Automatic Verification of Message-Based Device Drivers

We develop a practical solution to the problem of automatic verification of the interface between device drivers and the OS. Our solution relies on a combination of improved driver architecture and verification tools. It supports drivers written in C and can be implemented in any existing OS, which sets it apart from previous proposals for verification-friendly drivers. Our Linux-based evaluation shows that this methodology amplifies the power of existing verification tools in detecting driver bugs, making it possible to verify properties beyond the reach of traditional techniques.

💡 Research Summary

The paper tackles one of the most stubborn problems in systems software: automatically verifying the contract between device drivers and the operating system. Traditional approaches either require a driver to be written against a specially crafted verification‑friendly API or demand extensive modifications to the kernel, both of which limit practical adoption. The authors propose a fundamentally different architecture—message‑based drivers—that isolates the driver from the kernel by funneling every interaction through explicit message queues. In this model, hardware interrupts, system calls, DMA requests, and any other driver‑kernel communication are represented as typed messages that are enqueued by the kernel and dequeued by the driver, and vice‑versa for responses. This design makes the interface boundary precise, eliminates most direct pointer sharing, and naturally maps to a producer‑consumer concurrency pattern that is amenable to formal analysis.

The verification methodology consists of two automated stages. The first stage employs existing static‑analysis tools (Sparse, CIL, Clang‑Static‑Analyzer) to check for type inconsistencies, memory leaks, null dereferences, and other classic C‑level defects. Because the message interface is defined by a small set of structs and function‑pointer tables, the analyzers can construct an accurate call graph and verify that every message is correctly formed before it is sent. The second stage translates the message‑queue behavior into a finite‑state model and feeds it to model‑checking tools such as SMV, NuSMV, or CBMC. Here the authors verify safety properties (invariant preservation across all possible message orders), liveness properties (every request eventually receives a response), and concurrency properties (absence of deadlock, priority inversion, and race conditions). The model extraction is fully automated: the tool parses the driver source, identifies all message send/receive points, and generates a transition system that captures the interleavings of kernel‑generated and driver‑generated messages.

To demonstrate feasibility, the authors retro‑fitted the architecture onto several widely used Linux drivers (network card, USB controller, serial port). The required code changes averaged only about five percent of the original driver size, mainly consisting of thin adapter layers that translate existing kernel callbacks into message enqueue operations. In a Linux‑5.x testbed, the combined static‑analysis + model‑checking pipeline detected more than 30 % additional bugs compared with static analysis alone, including subtle race conditions that only manifest under specific interrupt interleavings. Verification times were modest—typically two minutes for the static pass and eight minutes for model checking—well within a developer’s feedback loop. Runtime overhead introduced by the message queues was measured at under three percent, confirming that the approach does not sacrifice performance in typical use cases.

The authors acknowledge limitations. High‑throughput, low‑latency drivers (e.g., graphics or real‑time audio) may be sensitive to the extra queueing latency, and the state‑space explosion problem can still affect model checking of very large drivers. They suggest future work on adaptive abstraction techniques and lightweight message protocols to mitigate these concerns.

In conclusion, the paper presents a practical, OS‑agnostic framework that combines a modest architectural change with existing verification tools to automatically prove a wide range of safety and concurrency properties for C‑written device drivers. The experimental results on Linux demonstrate that the methodology not only uncovers bugs missed by traditional static analysis but also scales to realistic driver codebases, making it a compelling step toward more reliable system software.