Examples of semantic matches implemented in SHAna

[Figure: Detecting Block entry safety hole instances. The semantic match includes "subtle_deref.ml" and is focused on possible safety holes; the listing itself did not survive extraction. A comment in it notes that when an invalid pointer E2 is returned, it constitutes another safety hole reported in another category.]

[Figure: Detecting subtle Null/INull entry safety hole instances of type possible. The semantic match includes "return_null.ml" and targets functions that may return NULL or ERR_PTR; the listing itself did not survive extraction.]

[Figure: Detecting Null/INull exit safety hole instances. The listing did not survive extraction.]

B.4 Range safety holes

We present in Figure B.6 the specification implemented in SHAna for identifying kernel API functions that contain a Range exit safety hole. The search, which is performed intraprocedurally, consists of detecting cases where an API function may return a value obtained from userland.

[Figure B.6: Detecting Range exit safety hole instances of type possible. The listing did not survive extraction.]

[Figures for the Lock, Intr and LockIntr exit safety holes. Only fragments of these semantic matches survive (rules named "ends in lock", "ends disabling" and "ends locked and disabling", matching on write_trylock and an "exported" handler); the recovered captions are "Detecting Intr exit safety hole instances of type possible" and "Figure B.9: Detecting LockIntr exit safety hole instances of type possible".]

Free safety holes

Figure B.10 describes the semantic match implemented in SHAna for the search for Free exit safety holes. This search, which is performed interprocedurally, is programmed to detect cases where an API might return a pointer to memory that has been freed with kfree.

[Figure B.10: Detecting Free exit safety hole instances of type possible. The listing did not survive extraction; a comment in it reads "Make sure you do not confuse static functions".]