Cross-checking Semantic Correctness: The Case of Finding File System Bugs

Similar documents
APISan: Sanitizing API Usages through Semantic Cross-checking

Push-button verification of Files Systems via Crash Refinement

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University

OCFS2 Mark Fasheh Oracle

*-Box (star-box) Towards Reliability and Consistency in Dropbox-like File Synchronization Services

W4118 Operating Systems. Instructor: Junfeng Yang

Push-Button Verification of File Systems

Push-Button Verification of File Systems

Linux Filesystems and Storage Chris Mason Fusion-io

Ceph. The link between file systems and octopuses. Udo Seidel. Linuxtag 2012

Case study: ext2 FS 1

A Study of Linux File System Evolution

File Systems. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

File System Consistency. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Coccinelle: Practical Program Transformation for the Linux Kernel. Julia Lawall (Inria/LIP6) June 25, 2018

Caching and reliability

Case study: ext2 FS 1

Lightweight Application-Level Crash Consistency on Transactional Flash Storage

Spiffy: Enabling File-System Aware Storage Applications

APISan: Sanitizing API Usages through Semantic Cross-Checking

CS3210: Crash consistency

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

PERSISTENCE: FSCK, JOURNALING. Shivaram Venkataraman CS 537, Spring 2019

Verification & Validation of Open Source

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency. Ashlie Martinez Vijay Chidambaram University of Texas at Austin

Understanding Manycore Scalability of File Systems. Changwoo Min, Sanidhya Kashyap, Steffen Maass Woonhak Kang, and Taesoo Kim

Virtual File System. Don Porter CSE 306

File System Consistency

An Overview of The Global File System

Lecture 10: Crash Recovery, Logging

Preventing Use-after-free with Dangling Pointers Nullification

RCU. ò Walk through two system calls in some detail. ò Open and read. ò Too much code to cover all FS system calls. ò 3 Cases for a dentry:

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

VFS, Continued. Don Porter CSE 506

Membrane: Operating System support for Restartable File Systems

Project Quota for Lustre

FS Consistency & Journaling

Toolbox Kernel Korner

<Insert Picture Here> Btrfs Filesystem

Porting ZFS file system to FreeBSD. Paweł Jakub Dawidek

Improving Linux development with better tools

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

NFS Version 4 Open Source Project. William A.(Andy) Adamson Center for Information Technology Integration University of Michigan

Pushing the Boundaries of SMB3: Status of the Linux Kernel client and interoperability with Samba

"Secure" Coding Practices Nicholas Weaver

File System Basics. Farmer & Venema. Mississippi State University Digital Forensics 1

Alternatives to Solaris Containers and ZFS for Linux on System z

PJFS (Partitioning, Journaling File System): For Embedded Systems. Ada-Europe 6-June-2006 Greg Gicca

ANNOTATION FOR AUTOMATION: RAPID GENERATION OF FILE SYSTEM TOOLS

Porting ZFS 1) file system to FreeBSD 2)

Using Crash Hoare Logic for Certifying the FSCQ File System

2006/7/22. NTT Data Intellilink Corporation Fernando Luis Vázquez Cao. Copyright(C)2006 NTT Data Intellilink Corporation

Writing Stackable Filesystems

1 / 23. CS 137: File Systems. General Filesystem Design

Toward An Integrated Cluster File System

6.828 Fall 2007 Quiz II Solutions

DenseFS: A Cache-Compact Filesystem

Improving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation

Outline. File Systems. File System Structure. CSCI 4061 Introduction to Operating Systems

Fuse Extension. version Erick Gallesio Université de Nice - Sophia Antipolis 930 route des Colles, BP 145 F Sophia Antipolis, Cedex France

File System Internals. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Files and Directories Filesystems from a user s perspective

Computer Systems Laboratory Sungkyunkwan University

Security features for UBIFS. Richard Weinberger sigma star gmbh

Solros: A Data-Centric Operating System Architecture for Heterogeneous Computing

Linux Filesystems Ext2, Ext3. Nafisa Kazi

OCFS2: Evolution from OCFS. Mark Fasheh Senior Software Developer Oracle Corporation

CSL373/CSL633 Major Exam Solutions Operating Systems Sem II, May 6, 2013 Answer all 8 questions Max. Marks: 56

Network File System (NFS)

Network File System (NFS)

<Insert Picture Here> Filesystem Features and Performance

Filesystem Hierarchy and Permissions

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support

Advanced file systems: LFS and Soft Updates. Ken Birman (based on slides by Ben Atkin)

Improving Integer Security for Systems with KINT. Xi Wang, Haogang Chen, Zhihao Jia, Nickolai Zeldovich, Frans Kaashoek MIT CSAIL Tsinghua IIIS

Aerie: Flexible File-System Interfaces to Storage-Class Memory [Eurosys 2014] Operating System Design Yongju Song

Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project

Unleashing D* on Android Kernel Drivers. Aravind Machiry

System that permanently stores data Usually layered on top of a lower-level physical storage medium Divided into logical units called files

Tolerating File-System Mistakes with EnvyFS

NAME attr extended attributes on XFS filesystem objects. SYNOPSIS attr [ LRq ] s attrname [ V attrvalue ] pathname

OPERATING SYSTEM TRANSACTIONS

Operating System Concepts Ch. 11: File System Implementation

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions

Network File System (NFS)

Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions

Linux Kernel Evolution. OpenAFS. Marc Dionne Edinburgh

Towards Efficient, Portable Application-Level Consistency

EIO: ERROR CHECKING IS OCCASIONALLY CORRECT

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

HDFI: Hardware-Assisted Data-flow Isolation

1 / 22. CS 135: File Systems. General Filesystem Design

MC: Meta-level Compilation

Btrfs Current Status and Future Prospects

LINUX KERNEL UPDATES FOR AUTOMOTIVE: LESSONS LEARNED

MultiLanes: Providing Virtualized Storage for OS-level Virtualization on Many Cores

Soft Updates Made Simple and Fast on Non-volatile Memory

Advanced File Systems. CS 140 Feb. 25, 2015 Ali Jose Mashtizadeh

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

Transcription:

Cross-checking Semantic Correctness: The Case of Finding File System Bugs Changwoo Min, Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science

Two promising approaches to make bug-free software Formal proof require proof Guarantee high-level invariants (e.g., functional correctness) Model checking require model Check if code fits with domain model (e.g., locking rules) 2

Two promising approaches to make bug-free software Formal proof require proof Guarantee high-level invariants (e.g., functional correctness) Model checking require model Check if code fits with domain model (e.g., locking rules) In practice, many software are (already) built without such theories 3

There exist many similar implementations of a program File systems: >50 implementations in Linux JavaScript: ECMAScript, V8, SpiderMonkey, etc POSIX C Library: Gnu Libc, FreeBSD, elibc, etc Without proof or model, can we leverage these existing implementations? 4

There exist many similar implementations of a program File systems: >50 implementations in Linux JavaScript: ECMAScript, V8, SpiderMonkey, etc POSIX C Library: Gnu Libc, FreeBSD, elibc, etc Without proof or model, can we leverage these existing implementations? 5

File system bugs are critical 2013-01-07 6

File system bugs are critical 2013-01-07 2014-10-17 7

File system bugs are critical 2013-01-07 2014-10-17 2015-03-19 8

A majority of bugs in file systems are hard to detect Memory bugs: NULL dereference Use-after-free... Semantic bugs: Incorrect condition check Incorrect statue update Incorrect argument Incorrect error code... 12.6% 87.4% 9

A majority of bugs in file systems are hard to detect Memory bugs: NULL dereference Use-after-free... Semantic bugs: Incorrect condition check Incorrect statue update Incorrect argument Incorrect error code... 12.6% 87.4% 10

Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-off-by: Sanidhya Kashyap <sanidhya@gatech.edu>... @@ static size_t ocfs2_xattr_trusted_list + + if (!capable(cap_sys_admin)) return 0; 11

Example of semantic bug: Missing capability check in OCFS2 ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-off-by: Sanidhya Kashyap <sanidhya@gatech.edu>... @@ static size_t ocfs2_xattr_trusted_list + + if (!capable(cap_sys_admin)) return 0; Can we find this bug by leveraging other implementations? 12

A majority of file system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-off-by: Sanidhya Kashyap <sanidhya@gatech.edu>... @@ static size_t ocfs2_xattr_trusted_list + + if (!capable(cap_sys_admin)) return 0; ext2 static size_t ext2_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; ext4 static size_t ext4_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; XFS static size_t xfs_xattr_put_listent() if ((flags & XFS_ATTR_ROOT) &&!capable(cap_sys_admin)) return 0; 13...

A majority of file system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-off-by: Sanidhya Kashyap <sanidhya@gatech.edu>... @@ static size_t ocfs2_xattr_trusted_list + + if (!capable(cap_sys_admin)) return 0; ext2 static size_t ext2_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; ext4 static size_t ext4_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; Deviant implementation potential bugs? XFS static size_t xfs_xattr_put_listent() if ((flags & XFS_ATTR_ROOT) &&!capable(cap_sys_admin)) return 0; 14...

A majority of file system already implemented capability check ocfs2: trusted xattr missing CAP_SYS_ADMIN check Signed-off-by: Sanidhya Kashyap <sanidhya@gatech.edu>... @@ static size_t ocfs2_xattr_trusted_list + + if (!capable(cap_sys_admin)) return 0; ext2 static size_t ext2_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; ext4 static size_t ext4_xattr_trusted_list() if (!capable(cap_sys_admin)) return 0; Deviant implementation potential bugs? XFS static size_t xfs_xattr_put_listent() if ((flags & XFS_ATTR_ROOT) &&!capable(cap_sys_admin)) return 0; A new bug we found It has been hidden for 6 years 15...

Case study: Write a page Each file system defines how to write a page Semantic of writepage() Success return locked page Failure return unlocked page Document/filesystems/vfs.txt specifies such rule Hard to detect without domain knowledge What if 99% file systems follow above pattern, but not one file system? bug? 16

Our approach can reveal such bugs without domain specific knowledge 52 file systems follow the locking rules But 2 file systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------index fd5599d..e723482 100644 @@ static int ceph_write_begin + + + + if (r < 0) page_cache_release(page); else *pagep = page; 17

Our approach can reveal such bugs without domain specific knowledge 52 file systems follow the locking rules But 2 file systems don't (Ceph and AFFS) -------------------------------- fs/ceph/addr.c -------------------------------index fd5599d..e723482 100644 @@ static int ceph_write_begin + + + + if (r < 0) page_cache_release(page); else *pagep = page; We found 3 bugs in 2 file systems Hidden for over 5 years 18

Our approach in finding bugs Intuition: Bugs are rare Majority of implementations is correct Idea: Find deviant ones as potential bugs 19

Our approach is promising in finding semantic bugs (Example: file systems) New semantics bugs Critical bugs System crash, data corruption, deadlock, etc Bugs difficult to find 118 new bugs in 54 file systems Bugs were hidden for 6.2 years on average Various kinds of bugs Condition check, argument use, return value, locking, etc 20

Technical challenges All software are different one way or another e.g., disk layout in file system How to compare different implementation? Q1: Where to start? Q2: What to compare? Q3: How to compare? 21

Juxta: the case of file system All file systems should follow VFS API in Linux e.g., vfs_rename() in each file system How to compare different file systems? Q1: Where to start? VFS entries in file system Q2: What to compare? symbolic environment Q3: How to compare? statistical comparison 22

Juxta overview Juxta Statistical Path Comparison Per-Filesystem Path Database File System Source Code Symbolic Execution 23

Juxta overview 7 Checkers Path Condition Checker Argument Checker... Juxta Statistical Path Comparison Per-Filesystem Path Database File System Source Code Symbolic Execution 24

Comparing multiple file systems Q1: Where to start? Q2: What to compare? Identifying semantically similar entry points Building per-path symbolic environment Q3: How to compare? Statistically comparing each path 25

Comparing multiple file systems Q1: Where to start? Q2: What to compare? Identifying semantically similar entry points Building per-path symbolic environment Q3: How to compare? Statistically comparing each path 26

Identifying semantically similar entry points Linux Virtual File System (VFS) Use common data structures and behavior (e.g., inode and page cache) Define filesystem-specific interfaces (e.g., open, rename) 27

Example: inode_operations rename() struct inode_operations { int (*rename) (struct inode *,...); int (*create) (struct inode *,...); int (*unlink) (struct inode *,..); int (*mkdir) (struct inode *,...); }; Compare *_rename() to find deviant rename() implementations. 28

Example: inode_operations rename() struct inode_operations { int (*rename) (struct inode *,...); int (*create) (struct inode *,...); int (*unlink) (struct inode *,..); int (*mkdir) (struct inode *,...); }; btrfs_rename(...); ext4_rename(...); xfs_vn_rename( );... Compare *_rename() to find deviant rename() implementations. 29

Comparing multiple file systems Q1: Where to start? Q2: What to compare? Identifying semantically similar entry points Building per-path symbolic environment Q3: How to compare? Statistically comparing each path 30

Building per-path symbolic environment Context/flow-sensitive symbolic execution C language level Build symbolic environment per path (e.g., path cond, return values, side-effect, function calls) Key idea: return-oriented comparison Error codes represent per-path semantics (e.g., comparing all paths returning EACCES in rename() implementations) 31

Example: Per-path symbolic environment Execution Path Information int foo_rename(int flag) { if (flag == RO) return -EACCES; inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; } 32

Example: Per-path symbolic environment Execution Path Information int foo_rename(int flag) { if (flag == RO) return -EACCES; inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; } 33

Example: Per-path symbolic environment int foo_rename(int flag) { if (flag == RO) return -EACCES; Execution Path Information Condition inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; } 34 flag:!ro

Example: Per-path symbolic environment int foo_rename(int flag) { if (flag == RO) return -EACCES; inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; Execution Path Information Condition flag:!ro Side-effect inode flag = flag } 35

Example: Per-path symbolic environment int foo_rename(int flag) { if (flag == RO) return -EACCES; inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; Execution Path Information Condition flag:!ro Side-effect inode flag = flag Call } 36 kmalloc(, GFP_NOFS)

Example: Per-path symbolic environment int foo_rename(int flag) { if (flag == RO) return -EACCES; inode flag = flag; kmalloc(, GFP_NOFS) return SUCCESS; Execution Path Information Condition flag:!ro Side-effect inode flag = flag Call kmalloc(, GFP_NOFS) Return SUCCESS } 37

Constructing path database ext4... btrfs xfs...... 54 file systems (680K LoC) 8 Million paths (300 GB) Took 3 hours to generate on our 80-core machine Per-Filesystem Path Database 38...

Comparing multiple file systems Q1: Where to start? Q2: What to compare? Identifying semantically similar entry points Building per-path symbolic environment Q3: How to compare? Statistically comparing each path 39

Two types of per-path symbolic data ext4_rename... btrfs_rename xfs_rename...... Range data (or symbolic constraint) What is the range of argument for this execution path? e.g., path condition, return value, etc. Occurrences How many times a particular API flag is used? e.g., API argument usage, error handling, etc. 40...

Two types of per-path symbolic data ext4_rename... flag:!ro btrfs_rename... xfs_rename flag:!ro... flag: WO Range data (or symbolic constraint) What is the range of argument for this execution path? e.g., path condition, return value, etc.... Occurrences How many times a particular API flag is used? e.g., API argument usage, error handling, etc. 41

Two types of per-path symbolic data ext4_rename... xfs_rename... f(nofs) btrfs_rename... f(nofs) f(kernel) Range data (or symbolic constraint) What is the range of argument for this execution path? e.g., path condition, return value, etc.... Occurrences How many times a particular API flag is used? e.g., API argument usage, error handling, etc. 42

Two statistical comparison methods For range data Histogram-based comparison Compare range data and find deviant sub-ranges For occurrences Entropy-based comparison Find deviation in event occurrences 43

Histogram-based comparison 1. Represent range data histogram (see our paper) 2. Build a representative histogram average histograms High rank frequently used common patterns (e.g., VFS) Low rank specific implementations of file systems 3. Measure distance between histograms Sum up the sizes of non-overlapping area 44

Example: Path condition checker foo int foo_rename(flag) { if (flag == RO) return -EACCES; } bar int bar_rename(flag) { if (flag == RO) return -EACCES; } cad int cad_rename(flag) { if (flag == WO) return -EACCES; }1 Let's compare *_rename() on -EACCES path 45

Example: Path condition checker foo int foo_rename(flag) { if (flag == RO) return -EACCES; } bar int bar_rename(flag) { if (flag == RO) return -EACCES; } cad int cad_rename(flag) { if (flag == WO) return -EACCES; }1 Let's compare *_rename() on -EACCES path 46

Represent range data histogram foo bar cad 1.0 int foo_rename(flag) { if (flag == RO) return -EACCES; } flag RO WO 1.0 int bar_rename(flag) { if (flag == RO) return -EACCES; } flag RO WO 1.0 int cad_rename(flag) { if (flag == WO) return -EACCES; } flag 47 RO WO

Build a representative histogram foo_rename flag bar_rename flag 1.0 VFS Histogram: vfs_rename RO 1.0 0.7 RO cad_rename flag WO WO /3 1.0 RO WO 48 flag RO 0.3 WO

Build a representative histogram foo_rename flag bar_rename flag 1.0 VFS Histogram: vfs_rename RO Increase commonality 1.0 0.7 RO cad_rename flag WO WO /3 1.0 RO WO 49 flag RO 0.3 WO

Build a representative histogram foo_rename flag bar_rename flag 1.0 VFS Histogram: vfs_rename RO Increase commonality 1.0 0.7 RO cad_rename flag WO WO /3 1.0 RO flag RO 0.3 WO Decrease uncommonality WO 50

Measure distance between histograms foo_rename flag vfs_rename flag 1.0 RO 0.7 RO WO 0.3 WO 51

Measure distance between histograms foo_rename flag vfs_rename flag 1.0 RO 0.7 RO WO 0.3 flag WO 52

Measure distance between histograms foo_rename flag vfs_rename flag 1.0 RO 0.7 RO Non-overlapping regions = 0.3 + 0.3 = 0.6 WO 0.3 flag WO 53

Histogram distance foo_rename flag bar_rename flag 1.0 RO WO 1.0 distance(bar, VFS) = 0.6 RO cad_rename flag distance(foo, VFS) = 0.6 WO 1.0 distance(cad, VFS) = 1.2 RO WO 54

Ranking based on distance Distance cad int foo_rename(flag) { if (flag == RO) return -EACCES; } 1.2 foo int bar_rename(flag) { if (flag == RO) return -EACCES; } 0.6 bar int cad_rename(flag) { if (flag == WO) return -EACCES; }1 Reason 1.0 flag 0.6 55 RO WO Missing check: flag == RO

Ranking based on distance Distance cad foo bar int foo_rename(flag) { if (flag == RO) return -EACCES; } 1.2 1.0 flag int bar_rename(flag) { 0.6 if (flag == RO) return -EACCES; Larger distance } int cad_rename(flag) { if (flag == WO) return -EACCES; }1 Reason 0.6 56 RO WO Missing check: flag == RO more deviant

Ranking based on distance Distance cad foo bar int foo_rename(flag) { if (flag == RO) return -EACCES; } Reason 1.2 int bar_rename(flag) { 0.6 if (flag == RO) return -EACCES; Larger distance } 1.0 flag RO WO Missing check: flag == RO more deviant int cad_rename(flag) { found 59 new if (flag We == WO) 0.6 semantic bugs return -EACCES; using histogram-based comparison }1 57

Two statistical comparison methods For range data Histogram-based comparison Compare range data and find deviant sub-ranges For occurrences Entropy-based comparison Find deviation in event occurrences 58

Entropy-based comparison Find deviation in event occurrence Function argument, return value handling, etc. Shannon Entropy Entropy Event A : Event B 59

Entropy-based comparison Find deviation in event occurrence Function argument, return value handling, etc. Shannon Entropy Entropy 100 : 0 or 0 : 100 Event A : Event B 60

Entropy-based comparison Find deviation in event occurrence Function argument, return value handling, etc. Shannon Entropy 50 : 50 Entropy 100 : 0 or 0 : 100 Event A : Event B 61

Entropy-based comparison Find deviation in event occurrence Function argument, return value handling, etc. Shannon Entropy 50 : 50 Entropy 98:2 or 2:98 100 : 0 or 0 : 100 Event A : Event B 62

Example: Argument checker Inferring API usage patterns e.g., kmalloc() in file system GFP_NOFS to avoid deadlock Without any special knowledge, the argument checker can statically identify incorrect uses of API flags in file systems 63

Calculating entropy of GFP flag usages in file systems VFS entry Entropy GFP_KERNEL GFP_NOFS inode set_acl() 60 40 0.97 file read() 40 60 0.97 file write() 2 98 0.14 64

Calculating entropy of GFP flag usages in file systems VFS entry Entropy GFP_KERNEL GFP_NOFS inode set_acl() 60 40 0.97 file read() 40 60 0.97 file write() 2 98 0.14 65

Ranking based on entropy VFS entry file write() GFP_KERNEL GFP_NOFS Entropy 2 98 0.14 inode set_acl() 60 40 0.97 file read() 40 60 0.97 66

Ranking based on entropy VFS entry file write() GFP_KERNEL 2 GFP_NOFS 98 Entropy 0.14 inode set_acl() 60 40deviant Smaller entropy more 0.97 file read() 0.97 40 60 67

Ranking based on entropy VFS entry file write() GFP_KERNEL 2 GFP_NOFS 98 Entropy 0.14 inode set_acl() 60 40deviant Smaller entropy more 0.97 file read() 0.97 40 60 We found 59 new semantic bugs using entropy-based comparison 68

Specialized Checkers for Specific Types of Semantic Bugs 7 Checkers Histogram-based Entropy-based Path Condition Checker Return Code Checker Argument Checker Lock Checker Function Call Checker Side-effect Checker Error Handling Checker Spec. Generator Juxta Statistical Path Comparison Per-Filesystem Path Database 69

Implementation of Juxta 12K LoC in total Symbolic path explorer 6K lines of C/C++ (Clang 3.6) Tools and library 3K lines of Python Checkers 3K lines of Python VFS entry database Linux kernel 4.0-rc2 70

Evaluation questions How effective is Juxta in finding new bugs? What types of semantic bugs can Juxta find? How complete is Juxta's approach? How effective is Juxta's ranking scheme? 71

Juxta found 118 bugs in 54 file systems Checker # reports # manually verified reports New bugs Return code 573 150 2 Side-effect 389 150 6 Function call 521 100 5 Path condition 470 150 46 56 10 4 Error handling 242 100 47 Lock 131 50 8 2,382 710 118 Argument Total 72

Juxta found 7 types of new semantic bugs Checker # reports # manually verified reports New bugs Return code 573 150 2 Side-effect 389 150 6 Function call 521 100 5 Path condition 470 150 46 56 10 4 Error handling 242 100 47 Lock 131 50 8 2,382 710 118 Argument Total 73

Juxta found most known bugs Test case 21 known file system semantic bugs from PatchDB [Lu:FAST12] Synthesize them to the Linux Kernel 4.0-rc2 Juxta found 19 out of 21 bugs 2 missing bugs incomplete symbolic execution state explosion limited inter-procedural analysis 74

Cumulative # of bugs Juxta's ranking scheme is effective Entropy-based ranking 75

Cumulative # of bugs Juxta's ranking scheme is effective Entropy-based ranking Highest-ranked 76

Cumulative # of bugs Juxta's ranking scheme is effective Entropy-based ranking Highest-ranked Lowest-ranked 77

Cumulative # of bugs Juxta's ranking scheme is effective Entropy-based ranking Highest-ranked Lowest-ranked 78

Cumulative # of bugs Juxta's ranking scheme is effective Entropy-based ranking Highest-ranked Lowest-ranked > 50% of real bugs were found in top 100 79

Limitation Deviations do not always mean bugs Not universally applicable e.g., 24 patches are rejected after developers' review e.g., requirement: multiple existing implementations Symbolic execution is not complete e.g., state explosion, limited inter-procedural analysis 80

Discussion Self-regression e.g., comparing between subsequent versions Cross-layer refactoring promoting common code to VFS in Linux file systems e.g., if all file systems need the same capability check, shall we move such check to the VFS? Potential programs to be checked e.g., C libs, SCSI device drivers, JavaScript engines, etc. 81

Conclusion Cross-checking semantic correctness by comparing and contrasting multiple implementations Juxta: a static tool to find bugs in file systems Seven specialized checkers were developed 118 new semantic bugs found (e.g., ext4, XFS, Ceph, etc.) Our code and database will be released soon 82

Thank you! Changwoo Min changwoo@gatech.edu Sanidhya Kashyap, Byoungyoung Lee, Chengyu Song, Taesoo Kim Georgia Institute of Technology School of Computer Science Questions? 83

Case study: Rename a file Rename() has complex semantics e.g., rename(old_dir/a, new_dir/b) requires 3x3x3x3 combinations for update (e.g., mtime of dir and file) POSIX specification defines subset of such combinations e.g., ctime and mtime of old_dir and new_dir

Compare rename() of existing file systems in Linux Majority follows the POSIX spec Found 6 incorrect implementation (e.g., HPFS) Found inconsistency of undocumented combinations Found 6 potential bugs (e.g., HFS) Hidden Spec. old_dir new_dir file Attribute # Updated FS # Not updated FS ctime 53 1 mtime 53 1 ctime 52 2 mtime 52 2 ctime 48 6 Bugs

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback