Static Analysis And Static Analysis And Verification Of Verification Of Drivers Drivers Donn Terry Donn Terry Software Development Engr. Software Development Engr. Microsoft Corporation Microsoft Corporation Vlad Levin Vlad Levin Software Development Software Development Engr. Engr. Microsoft Corporation Microsoft Corporation
61
Embed
Static Analysis And Verification Of Drivers Donn Terry Software Development Engr. Microsoft Corporation Vlad Levin Software Development Engr. Microsoft.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Static Analysis And Static Analysis And Verification Of DriversVerification Of Drivers
Donn TerryDonn TerrySoftware Development Engr.Software Development Engr.Microsoft CorporationMicrosoft Corporation
Vlad LevinVlad LevinSoftware Development Engr. Software Development Engr. Microsoft CorporationMicrosoft Corporation
Session OutlineSession Outline
Static analysis toolsStatic analysis toolsWhat they areWhat they are
The benefits of using themThe benefits of using them
PREPREffast for Drivers (PFD)ast for Drivers (PFD)
Compile-time analysis of the source programCompile-time analysis of the source programLike code inspection, but performed by a toolLike code inspection, but performed by a tool
Compile-time type-checking is a predecessorCompile-time type-checking is a predecessor
Looks for violations of well-defined constraintsLooks for violations of well-defined constraintsProcedure contracts or API contracts Procedure contracts or API contracts
Examples of bugs to be found by Examples of bugs to be found by Static Analysis:Static Analysis:
p = NULL;p = NULL;……f(p);f(p);f()f() requires requires pp to be non-NULLto be non-NULL
Completing the same Irp twice:Completing the same Irp twice: IoCompleteRequest (Irp); IoCompleteRequest (Irp);
... ...
IoCompleteRequest (Irp);IoCompleteRequest (Irp);
Why Static Analysis?Why Static Analysis?
Rule of thumbRule of thumb
A defect that costs $1 to fix on the A defect that costs $1 to fix on the programmer’s desktop costs $100 toprogrammer’s desktop costs $100 tofix once it is incorporated into a complete fix once it is incorporated into a complete program and many thousands of dollarsprogram and many thousands of dollarsif it is identified only after the softwareif it is identified only after the softwarehas been deployed in the fieldhas been deployed in the fieldBuilding a Better Bug Trap – The Economist June 2003Building a Better Bug Trap – The Economist June 2003
Static Analysis Tools For DriversStatic Analysis Tools For Drivers
Two technologies providedTwo technologies providedPFD: Look inside every procedure for possible violationsPFD: Look inside every procedure for possible violations
SDV: Look along paths, cross inter-procedural boundariesSDV: Look along paths, cross inter-procedural boundariesEach is better in some situationsEach is better in some situations
ReadFoo ( PIRP Irp ){ PIRP p = NULL; ... if (status) { Irp = p; }}
ReadFoo ( PIRP Irp ) { ... status = Bar (Irp); if (status) { IoCompleteRequest(Irp); } }
Bar ( PIRP Irp ) { ... IoCompleteRequest(Irp); return STATUS_SUCCESS;}
XXXX
XXXX
Static Analysis Tools For DriversStatic Analysis Tools For Drivers
PREPREffast for Drivers (PFD)ast for Drivers (PFD)Looks at one procedure at a timeLooks at one procedure at a time
For several hundred constraintsFor several hundred constraints
Best for quick checks and early developmentBest for quick checks and early development
Static Driver Verifier (SDV)Static Driver Verifier (SDV)A “compile-time version” of Driver Verifier.A “compile-time version” of Driver Verifier.
Looks along every path, crossingLooks along every path, crossinginter-procedural boundariesinter-procedural boundaries
For a few hundred WDM constraintsFor a few hundred WDM constraints
More under developmentMore under development
Best for deep analysis of full driverBest for deep analysis of full driver
We Can Make It BetterWe Can Make It BetterUse static analysis tools for driversUse static analysis tools for drivers
Push-button technologyPush-button technology
100% path coverage100% path coverageAt no cost (let a computer do it)At no cost (let a computer do it)
At little time (hours versus weeks)At little time (hours versus weeks)
Defects are discovered early Defects are discovered early Even before device hardware is availableEven before device hardware is available
Before designing test casesBefore designing test cases
Often while still codingOften while still coding
Defect reports are easy to useDefect reports are easy to useA direct reference to the defective path (or point)A direct reference to the defective path (or point)in the source code reduces cost of debugging in the source code reduces cost of debugging
How You Debug And Test TodayHow You Debug And Test Today
XXXX
I/OMgr
DLLDLLDriverDriver
????
????
????????
The driver causes a crash – How? Under what scenario? On which path?The driver causes a crash – How? Under what scenario? On which path?It takes time to find out …It takes time to find out …
Is this DLL involved?
XXXX
I/OMgr
DLLDLLDriverDriver
IoCompleteRequest(…)
DriverIoCtl ( Irp ) ????
Now, you knowNow, you know the type of the bug – Yet, the path is cloudythe type of the bug – Yet, the path is cloudyDebug, debug, debug …Debug, debug, debug …
????
Driver Verifier And A Lucky TestDriver Verifier And A Lucky Test
ClassIoCtl ( Irp )
???? ????IoCompleteRequest(…)
IoCompleteRequest(…)
Static Analysis Does Two ThingsStatic Analysis Does Two ThingsFinds a defectFinds a defect
Reveals the pathReveals the path
Without testingWithout testing
Without debuggingWithout debugging
DriverIoCtl ( Irp )
ClassIoCtl ( Irp )
if (status != …) {
IoCompleteRequest( Irp );
}IoCompleteRequest( Irp );}
switch ( … ){
DLLDLLDriverDriver
I/OMgr
XXXX
How About Path Coverage? How About Path Coverage?
One test caseOne test case covers only covers only one pathone path in the driver in the driver
The path remains unrevealed if no defect foundThe path remains unrevealed if no defect found
100 test cases cover < 100 paths? 100 test cases cover < 100 paths?
More test cases -> more duplicationMore test cases -> more duplication
XXXX
I/OMgr
XXXX
XXXXXXXX
weeksweeks
Path Coverage: Testing In ProgressPath Coverage: Testing In Progress
XXXX
XXXXXXXX
weeksweeks
Failure pathsFailure paths
Corner casesCorner cases
““Impossible” pathsImpossible” paths
Path Coverage: Far From CompletePath Coverage: Far From Complete
Static Analysis – How Does It Work?Static Analysis – How Does It Work?
The tool builds an abstract model of a driver and The tool builds an abstract model of a driver and exhaustively inspects execution along all paths exhaustively inspects execution along all paths
The abstract model is simpler: it’s reduced... The abstract model is simpler: it’s reduced...
It’s so much simpler that it’s possible to have it inspected It’s so much simpler that it’s possible to have it inspected (“simulated”) exhaustively(“simulated”) exhaustively
Over-approximation of the driverOver-approximation of the driverThe control part remains the same The control part remains the same
All paths are preserved and treated equally All paths are preserved and treated equally
The data state is over-approximatedThe data state is over-approximatedif argument x is not constrained, assume any value if argument x is not constrained, assume any value
if (x>0) guards the point of interest, keep track of boolean (x>0),if (x>0) guards the point of interest, keep track of boolean (x>0),but not integer value of x: boolean is simpler than integer but not integer value of x: boolean is simpler than integer
Static AnalysisStatic AnalysisNot a silver bulletNot a silver bullet
Does Does notnot replace functional testing replace functional testing
Targets violations of a given set of Targets violations of a given set of well-defined constraintswell-defined constraints
Principal limitationPrincipal limitationIt doesn’t know about every possible errorIt doesn’t know about every possible error
Algorithms are based on source code abstraction Algorithms are based on source code abstraction and heuristicsand heuristics
Which results in both false positives and false negativesWhich results in both false positives and false negatives
It is not a silver bullet…It is not a silver bullet…
It is a useful toolIt is a useful tool
Our Static Tools For DriversOur Static Tools For Drivers
PREPREffast For Drivers (PFD)ast For Drivers (PFD)Lightweight and fast (runs in minutes)Lightweight and fast (runs in minutes)
Easy to use early in development – start earlyEasy to use early in development – start earlyUse on any code that compilesUse on any code that compiles
Limited to a procedure scopeLimited to a procedure scope
Works on any code, C and C++Works on any code, C and C++
Finds many local violationsFinds many local violations
Static Driver Verifier (SDV)Static Driver Verifier (SDV)Extremely deep analysis (runs in hours)Extremely deep analysis (runs in hours)
More useful in the later stages of developmentMore useful in the later stages of developmentRequires complete driverRequires complete driver
Works over the whole driverWorks over the whole driver
Limited to WDM and to C (more planned)Limited to WDM and to C (more planned)
Finds deep bugsFinds deep bugs
A problem has been detected and Windows has been shut down to prevent A problem has been detected and Windows has been shut down to prevent Damage to your Damage to your computer..
If this is the first time you've seen this Stop error screen,If this is the first time you've seen this Stop error screen,restart your computer. If this screen appears again, followrestart your computer. If this screen appears again, followthese steps:these steps:
Check to make sure any new hardware or software is properly installed.Check to make sure any new hardware or software is properly installed.If this is a new installation, ask your hardware or softwareIf this is a new installation, ask your hardware or softwareManufacturer for any Windows updates you might need.Manufacturer for any Windows updates you might need.
If problems continue, disable or remove any newly installed hardwareIf problems continue, disable or remove any newly installed hardwareor software. Disable BIOS memory options such as caching or shadowing.or software. Disable BIOS memory options such as caching or shadowing.If you need to use Safe Mode to remove or disable components, restartIf you need to use Safe Mode to remove or disable components, restartyour computer, press F8 to select Advanced Startup Options, and thenyour computer, press F8 to select Advanced Startup Options, and thenselect Safe Modeselect Safe Mode
Fast (2-5x compile time, usually)Fast (2-5x compile time, usually)
Finds a lot of “inadvertent” errors and some “hard” onesFinds a lot of “inadvertent” errors and some “hard” ones
Works on code that compiles; doesn’t need to runWorks on code that compiles; doesn’t need to run
Some things it can findSome things it can findNull pointer, uninitialized variable (along an unusual path)Null pointer, uninitialized variable (along an unusual path)
Local leaks (memory, resource)Local leaks (memory, resource)
Mismatched parametersMismatched parameters
Forgot to check resultForgot to check result
Format/list mismatchFormat/list mismatch
Misuse of IRQLs (some)Misuse of IRQLs (some)
Various special cases that are easily missed Various special cases that are easily missed (Cancel IRQL, e.g.)(Cancel IRQL, e.g.)
Proper use of callback/function pointersProper use of callback/function pointers
PFD: Driver Specific Resource LeakPFD: Driver Specific Resource Leak
void LeakSample(BOOLEAN Option1)
{
NTSTATUS Status;
KIRQL OldIrql;
BufInfo *pBufInfo;
KeAcquireSpinLock(MyLock,&OldIrql);
//...
if (Option1) {
pBufInfo = ExAllocatePoolWithTag(NonPagedPool,
sizeof(BufInfo), 'fuB_');
if (NULL==pBufInfo) {
return STATUS_NO_MEMORY;
}
//...
KeReleaseSpinLock(MyLock, OldIrql);
return STATUS_SUCCESS;
}
//...
void LeakSample(BOOLEAN Option1)
{
NTSTATUS Status;
KIRQL OldIrql;
BufInfo *pBufInfo;
KeAcquireSpinLock(MyLock,&OldIrql);
//...
if (Option1) {
pBufInfo = ExAllocatePoolWithTag(NonPagedPool,
sizeof(BufInfo), 'fuB_');
if (NULL==pBufInfo) {
return STATUS_NO_MEMORY;
}
//...
KeReleaseSpinLock(MyLock, OldIrql);
return STATUS_SUCCESS;
}
//...
PFD: Driver Specific Resource LeakPFD: Driver Specific Resource Leak
warning 8103: Leaking the resource stored in 'SpinLock:MyLock'.
__in: the parameter is input to the function__in: the parameter is input to the function
__out: the parameter is output from the function__out: the parameter is output from the function
__out_ecount(s): the parameter is a buffer with s elements__out_ecount(s): the parameter is a buffer with s elements
If the parameter p doesn’t contain at least s elements, If the parameter p doesn’t contain at least s elements, PFD will yield a warningPFD will yield a warning
Checks a driver together with librariesChecks a driver together with libraries
Finds deep defects that are hard to repro Finds deep defects that are hard to repro
SDV is not perfectSDV is not perfectOnly one driver (not the entire driver stack)Only one driver (not the entire driver stack)
DDI implementation code is abstracted awayDDI implementation code is abstracted away
Might run out of time Might run out of time
SDV: ExampleSDV: Example
Device DriverInterface
IoCompleteRequest
Driver
Dispatch routine
I/O System
IrpIrp
IrpIrp
SDV: ExampleSDV: Example
XXXX
Device DriverInterface
IoCompleteRequest
Driver
Dispatch routine
I/O System
IrpIrp
IrpIrp IrpIrp
ParPort: A Double Completion BugParPort: A Double Completion BugFrom Windows Server 2003 DDK (build 3677 or earlier)From Windows Server 2003 DDK (build 3677 or earlier)
Stubs for hundredsStubs for hundredsof DDI functionsof DDI functions
IoCreateDevice, …IoCreateDevice, …Device Driver
Interface
I/O Systemmainmain
IoCreateDeviceIoCreateDevice
IoCompleteRequestIoCompleteRequest
Driver
DriverEntryDriverEntry
IRQLIRQL
SDV: DDI Model – SummarySDV: DDI Model – Summary
Captures aspects ofCaptures aspects ofPlug-n-Play life cycle of a driverPlug-n-Play life cycle of a driver
The OS state The OS state
DDI implementationDDI implementation
Covers corner case scenariosCovers corner case scenarios
DDI model must be balanced DDI model must be balanced A more accurate model is biggerA more accurate model is bigger
A bigger model brings more computational A bigger model brings more computational complexity for the engine to cope withcomplexity for the engine to cope with
SDV: Verification EngineSDV: Verification Engine
XXXX
RulesRules
VerificatioVerification n EngineEngine
OS ModelOS Model
library.c
more_code.c
driver.c SDVDDI Rules
DDI Model
Verification Engine
SDV: Verification EngineSDV: Verification Engine
Symbolic model checking of a C programSymbolic model checking of a C program
Symbolically executesSymbolically executesYour driver in the context of the DDI modelYour driver in the context of the DDI model
While looking for rule violationsWhile looking for rule violations
Each and every path of the driver Each and every path of the driver is checkedis checked
How does it cope with computational How does it cope with computational complexity?complexity?
Finds deep bugs not found by testingFinds deep bugs not found by testing1 bug on average for a sample driver in Windows 1 bug on average for a sample driver in Windows Server 2003 DDK-3677Server 2003 DDK-3677
Well tested drivers are often cleanWell tested drivers are often clean
A dozen true bugs in a fresh driver A dozen true bugs in a fresh driver
Low Noise levelLow Noise levelLess than 1 false bug reported per driverLess than 1 false bug reported per driver
2 real bugs for 1 false bug on DDK-3677 samples2 real bugs for 1 false bug on DDK-3677 samples
PerformancePerformanceRuns in a few hoursRuns in a few hours
But may need to run overnightBut may need to run overnight
Static Analysis Tools For DriversStatic Analysis Tools For DriversSummarySummary
PREPREffast for Driversast for Drivers Static Driver VerifierStatic Driver Verifier
AvailabilityAvailability Available nowAvailable now WDM rules are availableWDM rules are available
KMDF rules are plannedKMDF rules are planned for LH Server – preview in for LH Server – preview in Static Analysis Tools Lab Static Analysis Tools Lab
ApplicabilityApplicability C and C++C and C++ C only, up to 50K LOCC only, up to 50K LOC
Issues foundIssues found Local defectsLocal defects
Easy to fixEasy to fix
High volumeHigh volume
Global defectsGlobal defects
Harder to fixHarder to fix
Low volumeLow volume
Development Development CycleCycle
Apply early –Apply early –
““When the driver When the driver compiles”compiles”
Run oftenRun often
Apply later –Apply later –
““When the basic structure of When the basic structure of the driver is in place”the driver is in place”
Run ad hoc or overnightRun ad hoc or overnight
Static Analysis CanStatic Analysis Can
The business caseThe business caseReduce risk of expensive after-deployment bugsReduce risk of expensive after-deployment bugs
Reduce time to marketReduce time to market
Reduce cost of code review and testingReduce cost of code review and testing
Improve code quality Improve code quality
Achieve higher test coverageAchieve higher test coverage
The development case The development case Find/prevent bugs earlierFind/prevent bugs earlier
more directly and obviouslymore directly and obviously
Find/prevent “hard to test” bugsFind/prevent “hard to test” bugs
Make you more efficientMake you more efficient
Use Static Analysis WiselyUse Static Analysis Wisely
It doesn’t know about all possible errorsIt doesn’t know about all possible errors
It doesn’t make testing unnecessary It doesn’t make testing unnecessary
Both false positives and false negatives Both false positives and false negatives can be misleadingcan be misleading
It’s wise to use them as a major part of It’s wise to use them as a major part of your quality strategy your quality strategy
Call To ActionCall To Action
Use these static tools on your driversUse these static tools on your drivers
Learn more about static analysis toolsLearn more about static analysis toolsRead the “PRERead the “PREffast Step-by-Step” paperast Step-by-Step” paper
Read the “Introducing Static Driver Verifier” paperRead the “Introducing Static Driver Verifier” paper
Read the Annotations paperRead the Annotations paper
Try the tools on your drivers or WDK samples Try the tools on your drivers or WDK samples at the lab tomorrowat the lab tomorrow
The lab requires a signed DPAThe lab requires a signed DPA
Send us questionsSend us questions
Give us feedbackGive us feedback
Current Status Of SDV And PFDCurrent Status Of SDV And PFD
Use PFD included in the latest WDKUse PFD included in the latest WDKavailable to youavailable to you
There are four versions of PREThere are four versions of PREffast “out there”ast “out there”Latest one in WDK and previous versions in older DDKsLatest one in WDK and previous versions in older DDKs
Use PFD version 8.0.xxxxxUse PFD version 8.0.xxxxxType “prefast” in a WDK build environmentType “prefast” in a WDK build environmentto view the PFD versionto view the PFD version
Use SDV included in the latest WDKUse SDV included in the latest WDKavailable to youavailable to you
There are two versions of SDV “out there”There are two versions of SDV “out there”Latest one in WDK prereleasesLatest one in WDK prereleases
Use SDV version 1.4.224 or laterUse SDV version 1.4.224 or laterType “staticdv” in a WDK build environment to view the SDV versionType “staticdv” in a WDK build environment to view the SDV version
Additional ResourcesAdditional Resources
Whitepapers on WHDC web siteWhitepapers on WHDC web sitePREPREffast step-by-step ast step-by-step
English: English: http://www.microsoft.com/whdc/DevTools/tools/PREfast_steps.mspxhttp://www.microsoft.com/whdc/DevTools/tools/PREfast_steps.mspxLinks to Chinese and Japanese translations are also available on this pageLinks to Chinese and Japanese translations are also available on this page
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.