Sound Formal Verification of Linux’s USB BP Keyboard Driver

  • Willem Penninckx
  • Jan Tobias Mühlberg
  • Jan Smans
  • Bart Jacobs
  • Frank Piessens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7226)


Case studies on formal software verification can be divided into two categories: while (i) unsound approaches may miss errors or report false-positive alarms due to coarse abstractions, (ii) sound approaches typically do not handle certain programming constructs like concurrency and/or suffer from scalability issues. This paper presents a case study on successfully verifying the Linux USB BP keyboard driver. Our verification approach is (a) sound, (b) takes into account dynamic memory allocation, complex API rules and concurrency, and (c) is applied on a real kernel driver which was not written with verification in mind. We employ VeriFast, a software verifier based on separation logic. Besides showing that it is possible to verify this device driver, we identify the parts where the verification went smoothly and the parts where the verification approach requires further research to be carried out.


Model Check Device Driver Bound Model Check Separation Logic Sound Formal 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K., Ustuner, A.: Thorough static analysis of device drivers. SIGOPS Oper. Syst. Rev. 40(4), 73–85 (2006)CrossRefGoogle Scholar
  2. 2.
    Berdine, J., Calcagno, C., Cook, B., Distefano, D., O’Hearn, P., Wies, T., Yang, H.: Shape Analysis for Composite Data Structures. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 178–192. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    Bornat, R., Calcagno, C., O’Hearn, P., Parkinson, M.: Permission accouting in separation logic. In: POPL (2005)Google Scholar
  4. 4.
    Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.R.: An empirical study of operating system errors. In: SOSP 2001, pp. 73–88. ACM, New York (2001)CrossRefGoogle Scholar
  5. 5.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50(5), 752–794 (2003)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: A Practical System for Verifying Concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Gotsman, A., Berdine, J., Cook, B., Rinetzky, N., Sagiv, M.: Local Reasoning for Storable Locks and Threads. In: Shao, Z. (ed.) APLAS 2007. LNCS, vol. 4807, pp. 19–37. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: taking microkernels to the next level. SIGOPS Oper. Syst. Rev. 41, 3–11 (2007)CrossRefGoogle Scholar
  9. 9.
    Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G.C., Sutre, G., Weimer, W.: Temporal-Safety Proofs for Systems Code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of the ACM 12(10), 576–580 and 583 (1969)zbMATHCrossRefGoogle Scholar
  11. 11.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: A Powerful, Sound, Predictable, Fast Verifier for C and Java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Kim, M., Kim, Y.: Concolic Testing of the Multi-sector Read Operation for Flash Memory File System. In: Oliveira, M.V.M., Woodcock, J. (eds.) SBMF 2009. LNCS, vol. 5902, pp. 251–265. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Mühlberg, J.T., Lüttgen, G.: Blasting Linux Code. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS and PDMC 2006. LNCS, vol. 4346, pp. 211–226. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Mühlberg, J.T., Lüttgen, G.: Verifying Compiled File System Code. In: Oliveira, M.V.M., Woodcock, J. (eds.) SBMF 2009. LNCS, vol. 5902, pp. 306–320. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Post, H., Sinz, C., Küchlin, W.: Towards automatic software model checking of thousands of Linux modules – a case study with Avinux. Softw. Test. Verif. Reliab. 19, 155–172 (2009)CrossRefGoogle Scholar
  16. 16.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: LICS 2002, pp. 55–74. IEEE, Washington (2002)Google Scholar
  17. 17.
    Vogels, F., Jacobs, B., Piessens, F., Smans, J.: Annotation Inference for Separation Logic Based Verifiers. In: Bruni, R., Dingel, J. (eds.) FMOODS/FORTE 2011. LNCS, vol. 6722, pp. 319–333. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Witkowski, T., Blanc, N., Kroening, D., Weissenbacher, G.: Model checking concurrent Linux device drivers. In: ASE 2007, pp. 501–504. ACM, New York (2007)CrossRefGoogle Scholar
  19. 19.
    Yang, H., Lee, O., Berdine, J., Calcagno, C., Cook, B., Distefano, D., O’Hearn, P.: Scalable Shape Analysis for Systems Code. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 385–398. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Willem Penninckx
    • 1
  • Jan Tobias Mühlberg
    • 1
  • Jan Smans
    • 1
  • Bart Jacobs
    • 1
  • Frank Piessens
    • 1
  1. 1.IBBT-DistriNetKU LeuvenLeuvenBelgium

Personalised recommendations