Checking Memory Safety of Level 1 Safety-Critical Java Programs using Static-Analysis without Annotations

(1)

Checking Memory Safety of Level 1 Safety-Critical Java Programs using Static-Analysis without Annotations

Chris Marriott

University of York, UK

Thesis Seminar - July 2014

(2)

Outline

1 Introduction

2 Memory safety of safety-critical Java programs

3 SCJ-mSafe: An abstract language for memory-safety checking

4 SCJ-mSafe program analysis

5 Checking SCJ-mSafe programs

6 Experiments and results

7 Conclusion and future work

(3)

Current Section

1 Introduction

(4)

Background and motivation

SCJ is a subset of Java designed for safety-critical applications.

Being developed by The Open Group (JSR-302).

Designed to allow programs to be certified to DO-178B Level A.

SCJ has a new programming paradigm based on missions and handlers:

Level 0 - Cyclic executive with Periodic handlers

Level 1 - Periodic and aperiodic handlers executing concurrently Level 2 - Concurrent missions and real-time threads

We are interested in memory safety of Level 1 SCJ programs (similar in complexity to Ravenscar Ada).

(5)

Hypothesis

Thesis hypothesis

It is possible to produce an automatic static checking technique for valid Level 1 Safety-Critical Java programs to identify possible unsafe uses of memory at the source-code level, without the need for additional user-added annotations.

(6)

Current Section

1 Introduction

(7)

RTSJ and SCJ

RTSJ

Designed to address the limitations found in standard Java for real-time programs.

High-resolution time Scheduling

Real-time threads Asynchronous events Scoped memory model

SCJ

Designed with certification in mind More restricted than RTSJ

New programming paradigm based on missions and handlers Scoped memory model

(8)

SCJ programming paradigm

(9)

Scoped memory model of RTSJ

Immortal memory

Lasts for the entire length of program execution Objects cannot be removed.

No garbage collection Scoped memory

Have a specific lifetime

Areas are cleared out when there are no more schedulable objects executing in them.

Cactus-stack structure with single parent No garbage collection

Usable heap

(10)

Scoped memory model of SCJ

Immortal memory Like in RTSJ Scoped memory

Have a specific lifetime (Mission, Handler, Temporary)

Areas are cleared out at the end of the execution of the paradigm component / runnable object.

No garbage collection No Heap

(11)

SCJ memory model (cont.)

(12)

SCJ memory model (cont.)

Memory safety

A program is memory safe if there are no possible execution paths that lead to the dereference of a reference variable whose associated object resides in a memory area that has been cleared out.

Strict memory model does not ensure memory safety by construction.

Scoped memory introduces the possibility of dangling references.

References must not point down the memory structure.

Any reference down the memory structure is considered a memory-safety violation.

Our definition

A program is memory safe if there are no possible execution paths that may lead to a reference variable pointing to an object in a memory area that is lower in the hierarchy, that is, further away from the immortal memory area.

(13)

Verifying memory safety in RTSJ and SCJ

RTSJ

Restricted programming models [6]

Type systems with memory property annotations [7]

Type systems with ownership relations [2]

Dynamic logic with invariant annotations [1]

Bytecode analysis [9]

SCJ

SCJ annotation checking [10]

Correctness by construction [3]

Model checking [5]

Bytecode analysis [4]

Hardware-based run-time checking [8]

(14)

Current Section

1 Introduction

(15)

Our approach

(16)

Example - SCJ

1 p u b l i c c l a s s M y H a n d l e r e x t e n d s P e r i o d i c E v e n t H a n d l e r {

2 p u b l i c v o i d h a n d l e A s y n c E v e n t () {

3 A a = new A () ;

4 M y R u n n a b l e m y R u n = new M y R u n n a b l e ( a ) ;

5 M a n a g e d M e m o r y . e n t e r P r i v a t e M e m o r y (1 , m y R u n ) ;

6 }

7 c l a s s M y R u n n a b l e i m p l e m e n t s R u n n a b l e {

8 A a F i e l d ;

9

10 p u b l i c M y R u n n a b l e ( A arg ) {

11 a F i e l d = arg ;

12 }

13 p u b l i c v o i d run () {

14 a F i e l d . f i e l d = new O b j e c t () ;

15 }

16 }

17 }

(17)

The SCJ-mSafe language

Designed to ease verification

Defines SCJ programs in a more abstract way Uniform structure

Individual definitions for all SCJ paradigm components Simple commands and expressions

(18)

Overview of translation

Input SCJ program must be well formed and type correct.

No information relevant to memory safety is lost.

Components that do not impact memory safety are abstracted away (side effects are still analysed).

Annotations

Unary/Binary operations InstanceOf comparisons Literals

Assert statements

Each program is described in the same style.

Programs are easier to read and analyse.

Eases formalisation Translation formalised in Z

(19)

Expressions and Commands

Not all SCJ expressions and commands are required in SCJ-mSafe.

Expressions

Important expressions are left expressions.

Expressions with side effects are translated separately.

Commands

Additional commands are included in SCJ-mSafe:

Assignments New instantiations Method invocations

These modify the value of program variables.

Better characterised as commands semantically

(20)

Example - SCJ-mSafe

1 h a n d l e r M y H a n d l e r {

2 f i e l d s { }

3 i n i t { }

4 h a n d l e E v e n t {

5 A a ;

6 N e w I n s t a n c e ( a , Current , A , () ) ; 7 M y R u n n a b l e m y R u n ;

8 N e w I n s t a n c e ( myRun , Current , M y R u n n a b l e , ( a ) ) ;

9 E n t e r P r i v a t e M e m o r y ( m y R u n ) ;

10 }

11 }

(21)

Example - SCJ-mSafe

1 c l a s s M y R u n n a b l e {

2 f i e l d s {

3 A a F i e l d ;

4 }

5 i n i t { }

6 c o n s t r ( arg ) {

8 }

9 m e t h o d run () {

10 N e w I n s t a n c e ( a F i e l d . field , Current , Object , () ) ;

11 }

12 }

(22)

Translation strategy

Functions define the translation from an SCJProgram to an SCJmSafeProgram

Translate : SCJProgram 7→ SCJmSafeProgram

∀ program : dom Translate

| program ∈ WellTypesProgs

• ∃ scjmsafe : SCJmSafeProgram

• (∃ scjSafelet : SCJClass

| scjSafelet ∈ program.classes

∧ scjSafelet.extends = safelet

• scjmsafe.safelet = TranslateSafelet( ...

Compositional translation

TranslateMission(...), TranslateHandler (...), TranslateClass(...), ...

(23)

Translating expressions

Two functions to translate expressions:

TranslateExpression : SCJExpression 7→ Com dom TranslateExpression ⊂ WellTypedExprs

∧ ∀ scjExpr : dom TranslateExpression

• ...

∨ (∃ e1, e2 : SCJExpression

| scjExpr = assignment(e1, e2)

• (let lexpr == ExtractExpression e1

• (let rexpr == ExtractExpression e2

• ...

(TranslateExpression scjExpr =

Seq((TranslateExpression e2), (Asgn(lexpr , rexpr )))))))

a = (b = c); translated to (b = c; a = b;)

(24)

Extracting expressions

ExtractExpression : SCJExpression 7→ Expr dom ExtractExpression ⊂ WellTypedExprs

∧ ∀ scjExpr : dom ExtractExpression

• ...

∨ (∃ e1, e2 : SCJExpression

| scjExpr = assignment(e1, e2)

• ExtractExpression scjExpr = ExtractExpression e1) ...

∨ (∃ name : Name; id : Identifier

| scjExpr = identifier name ∧ id = VariableName name

• ExtractExpression scjExpr = ID id )

(a = (b = c);) 7→ (b = c; a = b;) ExtractExpression(a) = a

ExtractExpression(b = c) = b

(25)

Translating commands

TranslateCommand : SCJCommand 7→ Com dom TranslateCommand ⊂ WellTypedComs

∧ (∀ scjCom : dom TranslateCommand

• ...

∨ (∃ e1 : SCJExpression; c1, c2 : SCJCommand

| scjCom = if (e1, c1, c2)

• TranslateCommand scjCom = Seq((TranslateExpression e1),

(If ((ExtractExpression e1), (TranslateCommand c1), (TranslateCommand c2)))))

if (x) then y else z translated to

Seq(SideEffects(x), If (x ) then Translation(y) else Translation(z))

(26)

Automatic translation

Automatic translation from SCJ to SCJ-mSafe implemented Implementation is based on the formalised translation strategy.

Uses the compiler-tree API to analyse SCJ programs Translation based on tree visitors for individual components Successfully applied to all examples we can find

(27)

Current Section

1 Introduction

(28)

Environment

Allows us to maintain a model of information required to reason about memory safety

Records information about left expressions that reference objects Share relations identify expressions that reference the same object Reference sets describe the set of reference contexts in which objects may reside.

Updated after every command or expression

Used by the inference rules to check for possible violations Worst-case analysis: false-negatives may be raised.

(29)

Environment - Aliasing example

1 ...

2 o1 = new O b j e c t () ; 3 o2 = new O b j e c t () ; 4 a = o1 ;

5 o1 . f i e l d = o2 ;

6 ...

Environment

{a 7→ o1, o1.field 7→ o2}

7→ {o1 7→ {MMem}, o2 7→ {MMem}, a 7→ {MMem}, o1.field 7→ {MMem}}

(30)

Environment - Aliasing example (cont.)

1 ...

2 o1 = new O b j e c t () ; 3 o2 = new O b j e c t () 4 a = o1 ;

5 o1 . f i e l d = o2 ;

6 ...

7 a . f i e l d . var = ...

8 ...

A more precise Environment

{a 7→ o1, o1.field 7→ o2, a.field 7→ o2}

7→ {o1 7→ {MMem}, o2 7→ {MMem}, a 7→ {MMem}, o1.field 7→ {MMem}, a.field 7→ {MMem}}

(31)

Environment - Sets of reference contexts example

Let’s assume that we have a variable a that references an object that resides in IMem:

1 ...

2 O b j e c t o ; 3 if ( x > y ) {

4 o = new O b j e c t () ; 5 } e l s e {

6 M e m o r y A r e a m e m A r e a =

M e m o r y A r e a . g e t M e m o r y A r e a ( a ) ;

7 o = m e m A r e a . n e w I n s t a n c e ( O b j e c t .c l a s s) ;

8 }

9 ...

Environment

{} 7→ {a 7→ {IMem}, memArea 7→ {IMem}, o 7→ {MMem, IMem}}

(32)

Environment - Environment as a function example

Let’s assume that we have two variables o1 and o2 that point to objects that reside in MMem and IMem respectively:

1 ...

2 if ( x > y ) {

3 ref = o1 ;

4 } e l s e {

5 ref = o2 ;

6 }

7 ...

Environment {{ref 7→ o1}

7→ {o1 7→ {MMem}, o2 7→ {IMem}, ref 7→ {MMem}}, {ref 7→ o2}

7→ {o1 7→ {MMem}, o2 7→ {IMem}, ref 7→ {IMem}}

(33)

Environment - formalisation

Share relation

ExprShareRelation == LExpr ↔ LExpr

Reference set

ExprRefSet == LExpr 7→ P RefCon

Environment

Env == {env : ExprShareRelation 7→ ExprRefSet

| ∀ rel : ExprShareRelation; ref : ExprRefSet

| (rel , ref ) ∈ env

• dom(rel^∗∪ (rel^∗)^∼) = dom ref

∧ (∀ e₁, e2: LExpr | e17→ e₂ ∈ (rel^∗∪ (rel^∗)^∼)

• ref e₁ = ref e2)}

(34)

Updating the environment - Assignments

Assignment 1 RHS is a value.

x = 10 Assignment 2

LHS is a variable and RHS is not a value.

x = a Assignment 3

LHS is a field access, and RHS is not a value.

x.y = a Assignment 4

LHS is an array element, and RHS is not a value.

x[y] = a

(35)

Updating the environment - Assignment 1

RHS is a value.

No changes to environment Before

{x 7→ x} 7→ {x 7→ {Prim}}

x = 10 After

{x 7→ x} 7→ {x 7→ {Prim}}

(36)

Updating the environment - Assignment 2

LHS is a variable and RHS is not a value.

Mapping from LHS to RHS added Fields of RHS added as fields of LHS RefCon of LHS is the RefCon of the RHS Before

{x 7→ y , x.field 7→ z} 7→ {x 7→ {PRMem h}, x.field 7→ {MMem}}

x = a

where a resides in MMem and has field b which references c in MMem After

{x 7→ a, x.b 7→ c} 7→ {x 7→ {MMem}, x.b 7→ {MMem}}

(37)

Updating the environment - Assignment 3

LHS is a field access, and RHS is not a value.

Mapping from LHS to RHS added Fields of RHS added as fields of LHS RefCon of LHS is the RefCon of the RHS

Expressions equal to containing object of LHS also updated Before

{x 7→ p, x.y 7→ q, p.y 7→ q}

7→ {x 7→ {PRMem h}, x.y 7→ {PRMem h}, p.y 7→ {PRMem h}}

x.y = a where a resides in MMem and has field b After

{x 7→ p, x.y 7→ a, p.y 7→ a, x.y .b 7→ a.b, p.y .b 7→ a.b, ...}

7→ {x 7→ {PRMem h}, x.y 7→ {MMem}, p.y 7→ {MMem}, x .y .b 7→ {MMem}, p.y .b 7→ {MMem}}

(38)

Updating the environment - Assignment 4

LHS is an array element, and RHS is not a value.

Mapping from LHS to RHS added Fields of RHS added as fields of LHS

RefCon of LHS updated to include the RefCon of the RHS Expressions equal to containing object of LHS also updated Before

{x[Val ] 7→ p, x[Val ] 7→ q}

7→ {x 7→ {MMem}, x[Val ] 7→ {MMem}}

x[y] = a where a resides in IMem After

{x[Val ] 7→ p, x[Val ] 7→ q}

7→ {x 7→ {MMem}, x[Val ] 7→ {IMem, MMem}}

(39)

Method Properties

Methods may be safe in one allocation context, but not another.

We do not restrict methods to a particular context.

Methods are analysed to create a set of parametrised properties for each one.

Properties are generated independently of execution context.

Methods may be unsafe in any context.

At analysis time, we resolve method calls by extracting information from the left expression and the types of arguments.

If more than one method matches the criteria, due to dynamic binding, all are analysed.

(40)

Methods Properties (cont.)

Meta-reference contexts allow us to describe properties independently of parameters.

Example

public void myMethod(A a, A b) { a.x = new customClass();

b.x = a.x;

}

{a.x 7→ b.x} 7→ {a.x 7→ {Current}, b.x 7→ {Erc a.x}}

Methods

Method == Name × Type × seq Dec × Com

× ((LExpr ↔ LExpr ) 7→ (LExpr 7→ P MetaRefCon))

(41)

Automatic analysis

Environment update functions for all SCJ-mSafe components implemented.

Automatic generation of method properties implemented

Program analysis to build and maintain the environment implemented Based on an stub SCJ infrastructure implementation

Successfully applied to all examples we can find

(42)

Current Section

1 Introduction

(43)

Inference rules - Environment

∀(share, ref ) : env •

∀(le₁, refSet₁) : ref • le₁ ∈ staticVars

∧ DominatesLeast(refSet₁) 7→ IMem ∈ Dominates^∗

∧ ∀(le₁, refSet1), (le2, refSet2) : ref • le1 6= le₂ ∧ fieldOf (le₂, le1)

∧ DominatesLeast(refSet₂) 7→ DominatesTop(refSet₁) ∈ Dominates^∗

∧ ∀(le₁, refSet₁) : ref • le1 ∈ localVariable

∧ DominatesLeast(refSet₁) 7→ rc ∈ Dominates^∗ mSafeEnv (env , rc)

(44)

Example - SCJ-mSafe

1 h a n d l e r M y H a n d l e r {

2 f i e l d s { }

3 i n i t { }

4 h a n d l e E v e n t {

5 A a ;

6 N e w I n s t a n c e ( a , Current , A , () ) ; 7 M y R u n n a b l e m y R u n ;

8 N e w I n s t a n c e ( myRun , Current , M y R u n n a b l e , ( a ) ) ; 9 E n t e r P r i v a t e M e m o r y ( m y R u n ) ;

10 }

11 }

(45)

Example - SCJ-mSafe

1 c l a s s M y R u n n a b l e {

2 f i e l d s {

3 A a F i e l d ;

4 }

5 i n i t { }

6 c o n s t r ( arg ) {

8 }

9 m e t h o d run () {

10 N e w I n s t a n c e ( a F i e l d . field , Current , Object , () ) ;

11 }

12 }

(46)

Example (cont.)

Run method properties

=================================

Analysing method ’run’ in class MyRunnable Method properties print-out....

Method Property:

{

(aField.field -> aField.field) }

->

{

(aField.field -> {Current}) }

(47)

Example (cont.)

Environment

{(sequencer .mission.handler .myRun.aField

− > sequencer .mission.handler .a) } − > {

(sequencer − > IMem)

(sequencer .mission− > MMem)

(sequencer .mission.handler − > MMem)

(sequencer .mission.handler .a− > PRMem(MyHandler )) (sequencer .mission.handler .a.field − > PRMem(MyHandler )) (sequencer .mission.handler .myRun− > PRMem(MyHandler )) (sequencer .mission.handler .myRun.aField

− > PRMem(MyHandler ))

(sequencer .mission.handler .myRun.aField .field

− > TPMem(MyHandler , 0)) }

(48)

Example (cont.)

Analysis output (cont.)

Checking to see if field sequencer.mission.handler.myRun.aField.field of sequencer.mission.handler.myRun.aField is safe in current env entry POSSIBLE MEMORY SAFETY VIOLATION - The field

’sequencer.mission.handler.myRun.aField.field’ may reference an object stored in ’TPMem(MyHandler, 0)’ when its containing object

’sequencer.mission.handler.myRun.aField’ resides in ’PRMem(MyHandler)’

(49)

Current Section

1 Introduction

(50)

Tool and experiments

Automatic translation and checking implemented

Applied to CDx, PapaBench, ACCS, Pacemaker, and all case studies published in other approaches.

No need for annotations No need for class duplication All memory-safety violations found

No false-negatives raised in any programs analysed False-negatives raised in other techniques

Memory-safety violation in CDx

(51)

Current Section

1 Introduction

(52)

Conclusions and future work

Contributions

Abstraction technique from SCJ to SCJ-mSafe Identified rules to define memory safety

Formalised the translation and checking techniques in Z

Implemented a tool to automatically translate and check programs Successfully checked examples without annotations or class

duplication

Future work

Identify programming patterns that are always memory safe/unsafe Minimize false negatives

Prove soundness

(53)

Bibliography I

[1] Wolfgang Ahrendt, Thomas Baar, Bernhard Beckert, Wolfram Menzel, and Peter H. Schmitt.

P.h.: The key tool, integrating object oriented design and formal verification. software and systems modeling 4, 2005.

[2] Chandrasekhar Boyapati, Alexandru Salcianu, William Beebee, Jr., and Martin Rinard.

Ownership types for safe region-based memory management in real-time Java.

ACM SIGPLAN Notices, 38(5):324–337, May 2003.

[3] Ana Cavalcanti, Andy J. Wellings, Jim Woodcock, Kun Wei, and Frank Zeyda.

Safety-Critical Java in circus.

In Andy J. Wellings and Anders P. Ravn, editors, Java Technologies for Real-time and Embedded Systems, pages 20–29. ACM, 2011.

(54)

Bibliography II

[4] Andreas E Dalsgaard, Ren´e Rydhof Hansen, and Martin Schoeberl.

Private memory allocation analysis for SCJ.

In Proceedings of Java Technologies for Real-time and Embedded Systems, pages 9–17. ACM, 2012.

[5] K. Havelund and T. Pressburger.

Model checking Java programs using Java pathfinder.

International Journal on Software Tools for Technology Transfer (STTT), 2(4):366–381, 2000.

[6] Jagun Kwon and Andy J. Wellings.

Memory management based on method invocation in RTSJ.

In Robert Meersman, Zahir Tari, and Angelo Corsaro, editors, OTM Workshops, volume 3292 of Lecture Notes in Computer Science, pages 333–345. Springer, 2004.

(55)

Bibliography III

[7] K. Nilsen.

A type system to assure scope safety within Safety-Critical Java modules.

[8] Juan Ricardo Rios and Martin Schoeberl.

Hardware support for safety-critical java scope checks.

In Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), 2012 IEEE 15th International Symposium on, pages 31–38. IEEE, 2012.

(56)

Bibliography IV

[9] Fridtjof Siebert.

Proving the absence of rtsj related runtime errors through data flow analysis.

In Proceedings of the 4th international workshop on Java technologies for real-time and embedded systems, pages 152–161. ACM, 2006.

[10] D. Tang, A. Plsek, and J. Vitek.

Static checking of Safety-Critical Java annotations.