Testing Closed-Source Binary Device Drivers with DDT

DDT is a system for testing closed-source binary device drivers against undesired behaviors, like race conditions, memory errors, resource leaks, etc. One can metaphorically think of it as a pesticide against device driver bugs. DDT combines virtualization with a specialized form of symbolic execution to thoroughly exercise tested drivers; a set of modular dynamic checkers identify bug conditions and produce detailed, executable traces for every path that leads to a failure. These traces can be used to easily reproduce and understand the bugs, thus both proving their existence and helping debug them. We applied DDT to several closed-source Microsoft-certified Windows device drivers and discovered 14 serious new bugs. DDT is easy to use, as it requires no access to source code and no assistance from users. We therefore envision DDT being useful not only to developers and testers, but also to consumers who want to avoid running buggy drivers in their OS kernels.
