niches that current software model checkers do not reach.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What You See Is Not What You eXecute. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 202–213. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K., Ustuner, A.: Thorough static analysis of device drivers. In: EuroSys 2006, USA, vol. 4, pp. 73–85. ACM, New York (2006)CrossRefGoogle Scholar
  3. 3.
    Ball, T., Majumdar, R., Millstein, T., Rajamani, S.K.: Automatic predicate abstraction of C programs. SIGPLAN Not. 36(5), 203–213 (2001)CrossRefGoogle Scholar
  4. 4.
    Ball, T., Rajamani, S.K.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) SPIN 2001. LNCS, vol. 2057, pp. 102–122. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Bovet, D., Cesati, M.: Understanding the Linux Kernel. O’Reilly, Sebastopol (2005)Google Scholar
  6. 6.
    Chaki, S., Clarke, E., Groce, A., Ouaknine, J., Strichman, O., Yorav, K.: Efficient verification of sequential and concurrent C programs. FMSD 25(2-3), 129–166 (2004)MATHGoogle Scholar
  7. 7.
    Ciardo, G., Jones, R.L., Miner, A.S., Siminiceanu, R.I.: Logic and stochastic modeling with SMART. Perform. Eval. 63(6), 578–608 (2006)CrossRefGoogle Scholar
  8. 8.
    Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004)Google Scholar
  9. 9.
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM TOPLAS 13(4), 451–490 (1991)CrossRefGoogle Scholar
  10. 10.
    D’Silva, V., Kroening, D., Weissenbacher, G.: A survey of automated techniques for formal software verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 27(7 ), 1165–1178 (2008)CrossRefGoogle Scholar
  11. 11.
    Dutertre, B., de Moura, L.: The Yices SMT solver. Technical Report 01/2006, SRI International (2006),
  12. 12.
    Ferdinand, C., Martin, F., Cullmann, C., Schlickling, M., Stein, I., Thesing, S., Heckmann, R.: New developments in WCET analysis. In: Reps, T., Sagiv, M., Bauer, J. (eds.) Program Analysis and Compilation, Theory and Practice. LNCS, vol. 4444, pp. 12–52. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Galloway, A., Lüttgen, G., Mühlberg, J.T., Siminiceanu, R.: Model-checking the Linux Virtual File System. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 74–88. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Gulavani, B.S., Rajamani, S.K.: Counterexample driven refinement for abstract interpretation. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 474–488. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G.C., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, p. 526. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Hoare, T.: The verifying compiler: A grand challenge for computing research. J. ACM 50(1), 63–69 (2003)Google Scholar
  17. 17.
    Joshi, R., Holzmann, G.J.: A mini challenge: Build a verifiable filesystem. Formal Aspects of Computing 19(2), 269–272 (2007)MATHCrossRefGoogle Scholar
  18. 18.
    Ku, K., Hart, T.E., Chechik, M., Lie, D.: A buffer overflow benchmark for software model checkers. In: ASE 2007, USA, pp. 389–392. ACM, New York (2007)CrossRefGoogle Scholar
  19. 19.
    Leung, A., George, L.: Static single assignment form for machine code. In: PLDI 1999, USA, pp. 204–214. ACM, New York (1999)CrossRefGoogle Scholar
  20. 20.
    Mühlberg, J.T., Lüttgen, G.: BLASTing Linux code. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS 2006 and PDMC 2006. LNCS, vol. 4346, pp. 211–226. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. In: PLDI 2007, USA, vol. 42, pp. 89–100. ACM, New York (2007)CrossRefGoogle Scholar
  22. 22.
    Sery, O.: Enhanced property specification and verification in BLAST. In: Chechik, M., Wirsing, M. (eds.) FASE 2009. LNCS, vol. 5503, pp. 456–469. Springer, Heidelberg (2009)Google Scholar
  23. 23.
    Witkowski, T., Blanc, N., Kroening, D., Weissenbacher, G.: Model checking concurrent Linux device drivers. In: ASE 2007, USA, pp. 501–504. ACM, New York (2007)CrossRefGoogle Scholar
  24. 24.
    Xie, Y., Aiken, A.: Saturn: A scalable framework for error detection using boolean satisfiability. ACM TOPLAS 29(3), 16 (2007)CrossRefGoogle Scholar
  25. 25.
    Yang, J., Sar, C., Twohey, P., Cadar, C., Engler, D.R.: Automatically generating malicious disks using symbolic execution. In: Security and Privacy, pp. 243–257. IEEE, Los Alamitos (2006)Google Scholar
  26. 26.
    Yang, J., Twohey, P., Engler, D.R., Musuvathi, M.: Using model checking to find serious file system errors. In: OSDI, pp. 273–288. USENIX (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jan Tobias Mühlberg
    • 1
  • Gerald Lüttgen
    • 1
  1. 1.Software Engineering and Programming Languages Research GroupUniversity of BambergBambergGermany

Personalised recommendations