Solidifying Software Interfaces: Checkable Contracts
Thomas Ball
Testing, Verification and Measurement
Microsoft Research
http://research.microsoft.com/~tball/
The .NET Framework: A Once in a Decade Change
(Figure: timeline of platform richness from 1980 to 2000: Windows 3.0, Win16, Win32, COM, MFC, then Components, Services and APIs)
Trustworthy Commitment
• Microsoft Cultural Shift
– Thousands of hours spent in security reviews on .NET Framework to date
– Foundstone, @Stake security reviews
• "Hardening" the .NET Framework
• Making Security Easier for Customers
– Prescriptive Architectural Guidance
– Feature changes in .NET Framework
Interfaces Everywhere!
(Figure: map of the .NET Framework namespaces grouped by application model. Tools; Client Application Model: Windows Forms; Web & Service Application Model: ASP.NET, Compact Framework; Data Systems Application Model: Yukon; Mobile PC & Devices Application Model; Presentation, Communication, Command Line, NT Service. Namespaces shown include System.Messaging, System.DirectoryServices, System.Runtime.Remoting, System.Windows.Forms (Forms, Control, Print Dialog, Design), System.Console, System.ServiceProcess, System.Web, System.Data.SqlServer, System.Net (HttpWebRequest, FtpWebListener, SslClientStream, WebClient, NetworkInformation, Sockets, Cache), System.Web.UI (Page, Control, HtmlControls, MobileControls, WebControls, Adaptors, Design), System.Drawing, System.Web.Services (Description, Discovery, Protocols), System.Timers, System.Globalization, System.Serialization, System.Threading, System.Text, System.Design, CompilerServices; Base & Application Services and Fundamentals: System.ComponentModel, System.CodeDom, System.Reflection, System.EnterpriseServices, System.Transactions; Security: System.Web.Security, System.Security (AccessControl, Credentials, Cryptography, Permissions, Policy, Principal, Token); Configuration and Deployment/Management: System.Web.Configuration, System.Configuration, System.Resources, System.Management, System.Deployment, System.Diagnostics, System.Web (Administration, Management); System.Runtime (Ports, InteropServices), System.IO, System.Collections (Generic); Data: System.Web (Personalization, Caching, SessionState), System.Xml (Schema, Serialization, Xpath, Query, DataSet, Mapping), ObjectSpaces (ObjectSpace, Query, Schema), System.Data (SqlClient, SqlTypes, SqlXML, OdbcClient, OleDbClient, OracleClient).)
(Diagram: Client → API → Implementation. But no contracts!)
Microsoft Powerpoint EULA, Point 11
• 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The GPL
• 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
• 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Is There any Program That Satisfies Its Contract?
Informal Contract: Sockets
the "communication domain" in which communication is to take place; see protocols(5).
Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A connection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2).
The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of
What is an API Contract?
• Pre-conditions
– the conditions a client must establish before calling an API
– "A filehandle must be in an open state before you call fread"
• Post-conditions
– the conditions an implementation (of an API) must establish upon its termination
– "If the file is present, fopen returns a filehandle in the open state"
Formalizing Contracts
• Pre/post conditions
– Eiffel: "design by contract", integrated into language
– JML: pre/post language (in comments)
• Monitors
– security automata
– SLIC - SLAM's API rule language
• Models
– ASML: separate modeling language
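The fopen/fread contract from the "What is an API Contract?" slide, checked at run time in the Eiffel/JML style mentioned under Formalizing Contracts, as an added Python example that is not from the talk and not from any of the tools it names. A small decorator evaluates a pre-condition on entry (the caller's obligation) and a post-condition on exit (the implementation's obligation), so a violation names the side at fault. The FileHandle class, its in-memory "disk", the BuggyFileHandle variant and the blame helper are all constructed for this example.

```python
import functools


class ContractViolation(AssertionError):
    """Raised when a pre- or post-condition fails; the message names the side at fault."""


def contract(pre=None, post=None):
    """Decorator for methods: 'pre' is checked on entry (the caller's obligation),
    'post' on exit (the implementation's obligation).  Both receive the method's
    arguments; 'post' additionally receives the return value."""
    def wrap(fn):
        @functools.wraps(fn)
        def checked(self, *args, **kwargs):
            if pre is not None and not pre(self, *args, **kwargs):
                raise ContractViolation(f"pre-condition of {fn.__name__} violated by the caller")
            result = fn(self, *args, **kwargs)
            if post is not None and not post(self, result, *args, **kwargs):
                raise ContractViolation(f"post-condition of {fn.__name__} violated by the implementation")
            return result
        return checked
    return wrap


def fopen_post(self, result, name):
    """'If the file is present, fopen returns a filehandle in the open state.'"""
    return name not in FileHandle.FILES or (result and self.is_open)


class FileHandle:
    """Toy stand-in for a C FILE*; the 'disk' is a constructed in-memory dictionary."""
    FILES = {"a.txt": b"hello"}

    def __init__(self):
        self.is_open = False
        self.data = b""
        self.pos = 0

    @contract(post=fopen_post)
    def fopen(self, name):
        if name not in self.FILES:
            return False
        self.data, self.pos, self.is_open = self.FILES[name], 0, True
        return True

    # 'A filehandle must be in an open state before you call fread.'
    @contract(pre=lambda self, n: self.is_open and n >= 0,
              post=lambda self, result, n: len(result) <= n)
    def fread(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    @contract(pre=lambda self: self.is_open)
    def fclose(self):
        self.is_open = False


class BuggyFileHandle(FileHandle):
    """Constructed implementation bug: fopen reports success but never marks the handle open."""
    @contract(post=fopen_post)
    def fopen(self, name):
        return name in self.FILES


def blame(handle_cls, open_first=True):
    """Run a small client against handle_cls and report whom the contract blames:
    'caller', 'implementation', or 'ok' when no condition fails."""
    fh = handle_cls()
    try:
        if open_first:
            fh.fopen("a.txt")
        fh.fread(4)
        fh.fclose()
    except ContractViolation as exc:
        return "implementation" if "post-condition" in str(exc) else "caller"
    return "ok"


if __name__ == "__main__":
    print(blame(FileHandle))                    # ok
    print(blame(FileHandle, open_first=False))  # caller: fread before fopen
    print(blame(BuggyFileHandle))               # implementation: fopen broke its post-condition
```

The point of splitting the check into pre and post is the "responsibility, enforceability, liability" item on the next slide: a failed pre-condition is evidence against the client, a failed post-condition is evidence against the implementation, and neither side can be blamed for the other's breach. The cost is that this is the dynamic form of checking, so it only reports violations on the executions that actually run.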
Why are Contracts Useful?
• Precision in specification & design
• Separation of concerns
• Documentation
• Checking/Testing
– dynamic (run-time)
– static (compile-time)
• Responsibility, enforceability, liability, …
Why Now?
• Specifications are (still) a good idea!
– focus shifted to critical properties rather than full correctness
• Bug economics
• Test automation wall
• Moore's law
– abundant computational resources
• Advances in research and technology
– model checking
– program analysis
– theorem proving
– analysis infrastructures
Overview
• SLAM analysis engine
– Static Driver Verifier
• Other contract-checking tools
– Vault (type checking)
– ESC/Java (theorem proving)
– ESP (dataflow analysis)
Static Driver Verifier
(Figure: Source Code and Precise API Usage Rules (SLIC) feed Software Model Checking, which gives 100% path coverage and reports Defects; Development reads the defects for understanding, Testing uses them to drive testing tools, and New API rules flow back into the Rules)
SLAM – Software Model Checking
• SLAM innovations
– boolean programs: a new model for software
– model creation (c2bp)
– model checking (bebop)
– model refinement (newton)
• SLAM toolkit
– built on MSR program analysis infrastructure
SLIC
• Finite state language for stating rules
– monitors behavior of C code
– temporal safety properties (security automata)
– familiar C syntax
• Suitable for expressing control-dominated properties
– e.g. proper sequence of events
– can encode data values inside state
State Machine for Locking
(Figure: states Unlocked, Locked and Error; Acq moves Unlocked to Locked and Rel moves Locked back to Unlocked; Acq in Locked or Rel in Unlocked moves to Error)

Locking Rule in SLIC
    state {
      enum {Locked, Unlocked} s = Unlocked;
    }
    KeAcquireSpinLock.entry {
      if (s == Locked) abort;
      else s = Locked;
    }
    KeReleaseSpinLock.entry {
      if (s == Unlocked) abort;
      else s = Unlocked;
    }
The SLAM Process
(Figure: a C program (#include <ntddk.h>) together with a Harness and a SLIC Rule goes to C2BP (predicate abstraction), which produces a boolean program; Bebop performs a reachability check on the boolean program and yields an error path; Newton performs a feasibility check on the error path and returns refinement predicates to C2BP)
Example: Does this code obey the locking rule?
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
Example: Model checking boolean program (bebop)
    do {
      KeAcquireSpinLock();
      if (*) {
        KeReleaseSpinLock();
      }
    } while (*);
    KeReleaseSpinLock();
(Figure: the error path found by bebop, annotated with the lock state at each step: U L L L L U L U U U E)
Example: Is error path feasible in C program? (newton)
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
(Figure: the same error path replayed on the C program, lock states U L L L L U L U U U E)
Example: Add new predicate to boolean program (c2bp)
b : (nPacketsOld == nPackets)
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;            b = true;
      if (request) {
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;                      b = b ? false : *;
      }
    } while (nPackets != nPacketsOld);   !b
    KeReleaseSpinLock();
(Figure: the error path with lock states U L L L L U L U U U E, now annotated with the new predicate b)
Example: Model checking refined boolean program (bebop)
b : (nPacketsOld == nPackets)
    do {
      KeAcquireSpinLock();
      b = true;
      if (*) {
        KeReleaseSpinLock();
        b = b ? false : *;
      }
    } while (!b);
    KeReleaseSpinLock();
(Figure: the refined boolean program explored by bebop, annotated with lock states U L L L L U L U U and the value of b at each step (b, b, b, b along the loop body; b, b, !b at the loop test); the former error path is pruned and the Error state is no longer reachable)
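The counterexample-guided loop walked through on the SLIC slide and the Example slides above, as an added Python example that is not from the talk and not part of the SLAM toolkit: the locking rule becomes a monitor, the boolean program becomes a hand-built transition relation over (program counter, lock state, b), a breadth-first search plays the role of bebop, a replay of the abstract path against the concrete loop test plays the role of newton, and the same search is then run on the program refined with b : (nPacketsOld == nPackets), the predicate c2bp adds. The program-counter numbering, the list encoding, the start values and the decision to search shortest-path-first are my assumptions; real SLAM works on C and boolean programs rather than on this encoding.

```python
from collections import deque

# The SLIC locking rule as a monitor: state {enum {Locked, Unlocked} s;} plus
# the two .entry handlers.  "E" is the Error state reached by abort.
UNLOCKED, LOCKED, ERROR = "U", "L", "E"


def acquire(s):
    """KeAcquireSpinLock.entry: if (s == Locked) abort; else s = Locked;"""
    return ERROR if s == LOCKED else LOCKED


def release(s):
    """KeReleaseSpinLock.entry: if (s == Unlocked) abort; else s = Unlocked;"""
    return ERROR if s == UNLOCKED else UNLOCKED


def step(pc, s, b, refined):
    """One transition of the boolean program from the slides.  An abstract state
    is (program counter, lock state, predicate b).  With refined=False the
    program is the first abstraction (every data test is '*'); with refined=True
    it carries the predicate b : (nPacketsOld == nPackets) added by c2bp.
    Returns the list of successor states; two successors model '*'."""
    if pc == 0:                 # do { KeAcquireSpinLock();
        return [(1, acquire(s), b)]
    if pc == 1:                 # nPacketsOld = nPackets;      refined: b = true;
        return [(2, s, True if refined else b)]
    if pc == 2:                 # if (*)  -- then-branch is pc 3, join point is pc 5
        return [(3, s, b), (5, s, b)]
    if pc == 3:                 # request = request->Next; KeReleaseSpinLock();
        return [(4, release(s), b)]
    if pc == 4:                 # nPackets++;                  refined: b = b ? false : *;
        if refined:
            return [(5, s, False)] if b else [(5, s, True), (5, s, False)]
        return [(5, s, b)]
    if pc == 5:                 # } while (*);                 refined: while (!b);
        if refined:
            return [(0, s, b)] if not b else [(6, s, b)]
        return [(0, s, b), (6, s, b)]
    if pc == 6:                 # KeReleaseSpinLock();
        return [(7, release(s), b)]
    return []                   # pc 7: end of the fragment


def check(refined):
    """Bebop-style reachability check: breadth-first search over abstract states.
    Returns the shortest path to an Error state, or None if Error is unreachable."""
    start = (0, UNLOCKED, False)        # b is assigned before it is read
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state[1] == ERROR:
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return path[::-1]
        for nxt in step(*state, refined):
            if nxt not in parent:
                parent[nxt] = state
                queue.append(nxt)
    return None


def feasible(path):
    """Newton-style feasibility check: replay the branch choices of an abstract
    path under the concrete semantics of the C code.  Only the loop test
    'nPackets != nPacketsOld' depends on data, so the path is infeasible exactly
    when it takes that test the wrong way."""
    n_packets = n_packets_old = 0       # constructed start values; only their relation matters
    pcs = [pc for pc, _, _ in path]
    for here, nxt in zip(pcs, pcs[1:]):
        if here == 1:
            n_packets_old = n_packets
        elif here == 4:
            n_packets += 1
        elif here == 5:
            loop_again = n_packets != n_packets_old
            if (nxt == 0) != loop_again:
                return False
    return True


if __name__ == "__main__":
    trace = check(refined=False)
    print("abstract error path (lock states):", " ".join(s for _, s, _ in trace))
    print("feasible in the C program?", feasible(trace))
    print("Error reachable after adding b?", check(refined=True) is not None)
```

Run stand-alone, the first check reaches Error along U L L L L E: acquire, skip the if, take the loop back edge, acquire again. That path is shorter than the one drawn on the slides, because the search here is breadth-first, but it dies for the same reason: nPacketsOld was just set equal to nPackets and nothing incremented it, so the loop test cannot be true, which is exactly the fact the predicate b records. With b in the abstraction, the loop back edge is only available after the if branch released the lock, and no path reaches Error.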
Demo
SLAM Status
• 2000-2001
– foundations, algorithms, prototyping
– papers in CAV, PLDI, POPL, SPIN, TACAS
• March 2002
– Bill Gates review
• May 2002
– Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier
• July 2002
– running SLAM on 100+ drivers, 20+ properties
• September 3, 2002
– made initial release of SDV to Windows (friends and family)
• April 1, 2003
– made wide release of SDV to Windows (any internal driver developer)
• September, 2003
– team of six in Windows working on SDV
– researchers moving into "consultant" role
• November, 2003
– demonstration at Driver Developer Conference
SLAM Results
• Boolean program model has proved itself
• Successful for device driver contracts
– control-dominated safety properties
– few boolean variables needed to do proof or find real errors
• Counterexample-driven refinement
– terminates in practice
– incompleteness of theorem prover not an issue
Other Ways to Check Contracts
• Type systems
– Vault programming language
– type system extended to allow simple pre/post
• Theorem proving
– ESC/Java checker
– uses JML specification language (rich pre/post conditions)
• Dataflow analysis
– ESP
– uses SLIC-like state machine language
Conclusions
• The technology now exists for enforcing simple API contracts using static analysis
• Rollout/adoption
– first as out-of-band tools (i.e., SLAM, ESP, Fugue)
– next as in-band tools (part of language/compiler)
Thanks To
Software Productivity Tools group members
– Sriram Rajamani (SLAM)
– Rob DeLine, Manuel Fahndrich (Vault/Fugue)
SLAM summer interns
– Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
– Satyaki Das, Wes Weimer, Robby (2001)
– Jakob Lichtenberg, Mayur Naik (2002)
– Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003)
SLAM Visitors
– Giorgio Delzanno, Andreas Podelski, Stefan Schwoon
Static Driver Verifier: Windows Partners
– Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner