TESLA: temporally enhanced system logic assertions

Large, complex, rapidly evolving pieces of software such as operating systems are notoriously difficult to prove correct. Developers instead describe expected behaviour through assertions and check actual behaviour through testing. However, many dynamic safety properties cannot be validated this way as they are temporal: they depend on events in the past or future and are not easily expressed in assertions. TESLA is a description, analysis, and validation tool that allows systems programmers to describe expected temporal behaviour in low-level languages such as C. Temporal assertions can span the interfaces between libraries and even languages. TESLA exposes run-time behaviour using program instrumentation, illuminating coverage of complex state machines and detecting violations of specifications. We apply TESLA to complex software, including an OpenSSL security API, the FreeBSD Mandatory Access Control framework, and GNUstep's rendering engine. With performance allowing "always-on" availability, we demonstrate that existing systems can benefit from richer dynamic analysis without being re-written for amenability to a complete formal analysis.
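
The abstract describes checking temporal properties (ordering of events across an API's lifetime) by instrumenting call sites and driving a per-object state machine. The following is an added illustration of that idea, written for this page rather than taken from the TESLA project: a hand-written C monitor for a hypothetical context API (`init`, `use`, `free`) that flags use-before-init, use-after-free and double-free as violations of the temporal property "init precedes use, and nothing follows free". It uses its own event hooks, not TESLA's assertion language.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical per-object automaton (constructed for this example) for the
 * temporal property "init happens before use; no use or free after free". */
enum ctx_state { CTX_UNINIT = 0, CTX_READY, CTX_FREED };
enum ctx_event { EV_INIT, EV_USE, EV_FREE };

#define MAX_TRACKED 16

struct tracked { const void *obj; enum ctx_state st; };
static struct tracked table[MAX_TRACKED];
static size_t ntracked;

/* Sample objects used by the usage call below (constructed, not real contexts). */
static int sample_a, sample_b;

/* Find or create the automaton instance for obj; NULL when the table is full. */
static struct tracked *lookup(const void *obj) {
    for (size_t i = 0; i < ntracked; i++)
        if (table[i].obj == obj) return &table[i];
    if (ntracked == MAX_TRACKED) return NULL;
    table[ntracked].obj = obj;
    table[ntracked].st = CTX_UNINIT;
    return &table[ntracked++];
}

/* Instrumentation hook: advance obj's automaton on event ev.
 * Returns true when the transition is permitted, false on a violation; the
 * state is left unchanged on a violation so later events are still checked. */
bool monitor_event(const void *obj, enum ctx_event ev) {
    struct tracked *t = lookup(obj);
    if (t == NULL) return false;            /* table full: report, do not lose the event */
    switch (t->st) {
    case CTX_UNINIT:
        if (ev == EV_INIT) { t->st = CTX_READY; return true; }
        return false;                       /* use or free before init */
    case CTX_READY:
        if (ev == EV_USE) return true;
        if (ev == EV_FREE) { t->st = CTX_FREED; return true; }
        return false;                       /* double init */
    case CTX_FREED:
        return false;                       /* use-after-free or double free */
    }
    return false;
}

/* Forget all tracked objects (lets the monitor be reused between runs). */
void monitor_reset(void) { ntracked = 0; }
```

A real deployment would emit these events from wrappers or compiler-inserted instrumentation around the API's own functions, which is what lets the property span library and language boundaries.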
