Solidifying Software Interfaces: Checkable Contracts
Thomas Ball
Testing, Verification and Measurement
Microsoft Research
http://research.microsoft.com/~tball/

The .NET Framework
[Figure: timeline 1980, 1990, 2000 (vertical axis: Richness) showing Win16, Windows 3.0, Win32, MFC, COM; caption: A Once in a Decade Change]

Trustworthy Commitment
• Microsoft Cultural Shift
  – Thousands of hours spent in security reviews on .NET Framework to date
  – Foundstone, @Stake security reviews
• “Hardening” the .NET Framework
• Making Security Easier for Customers
  – Prescriptive Architectural Guidance
  – Feature changes in .NET Framework

.NET Framework
[Figure: namespace map of the .NET Framework. Application models: Client (Windows Forms, Command Line, NT Service), Web & Service (ASP.NET), Data Systems (Yukon), Mobile PC & Devices (Compact Framework). Layers: Presentation, Communication, Data; Fundamentals, Security, Base & Application Services, Deployment/Management; Tools. Each layer lists its System.* namespaces.]

Interfaces Everywhere!
[Figure: Client → API → Implementation]
But no contracts!

Microsoft Powerpoint EULA Point 11
• 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The GPL
• 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
• 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Is There any Program That Satisfies Its Contract?

Informal Contract: Sockets
the "communication domain" in which communication is to take place; see protocols(5). Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A connection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V), may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2). The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of

What is an API Contract?
• Pre-conditions
  – the conditions a client must establish before calling an API
  – “A filehandle must be in an open state before you call fread”
• Post-conditions
  – the conditions an implementation (of an API) must establish upon its termination
  – “If the file is present, fopen returns a filehandle in the open state”

Formalizing Contracts
• Pre/post conditions
  – Eiffel: “design by contract”, integrated into language
  – JML: pre/post language (in comments)
• Monitors
  – security automata
  – SLIC - SLAM’s API rule language
• Models
  – ASML: separate modeling language

Why are Contracts Useful?
• Precision in specification & design
• Separation of concerns
• Documentation
• Checking/Testing
  – dynamic (run-time)
  – static (compile-time)
• Responsibility, enforceability, liability, …

Why Now?
• Specifications are (still) a good idea!
  – focus shifted to critical properties rather than full correctness
• Bug economics
• Test automation wall
• Moore’s law
  – abundant computational resources
• Advances in research and technology
  – model checking
  – program analysis
  – theorem proving
  – analysis infrastructures

Overview
• SLAM analysis engine
  – Static Driver Verifier
• Other contract-checking tools
  – Vault (type checking)
  – ESC/Java (theorem proving)
  – ESP (dataflow analysis)

Static Driver Verifier
[Figure: workflow with the labels Development, Source Code, Rules, Read for understanding, New API rules, Precise API Usage Rules (SLIC), Software Model Checking, 100% path coverage, Defects, Drive testing tools, Testing]

SLAM – Software Model Checking
• SLAM innovations
  – boolean programs: a new model for software
  – model creation (c2bp)
  – model checking (bebop)
  – model refinement (newton)
• SLAM toolkit
  – built on MSR program analysis infrastructure

SLIC
• Finite state language for stating rules
  – monitors behavior of C code
  – temporal safety properties (security automata)
  – familiar C syntax
• Suitable for expressing control-dominated properties
  – e.g. proper sequence of events
  – can encode data values inside state

State Machine for Locking
    state {
      enum {Locked,Unlocked} s = Unlocked;
    }
[Figure: states Unlocked and Locked; Acq takes Unlocked to Locked, Rel takes Locked to Unlocked; Acq in Locked or Rel in Unlocked leads to Error]

Locking Rule in SLIC
    KeAcquireSpinLock.entry {
      if (s==Locked) abort;
      else s = Locked;
    }

    KeReleaseSpinLock.entry {
      if (s==Unlocked) abort;
      else s = Unlocked;
    }

The SLAM Process
[Figure: C program (#include <ntddk.h>) + Harness + SLIC Rule → C2BP (predicate abstraction) → boolean program → Bebop (reachability check) → error path → Newton (feasibility check) → refinement predicates, fed back into C2BP]

Example
Does this code obey the locking rule?
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;
      }
    } while (nPackets != nPacketsOld);
    KeReleaseSpinLock();

Example
Model checking boolean program (bebop)
    do {
      KeAcquireSpinLock();
      if(*){
        KeReleaseSpinLock();
      }
    } while (*);
    KeReleaseSpinLock();
[The slide annotates each statement with the reachable lock states, U = Unlocked, L = Locked, E = Error; the final KeReleaseSpinLock() is reachable in state U, so the error state E is reached.]

Example
Is error path feasible in C program? (newton)
[The C program above, with the error path's states U, L and E from the boolean program marked on the corresponding C statements.]

Example
Add new predicate b : (nPacketsOld == nPackets) to boolean program (c2bp)
(the boolean program statements are shown to the right of the C statements they abstract)
    do {
      KeAcquireSpinLock();
      nPacketsOld = nPackets;                 b = true;
      if(request){
        request = request->Next;
        KeReleaseSpinLock();
        nPackets++;                           b = b ? false : *;
      }
    } while (nPackets != nPacketsOld);        !b
    KeReleaseSpinLock();

Example
Model checking refined boolean program (bebop)
    do {
      KeAcquireSpinLock();
      b = true;
      if(*){
        KeReleaseSpinLock();
        b = b ? false : *;
      }
    } while ( !b );
    KeReleaseSpinLock();
[Two successive slides annotate each statement with the lock state and the value of b (b or !b); once the annotation is complete the loop exits only with b true, i.e. in state L, so the error state E is not reached.]

Demo

SLAM Status
• 2000-2001
  – foundations, algorithms, prototyping
  – papers in CAV, PLDI, POPL, SPIN, TACAS
• March 2002
  – Bill Gates review
• May 2002
  – Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier
• July 2002
  – running SLAM on 100+ drivers, 20+ properties
• September 3, 2002
  – made initial release of SDV to Windows (friends and family)
• April 1, 2003
  – made wide release of SDV to Windows (any internal driver developer)
• September, 2003
  – team of six in Windows working on SDV
  – researchers moving into “consultant” role
• November, 2003
  – demonstration at Driver Developer Conference

SLAM Results
• Boolean program model has proved itself
• Successful for device driver contracts
  – control-dominated safety properties
  – few boolean variables needed to do proof or find real errors
• Counterexample-driven refinement
  – terminates in practice
  – incompleteness of theorem prover not an issue

Other Ways to Check Contracts
• Type systems
  – Vault programming language
  – type system extended to allow simple pre/post
• Theorem proving
  – ESC/Java checker
  – uses JML specification language (rich pre/post conditions)
• Dataflow analysis
  – ESP
  – uses SLIC-like state machine language

Conclusions
• The technology now exists for enforcing simple API contracts using static analysis
• Rollout/adoption
  – first as out-of-band tools (i.e., SLAM, ESP, Fugue)
  – next as in-band tools (part of language/compiler)

Thanks To
Software Productivity Tools group members
  – Sriram Rajamani (SLAM)
  – Rob DeLine, Manuel Fahndrich (Vault/Fugue)
SLAM summer interns
  – Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
  – Satyaki Das, Wes Weimer, Robby (2001)
  – Jakob Lichtenberg, Mayur Naik (2002)
  – Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003)
SLAM Visitors
  – Giorgio Delzanno, Andreas Podelski, Stefan Schwoon
Static Driver Verifier: Windows Partners
  – Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner
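As an added example, not code from the talk or from SLAM itself, the two boolean programs of the locking example (the first abstraction, and the one refined with b : (nPacketsOld == nPackets)) written as small Python tables and explored by a bebop-style breadth-first reachability check against the SLIC locking rule. The statement kinds, the 'U'/'L' encoding of the rule's state and the pc-trace output are conventions of this example only; the coarse abstraction yields a spurious error path (looping back and acquiring the lock a second time), while the refined abstraction has no reachable error state.

```python
from collections import deque
# A boolean program is a list, indexed by pc, of (statement kind, successor pcs).
ACQ, REL, SET_B_TRUE, B_CHOICE, BRANCH_STAR, LOOP_NOT_B = range(6)
COARSE = [                  # first abstraction: no predicates, every test is '*'
    (ACQ, 1),               # 0: KeAcquireSpinLock();
    (BRANCH_STAR, (2, 3)),  # 1: if(*)        -> then 2, else 3
    (REL, 3),               # 2:   KeReleaseSpinLock();
    (BRANCH_STAR, (0, 4)),  # 3: } while(*);  -> loop 0, exit 4
    (REL, 5),               # 4: KeReleaseSpinLock();  (pc 5 = end)
]
REFINED = [                 # refined with predicate b : (nPacketsOld == nPackets)
    (ACQ, 1),               # 0: KeAcquireSpinLock();
    (SET_B_TRUE, 2),        # 1: nPacketsOld = nPackets;  => b = true;
    (BRANCH_STAR, (3, 5)),  # 2: if(*)
    (REL, 4),               # 3:   KeReleaseSpinLock();
    (B_CHOICE, 5),          # 4:   nPackets++;            => b = b ? false : *;
    (LOOP_NOT_B, (0, 6)),   # 5: } while(!b); -> loop 0, exit 6
    (REL, 7),               # 6: KeReleaseSpinLock();  (pc 7 = end)
]

def successors(state, program):
    """Transitions from (pc, s, b); s = SLIC lock state 'U'/'L', b = predicate."""
    pc, s, b = state
    if pc >= len(program):
        return []                                  # program finished
    kind, nxt = program[pc]
    if kind == ACQ:                                # SLIC: abort if already Locked
        return ["ERROR"] if s == "L" else [(nxt, "L", b)]
    if kind == REL:                                # SLIC: abort if already Unlocked
        return ["ERROR"] if s == "U" else [(nxt, "U", b)]
    if kind == SET_B_TRUE:
        return [(nxt, s, True)]
    if kind == B_CHOICE:                           # b = b ? false : *  ('*' = both)
        return [(nxt, s, False)] if b else [(nxt, s, True), (nxt, s, False)]
    if kind == BRANCH_STAR:                        # if(*) / while(*): both outcomes
        return [(t, s, b) for t in nxt]
    return [(nxt[1] if b else nxt[0], s, b)]       # LOOP_NOT_B: exact test on b

def check(program):                                # bebop-style reachability
    start = (0, "U", False)                        # b is assigned before it is read
    seen, queue = {start}, deque([(start, [0])])   # each entry carries its pc trace
    while queue:
        st, path = queue.popleft()
        for nx in successors(st, program):
            if nx == "ERROR":
                return path                        # pcs of the counterexample
            if nx not in seen:
                seen.add(nx)
                queue.append((nx, path + [nx[0]]))
    return None                                    # error unreachable: rule holds
```

check(COARSE) returns [0, 1, 3, 0], the abstract path that re-enters the loop without releasing, which newton would reject because nPackets == nPacketsOld forces the loop to exit; check(REFINED) returns None.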