Symbolic Execution of Debian Packages Nicolas Jeannerod - - PowerPoint PPT Presentation

Symbolic Execution of Debian Packages

Nicolas Jeannerod nicolas.jeannerod@irif.fr

joint work with Benedikt Becker, Claude Marché Yann Régis-Gianas, Mihaela Sighireanu, Ralf Treinen

IRIF, Université de Paris

September 9, 2019

13th Alpine Verification Meeting

1

Introduction

> CoLiS project: Correctness of Linux Scripts

1

Introduction

> CoLiS project: Correctness of Linux Scripts > Goal: applying formal methods to the quality

assessment of Debian Packages.

1

Introduction

> CoLiS project: Correctness of Linux Scripts > Goal: applying formal methods to the quality

assessment of Debian Packages.

> Debian: operating system. > Packages: way to provide (install, update, remove)

software.

1

Introduction

> CoLiS project: Correctness of Linux Scripts > Goal: applying formal methods to the quality

assessment of Debian Packages.

> Debian: operating system. > Packages: way to provide (install, update, remove)

software.

> Goal (reformulated): making sure that

installing/updating/removing software does not:

> make other softwares unusable, > make the whole computer unusable, > remove your personnal files, > etc.

2

Installing a Software on Debian

• 1. Download the package.

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.
• 3. Unpack static archive.

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.
• 3. Unpack static archive.
• 4. Execute a post-installation script.

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

POSIX shell:

> scripting language

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

POSIX shell:

> scripting language > legacy (born in 1971)

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

POSIX shell:

> scripting language > legacy (born in 1971)

Administrator:

> can do anything

• n the system

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

POSIX shell:

> scripting language > legacy (born in 1971)

Administrator:

> can do anything

• n the system

Complicated and dangerous

2

Installing a Software on Debian

• 1. Download the package.
• 2. Execute a pre-installation script.

> This is a POSIX shell script ran as administrator.

• 3. Unpack static archive.
• 4. Execute a post-installation script.

> This is a POSIX shell script ran as administrator.

POSIX shell:

> scripting language > legacy (born in 1971)

Administrator:

> can do anything

• n the system

Complicated and dangerous. Formal methods?

3

Our Tools: An Overview

CoLiS Debian Package Report

3

Our Tools: An Overview

CoLiS Debian Package Report Symbolic Engine Shell script Specification

• f the script

3

Our Tools: An Overview

CoLiS Debian Package Report Symbolic Engine Specification

• f the script

Morbig, Morsmall and ColisFromShell S h e l l s c r i p t Colis inter. language

3

Our Tools: An Overview

CoLiS Debian Package Report Symbolic Engine Specification

• f the script

Morbig, Morsmall and ColisFromShell S h e l l s c r i p t Colis inter. language Specifications

• f commands

3

Our Tools: An Overview

CoLiS Debian Package Report Symbolic Engine Specification

• f the script

Morbig, Morsmall and ColisFromShell S h e l l s c r i p t Colis inter. language Specifications

• f commands

SAT solver for specifications SAT?

3

Our Tools: An Overview

CoLiS Debian Package Report Symbolic Engine Specification

• f the script

Morbig, Morsmall and ColisFromShell S h e l l s c r i p t Colis inter. language Specifications

• f commands

SAT solver for specifications SAT?

  Régis-Gianas, J & Treinen SLE 2018     J, Marché & Treinen VSTTE 2017  

Specifications, Feature Trees & Constraints

4

Feature Trees

f g h f g h f g

> Unranked unordered trees;

4

Feature Trees

f g h f g h f g

> Unranked unordered trees; > Good models for the UNIX filesystem;

4

Feature Trees

f g h f g h f g

> Unranked unordered trees; > Good models for the UNIX filesystem; > Shell scripts can be seen as programs that modify

such trees;

4

Feature Trees

f g h f g h f g

> Unranked unordered trees; > Good models for the UNIX filesystem; > Shell scripts can be seen as programs that modify

such trees;

> Constraints will express relations between such

trees.

5

Constraints On Feature Trees

Atom (Informal) Semantics

5

Constraints On Feature Trees

Atom (Informal) Semantics x[f ]y From x’s tree, through f , we go to y’s tree x[f ]↑ In x’s tree, there is no f Ax The root of x’s tree has decoration A

    Aït-Kaci Podelski & Smolka 1992    

5

Constraints On Feature Trees

Atom (Informal) Semantics x[f ]y From x’s tree, through f , we go to y’s tree x[f ]↑ In x’s tree, there is no f Ax The root of x’s tree has decoration A x[F] x’s tree can also use features in F

    Aït-Kaci Podelski & Smolka 1992       Smolka & Treinen 1994  

5

Constraints On Feature Trees

Atom (Informal) Semantics x[f ]y From x’s tree, through f , we go to y’s tree x[f ]↑ In x’s tree, there is no f Ax The root of x’s tree has decoration A x[F] x’s tree can also use features in F x ∼F y x and y’s trees are similar except in F

    Aït-Kaci Podelski & Smolka 1992       Smolka & Treinen 1994  

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x q

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f r′ ∃x′ q ∼{q}

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f r′ ∃x′ q ∼{q} ∼{f }

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f r′ ∃x′

(dir)

q ∼{q} ∼{f }

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f r′ ∃x′

(dir)

q ∼{q} ∼{f } ∃y′ f

6

Example Specification: mkdir q/f

∃x, x′, y′· resolve(r, cwd, q, x) ∧ dir(x) ∧ x[f ]↑ ∧ similar(r, r′, cwd, q, x, x′) ∧ x ∼{f } x′ ∧ dir(x′) ∧ x′[f ]y′ ∧ dir(y′) ∧ y′[∅] Success ∃y · resolve(r, cwd, q/f , y) ∧ r . = r′ noresolve(r, cwd, q) ∧ r . = r′ ∃x·resolve(r, cwd, q, x)∧¬dir(x)∧r . = r′ Error r ∃x

(dir)

q ⊥ f r′ ∃x′

(dir)

q ∼{q} ∼{f } ∃y′

(empty dir)

f

Symbolic Execution

7

Symbolic Execution

if [ -e foo ]; then rm foo fi

7

Symbolic Execution

if [ -e foo ]; then rm foo fi In progress r

7

Symbolic Execution

if [ -e foo ]; then rm foo fi Case 1 Success r = r′ ⊥ foo In progress r x foo

7

Symbolic Execution

if [ -e foo ]; then rm foo fi Case 1 Success r = r′ ⊥ foo Case 2 Success r x

(¬dir)

foo r′ ⊥ foo ∼foo Case 3 Error r = r′ x

(dir)

foo

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

1

x′

1

y′

1[∅]

usr lib ∼{usr} ∼{lib}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

1

x′

1

y′

1[∅]

usr lib ∼{usr} ∼{lib} r2 x2 y2 ⊥ usr lib foo r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo ∼{usr} ∼{lib} ∼{foo}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

1

x′

1

y′

1[∅]

usr lib ∼{usr} ∼{lib} r2 x2 y2 ⊥ usr lib foo r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo ∼{usr} ∼{lib} ∼{foo}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib x′

1

y′

1[∅]

lib ∼{lib} x2 y2 ⊥ lib foo r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo ∼{lib} ∼{foo} r12 ∼{usr} ∼{usr} usr usr

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib y′

1[∅]

y2 ⊥ foo r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo ∼{foo} r12 ∼{usr} ∼{usr} x12 usr ∼{lib} ∼{lib} lib lib

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo r12 ∼{usr} ∼{usr} x12 usr ∼{lib} ∼{lib} y12[∅] lib ∼{foo}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

2

x′

2

y′

2

z′

2[∅]

usr lib foo r12 ∼{usr} ∼{usr} x12 usr ∼{lib} ∼{lib} y12[∅] lib ∼{foo} ∼{usr} ∼{lib}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

2

x′

2

y′

2[{foo}]

z′

2[∅]

usr lib foo r12 ∼{usr} ∼{usr} x12 usr ∼{lib} ∼{lib} y12[∅] lib ∼{foo} ∼{usr} ∼{lib}

8

Chaining Specifications

mkdir /usr/lib ; mkdir /usr/lib/foo r1 x1 ⊥ usr lib r′

2

x′

2

y′

2[{foo}]

z′

2[∅]

usr lib foo ∼{usr} ∼{lib}

[J & Treinen, IJCAR 2018]

Demo

9

Package Report

10

Installation Scenario

11

An Other Scenario

12

An Execution Case

13

The postrm Script

Conclusion

14

Conclusion

> Demo report accessible from my website:

http://nicolas.jeannerod.fr/

14

Conclusion

> Demo report accessible from my website:

http://nicolas.jeannerod.fr/

> CoLiS project: Correctness of Linux Script. > Webpage: http://colis.irif.fr/ > Tools: https://github.com/colis-anr/

14

Conclusion

> Demo report accessible from my website:

http://nicolas.jeannerod.fr/

> CoLiS project: Correctness of Linux Script. > Webpage: http://colis.irif.fr/ > Tools: https://github.com/colis-anr/ > So far, 148 bugs found and reported to Debian; > Several talks at DebConf;

The Debian maintainers are very enthusiastic!

14

Conclusion

> Demo report accessible from my website:

http://nicolas.jeannerod.fr/

> CoLiS project: Correctness of Linux Script. > Webpage: http://colis.irif.fr/ > Tools: https://github.com/colis-anr/ > So far, 148 bugs found and reported to Debian; > Several talks at DebConf;

The Debian maintainers are very enthusiastic!

> Future work: support more packages > Support more shell constructs, > Add more command specifications, > Improve the constraint solver;

14

Conclusion

> Demo report accessible from my website:

http://nicolas.jeannerod.fr/

> CoLiS project: Correctness of Linux Script. > Webpage: http://colis.irif.fr/ > Tools: https://github.com/colis-anr/ > So far, 148 bugs found and reported to Debian; > Several talks at DebConf;

The Debian maintainers are very enthusiastic!

> Future work: support more packages > Support more shell constructs, > Add more command specifications, > Improve the constraint solver; > Thank you for your attention!