Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1016/j.jss.2017.06.004

IF: 3.5

2017-01-01

Journal of Systems and Software

Abstract:In a modern operating system, device drivers acquire system resources to work. The acquired resources should be explicitly released by the drivers, because the operating system never reclaims them. Moreover, improper resource release can cause system crashes or hangs. Thus resource release is very important to driver reliability. However, according to our study on Linux driver mailing lists, many applied patches involve the modifications of resource release. Thus current resource management in drivers is not reliable enough. In this paper, we propose a novel approach named AutoRR, which can automatically and reliably release resources based on dynamic analysis. To identify resource handling operations, we use the dynamic specification-mining technique to mine resource acquiring and releasing functions. During execution, we maintain a resource-state list by intercepting the mined functions. If the driver fails to release acquired resources, AutoRR will report bugs and call corresponding releasing functions to safely release the resources. Dynamic analyses of resource dependency, allocation hierarchy, error handling form and releasing time are performed to avoid introducing new bugs when releasing resources. The evaluation on 12 Linux drivers shows that 40 detected bugs are all successfully and safely tolerated, and the overhead is only 7.84%. (C) 2017 Published by Elsevier Inc.

Jia-Ju Bai,Hu-Qiu Liu,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1109/apsec.2014.66

2014-01-01

Abstract:Device drivers usually invoke functions to allocate resources for managing hardware devices and communicating with the kernel, and these resources should be released by functions when the work is finished. Thus allocating functions and releasing functions must be invoked in pairs. However, many developers ignore this vital rule, and some allocated resources are not released in time, which may cause resource related problems like deadlocks and memory leak. For improving the resource management of device drivers, we propose an approach named Pair Dyn to check these paired functions during runtime. When the driver runs, Pair Dyn records the runtime information of allocating functions such as key parameters and return value, and dynamically detects whether the relevant releasing functions are invoked to free allocated resources during runtime. Before the driver exits, Pair Dyn automatically attempts to invoke the related releasing functions which are lacked in runtime, in order to free the allocated resources of the operation system. We have implemented Pair Dyn with the LLVM compiler infrastructure, and make the evaluation with four real device drivers in Linux version 3.10.1. The experimental result shows that with the low extra overhead, Pair Dyn can provide effective runtime checking for allocate-release paired functions. Moreover, 9 potential bugs are found in the four drivers, which are all fixed automatically before exiting. Finally, no manual modification of the source code is needed with Pair Dyn.

Hao Yue,Keyi Xing,Hesuan Hu,Weimin Wu,Hongye Su

DOI: https://doi.org/10.1016/j.ins.2018.02.043

IF: 8.1

2018-01-01

Information Sciences

Abstract:Blockage and deadlock are undesirable in an automated manufacturing system (AMS). Thus, addressing these issues is essential to ensure smooth production evolution via system supervisory control. If an AMS contains unreliable resources which may break down unexpectedly, then the situation is complicated and problems become challenging. This work investigates the robust supervision for such AMSs from the perspective of management and control of resource allocation. The ultimate goal of this study is to develop a controller for allocating buffer space, such that any failure does not propagate through blocking to stall the rest of the system. In other words, the continual production of every part type not requiring any of the failed resources must be guaranteed at all time. We propose a supervisory control policy that satisfies the above desired property by using formal tools of automata and Petri nets. The policy relaxes the assumption made in previous work that each part type requires at most one failure-prone resource in the predefined production route. Meanwhile, the policy execution and implementation do not need any central buffers. We also present a survey and some comparative studies of various approaches in the literature about robust supervision for deadlock resolution in AMSs.

Jia-Ju Bai,Yu-Ping Wang,Hu-Qiu Liu,Shi-Min Hu

DOI: https://doi.org/10.1016/j.infsof.2016.01.018

IF: 3.9

2016-01-01

Information and Software Technology

Abstract:Context: Device drivers often call specific kernel interface functions in pairs to allocate and release resources, and these functions can be called as paired functions. But due to poor documentation and carelessness, developers sometimes misuse paired functions in drivers, which causes resource-usage violations.Objective: Many dynamic approaches have been proposed to mine API rules and check resource usage for user-mode applications, but they are rarely applied to kernel-mode device drivers due to their designs. Meanwhile, most existing dynamic approaches lack systematic mechanisms to cover error handling code, which limits their availability and scalability. Our goal is to improve dynamic analysis to solve these problems.Method: In this paper, we propose PairCheck, a novel approach for mining and checking paired functions in device drivers, using three techniques. Firstly, we design a characteristic fault injection framework to generate test cases, which simulates occasional errors and covers most error handling code with little effort. Secondly, complete runtime information is recorded through call interception during test-case execution. Thirdly, we mine and check paired functions based on collected runtime information, name patterns and statistical analysis.Result: To validate the availability of PairCheck, we evaluate it on 11 Linux Ethernet card drivers. PairCheck mines 37 and 43 real paired functions in Linux 3.1.1 and 3.17.2, respectively. With these mined paired functions, it finds 10 violations in Linux 3.1.1 which have been fixed in 3.17.2, and 35 new violations in 3.17.2. The replies from developers indicate the false positive rate is low. Compared to normal execution, code coverage increases by 8.3% on average.Conclusion: Our work shows that it is possible to precisely mine API rules of resource usage by using characteristic fault injection. The mined rules are useful for improving the reliability of device drivers. (C) 2016 Elsevier B.V. All rights reserved.

Huamao Wu,Yuan Chen,Yajin Zhou,Yifei Wang,Lubo Zhang

DOI: https://doi.org/10.1109/dac56929.2023.10247974

2023-01-01

Abstract:Driver-originated vulnerabilities are well-known threats to modern monolithic kernels. However, existing driver isolation solutions either rely on Intel-only or newly-introduced CPU features (e.g., Intel VMFUNC, ARM MTE), or suffer from performance issues, making them unsuitable for existing ARM-based devices. In this work, we leverage a common hardware feature, named hardware watchpoint, to achieve lightweight driver isolation for off-the-shelf ARM devices. Specifically, we utilize watchpoints to prevent the possibly compromised driver from corrupting the rest kernel’s state arbitrarily. We implement a prototype for ARM64 Linux. The security analysis and performance evaluation show the efficiency and practicality of our solution.

Jia-Ju Bai,Hu-Qiu Liu,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1109/compsac.2015.24

2015-01-01

Abstract:Device drivers often suffer from much more bugs than the kernel, so testing device drivers becomes more and more important and necessary. In software testing, runtime tracing is an important technique to monitor real executing procedures of the program. Meanwhile, runtime information can also assist the programmer to make more accurate analysis of the program, like verifying the correctness of code execution and detecting bugs. However, due to kernel-mode execution and high complexity of kernel code, completely tracing drivers is hard, which causes real execution paths can not be clearly identified. In order to provide more powerful support for software testing of device drivers, we propose a method named Driver Trace, to do complete runtime tracing at the function level. Driver Trace utilizes instrumentation technique for runtime tracing, which is implemented based on LLVM compiler infrastructure. When the target driver works, Driver Trace records complete runtime information of function calls, like function names, return values and parameter pointers, and the information is recorded in a log file for future analysis. We have successfully implemented Driver Trace on 10 real device drivers in Linux 3.16.4 and made the evaluation as well. The experimental results show that Driver Trace provides an effective method of runtime tracing for device drivers with the modest overhead. Moreover, using an automated analysis of the runtime information recorded by Driver Trace, we also find 6 violations about resource usages in these 10 device drivers.

Hong-zhou Chen,Xue-zeng Pan,Ling-di Ping,Kui-jun Lu,Xiao-ping Chen

DOI: https://doi.org/10.1631/jzus.a0720083

2008-01-01

Abstract:Programs take on changing behavior at runtime in a simultaneous multithreading (SMT) environment. How reasonably common resources are distributed among the threads significantly determines the throughput and fairness performance in SMT processors. Existing resource distribution methods either mainly rely on the front-end fetch policy, or make distribution decisions according to the limited information from the pipeline. It is difficult for them to efficiently catch the various resource requirements of the threads. This work presents a spatially triggered dissipative resource distribution (SDRD) policy for SMT processors. Its two parts, the self-organization mechanism that is driven by the real-time instructions per cycle (IPC) performance and the introduction of chaos that tries to control the diversity of trial resource distributions, work together to supply sustaining resource distribution optimization for changing program behavior. Simulation results show that SDRD with fine-grained diversity controlling is more effective than that with a coarse-grained one. And SDRD benefits much from its two well-coordinated parts, providing potential fairness gains as well as good throughput gains. Meanings and settings of important SDRD parameters are also discussed.

Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1145/3168809

2018-01-01

Abstract:Original device drivers are often passive in common operating systems, and they should correctly handle synchronization when concurrently invoked by multiple external threads. However, many concurrency bugs have occurred in drivers due to incautious synchronization. To solve concurrency problems, active driver is proposed to replace original passive driver. An active driver has its own thread and does not need to handle synchronization, thus the occurrence probability of many concurrency bugs can be effectively reduced. But previous approaches of active driver have some limitations. The biggest limitation is that original passive driver code needs to be manually rewritten. In this paper, we propose a practical approach, AutoPA, to automatically generate efficient active driver from original passive driver code. AutoPA uses function analysis and code instrumentation to perform automated driver generation, and it uses an improved active driver architecture to reduce performance degradation. We have evaluated AutoPA on 20 Linux drivers. The results show that AutoPA can automatically and successfully generate usable active drivers from original driver code. And generated active drivers can work normally with or without the synchronization primitives in original driver code. To check the effect of AutoPA on driver reliability, we perform fault injection testing on the generated active drivers, and find that all injected concurrency faults are well tolerated and the drivers can work normally. And the performance of generated active drivers is not obviously degraded compared to original passive drivers.

Qiu-Liang Chen,Jia-Ju Bai,Zu-Ming Jiang,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1109/saner.2019.8668017

2019-01-01

Abstract:Data races are often hard to detect in device drivers, due to the non-determinism of concurrent execution. According to our study of Linux driver patches that fix data races, more than 38% of patches involve a pattern that we call inconsistent lock protection. Specifically, if a variable is accessed within two concurrently executed functions, the sets of locks held around each access are disjoint, at least one of the locksets is non-empty, and at least one of the involved accesses is a write, then a data race may occur.In this paper, we present a runtime analysis approach, named DILP, to detect data races caused by inconsistent lock protection in device drivers. By monitoring driver execution, DILP collects the information about runtime variable accesses and executed functions. Then after driver execution, DILP analyzes the collected information to detect and report data races caused by inconsistent lock protection. We evaluate DILP on 12 device drivers in Linux 4.16.9, and find 25 real data races.

Qian Wu,Guangtai Liang,Qianxiang Wang,Tao Xie,Hong Mei

DOI: https://doi.org/10.1109/ASE.2011.6100058

2011-01-01

Abstract:ABSTRACTSoftware systems commonly use resources such as network connections or external file handles. Once finish using the resources, the software systems must release these resources by explicitly calling specific resource-releasing API methods. Failing to release resources properly could result in resource leaks or even outright system failures. Existing verification techniques could analyze software systems to detect defects related to failing to release resources. However, these techniques require resource-releasing specifications for specifying which API method acquires/releases certain resources, and such specifications are not well documented in practice, due to the large amount of manual effort required to document them. To address this issue, we propose an iterative mining approach, called RRFinder, to automatically mining resource-releasing specifications for API libraries in the form of (resource-acquiring, resource-releasing) API method pairs. RRFinder first identifies resource-releasing API methods, for which RRFinder then identifies the corresponding resource-acquiring API methods. To identify resource-releasing API methods, RRFinder performs an iterative process including three steps: model-based prediction, call-graph-based propagation, and class-hierarchy-based propagation. From heterogeneous information (e.g., source code, natural language), the model-based prediction employs a classification model to predict the likelihood that an API method is a resource-releasing method. The call-graph-based and class-hierarchy-based propagation propagates the likelihood information across methods. We evaluated RRFinder on eight open source libraries, and the results show that RRFinder achieved an average recall of 94.0% with precision of 86.6% in mining resource-releasing specifications, and the mined specifications are useful in detecting resource leak defects.

Jia-Ju Bai,Julia Lawall,Qiu-Liang Chen,Shi‐Min Hu

2019-01-01

Abstract:In Linux device drivers, use-after-free (UAF) bugs can cause system crashes and serious security problems. According to our study of Linux kernel commits, 42% of the driver commits fixing use-after-free bugs involve driver concurrency. We refer to these use-after-free bugs as concurrency use-after-free bugs. Due to the non-determinism of concurrent execution, concurrency use-after-free bugs are often more difficult to reproduce and detect than sequential use-after-free bugs. In this paper, we propose a practical static analysis approach named DCUAF, to effectively detect concurrency use-after-free bugs in Linux device drivers. DCUAF combines a local analysis analyzing the source code of each driver with a global analysis statistically analyzing the local results of all drivers, forming a local-global analysis, to extract the pairs of driver interface functions that may be concurrently executed. Then, with these pairs, DCUAF performs a summary-based lockset analysis to detect concurrency use-after-free bugs. We have evaluated DCUAF on the driver code of Linux 4.19, and found 640 real concurrency use-after-free bugs. We have randomly selected 130 of the real bugs and reported them to Linux kernel developers, and 95 have been confirmed.

蒋文杰,陈文智

DOI: https://doi.org/10.3969/j.issn.1001-182X.2006.06.018

2006-01-01

Abstract:This paper explains the framework of the RTEMS--an embedded real time operation system. and emphasizes on the design of device driver.

Jia-Ju Bai,Qiu-Liang Chen,Zu-Ming Jiang,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1109/tse.2021.3138735

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Data races are often hard to detect in device drivers. According to our study of Linux driver patches that fix data races, about 39% of patches involve a pattern that we call inconsistent locking discipline. Specifically, if a variable is accessed within two concurrently executed functions, the sets of locks held around each access are disjoint, at least one of the locksets is non-empty, and at least one of the involved accesses is a write, then a data race may occur. In this paper, we present a hybrid static-dynamic analysis approach, named SDILP, to detect data races caused by inconsistent locking discipline in device drivers. SDILP has a dynamic lockset analysis to detect data races at runtime, and a static lockset analysis to detect more data races based on the dynamic-analysis results. It also performs a static taint analysis to reduce the number of variable accesses monitored by the dynamic analysis. Compared to our previous dynamic approach DILP (Chen et al., 2019), introducing static analysis allows SDILP to achieve better performance and find more data races. We evaluate SDILP on 12 drivers in Linux 5.4, and find 117 real data races, 50 of which have been confirmed by driver developers.

engineering, electrical & electronic,computer science, software engineering

Hu-Qiu Liu,Jia-Ju Bai,Yu-Ping Wang,Shi-Min Hu

DOI: https://doi.org/10.1109/apsec.2014.67

2014-01-01

Abstract:Kernel extension functions are provided as interfaces for drivers to manage devices and resources, and there are many implicit rules about their usages. One of the most important rules is that many functions should be called in pairs. That is to say, when an error occurs in a function, the driver should call related functions to handle it and release the acquired resources before returning, and we name these functions between normal execution paths and error handling paths as paired functions. However, many developers are unaware of them, which causes lots of bugs. Therefore, it is highly significant to automatically extract paired functions and detect violations for drivers. This paper proposes an efficient tool named BP-Miner, which can extract paired functions from binary code of driver modules and detect violations for error handling in drivers with extracted paired functions. BP-Miner constructs control flow graph (CFG) based on basic blocks of binary code, and locates potential execution paths to extract paired functions. We have evaluated BP-Miner with Linux drivers 2.6.38 and 3.13.0-rc7. 76 bugs are reported by BP-Miner in 2.6.38 which have been fixed in the current latest version 3.13.0-rc7. BP-Miner spends about 90 minutes handling 3653 module files for 3.13.0-rc7, and 859 violations have been detected with 1167 extracted paired functions. As it works on the binary code, it can be utilized to check close-source drivers.

Huan WANG,Jun-jie MAO,Dan WANG,Yu CHEN

DOI: https://doi.org/10.11896/j.issn.1002-137X.2017.04.009

2017-01-01

Abstract:Device drivers is an important factor affecting the applicability of the operating system.Considering the large cost of completely developing a device driver,reusing existing device drivers in the operating system became the preferred method for improving the applicability of operating system.Reuse of device driver process is essentially a target environment set up process of device drivers,reusing a device driver does not need to implement all of the kernel services.Code dependency analysis could recognize the dependency between device driver and kernel service.Device driver environment can be built by code dependency analysis technology automatically.Through reusing the e1000 network adapter driver,the feasibility of this method was proved.

Chao Ma,Peng Zhao,Shi-min Hu

DOI: https://doi.org/10.1109/tce.2012.6311358

2012-01-01

IEEE Transactions on Consumer Electronics

Abstract:A great number of consumer electronic devices have emerged in recent years. To support these devices, many device drivers have been developed. These device drivers usually work in operating systems. Improper concurrency management causes lots of device driver bugs and the drivers' failures often lead to operating system crashes. Various approaches have been proposed to solve this problem, some of which use serialization to avoid the concurrency faults. However, these methods need to rewrite all the device drivers. This paper proposes SerialDriver, a new architecture to solve the concurrency faults of device drivers based on serialization. The proposed SerialDriver is composed of three components: an interface adapter, a message queue and a request processing thread. With the help of the interface adapter, SerialDriver gets rid of the need for reimplementing device drivers. In SerialDriver, requests from kernel threads to a device driver are placed in a message queue. The request processing thread of SerialDriver delivers these requests to the device driver sequentially. Extensive evaluation results show that SerialDriver serializes requests for a device driver successfully and the overhead incurred by SerialDriver is acceptable(1).

Sidney Amani,Peter Chubb,Alastair F. Donaldson,Alexander Legg,Leonid Ryzhyk,Yanjin Zhu

DOI: https://doi.org/10.4204/EPTCS.102.3

2012-11-27

Abstract:We develop a practical solution to the problem of automatic verification of the interface between device drivers and the OS. Our solution relies on a combination of improved driver architecture and verification tools. It supports drivers written in C and can be implemented in any existing OS, which sets it apart from previous proposals for verification-friendly drivers. Our Linux-based evaluation shows that this methodology amplifies the power of existing verification tools in detecting driver bugs, making it possible to verify properties beyond the reach of traditional techniques.

Operating Systems,Software Engineering

Yu Wang,Fengjuan Gao,Linzhang Wang,Tingting Yu,Ke Wang,Jianhua Zhao,Xuandong Li

2023-05-29

Abstract:Interrupt-driven programs are widely deployed in safety-critical embedded systems to perform hardware and resource dependent data operation tasks. The frequent use of interrupts in these systems can cause race conditions to occur due to interactions between application tasks and interrupt handlers (or two interrupt handlers). Numerous program analysis and testing techniques have been proposed to detect races in multithreaded programs. Little work, however, has addressed race condition problems related to hardware interrupts. In this paper, we present SDRacer, an automated framework that can detect, validate and repair race conditions in interrupt-driven embedded software. It uses a combination of static analysis and symbolic execution to generate input data for exercising the potential races. It then employs virtual platforms to dynamically validate these races by forcing the interrupts to occur at the potential racing points. Finally, it provides repair candidates to eliminate the detected races. We evaluate SDRacer on nine real-world embedded programs written in C language. The results show that SDRacer can precisely detect and successfully fix race conditions.

Software Engineering

Jia-Ju Bai,Tuo Li,Kangjie Lu,Shi-Min Hu

2021-01-01

Abstract:Direct Memory Access (DMA) is a popular mechanism for improving hardware I/O performance, and it has been widely used by many existing device drivers. However, DMA accesses can be unsafe, from two aspects. First, without proper synchronization of DMA buffers with hardware registers and CPU cache, the buffer data stored in CPU cache and hardware registers can be inconsistent, which can cause unexpected hardware behaviors. Second, a malfunctioning or untrusted hardware device can write bad data into system memory, which can trigger security bugs (such as buffer overflow and invalid-pointer access), if the driver uses the data without correct validation. To detect unsafe DMA accesses, some key challenges need to be solved. For example, because each DMA access is implemented as a regular variable access in the driver code, identifying DMA accesses is difficult. In this paper, we propose a static-analysis approach named SADA, to automatically and accurately detect unsafe DMA accesses in device drivers. SADA consists of three basic steps. First, SADA uses a field-based alias analysis to identify DMA accesses, according to the information of DMA-buffer creation. Second, SADA uses a flow-sensitive and patternbased analysis to check the safety of each DMA access, to detect possible unsafe DMA accesses. Finally, SADA uses an SMT solver to validate the code-path condition of each possible unsafe DMA access, to drop false positives. We have evaluated SADA on the driver code of Linux 5.6, and found 284 real unsafe DMA accesses. Among them, we highlight that 121 can trigger buffer-overflow bugs and 36 can trigger invalid-pointer accesses causing arbitrary read or write. We have reported these unsafe DMA accesses to Linux driver developers, and 105 of them have been confirmed.

Yang Sun,Christopher M. Poskitt,Xiaodong Zhang,Jun Sun

DOI: https://doi.org/10.1145/3597503.3639151

2024-01-04

Abstract:Autonomous driving systems (ADSs) integrate sensing, perception, drive control, and several other critical tasks in autonomous vehicles, motivating research into techniques for assessing their safety. While there are several approaches for testing and analysing them in high-fidelity simulators, ADSs may still encounter additional critical scenarios beyond those covered once they are deployed on real roads. An additional level of confidence can be established by monitoring and enforcing critical properties when the ADS is running. Existing work, however, is only able to monitor simple safety properties (e.g., avoidance of collisions) and is limited to blunt enforcement mechanisms such as hitting the emergency brakes. In this work, we propose REDriver, a general and modular approach to runtime enforcement, in which users can specify a broad range of properties (e.g., national traffic laws) in a specification language based on signal temporal logic (STL). REDriver monitors the planned trajectory of the ADS based on a quantitative semantics of STL, and uses a gradient-driven algorithm to repair the trajectory when a violation of the specification is likely. We implemented REDriver for two versions of Apollo (i.e., a popular ADS), and subjected it to a benchmark of violations of Chinese traffic laws. The results show that REDriver significantly improves Apollo's conformance to the specification with minimal overhead.

Software Engineering