Slides for paper "Soundness and Completeness of the NRB verification logic" at OpenCert 2013. See http://www.academia.edu/3772511/Soundness_and_Completeness_of_the_NRB_Verification_Logic for full paper.
Soundness and Completeness of the NRB verification logic
Peter T. Breuer, University of Birmingham, UK
Simon J. Pickin, Universidad Complutense de Madrid, Spain
Static Analysis of Linux kernel
● NRB logic used in static analysis of LK
– Found 'sleep-under-spinlock' deadlocks
● Proved no more exist than those found
– v2.6 linux kernel
– Million LOC barrier broken in 2006
● Suitable for distributed computation
– Certification on the 'open' model
● Many contributions, repeated at will
● Confidence because false result will be found
Who guarantees the guarantor?
● Logic provides guarantees for an analysis
● Satisfy obligation to guarantee the logic
Idea of the logic
[Diagram: fragment a runs from {p} and exits either normally into {q} or by error into {s}; fragment b runs from {q} and exits either normally into {r} or by error into {s}.]
Sequence a;b can either error in a with s, or complete a normally with q. Code b can either error with s or complete normally with r.
{p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}
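The sequence rule above can be checked mechanically on a finite state space. The block below is an added illustration, not code from the paper or the NRB analysis tool: a fragment is a function from a state to an outcome, Normal or Error, and a triple {p} a {Es ∨ Nq} holds when every run from a p-state either errors into an s-state or completes normally into a q-state. The integer state, the fragments frag_a and frag_b, and the predicates p, q, r, s are all constructed here.

```python
"""Finite-state check of the NRB sequence rule (added illustration).

{p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}

Everything below (the integer state, the fragments, the predicates) is
constructed for this example and is not taken from the paper.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Union

State = int  # constructed toy state: a single integer


@dataclass(frozen=True)
class Normal:
    state: State


@dataclass(frozen=True)
class Error:
    state: State


Outcome = Union[Normal, Error]
Program = Callable[[State], Outcome]
Pred = Callable[[State], bool]


def holds(pre: Pred, prog: Program, err_post: Pred, normal_post: Pred,
          states: Iterable[State]) -> bool:
    """Check {pre} prog {E err_post ∨ N normal_post} over a finite state set."""
    for st in states:
        if not pre(st):
            continue
        out = prog(st)
        if isinstance(out, Error):
            if not err_post(out.state):
                return False
        elif not normal_post(out.state):
            return False
    return True


def seq(a: Program, b: Program) -> Program:
    """a;b in the NRB model: an error in a skips b, normal completion feeds b."""
    def run(st: State) -> Outcome:
        out = a(st)
        if isinstance(out, Error):
            return out
        return b(out.state)
    return run


def frag_a(st: State) -> Outcome:
    """Constructed fragment: errors on negative input, otherwise increments."""
    return Error(st) if st < 0 else Normal(st + 1)


def frag_b(st: State) -> Outcome:
    """Constructed fragment: errors if doubling would exceed 8, otherwise doubles."""
    return Error(st) if st * 2 > 8 else Normal(st * 2)


STATES = range(-3, 8)                # finite state space to enumerate
p = lambda st: -3 <= st <= 4         # precondition of a;b
q = lambda st: 0 <= st <= 5          # normal postcondition of a
r = lambda st: 0 <= st <= 10         # normal postcondition of b
s = lambda st: st < 0 or st >= 5     # error condition shared by a and b


def sequence_rule_instance(err_cond: Pred = s) -> dict:
    """Evaluate both premises and the conclusion of the sequence rule."""
    return {
        "premise_a": holds(p, frag_a, err_cond, q, STATES),
        "premise_b": holds(q, frag_b, err_cond, r, STATES),
        "conclusion": holds(p, seq(frag_a, frag_b), err_cond, r, STATES),
    }


def rule_respected(err_cond: Pred = s) -> bool:
    """The rule is an implication: both premises true => conclusion true."""
    inst = sequence_rule_instance(err_cond)
    return (not (inst["premise_a"] and inst["premise_b"])) or inst["conclusion"]


if __name__ == "__main__":
    print(sequence_rule_instance())                   # all three True
    print(sequence_rule_instance(lambda st: st < 0))  # weaker s: premise_b and conclusion fail
```

With the shared error condition s both premises and the conclusion hold. Replacing s by the weaker predicate st < 0 breaks the premise for b (frag_b errors in state 5) and, as the rule predicts, the conclusion fails too on the run from state 4; in both cases the implication itself is respected.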
NRB: Strengths and Weaknesses
● Excellent at following control flow
– Classical program logics don't really do gotos
● Poor at understanding data (following pointers)
– Uses events on traces instead
● Approximate (from above)
– Gives false alarms for possible breaches of safety conditions
– Does not miss any real alarms
Technical foundations
● That's what this paper provides for NRB!
– Soundness
  ● An easily comprehensible model in terms of transitions between states
  – If you disagree with it you can see why you do
  ● Axioms of logic are true in the model
– Completeness
  ● Logic is sufficient
  – Shows anything shown by model-checking
  – Symbolic reasoning misses nothing
Completeness & Approximation
● The logic is approximate yet complete?
– Model of code contains more transitions than reality
– Logic is complete with respect to model
● If logic says breach of safety condition impossible
– Model has no transitions breaching condition
– So in reality, condition is never breached in program
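The argument on this slide is that reachability of a bad state is monotone in the transition relation: if the model's transitions are a superset of the program's, a "no breach" verdict on the model carries over to the program, while a breach found in the model may be a false alarm. The block below is an added illustration, not code from the paper; the lock-state graphs (a precise model, a coarser model that cannot rule out a sleeping callee inside the locked section, and the real program) are constructed for the example.

```python
"""Soundness of a 'no breach' verdict on an over-approximate model (added illustration).

The abstract model's transition relation contains every transition the real
program can make, and possibly more. Reachability is monotone in that relation,
so 'no bad state reachable in the model' implies 'no bad state reachable in
reality'. The converse fails, which is where false alarms come from.
All state graphs below are constructed for this example, not taken from the paper.
"""
from typing import Dict, Hashable, Set

Graph = Dict[Hashable, Set[Hashable]]


def reachable(graph: Graph, start: Hashable) -> Set[Hashable]:
    """Depth-first reachability from start."""
    seen: Set[Hashable] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, set()))
    return seen


def over_approximates(abstract: Graph, concrete: Graph) -> bool:
    """True if every concrete transition is also an abstract transition."""
    return all(succ <= abstract.get(node, set()) for node, succ in concrete.items())


def no_breach(graph: Graph, start: Hashable, bad: Set[Hashable]) -> bool:
    """The verdict a checker gives: no state in `bad` is reachable from start."""
    return not (reachable(graph, start) & bad)


def soundness_holds(abstract: Graph, concrete: Graph, start: Hashable,
                    bad: Set[Hashable]) -> bool:
    """Over-approximation plus 'no breach' in the model => 'no breach' in reality."""
    if not over_approximates(abstract, concrete):
        return False
    return (not no_breach(abstract, start, bad)) or no_breach(concrete, start, bad)


# Constructed state graphs for a spinlock-protected section.
BAD = {"locked+sleeping"}  # safety condition: never sleep while holding the lock
CONCRETE: Graph = {        # what the program actually does
    "unlocked": {"locked"},
    "locked": {"unlocked"},
}
PRECISE: Graph = {         # a model with exactly the real transitions
    "unlocked": {"locked"},
    "locked": {"unlocked"},
}
COARSE: Graph = {          # a model that cannot tell whether the callee sleeps
    "unlocked": {"locked"},
    "locked": {"unlocked", "locked+sleeping"},
    "locked+sleeping": {"unlocked"},
}


def verdicts() -> dict:
    """Compare the verdicts of both models against reality."""
    return {
        "precise_no_breach": no_breach(PRECISE, "unlocked", BAD),   # True
        "coarse_no_breach": no_breach(COARSE, "unlocked", BAD),     # False: a false alarm
        "reality_no_breach": no_breach(CONCRETE, "unlocked", BAD),  # True
        "precise_sound": soundness_holds(PRECISE, CONCRETE, "unlocked", BAD),
        "coarse_sound": soundness_holds(COARSE, CONCRETE, "unlocked", BAD),
    }


if __name__ == "__main__":
    for name, value in verdicts().items():
        print(f"{name}: {value}")
```

The coarse model raises an alarm that reality never realises, yet soundness_holds is still true for it: the implication only commits the model to being right when it says "no breach", which is exactly the guarantee the slide claims for NRB.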
Distributed calculation
● Static analysis with NRB is split up
– Function and sub-function units
– Results stored in a decorated syntax tree
– Sub-problem data fully recoverable from tree
● Each sub-calculation checkable by any observer
– 'Accountable'
Accountability
● Category-theoretic definition
– Calculation tree can be partially stripped down and partially redone in any order (and each partial result will be the same).
● Even a category-theoretic result ...
– Definition means there is a pre-inverse map to the map forgetting everything about the calculation tree except the ordering between pairs of subtrees: (p1,p2) ≤ (p3,p4) ⇔ p1 ≤ p2, p3 ≤ p4
Conclusion
● NRB is a logic used in the past for massive static analysis of the Linux kernel
● Gives guarantees on the safety of code
● This paper gives technical guarantees on the reliability and reach of the logic