Mühlberg and Lüttgen: BLASTing Linux Code

BLASTing Linux Code

Jan Tobias Mühlberg and Gerald Lüttgen
Department of Computer Science, University of York, York YO10 5DD, U.K.

This web site contains additional material regarding the paper "BLASTing Linux Code" presented at FMICS 2006. It currently contains the source code used in our case studies but lacks manual simplifications and temporal safety specifications.

Abstract and Paper

Abstract. Computer programs can only run reliably if the underlying operating system is free of errors. In this paper we evaluate, from a practitioners point of view, the utility of the popular software model checker BLAST for revealing errors in Linux kernel code. The emphasis is on important errors related to memory safety in and locking behaviour of device drivers. Our conducted case studies show that, while BLAST's abstraction and refinement techniques are efficient and powerful, the tool has deficiencies regarding usability and support for analysing pointers, which are likely to prevent kernel developers from using it.

Full paper: blasting_linux_code.pdf (450 kBytes)
BibTeX: blasting_linux_code.bib
Presentation slides: slides.pdf (450 kBytes)

Technical Report: YCS-2007-417.pdf (516 kBytes)
BibTeX: YCS-2007-417.bib

Examples Regarding Memory Safety

Bug d2b0e84d195a341c1cc5b45ec2098ee23bc1fe9d (use-after-free in the I2O driver of Linux 2.6.14, running example for Section 3)
Bug 2d6eac6c4fdaa69656d66c80754d267be233cc3f (use-after-free in an InfiniBand driver of Linux 2.6.14)
Bug d0743a5b7b837334cb414b773529d51de3de0471 (use-after-free in the SCSI subsystem of Linux 2.6.14)
Bug 6968ecfca8822055cfe121214c0786e4eecc038e (NULL-pointer de-reference in the ACPI Video driver of Linux 2.6.14)
Bug abd559b1052e28d8b9c28aabde241f18fa89090b (use of scsi_device pointer after the scsi device was deleted in IEEE1394 driver of Linux 2.6.14)
Bug 3fd1bb9baa394856b112e5edbfd3893d92dd1149 (off-by-one error in a hardware monitoring driver of Linux 2.6.13)
Bug 703b69791369263e1d15f88f3e6aed02c1514fc2 (rather complex example for erroneous pointer arithmetic in a part of the netfilter subsystem of Linux 2.6.14)
Bug 67a69cdd748de32d9991056c207f7ab3798230a5 (double free in a PCI hotplug driver of Linux 2.6.11)

Examples Regarding Locking Properties

Bug d7283d61302798c0c57118e53d7732bec94f8d42 (deadlock condition in the SCSI subsystem of Linux 2.6.14, running example for Section 4)
Bug fe2e17a405a58ec8a7138fee4ebe101858b636e0 (deadlock condition in the SCSI subsystem of Linux 2.6.14)
Bug 910573c7c4aced8fd5f45c334cc67862e3424d92 (deadlock condition in an IEEE1394 driver of Linux 2.6.13)
Bug abd559b1052e28d8b9c28aabde241f18fa89090b (deadlock condition in an IEEE1394 driver of Linux 2.6.14)
Bug 3515d0161d55d2fa1a340932625f94240a68c262 (problem with late initialisation of a spinlock in an IEEE1394 driver of Linux 2.6.13)
Bug f7cfcc72b365dc62cd01e1920f3f0b4e053f7735 (deadlock condition in the network subsystem of Linux 2.6.15)
Bug 8fef8ea2a1f28a7611ad0b8ff7b48ceb38db9535 (deadlock condition in the ext2 file system implementation of Linux 2.6.15 (not using spinlock API in this case))
Bug fa0726854c4f03f9d2d1e00bb3b67a49ce490c32 (race condition in the ext3 file system implementation of of Linux 2.6.11)

Jan Tobias Mühlberg, $Date$