Soundness and Completeness of the NRB Verification Logic (OpenCert 2013)
DESCRIPTION
Slides for the paper "Soundness and Completeness of the NRB verification logic" at OpenCert 2013. See http://www.academia.edu/3772511/Soundness_and_Completeness_of_the_NRB_Verification_Logic for the full paper.
TRANSCRIPT
Soundness and Completeness of the NRB verification logic
Peter T. Breuer, University of Birmingham, UK
Simon J. Pickin, Universidad Complutense de Madrid, Spain
Static Analysis of the Linux kernel
● NRB logic used in static analysis of the Linux kernel
– Found 'sleep-under-spinlock' deadlocks
● Proved no more exist than those found
– v2.6 linux kernel
– Million LOC barrier broken in 2006
● Suitable for distributed computation
– Certification on the 'open' model
● Many contributions, repeated at will
● Confidence because a false result will be found
Who guarantees the guarantor?
● Logic provides guarantees for an analysis
● Satisfy obligation to guarantee the logic
Idea of the logic
[Diagram: sequence a;b. Code a starts in {p} and exits either with error {s} or normally with {q}; code b then exits either with error {s} or normally with {r}.]
Sequence a;b can either error in a with s, or complete a normally with q. Code b can either error with s or complete normally with r.
{p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}
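The sequence rule above, exercised in a small transition-system model (an added example, not code from the paper): programs map a state to a set of (outcome, state') transitions, a triple holds when every transition out of a pre-state satisfies the postcondition, and the spinlock-depth state, `spin_lock` and `sleep` programs are constructed for illustration.

```python
# Added example, not from the paper: a tiny transition-system model in which
# NRB triples {p} a {Es ∨ Nq} are checked on concrete programs, and the rule
#   {p} a {Es ∨ Nq} ∧ {q} b {Es ∨ Nr} ⇒ {p} a;b {Es ∨ Nr}
# is exercised on a constructed 'sleep under spinlock' program.
N, E = "N", "E"          # outcome tags: normal completion / error exit

def holds(pre, prog, post, states):
    """{pre} prog {post}: every transition out of a pre-state satisfies post.
    prog maps a state to the set of (outcome, state') pairs it can reach, so an
    over-approximating model is simply one with a larger transition set."""
    return all(post(out, t) for s in states if pre(s) for out, t in prog(s))

def post(err, normal):
    """The postcondition Es ∨ Nr: err holds on error exit, normal on normal exit."""
    return lambda out, t: err(t) if out == E else normal(t)

def seq(a, b):
    """a;b in the model: an error in a propagates, otherwise b runs from a's result."""
    def run(s):
        res = set()
        for out, t in a(s):
            res |= ({(out, t)} if out == E else b(t))
        return res
    return run

# Constructed model (assumption): the state is the current spinlock nesting depth.
STATES = range(4)
def spin_lock(s):                  # never errors, deepens the nesting by one
    return {(N, s + 1)}
def sleep(s):                      # sleeping while a spinlock is held is the error event
    return {(E, s)} if s > 0 else {(N, s)}

def check_sequence_rule():
    """Return (premise for lock, premise for sleep, conclusion for lock;sleep)
    with p = depth 0, q = depth 1, and 'false' as the impossible exit."""
    p = lambda s: s == 0
    q = lambda s: s == 1
    false = lambda s: False
    prem_a = holds(p, spin_lock, post(false, q), STATES)        # {p} lock {E false ∨ N q}
    prem_b = holds(q, sleep, post(q, false), STATES)            # {q} sleep {E q ∨ N false}
    concl = holds(p, seq(spin_lock, sleep), post(q, false), STATES)
    return prem_a, prem_b, concl

if __name__ == "__main__":
    print(check_sequence_rule())   # (True, True, True): lock;sleep always exits by error
```

Weakening the precondition to any depth makes the conclusion fail, since from depth 1 the sequence ends at depth 2, which is not q; the checker reports that as a false triple rather than silently accepting it.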
NRB: Strengths and Weaknesses
● Excellent at following control flow
– Classical program logics don't really do gotos
● Poor at understanding data (following pointers)
– Uses events on traces instead
● Approximate (from above)
– Gives false alarms for possible breaches of safety conditions
– Does not miss any real alarms
Technical foundations
● That's what this paper provides for NRB!
– Soundness
● An easily comprehensible model in terms of transitions between states
– If you disagree with it you can see why you do
● Axioms of the logic are true in the model
– Completeness
● Logic is sufficient
– Shows anything shown by model-checking
– Symbolic reasoning misses nothing
Completeness & Approximation
● The logic is approximate yet complete?
– Model of code contains more transitions than reality
– Logic is complete with respect to the model
● If the logic says a breach of the safety condition is impossible
– Model has no transitions breaching the condition
– So in reality, the condition is never breached in the program
Distributed calculation
● Static analysis with NRB is split up
– Function and sub-function units
– Results stored in a decorated syntax tree
– Sub-problem data fully recoverable from the tree
● Each sub-calculation checkable by any observer
– 'Accountable'
Accountability
● Category-theoretic definition
– Calculation tree can be partially stripped down and partially redone in any order (and each partial result will be the same).
● Even a category-theoretic result ...
– Definition means there is a pre-inverse map to the map forgetting everything about the calculation tree except the ordering between pairs of subtrees: (p1,p2) ≤ (p3,p4) ⇔ p1 ≤ p2, p3 ≤ p4
Conclusion
● NRB is a logic used in the past for massive static analysis of the Linux kernel
● Gives guarantees on the safety of code
● This paper gives technical guarantees on the reliability and reach of the logic