Sequoll: A framework for model checking binaries

Multi-criticality real-time systems require protected-mode operating systems with bounded interrupt latencies and guaranteed isolation between components. A tight WCET analysis of such systems requires trustworthy information about loop bounds and infeasible paths. We propose sequoll, a framework for employing model checking of binary code to determine loop counts and infeasible paths, as well as validating manual infeasible path annotations, which are often error-prone. We show that sequoll automatically determines many of the loop counts in the Mälardalen WCET benchmarks. We also show that sequoll computes loop bounds and validates several infeasible path annotations used to reduce the computed WCET bound of seL4, a high-assurance protected microkernel for multi-criticality systems.
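As an added illustration of the two tasks the abstract names (deriving a loop bound, and validating a hand-written infeasible-path annotation against the program's actual behaviour), the following Python script performs an explicit-state exploration over a toy register-machine program. It is not sequoll's code and does not model its ARM binary front end; the toy instruction set, the program, the input domain 0..7 and every function name are assumptions constructed for this example.

```python
"""Toy explicit-state exploration for loop bounds and path annotations.

Constructed example, not part of the sequoll paper. The "binary" is a list of
tuples in a made-up register-machine ISA; operands are register names ("r0")
or integer immediates. Inputs are nondeterministic but drawn from a finite
domain, so every run can be enumerated exhaustively.
"""
from collections import Counter

# Toy ISA (assumption): set/add write a register, jlt branches on a<b, jmp is
# unconditional, halt ends the run.
PROG = [
    ("jlt", "r0", 5, 2),     # 0: if r0 < 5 goto 2
    ("set", "r0", 4),        # 1: clamp the input: r0 := 4
    ("set", "r1", 0),        # 2: i := 0
    ("set", "r2", 0),        # 3: flag := 0
    ("jlt", "r1", "r0", 6),  # 4: LOOP HEADER: if i < r0 goto body
    ("halt",),               # 5: loop exit
    ("jlt", "r1", 2, 9),     # 6: if i < 2 goto block A
    ("set", "r2", 1),        # 7: block B: flag := 1
    ("jmp", 10),             # 8
    ("add", "r3", 1),        # 9: block A: counter++
    ("add", "r1", 1),        # 10: i++
    ("jmp", 4),              # 11: back edge to the header
]


def val(regs, x):
    """Resolve an operand: register name -> its value, immediate -> itself."""
    return regs[x] if isinstance(x, str) else x


def step(prog, pc, regs):
    """Execute one instruction; return (next_pc, regs) or None when halted."""
    ins = prog[pc]
    op = ins[0]
    if op == "halt":
        return None
    regs = dict(regs)  # copy so callers can keep earlier states
    if op == "set":
        regs[ins[1]] = val(regs, ins[2])
        return pc + 1, regs
    if op == "add":
        regs[ins[1]] += val(regs, ins[2])
        return pc + 1, regs
    if op == "jmp":
        return ins[1], regs
    if op == "jlt":
        taken = val(regs, ins[1]) < val(regs, ins[2])
        return (ins[3] if taken else pc + 1), regs
    raise ValueError(f"unknown opcode {op}")


def run(prog, regs, fuel=10_000):
    """Return the list of pcs visited on the deterministic run from regs."""
    trace, pc = [], 0
    for _ in range(fuel):
        trace.append(pc)
        nxt = step(prog, pc, regs)
        if nxt is None:
            return trace
        pc, regs = nxt
    raise RuntimeError("run did not terminate within the fuel budget")


def all_runs(prog, input_domain):
    """Enumerate the run for every input valuation (explicit-state search)."""
    for r0 in input_domain:
        yield r0, run(prog, {"r0": r0, "r1": 0, "r2": 0, "r3": 0})


def loop_bound(prog, header, input_domain):
    """Max number of back-edge executions into `header` over all runs.

    Assumption: the loop body lies after the header in layout order, so a
    transition into the header from a higher pc is the back edge.
    """
    best = 0
    for _, trace in all_runs(prog, input_domain):
        back = sum(1 for a, b in zip(trace, trace[1:]) if b == header and a > header)
        best = max(best, back)
    return best


def check_exclusive(prog, pc_a, pc_b, input_domain):
    """Validate 'pc_a and pc_b never both execute in one run'.

    Returns (holds, counterexample_input)."""
    for r0, trace in all_runs(prog, input_domain):
        if pc_a in trace and pc_b in trace:
            return False, r0
    return True, None


def check_max_count(prog, pc, k, input_domain):
    """Validate 'pc executes at most k times per run'; returns (holds, worst)."""
    worst = max(Counter(trace)[pc] for _, trace in all_runs(prog, input_domain))
    return worst <= k, worst


if __name__ == "__main__":
    dom = range(8)
    print("loop bound at header 4:", loop_bound(PROG, 4, dom))          # 4
    print("A(9) and B(7) exclusive:", check_exclusive(PROG, 9, 7, dom))  # (False, 3)
    print("B(7) at most twice:", check_max_count(PROG, 7, 2, dom))       # (True, 2)
```

The clamp at instruction 1 is what makes the bound 4 rather than 7; a purely syntactic look at the loop would miss it, while exploring actual executions picks it up. The annotation "blocks A and B are mutually exclusive" is the kind of plausible-looking manual claim the abstract calls error-prone: the exploration refutes it with the concrete input 3. The enumeration here only works because the input domain is finite and tiny; analysing real binaries with unbounded inputs needs symbolic or abstract reasoning, which is what a model-checking framework supplies.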
