Selling an Idea or a Product


Speaker notes: This talk is about how to find lots of errors in real code. The way we are going to do this is a bit unusual. Rather than understand what rules the system must follow or what state it is in, both of which are hard, we are going to do something much easier: we will infer what rules it believes it must obey and what state it believes it is in, and cross check these beliefs for contradictions. The great thing this buys us is that now we can find lots of errors in code we do not understand.

How to find lots of bugs by checking program belief systems
Dawson Engler
David Chen, Seth Hallem, Ben Chelf, Andy Chou
Stanford University
Presented by Baohua Wu

Speaker notes: Reduced to using grep on millions of lines of code, or documentation, hoping you can find all cases.

Context: finding OS bugs w/ compilers
- Systems have many ad hoc correctness rules: acquire lock l before modifying x, cli() must be paired with sti(), don't block with interrupts disabled
- One error = crashed machine
- If we know rules, can check with extended compiler
- Rules map to simple source constructs
- Use compiler extensions to express them

Lock checker on Linux fs/proc/inode.c (GNU C compiler):

    lock_kernel();
    if (!de->count) {
        printk("free!\n");
        return;            /* lock checker: missing unlock! */
    }
    unlock_kernel();

Goal: find as many serious bugs as possible
- Problem: what are the rules?!?! 100-1000s of rules in 100-1000s of subsystems.
- To check, must answer: Must a() follow b()? Can foo() fail? Does bar(p) free p? Does lock l protect x?
- Manually finding rules is hard. So don't. Instead infer what code believes, cross check for contradiction.

Intuition: how to find errors without knowing truth?
- Contradiction. To find lies: cross-examine. Any contradiction is an error.
- Deviance. To infer correct behavior: if 1 person does X, might be right or a coincidence. If 1000s

Speaker notes: Specification = checkable redundancy. Can cross check code against itself for same effect. Others: that x was not already equal to value.

Cross-checking program belief systems
- MUST beliefs: inferred from acts that imply beliefs code *must* have.

    x = *p / z;    // MUST belief: p not null
                   // MUST: z != 0
    unlock(l);     // MUST: l acquired
    x++;           // MUST: x not protected by l

  Check using internal consistency: infer beliefs at different locations, then cross-check for contradiction.
- MAY beliefs: could be coincidental. Inferred from acts that imply beliefs code *may* have.

    A(); ... B();   // MAY: A() and B() must be paired
    A(); ... B();
    A(); ... B();
    A(); ... B();
    B();            // MUST: B() need not be preceded by A()

Two techniques
- Internal consistency: MUST beliefs
- Statistical analysis: MAY beliefs

Speaker notes: Show because it is one of the simplest possible checkers, and because it finds hundreds of errors.

Trivial consistency: NULL pointers
- *p implies MUST belief: p is not null
- A check (p == NULL) implies two MUST beliefs:
  POST: p is null on true path, not null on false path
  PRE: p was unknown before check
- Cross-check these for three different error types.

Check-then-use (79 errors, 26 false positives):

    /* 2.4.1: drivers/isdn/svmb1/capidrv.c */
    if(!card)
        printk(KERN_ERR "capidrv-%d: ...", card->contrnr);

Speaker notes: Can look for redundancy in general: deadcode elim is an error finder. Can look for: writes never read, lock acquired that protects nothing, ...

Null pointer fun

Use-then-check (102 bugs, 4 false):

    /* 2.4.7: drivers/char/mxser.c */
    struct mxser_struct *info = tty->driver_data;
    unsigned flags;
    if(!tty || !info->xmit_buf)
        return 0;

Contradiction/redundant checks (24 bugs, 10 false):

    /* 2.4.7/drivers/video/tdfxfb.c */
    fb_info.regbase_virt = ioremap_nocache(...);
    if(!fb_info.regbase_virt)
        return -ENXIO;
    fb_info.bufbase_virt = ioremap_nocache(...);
    /* [META: meant fb_info.bufbase_virt!] */
    if(!fb_info.regbase_virt) {
        iounmap(fb_info.regbase_virt);

Speaker notes: A redundant transition means we're missing something with the analysis.
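As an added illustration (not the authors' xgcc/metal code), a small Python model of the three NULL-pointer cross-checks above: each function body is a constructed list of dereferences and `if (!p)` checks, the walker records the MUST belief each statement implies, and a later statement that contradicts an earlier belief is reported as one of the three error types.

```python
from typing import Dict, List, Tuple

# Constructed checker: NOT the authors' xgcc/metal implementation.
# A function body is a list of statements:
#   ("use", p)          dereference of p  -> MUST belief: p is not null
#   ("check", p, body)  `if (!p) { body }` -> p is null inside body,
#                       not null afterwards, and unknown before the check
Belief = Tuple[str, str]  # (value, source): value in {null, notnull}, source in {use, check}


def check_function(name: str, stmts: List[tuple]) -> List[str]:
    """Infer beliefs along a straight-line body and report contradictions."""
    errors: List[str] = []
    _walk(name, stmts, {}, errors)
    return errors


def _walk(fn: str, stmts: List[tuple], beliefs: Dict[str, Belief], errors: List[str]) -> None:
    for stmt in stmts:
        kind, p = stmt[0], stmt[1]
        prior = beliefs.get(p)
        if kind == "use":
            if prior == ("null", "check"):           # *p on the path where p was just found null
                errors.append(f"{fn}: check-then-use of {p}")
            beliefs[p] = ("notnull", "use")
        elif kind == "check":
            if prior == ("notnull", "use"):          # PRE belief (unknown) contradicts earlier deref
                errors.append(f"{fn}: use-then-check of {p}")
            elif prior is not None and prior[1] == "check":  # value already established by a check
                errors.append(f"{fn}: redundant check of {p}")
            null_path = dict(beliefs)                # POST belief on the true path
            null_path[p] = ("null", "check")
            _walk(fn, stmt[2], null_path, errors)
            beliefs[p] = ("notnull", "check")        # POST belief on the false path
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


# Constructed inputs modelled on the three slide examples
CAPIDRV = [("check", "card", [("use", "card")])]                # if(!card) printk(..., card->contrnr)
MXSER = [("use", "tty"), ("check", "tty", []), ("use", "info")]  # info = tty->driver_data; if(!tty ...)
TDFXFB = [("check", "regbase_virt", []),                         # if(!regbase_virt) return -ENXIO;
          ("check", "regbase_virt", [("use", "regbase_virt")])]  # if(!regbase_virt) iounmap(regbase_virt)
CLEAN = [("check", "p", []), ("use", "p")]                       # if(!p) return; *p = x;

if __name__ == "__main__":
    for fn, body in [("capidrv", CAPIDRV), ("mxser", MXSER), ("tdfxfb", TDFXFB), ("clean", CLEAN)]:
        print(fn, check_function(fn, body) or "ok")
```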

Redundancy checking
- Assume: code supposed to be useful
- Useless actions = conceptual confusion
- Like type systems, high level bugs map to low-level redundancies
- Identity operations: x = x, 1 * y, x & x, x | x

    /* 2.4.5-ac8/net/appletalk/aarp.c */
    da.s_node = sa.s_node;
    da.s_net = da.s_net;

- Assignments that are never read:

    for(entry=priv->lec_arp_tables[i]; entry != NULL; entry=next){
        next = entry->next;
        if (...)
            lec_arp_remove(priv->lec_arp_tables, entry);
        lec_arp_unlock(priv);
        return 0;
    }

Speaker notes: Critical sections that have no shared state, contradictory booleans; in general look at deadcode elim and CSE as error signalers.

Speaker notes: First pass: mark all pointers treated as user pointers. Second pass: make sure they are never dereferenced.

Internal Consistency: finding security holes
- Applications are bad: Rule: do not dereference user pointer

- One violation = security hole
- Detect with static analysis if we knew which were bad
- Big Problem: which are the user pointers???
- Soln: forall pointers, cross-check two OS beliefs:
  *p implies safe kernel pointer
  copyin(p)/copyout(p) implies dangerous user pointer
  Error: pointer p has both beliefs.
- Implemented as a two pass global checker
- Result: 24 security bugs in Linux, 18 in OpenBSD

Speaker notes: Marked as tainted because passed as the first argument to copy_to_user, which is used to access potentially bad user pointers. Does global analysis to detect that the pointer will be dereferenced by ippd_

An example
Still alive in linux 2.4.4:

    /* drivers/net/appletalk/ipddp.c:ipddp_ioctl */
    case SIOCADDIPDDPRT:
        return ipddp_create(rt);
    case SIOCDELIPDDPRT:
        return ipddp_delete(rt);
    case SIOFCINDIPDDPRT:
        if(copy_to_user(rt, ipddp_find_route(rt), sizeof(struct ipddp_route)))
            return EFAULT;

- Tainting marks rt as a tainted pointer, checking warns that rt is passed to a routine that dereferences it
- 2 other examples in same routine

Speaker notes: Parameter features: Can a param be null? What are legal values of an integer parameter? Return code: What are allowable error codes to return & when? Execution context: Are interrupts off or on when code runs? When it exits? Does it run concurrently?

Cross checking beliefs related abstractly
- Common: multiple implementations of same interface. Beliefs of one implementation can be checked against those of the others!
- User pointer (3 errors): If one implementation taints its argument, all others must.

    foo_write(void *p, void *arg, ...) {
        *p = *(int *)arg;
        disable();
        do something
        enable();
        return 0;
    }

    bar_write(void *p, void *arg, ...) {
        copy_from_user(p, arg, 4);
        disable();
        do something
        return 0;
    }

- How to tell? Routines assigned to same function pointer.

Speaker notes: If one does it right, we can cross check all: if one dev gets it right we are in great shape.

Handling MAY beliefs
- MUST beliefs: only need a single contradiction
- MAY beliefs: need many examples to separate fact from coincidence
- Conceptually: Assume MAY beliefs are MUST beliefs
  Record every successful check with a check message
  Every unsuccessful check with an error message
- Use the test statistic to rank errors based on ratio of checks (n) to errors (err):

    z(n, err) = ((n-err)/n - p0) / sqrt(p0*(1-p0)/n)

- Intuition: the most likely errors are those where n

Speaker notes: Can cross-correlate: free is on error path, has dealloc in name, etc, bump up ranking. Foo has 3 errors, and 3 checks. Bar, 3 checks, one error. Essentially every passed check implies belief held, every error = not held.

Statistical: Deriving deallocation routines
- Use-after-free errors are horrible.
- Problem: lots of undocumented sub-system free functions
- Soln: derive behaviorally: pointer p not used after call foo(p) implies MAY belief that foo is a free function
- Conceptually: Assume all functions free all arguments (in reality: filter functions that have suggestive names)
  Emit a check message at every call site.
  Emit an error message at every use.

    bar(p);    bar(p);    bar(p);    foo(p);    foo(p);    foo(p);
    *p = x;    p = 0;     p = 0;     *p = x;    *p = x;    *p = x;

- Rank errors using z test statistic: z(checks, errors). E.g., foo.z(3, 3) < bar.z(3, 1) so rank bar's error first.
- Results: 23 free errors, 11 false positives

A bad free error

    /* drivers/block/cciss.c:cciss_ioctl */
    if (iocommand.Direction == XFER_WRITE) {
        if (copy_to_user(...)) {
            cmd_free(NULL, c);
            if (buff != NULL) kfree(buff);
            return( -EFAULT);
        }
    }
    if (iocommand.Direction == XFER_READ) {
        if (copy_to_user(...)) {
            cmd_free(NULL, c);
            kfree(buff);
        }
    }
    cmd_free(NULL, c);
    if (buff != NULL) kfree(buff);

Speaker notes: Can also use consistency: if a routine calls a routine that fails, then it too can fail. Similarly, if a routine checks foo for failure, but calls bar, which does not, that is a type error. (In a sense can use witnesses: take good code and see what it does, reapply to unknown code.)
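An added example, not the authors' code, of the MAY-belief ranking from the "Handling MAY beliefs" slide applied to the free-function derivation just described: constructed per-path traces, one check per call site, one error per use of the pointer after the call, and the z statistic from the slide. The slides do not give p0, so 0.9 is an assumed value here.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed example of the slide's ranking; not the authors' implementation.
P0 = 0.9  # assumption: the chance-success rate used as the null hypothesis (not given on the slides)


def z(n: int, err: int, p0: float = P0) -> float:
    """Test statistic from the slide: z(n, err) = ((n-err)/n - p0) / sqrt(p0*(1-p0)/n)."""
    if n == 0:
        raise ValueError("no checks recorded for this belief")
    return ((n - err) / n - p0) / math.sqrt(p0 * (1 - p0) / n)


def derive_free_functions(traces: List[List[Tuple[str, str]]]) -> List[Tuple[str, float, int, int]]:
    """Each trace is one path as (kind, name) events: ("call", fn) for fn(p),
    ("use", "p") for *p, ("assign", "p") for p = 0.  Every function is assumed to
    free p: each call is a check, and a use of p later on the same path is an error.
    Returns (fn, z, checks, errors) with the most confident violations first."""
    checks = Counter()
    errors = Counter()
    for trace in traces:
        freed_by = None  # function that "freed" p most recently on this path
        for kind, name in trace:
            if kind == "call":
                checks[name] += 1
                freed_by = name
            elif kind == "use" and freed_by is not None:
                errors[freed_by] += 1
                freed_by = None  # report one error per call site
            elif kind == "assign":
                freed_by = None  # p = 0 kills the pointer, so no belief is violated
    ranked = [(fn, z(checks[fn], errors[fn]), checks[fn], errors[fn]) for fn in checks]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed traces matching the slide: bar(p) three times with one later use,
# foo(p) three times, each followed by a use
TRACES = [
    [("call", "bar"), ("use", "p")],
    [("call", "bar"), ("assign", "p")],
    [("call", "bar"), ("assign", "p")],
    [("call", "foo"), ("use", "p")],
    [("call", "foo"), ("use", "p")],
    [("call", "foo"), ("use", "p")],
]

if __name__ == "__main__":
    for fn, score, n, err in derive_free_functions(TRACES):
        print(f"{fn}: z({n}, {err}) = {score:.2f}")
```

Both z values are negative under this p0; what matters for ranking is the order, and bar's single error outranks foo's three because foo's checks look like coincidence.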

Statistical: deriving routines that can fail
- Traditional: Use global analysis to track which routines return NULL
  Problem: false positives when pre-conditions hold, difficult to tell statically (return p->next?)
- Instead: see how often programmer checks. Rank errors based on number of checks to non-checks.
- Algorithm: Assume *all* functions can return NULL
  If pointer checked before use, emit check message
  If pointer used before check, emit error

    p = foo();        p = bar();        p = bar();        p = bar();   p = bar();
    if(!p) return;    if(!p) return;    if(!p) return;    *p = x;      *p = x;
    *p = x;           *p = x;           *p = x;

- Sort errors based on ratio of checks to errors
- Result: 152 bugs, 16 false.

The worst bug
Starts with weird way of checking failure:

    /* 2.3.99: ipc/shm.c:1745:map_zero_setup */
    if (IS_ERR(shp = seg_alloc(...)))
        return PTR_ERR(shp);

    static inline long IS_ERR(const void *ptr) {
        return (unsigned long)ptr > (unsigned long)-1000L;
    }

So why are we looking for seg_alloc?

    /* ipc/shm.c:750:newseg: */
    if (!(shp = seg_alloc(...)))
        return -ENOMEM;
    id = shm_addid(shp);

    int ipc_addid(... *new) {
        ...
        new->cuid = new->uid = ...;
        new->gid = new->cgid = ...;
        ids->entries[id].p = new;

Deriving A() must be followed by B()
- a(); ... b(); implies MAY belief that a() follows b()
- Programmer may believe a-b paired, or might be a coincidence.
- Algorithm: Assume every a-b is a valid pair (reality: prefilter functions that seem to be plausibly paired)
  Emit check for each path that has a() then b()
  Emit error for each path that has a() and no b()

    foo(p, ...);    // check foo-bar
    bar(p, ...);

    x();            // check x-y
    y();

    foo(p, ...);    // error: foo, no bar!

- Rank errors for each pair using the test statistic: z(foo.check, foo.error) = z(2, 1)
- Results: 23 errors, 11 false positives.

Checking derived lock functions
Evilest:

    /* 2.4.1: drivers/sound/trident.c: trident_release: */
    lock_kernel();
    card = state->card;
    dmabuf = &state->dmabuf;
    VALIDATE_STATE(state);

And the award for best effort:

    /* 2.4.0:drivers/sound/cmpci.c:cm_midi_release: */
    lock_kernel();
    if (file->f_mode & FMODE_WRITE) {
        add_wait_queue(&s->midi.owait, &wait);
        ...
        if (file->f_flags & O_NONBLOCK) {
            remove_wait_queue(&s->midi.owait, &wait);
            set_current_state(TASK_RUNNING);
            return EBUSY;
            unlock_kernel();

Summary: Belief Analysis
- Key ideas:
  Check code beliefs: find errors without knowing truth.
  Beliefs code MUST have: contradictions = errors
  Beliefs code MAY have: check as MUST beliefs and rank errors by belief confidence
- Secondary ideas:
  Check for errors by flagging redundancy.
  Analyze client code to infer abstract features rather than just implementation.
  Spec = checkable redundancy. Can use code for same.

Speaker notes: Simple. Have had freshmen write these and post bugs to linux groups. Three parts: start state. Pattern: raw code or wildcards; match does a transition; callouts. Scales with sophistication of analysis.

Example free checker

Speaker notes: System will kill variable, track when assigned to others.

    sm free_checker {
        state decl any_pointer v;
        decl any_pointer x;

        start: { kfree(v); } ==> v.freed ;

        v.freed:
            { v == x } | { v != x } ==> { /* suppress fp */ }
          | { v } ==> { err("Use after free!"); }
        ;
    }

State machine: start --kfree(v)--> v.freed --use(v)--> error

Example inferring free checker

    sm free_checker {
        state decl any_pointer v;
        decl any_pointer x;
        decl any_fn_call call;
        decl any_args args;

        start: { call(v) } ==> {
            char *n = mc_identifier(call);
            if(strstr(n, "free") || strstr(n, "dealloc") || ...) {
                mc_v_set_state(v, freed);
                mc_v_set_data(v, n);
                note("NOTE: %s", n);
            }
        };

        v.freed:
            { v == x } | { v != x } ==> { /* suppress fp */ }
          | { v } ==> { err("Use after free %s!", mc_v_get_data(v)); }
        ;
    }

Conclusion
- Two techniques: internal consistency, statistical analysis
- Found hundreds of bugs automatically in real system code: Linux, OpenBSD
