Solidifying Software Interfaces: Checkable Contracts
Thomas Ball, Testing, Verification and Measurement, Microsoft Research

Dec 22, 2015

Page 1: Solidifying Software Interfaces: Checkable Contracts Thomas Ball Testing, Verification and Measurement Microsoft Research tball/

Solidifying Software Interfaces: Checkable Contracts

Thomas Ball
Testing, Verification and Measurement
Microsoft Research
http://research.microsoft.com/~tball/

Page 2: The .NET Framework: A Once in a Decade Change

[Figure: timeline from 1980 to 2000 with an axis of increasing richness: Windows 3.0 / Win16, Win32, COM, MFC, then Components, Services and APIs]

Page 3: Trustworthy Commitment

• Microsoft Cultural Shift
  – Thousands of hours spent in security reviews on .NET Framework to date
  – Foundstone, @Stake security reviews
• “Hardening” the .NET Framework
• Making Security Easier for Customers
  – Prescriptive Architectural Guidance
  – Feature changes in .NET Framework

Page 4: The .NET Framework

[Figure: namespace map of the .NET Framework. Application models: Client (Windows Forms), Web & Service (ASP.NET), Data Systems (Yukon), Mobile PC & Devices (Compact Framework), plus Command Line and NT Service. Layers: Tools; Presentation (System.Windows.Forms, System.Web.UI, System.Drawing); Communication (System.Net, System.Messaging, System.Runtime.Remoting, System.Web.Services); Base & Application Services; Fundamentals (System.Runtime, System.IO, System.Collections, System.Threading, System.Reflection); Security (System.Security: Permissions, Policy, Principal, Token; System.Web.Security: AccessControl, Credentials, Cryptography); Configuration and Deployment/Management (System.Configuration, System.Deployment, System.Management, System.Diagnostics); Data (System.Data, System.Xml, ObjectSpaces).]

Page 5: Interfaces Everywhere!

[Figure: a Client and an Implementation connected through an API, but no contracts!]

Page 6: Microsoft PowerPoint EULA, Point 11

• 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Page 7: The GPL

• 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

• 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Page 8: Is There any Program That Satisfies Its Contract?

Page 9: Informal Contract: Sockets

(excerpt from the socket man page)

the "communication domain" in which communication is to take place; see protocols(5).

Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A connection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2).

The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of

Page 10: What is an API Contract?

• Pre-conditions
  – the conditions a client must establish before calling an API
  – “A filehandle must be in an open state before you call fread”
• Post-conditions
  – the conditions an implementation (of an API) must establish upon its termination
  – “If the file is present, fopen returns a filehandle in the open state”

Page 11: Formalizing Contracts

• Pre/post conditions
  – Eiffel: “design by contract”, integrated into language
  – JML: pre/post language (in comments)
• Monitors
  – security automata
  – SLIC - SLAM’s API rule language
• Models
  – AsmL: separate modeling language

Page 12: Why are Contracts Useful?

• Precision in specification & design
• Separation of concerns
• Documentation
• Checking/Testing
  – dynamic (run-time)
  – static (compile-time)
• Responsibility, enforceability, liability, …

Page 13: Why Now?

• Specifications are (still) a good idea!
  – focus shifted to critical properties rather than full correctness
• Bug economics
• Test automation wall
• Moore’s law
  – abundant computational resources
• Advances in research and technology
  – model checking
  – program analysis
  – theorem proving
  – analysis infrastructures

Page 14: Overview

• SLAM analysis engine
  – Static Driver Verifier
• Other contract-checking tools
  – Vault (type checking)
  – ESC/Java (theorem proving)
  – ESP (dataflow analysis)

Page 15: Static Driver Verifier

[Figure: Development produces Source Code and Precise API Usage Rules (SLIC); Software Model Checking takes both and reports Defects with 100% path coverage. Labelled arrows around the Rules: "Read for understanding" (Development), "Drive testing tools" and "New API rules" (Testing).]

Page 16: SLAM – Software Model Checking

• SLAM innovations
  – boolean programs: a new model for software
  – model creation (c2bp)
  – model checking (bebop)
  – model refinement (newton)
• SLAM toolkit
  – built on MSR program analysis infrastructure

Page 17: SLIC

• Finite state language for stating rules
  – monitors behavior of C code
  – temporal safety properties (security automata)
  – familiar C syntax
• Suitable for expressing control-dominated properties
  – e.g. proper sequence of events
  – can encode data values inside state

Page 18: State Machine for Locking

[Figure: states Unlocked, Locked and Error; Acq takes Unlocked to Locked, Rel takes Locked to Unlocked; Acq in Locked and Rel in Unlocked go to Error.]

Locking Rule in SLIC:

    state {
      enum {Locked,Unlocked}
        s = Unlocked;
    }

    KeAcquireSpinLock.entry {
      if (s==Locked) abort;
      else s = Locked;
    }

    KeReleaseSpinLock.entry {
      if (s==Unlocked) abort;
      else s = Unlocked;
    }
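As an added example (not from the slides): the SLIC locking rule above turned into a run-time monitor in C, the dynamic counterpart of the static check SLAM performs, and run over the driver loop from the example slides that follow. KeAcquireSpinLock/KeReleaseSpinLock are stand-in stubs that only track the rule's state (an assumption: no real kernel locking is modelled), and the request list is constructed input.

```c
#include <stddef.h>

/* SLIC: state { enum {Locked,Unlocked} s = Unlocked; } */
enum lock_state { Unlocked, Locked };
static enum lock_state s = Unlocked;
static int rule_violated = 0;   /* set where the SLIC rule would 'abort' */

/* KeAcquireSpinLock.entry { if (s==Locked) abort; else s = Locked; } */
static void KeAcquireSpinLock(void)
{
    if (s == Locked) rule_violated = 1;
    else s = Locked;
}

/* KeReleaseSpinLock.entry { if (s==Unlocked) abort; else s = Unlocked; } */
static void KeReleaseSpinLock(void)
{
    if (s == Unlocked) rule_violated = 1;
    else s = Unlocked;
}

struct request { struct request *Next; };

/* Constructed input: a chain of n requests (n is capped at 8). */
static struct request *make_requests(struct request pool[8], int n)
{
    struct request *head = NULL;
    int i;
    if (n > 8) n = 8;
    for (i = n - 1; i >= 0; i--) { pool[i].Next = head; head = &pool[i]; }
    return head;
}

/* The driver loop from the "Does this code obey the locking rule?" slide,
 * with the monitor watching every lock call. Returns 1 if the rule was
 * violated, 0 if the loop stayed within the contract. */
int run_driver_loop(int n)
{
    struct request pool[8];
    struct request *request = make_requests(pool, n);
    int nPackets = 0, nPacketsOld;

    s = Unlocked; rule_violated = 0;
    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
            nPackets++;     /* forces another iteration, which re-acquires */
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
    return rule_violated;
}

/* The same loop with the nPackets++ bookkeeping removed: after releasing
 * inside the if-branch the loop test is false, the loop exits, and the
 * trailing KeReleaseSpinLock runs on an unlocked lock. That is the error
 * path the unrefined boolean program reports, here made feasible. */
int run_driver_loop_without_counter(int n)
{
    struct request pool[8];
    struct request *request = make_requests(pool, n);
    int nPackets = 0, nPacketsOld;

    s = Unlocked; rule_violated = 0;
    do {
        KeAcquireSpinLock();
        nPacketsOld = nPackets;
        if (request) {
            request = request->Next;
            KeReleaseSpinLock();
        }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();
    return rule_violated;
}
```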

Page 19: The SLAM Process

[Figure: a C program (#include <ntddk.h>) together with a Harness and a SLIC Rule goes into C2BP (predicate abstraction), which produces a boolean program; Bebop (reachability check) either proves the rule or reports an error path; Newton (feasibility check) tests the error path against the C program and returns refinement predicates to C2BP.]

Page 20: Example

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Does this code obey the locking rule?

Page 21: Example: Model checking boolean program (bebop)

    do {
      KeAcquireSpinLock();
      if(*){
        KeReleaseSpinLock();
      }
    } while (*);
    KeReleaseSpinLock();

[Figure: each program point annotated with the lock states reachable there (U = Unlocked, L = Locked); the final KeReleaseSpinLock is reachable in state U, so the annotation ends in E (Error).]

Page 22: Example: Is error path feasible in C program? (newton)

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

[Figure: the U/L/E annotation from the boolean program carried over to the C program]

Page 23: Example: Add new predicate to boolean program (c2bp)

b : (nPacketsOld == nPackets)

    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;                  b = true;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;                            b = b ? false : *;
      }
    } while (nPackets != nPacketsOld);         !b
    KeReleaseSpinLock();

[Figure: the U/L/E annotation as before]

Page 24: Example: Model checking refined boolean program (bebop)

b : (nPacketsOld == nPackets)

    do {
      KeAcquireSpinLock();
      b = true;
      if(*){
        KeReleaseSpinLock();
        b = b ? false : *;
      }
    } while ( !b );
    KeReleaseSpinLock();

[Figure: program points annotated with the lock state (U/L) and the value of b reachable there]

Page 25: Example: Model checking refined boolean program (bebop)

b : (nPacketsOld == nPackets)

    do {
      KeAcquireSpinLock();
      b = true;
      if(*){
        KeReleaseSpinLock();
        b = b ? false : *;
      }
    } while ( !b );
    KeReleaseSpinLock();

[Figure: the same program, now annotated with U/L and b/!b; with b tracked the annotation no longer reaches E (Error)]
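An added example, not from the slides or from the SLAM toolkit: an explicit-state reachability check in C over the boolean program on the last few slides, which is what bebop does for this one program. Program-point numbers and the state encoding are assumptions of this example; use_predicate selects the refined "while (!b)" or the unrefined "while (*)" of the earlier slide, so the same code reproduces the spurious error path and shows Error becoming unreachable once b is tracked.

```c
#include <string.h>

/* Program points of the boolean program:
 *   0: KeAcquireSpinLock();   1: b = true;           2: if (*)
 *   3: KeReleaseSpinLock();   4: b = b ? false : *;  5: while (!b)
 *   6: KeReleaseSpinLock();   7: end                             */
enum { U = 0, L = 1 };          /* SLIC lock state: Unlocked / Locked */
#define NPC 8
#define NSTATES (NPC * 2 * 2)   /* a state is (pc, lock, b) */
#define ERR (-1)                /* the SLIC Error state */

static int encode(int pc, int lock, int b) { return (pc * 2 + lock) * 2 + b; }

/* Successors of (pc, lock, b): fills succ[] with encoded states or ERR and
 * returns how many there are. A "*" choice yields two successors. */
static int successors(int pc, int lock, int b, int use_predicate, int succ[4])
{
    int n = 0, acquire = (pc == 0);
    switch (pc) {
    case 0: case 3: case 6:     /* the calls the SLIC rule guards */
        if (acquire ? lock == L : lock == U) succ[n++] = ERR;
        else succ[n++] = encode(pc + 1, acquire ? L : U, b);
        break;
    case 1:                     /* b = true; */
        succ[n++] = encode(2, lock, 1);
        break;
    case 2:                     /* if (*) */
        succ[n++] = encode(3, lock, b);
        succ[n++] = encode(5, lock, b);
        break;
    case 4:                     /* b = b ? false : *; */
        succ[n++] = encode(5, lock, 0);
        if (!b) succ[n++] = encode(5, lock, 1);
        break;
    case 5:                     /* while (!b), or while (*) when unrefined */
        if (use_predicate) succ[n++] = encode(b ? 6 : 0, lock, b);
        else { succ[n++] = encode(0, lock, b); succ[n++] = encode(6, lock, b); }
        break;
    default:                    /* pc 7: end of program */
        break;
    }
    return n;
}

static int visited[NSTATES];
static int path[NSTATES + 1];   /* pc sequence of the error path found */

/* Depth-first reachability. On reaching ERR returns the number of program
 * points on the path (left in path[]); returns 0 if ERR is unreachable. */
static int dfs(int st, int depth, int use_predicate)
{
    int succ[4], i, n, r;
    int pc = st / 4, lock = (st / 2) % 2, b = st % 2;
    if (visited[st]) return 0;
    visited[st] = 1;
    path[depth] = pc;
    n = successors(pc, lock, b, use_predicate, succ);
    for (i = 0; i < n; i++) {
        if (succ[i] == ERR) return depth + 1;
        r = dfs(succ[i], depth + 1, use_predicate);
        if (r) return r;
    }
    return 0;
}

/* 0 means Error is unreachable (the rule holds for this abstraction);
 * otherwise the length of an error path whose program points are in
 * error_path(), the path SLAM would hand to newton. */
int check_locking_rule(int use_predicate)
{
    int b, r;
    memset(visited, 0, sizeof visited);
    for (b = 0; b < 2; b++) {   /* b is uninitialised at entry: try both */
        r = dfs(encode(0, U, b), 0, use_predicate);
        if (r) return r;
    }
    return 0;
}

const int *error_path(void) { return path; }
```

Unrefined, the search finds the path 0 1 2 3 4 5 6 (release, exit the loop, release again); with b tracked, the loop cannot exit after the inner release and no state reaches Error.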

Page 26: Demo

Page 27: SLAM Status

• 2000-2001
  – foundations, algorithms, prototyping
  – papers in CAV, PLDI, POPL, SPIN, TACAS
• March 2002
  – Bill Gates review
• May 2002
  – Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier
• July 2002
  – running SLAM on 100+ drivers, 20+ properties
• September 3, 2002
  – made initial release of SDV to Windows (friends and family)
• April 1, 2003
  – made wide release of SDV to Windows (any internal driver developer)
• September, 2003
  – team of six in Windows working on SDV
  – researchers moving into “consultant” role
• November, 2003
  – demonstration at Driver Developer Conference

Page 28: SLAM Results

• Boolean program model has proved itself
• Successful for device driver contracts
  – control-dominated safety properties
  – few boolean variables needed to do proof or find real errors
• Counterexample-driven refinement
  – terminates in practice
  – incompleteness of theorem prover not an issue

Page 29: Other Ways to Check Contracts

• Type systems
  – Vault programming language
  – type system extended to allow simple pre/post
• Theorem proving
  – ESC/Java checker
  – uses JML specification language (rich pre/post conditions)
• Dataflow analysis
  – ESP
  – uses SLIC-like state machine language

Page 30: Conclusions

• The technology now exists for enforcing simple API contracts using static analysis
• Rollout/adoption
  – first as out-of-band tools (i.e., SLAM, ESP, Fugue)
  – next as in-band tools (part of language/compiler)

Page 31: Thanks To

Software Productivity Tools group members
  – Sriram Rajamani (SLAM)
  – Rob DeLine, Manuel Fahndrich (Vault/Fugue)
SLAM summer interns
  – Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
  – Satyaki Das, Wes Weimer, Robby (2001)
  – Jakob Lichtenberg, Mayur Naik (2002)
  – Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003)
SLAM Visitors
  – Giorgio Delzanno, Andreas Podelski, Stefan Schwoon
Static Driver Verifier: Windows Partners
  – Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner