Automatic Bug Detection in Microcontroller Software by Static Program Analysis

Bastian Schlich ([email protected])
Ansgar Fehnker, Ralf Huuck, and Michael Tapp (National ICT Australia)
SOFSEM – 28.01.2009

© 2009 Bastian Schlich, Embedded Software Laboratory, RWTH Aachen University

Embedded Systems – Bugs are Pain

Outline
• Microcontroller software
• [mc]square
• Goanna
• Extending Goanna
• Case Study

Microcontroller Software is Different
• Often: no operating system
• Non-ANSI C
  – Embedded assembly statements
  – Direct memory access
  – Hardware-dependent extensions

[mc]square: Model Checking Microcontroller Assembly Code
• Supports: ATMEL ATmega16, ATmega128, Infineon XC167, Intel C51, PLCs, and ASMs
• Input: object code file (assembly code), , and CTL formula
• Functional properties and extra checks (e.g., stack collisions and reserved registers)
• Sometimes: state explosion
• http://www.embedded.rwth-aachen.de/mc_square

Goanna Static Analyzer
• Analyses C/C++
  – Including compiler extensions
  – Common defects, similar to other tools
• 100% automatic
  – No annotations
  – Scales to millions of lines of code
• Unsound/incomplete, but practical
• Uses a model checker as engine: NuSMV
• http://nicta.com.au/research/projects/goanna/

C/C++ Program: Syntactical Information
The CFG is a transition system; atomic propositions are attached to its locations by pattern matching on the syntax:

  1  var f,n    declaration_f, declaration_n
  2  n=3        modified_n
  3  f=1        modified_f
  4  n>0        used_n
  5  f=f*n      used_n, used_f, modified_f
  6  n=n-1      used_n, modified_n
  7

Static Analysis by Model Checking
• transition system + atomic propositions = Kripke structure
• So can we model check syntax? [Schmidt and Steffen 1998]

The Way Goanna does It
• The CFG with its labels (modified_n, used_n) and the property AG (modified_n => EF used_n) are both encoded into the model checker's input language; the model checker then decides the property

NuSMV Encoding

  MODULE fun_0(id)                              -- function
  VAR
    location : { line1, line2, line3, ... };    -- CFG locations
  DEFINE                                        -- label definition
    modified_n := location in { line7, line26 };
    used_n     := location in { line8, line17 };
  ASSIGN                                        -- transition relation (CFG)
    next(location) := case
      location = line1 : { line2 };
      location = line2 : { line3 };
      location = line9 : { line10, line14 };
      ...
    esac;
  SPEC AG (modified_n -> EF used_n)             -- property

Type of Checks
• Static analysis inspects code automatically for
  – Memory corruption
  – Memory leaks
  – Security vulnerabilities
  – API rule violations
  – Coding standard violations
• Typically does not catch microcontroller-specific problems

Extending Goanna: ATMEL ATmega16
• Used by, e.g.: automotive, industrial control, security, GPS, and sensor networks
• Features
  – 8 bit
  – 32 registers / 32 I/O registers
  – 1 kB SRAM, 512 EEPROM, 16 kB flash memory
  – 2 * 8 bit timers, 1 * 16 bit timer
  – 21 internal and external interrupts
  – ...
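As an added example (not Goanna's or NuSMV's code), the following Python performs the check that the NuSMV encoding above expresses: it labels the CFG of the program from the "Syntactical Information" slide with Goanna's atomic propositions and evaluates AG (modified_n -> EF used_n) by explicit-state reachability, once on that program and once on a constructed variant with a dead assignment to n. The CFG, labels and the variant are constructed here for illustration.

```python
from collections import defaultdict

# Constructed CFG of the program from the "Syntactical Information" slide:
# location -> successor locations. Line 4 is the loop test n>0, line 7 the exit.
CFG = {1: {2}, 2: {3}, 3: {4}, 4: {5, 7}, 5: {6}, 6: {4}, 7: set()}
# Atomic propositions per location, as Goanna's pattern matching labels them.
LABELS = {
    1: {"declaration_f", "declaration_n"}, 2: {"modified_n"}, 3: {"modified_f"},
    4: {"used_n"}, 5: {"used_n", "used_f", "modified_f"},
    6: {"used_n", "modified_n"}, 7: set(),
}

def ef(cfg, labels, prop):
    """Locations satisfying EF prop: prop holds there or somewhere on a path
    from there. Computed as backward reachability from prop-labelled locations."""
    preds = defaultdict(set)
    for loc, succs in cfg.items():
        for succ in succs:
            preds[succ].add(loc)
    sat = {loc for loc in cfg if prop in labels[loc]}
    work = list(sat)
    while work:
        for pred in preds[work.pop()]:
            if pred not in sat:
                sat.add(pred)
                work.append(pred)
    return sat

def violations(cfg, labels, antecedent, consequent, entry=1):
    """Locations reachable from entry that violate AG (antecedent -> EF consequent).
    An empty list corresponds to NuSMV reporting the SPEC as true."""
    can_reach = ef(cfg, labels, consequent)
    seen, work, bad = set(), [entry], []
    while work:
        loc = work.pop()
        if loc in seen:
            continue
        seen.add(loc)
        if antecedent in labels[loc] and loc not in can_reach:
            bad.append(loc)
        work.extend(cfg[loc])
    return sorted(bad)

# Constructed variant: an extra line 7 "n=0" after the loop that is never read.
CFG_DEAD = {**CFG, 7: {8}, 8: set()}
LABELS_DEAD = {**LABELS, 7: {"modified_n"}, 8: set()}

if __name__ == "__main__":
    print(violations(CFG, LABELS, "modified_n", "used_n"))            # []
    print(violations(CFG_DEAD, LABELS_DEAD, "modified_n", "used_n"))  # [7]
```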
Interrupt-Handling Checks (1/2)
• Check for correct enabling and disabling of interrupts
• New patterns for Goanna
  – signal (deactivate interrupts)
  – interrupt
  – fnend
  – sei
  – cli

Interrupt-Handling Checks (2/2)
• Signal ISRs should not enable or disable interrupts
• Interrupt ISRs should disable interrupts before enabling
• If Interrupt ISRs disabled interrupts, they should enable them before leaving the ISR
• Interrupts should not be enabled/disabled twice

Timer-Service Check
• Checks whether timers are used correctly
• ATmega16 features 3 timers
• New patterns for Goanna
  – timer_i
  – config_i
• ISR of timer0 should not change config1 or

Registers-to-Reserved Bits Checks
• Checks whether reserved bits are written
• No real error, but may cause errors in future
• ATmega16 has 14 registers with reserved bits
• Global interrupt control register (GICR)
  – Bits 7...5 enable/disable external interrupts
  – Bits 4...2 are reserved
  – Bits 1...0 manage the interrupt vector table
• Reserved bits should not be written (checked using

Case Study
• Automotive task
  – 4 channel speed measurement
  – CAN bus communication
  – 6 additional tasks (information on CAN and LED)
• ATMEL ATmega 16 + PHILIPS SJA100 CAN controller
• Programs developed by students in lab courses
• Code base (24 groups)
  – 475 files, 439 proper C files, 431 were checked
  – 97,527 LOC, 203,638 LOC after preprocessing

Analysis Statistics
• Overall runtime for 431 files: 164 s
• 0.38 s per file or 1200 LOC per second
• Max. runtime: 1.84 s

Analysis Results
• 154 errors in the 431 analyzed files
  – 7 errors in interrupt handling
  – 4 errors in timer handling
  – 143 assignments to reserved bits (only by 6/24 groups)
• Early errors => errors in final version

Summary & Future Work
• Software for microcontrollers is special
• Model checking sometimes suffers from the state explosion problem
• Generic static analysis misses common bugs
• Specific rules make a difference
  – Bugs which are hard to find during testing
  – Bugs which are relevant in the field
• Try out SAT encodings
• Extend Goanna with a user language for user-defined checks
• Improve pointer analysis using better memory models

Goanna
• Blends in
• Fast
• Eats bugs
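As an added example (not Goanna's code), the following Python applies the four rules from "Interrupt-Handling Checks (2/2)" to ISRs described by the Goanna patterns they match. It assumes straight-line ISR bodies, so each ISR is given as the ordered list of sei/cli patterns ending in fnend, with the ISR kind (signal: runs with interrupts disabled; interrupt: runs with interrupts enabled) taken from the defining macro. The ISR names and bodies are constructed for illustration.

```python
# Rule numbers refer to the four bullets of "Interrupt-Handling Checks (2/2)".
# Simplifying assumption: the ISR body is straight-line, so it is given as the
# ordered list of Goanna patterns it matches ('sei', 'cli', ending in 'fnend').
def check_isr(name, kind, patterns):
    """kind is 'signal' (ISR runs with interrupts disabled) or 'interrupt'
    (ISR runs with interrupts enabled). Returns (pattern index, message) pairs."""
    findings = []
    if kind == "signal":
        # Rule 1: a signal ISR must neither enable nor disable interrupts.
        for i, p in enumerate(patterns):
            if p in ("sei", "cli"):
                findings.append((i, f"{name}: signal ISR executes {p}"))
        return findings
    enabled = True      # interrupt ISRs start with global interrupts enabled
    disabled = False    # has this ISR executed cli so far?
    for i, p in enumerate(patterns):
        if p == "cli":
            if not enabled:   # Rule 4: disabled twice
                findings.append((i, f"{name}: interrupts disabled twice"))
            enabled, disabled = False, True
        elif p == "sei":
            if not disabled:  # Rule 2: sei without any preceding cli
                findings.append((i, f"{name}: enables interrupts before disabling them"))
            elif enabled:     # Rule 4: enabled twice
                findings.append((i, f"{name}: interrupts enabled twice"))
            enabled = True
        elif p == "fnend" and disabled and not enabled:  # Rule 3
            findings.append((i, f"{name}: leaves ISR with interrupts disabled"))
    return findings

# Constructed ISRs (hypothetical names): one violation per rule plus a clean one.
ISRS = [
    ("sig_ovf0", "signal",    ["cli", "fnend"]),
    ("int_ext0", "interrupt", ["sei", "fnend"]),
    ("int_ext1", "interrupt", ["cli", "fnend"]),
    ("int_ext2", "interrupt", ["cli", "cli", "sei", "sei", "fnend"]),
    ("int_ok",   "interrupt", ["cli", "sei", "fnend"]),
]

def check_all(isrs=ISRS):
    """Run the checker over every ISR; maps ISR name to its findings."""
    return {name: check_isr(name, kind, pats) for name, kind, pats in isrs}

if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, findings or "ok")
```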