[Figure: Detecting Block entry safety hole instances. This semantic match is focused on possible safety holes]

[Figure: Detecting subtle Null/INull entry safety hole instances of type possible]

[Figure: Detecting Null/INull exit safety hole instances]

B.4 Range safety holes

We present in Figure B.6 the specification implemented in SHAna for identifying kernel API functions that contain a Range exit safety hole. The search, which is performed intraprocedurally, consists of detecting cases where an API function may return a value obtained from userland.

[Figure B.6: Detecting Range exit safety hole instances of type possible]

[Figure: Detecting Intr exit safety hole instances of type possible]

[Figure B.9: Detecting LockIntr exit safety hole instances of type possible]

Free safety holes

Figure B.10 describes the semantic match implemented in SHAna for the search for Free exit safety holes. This search, which is performed interprocedurally, is programmed to detect cases where an API function might return a pointer to memory that has already been freed with kfree.

[Figure B.10: Detecting Free exit safety hole instances of type possible]
