Testing Closed-Source Binary Device Drivers with DDT

Volodymyr Kuznetsov, Vitaly Chipounov, and George CandeaSchool of Computer and Communication Sciences

École Polytechnique Fédérale de Lausanne (EPFL), Switzerland

AbstractDDT is a system for testing closed-source binary de-

vice drivers against undesired behaviors, like race con-ditions, memory errors, resource leaks, etc. One canmetaphorically think of it as a pesticide against devicedriver bugs. DDT combines virtualization with a spe-cialized form of symbolic execution to thoroughly ex-ercise tested drivers; a set of modular dynamic check-ers identify bug conditions and produce detailed, exe-cutable traces for every path that leads to a failure. Thesetraces can be used to easily reproduce and understandthe bugs, thus both proving their existence and helpingdebug them. We applied DDT to several closed-sourceMicrosoft-certified Windows device drivers and discov-ered 14 serious new bugs. DDT is easy to use, as it re-quires no access to source code and no assistance fromusers. We therefore envision DDT being useful not onlyto developers and testers, but also to consumers whowant to avoid running buggy drivers in their OS kernels.

1 IntroductionDevice drivers are one of the least reliable parts of anOS kernel. Drivers and other extensions—which com-prise, for instance, 70% of the Linux operating system—have a reported error rate that is 3-7 times higher than therest of the kernel code [11], making them substantiallymore failure-prone. Not surprisingly, 85% of Windowscrashes are caused by driver failures [27]. Moreover,some drivers are vulnerable to malformed input from un-trusted user-space applications, allowing an attacker toexecute arbitrary code with kernel privilege [5].

It is therefore ironic that most computer users placefull trust in closed-source binary device drivers: theyrun drivers (software that is often outsourced by hard-ware vendors to offshore programmers) inside the ker-nel at the highest privilege levels, yet enjoy a false senseof safety by purchasing anti-virus software and personalfirewalls. Device driver flaws are more dangerous thanapplication vulnerabilities, because device drivers cansubvert the entire system and, by having direct memoryaccess, can be used to overwrite both kernel and applica-tion memory. Recently, a zero-day vulnerability withina driver shipped with all versions of Windows allowed

non-privileged users to elevate their privileges to LocalSystem, leading to complete system compromise [24].

Our goal is to empower users to thoroughly testdrivers before installing and loading them. We wish thatthe Windows pop-up requesting confirmation to installan uncertified driver also offered a “Test Now” button.By clicking that button, the user would launch a thor-ough test of the driver’s binary; this could run locally orbe automatically shipped to a trusted Internet service toperform the testing on behalf of the user. Such function-ality would benefit not only end users, but also the ITstaff charged with managing corporate networks, desk-tops, and servers using proprietary device drivers.

Our work applies to all drivers, including those forwhich source code is not available, thus complementingthe existing body of driver reliability techniques. Thereexist several tools and techniques that can be used tobuild more reliable drivers [14, 23, 1] or to protect thekernel from misbehaving drivers [30], but these are pri-marily aimed at developers who have the driver’s sourcecode. Therefore, these techniques cannot be used (oreven adapted) for the use of consumers on closed-sourcebinary drivers. Our goal is to fill this gap.

We believe that the availability of consumer-side test-ing of device drivers is essential. As of 2004, there were800,000 different kinds of PnP devices at customer sites,with 1,500 devices being added every day [26]. Therewere 31,000 unique drivers, and 9 new drivers were re-leased every day. Each driver had∼3.5 versions in thefield, with 88 new driver versions being released everyday [26]. Faced with an increasing diversity of drivers,consumers (end users and IT specialists alike) need a wayto perform end-to-end testing just before installation.

This paper describes DDT, a device driver testing sys-tem aimed at addressing these needs. DDT uses selectivesymbolic execution to explore the device driver’s exe-cution paths, and checks whether these paths can causeundesired behavior, such as crashing the kernel or over-flowing a buffer. For each suspected case of bad behav-ior, DDT produces a replayable trace of the executionthat led to the bug, providing the consumer irrefutableevidence of the problem. The trace can be re-executedon its own, or inside a debugger.

DDT currently works for Windows device drivers. Weapplied it to six popular binary drivers, finding 14 bugswith relatively little effort. These include race condi-tions, memory bugs, use of unchecked parameters, andresource leaks, all leading to kernel crashes or hangs.Since DDT found bugs in drivers that have successfullypassed Microsoft certification, we believe it could beused to improve the driver certification process.

Our work makes two contributions: (1) The first sys-tem that can thoroughly and automatically test closed-source binary drivers, without access to the correspond-ing hardware device; (2) The concept of fully symbolichardware—including symbolic interrupts—and demon-stration of its use for testing kernel-mode binaries.

The rest of the paper is structured as follows: §2 pro-vides a high-level overview of DDT, §3 describes the de-sign in detail, §4 presents our current DDT prototype forWindows drivers, §5 evaluates DDT on six closed-sourcedevice drivers, §6 discusses limitations of our currentprototype, §7 reviews related work, and §8 concludes.

2 OverviewDDT takes as input a binary device driver and outputsa report of found bugs, along with execution traces foreach bug. The input driver is loaded in its native, un-modified environment, which consists of the OS kerneland the rest of the software stack above it. DDT then ex-ercises automatically the driver along as many code pathsas possible, and checks for undesired properties. Whenan error or misbehavior is detected, DDT logs the detailsof the path exploration along with an executable trace.This can be used for debugging, or merely as evidence toprove the presence of the bug.

DDT has two main components: a set of pluggablebug checkers and a driver exerciser (Figure 1). The ex-erciser is in charge of steering the driver down variousexecution paths—just like a personal trainer, it forces thedriver to exercise all the various ways in which it can run.The dynamic checkers watch the execution and flag un-desired driver behaviors along the executed paths. Whenthey notice a bug, they ask the exerciser to produce in-formation on how to reach that same situation again.

DDT provides a default set of checkers, and this setcan be extended with an arbitrary number of other check-ers for both safety and liveness properties (see §3.1).Currently, DDT detects the following types of bugs:memory access errors, including buffer overflows; raceconditions and deadlocks; incorrectly handled interrupts;accesses to pageable memory when page faults are not al-lowed; memory leaks and other resource leaks; mishan-dled I/O requests (e.g., setting various I/O completionflags incorrectly); any action leading to kernel panic; andincorrect uses of kernel APIs.

applications

libraries

OS kernel

driver

custom VM

DynamicCheckers

Bug x ....Bug y ....

execution trace

execution traceReport

DDT

DriverExerciser symbolic

hardware

010011010011110101001010010010000001010111010011110110010110011011000011

DeviceDriverBinary

Figure 1: DDT’s VM-based architecture.

These default checkers catch the majority of defects inthe field. Ganapathi et al. found that the top driver prob-lems causing crashes in Windows were 45% memory-related (e.g., bad pointers), 15% poorly handled excep-tions, 13% infinite loops, and 3% unexpected traps [15].A Microsoft report [26] found that, often, drivers crashthe system due to not checking for error conditions fol-lowing a call to the kernel. It is hypothesized that this isdue to programmers copy-pasting code from the devicedriver development kit’s succinct examples.

Black-box testing of closed-source binary devicedrivers is difficult and typically has low code coverage.This has two main reasons: First, it is hard to exercise thedriver through the many layers of the software stack thatlie between the driver’s interface and the application in-terface. Second, closed-source programs are notoriouslyhard to test as a black box. The classic approach to test-ing such drivers is to try to produce inputs that exerciseas many paths as possible and (perhaps) check for high-level properties (e.g., absence of kernel crashes) duringthose executions. Considering the wide range of possi-ble inputs and system events that are hard to control (e.g.,interrupts), this approach exercises relatively few paths,thus offering few opportunities to find bugs.

DDT uses selective symbolic execution [10] of thedriver binary to automatically take the driver down asmany paths as possible; the checkers verify desired prop-erties along these paths. Symbolic execution [20, 6, 7]consists of providing a program with symbolic inputs(e.g.,α or β ) instead of concrete ones (e.g., 6 or “abc”),and letting these values propagate as the program exe-cutes, while tracking path constraints (e.g.,β = α + 5).When a symbolic value is used to decide the directionof a conditional branch, symbolic execution explores allfeasible alternatives. On each branch, a suitable pathconstraint is added on the symbolic value to ensure its

set of possible values satisfies the branch condition (e.g.,β < 0 andβ >= 0, respectively). Selective symbolic ex-ecution enables the symbolic execution of one piece ofthe software stack (the device driver, in our case) whilethe rest of the software runs concretely.

A key challenge is keeping the symbolic and the con-crete portions of the execution synchronized. DDT sup-plies the driver with symbolic values on the calls from thekernel to the driver (§3.2) as well as on the returns fromthe hardware to the driver (§3.3), thus enabling an un-derlying symbolic execution engine to steer the driver onthe various possible paths. When the driver returns val-ues to a kernel-originated call, or when the driver callsinto the kernel, parameters and driver are converted sothat execution remains consistent, despite the alternationof symbolic and concrete execution.

DDT’s fully symbolic hardware enables testingdrivers even when the corresponding hardware device isnot available. DDT never calls the actual hardware, butinstead replaces all hardware reads with symbolic val-ues, and discards all writes to hardware. Being able totest a driver without access to the hardware is useful, forexample, for certification companies that cannot buy allthe hardware variants for the drivers they test, or for con-sumers who would rather defer purchasing the device un-til they are convinced the driver is trustworthy.

Symbolic hardware also enables DDT to explorepaths that are hard to test without simulators or spe-cialized hardware. For example, many devices rely oninterrupts to signal completion of operations to the de-vice driver. DDT usessymbolic interruptsto inject suchevents at the various crucial points during the executionof the driver. Symbolic interrupts allow DDT to test dif-ferent code interleavings and detect bugs like the raceconditions described in §5.1.

DDT provides evidence of the bug and the means todebug it: a complete trace of the execution plus concreteinputs and system events that make the driver re-executethe buggy path in a regular, non-DDT environment.

3 DesignWe now present DDT’s design, starting with the types ofbugs DDT looks for (§3.1), an overview of how driversare exercised (§3.2), a description of fully symbolic hard-ware (§3.3), the use of annotations to extend DDT’scapabilities (§3.4), and finally we show how generatedtraces are used to replay bugs and fix them (§3.5).

3.1 Detecting Undesired Behaviors

DDT uses two methods to detect failures along exercisedpaths: dynamic verification done by DDT’s virtual ma-chine (§3.1.1) and failure detection inside the guest OS(§3.1.2). VM-level checks are targeted at properties that

require either instrumentation of driver code instructionsor reasoning about multiple paths at a time. Guest OS-level checks leverage existing stress-testing and verifica-tion tools to catch bugs that require deeper knowledgeof the kernel APIs. Most guest OS-level checks can beperformed at the VM level as well, but it is often moreconvenient to write and deploy OS-level checkers.

3.1.1 Virtual Machine-Level Checks

Memory access verification in DDT is done at the VMlevel. On each memory access, DDT checks whether thedriver has sufficient permissions to access that memory.For the purpose of access verification, DDT treats thefollowing memory regions as accessible to drivers:

• Dynamically allocated memory and buffers;• Buffers passed to the driver, such as network pack-

ets or strings from the Windows registry;• Global kernel variables that are implicitly accessi-

ble to drivers;• Current driver stack (accesses to memory locations

below the stack pointer are prohibited, becausethese locations could be overwritten by an interrupthandler that saves context on the stack);

• Executable image area, i.e., loadable sections of thedriver binary with corresponding permissions;

• Hardware-related memory areas (memory-mappedregisters, DMA memory, or I/O ranges).

In order to track these memory regions, DDT hooksthe kernel API functions and driver entry points. Ev-ery time the hooked functions are called, DDT analyzestheir arguments to determine which memory was grantedto (or revoked from) the driver. The required knowl-edge about specific kernel APIs can be provided throughlightweight API annotations (see §3.4).

Beyond memory safety, DDT’s simultaneous accessto multiple execution paths (by virtue of employing sym-bolic execution) enables the implementation of bug de-tection techniques that reason about the code globally interms of paths, such as infinite loop detection [34].

3.1.2 Guest Operating System-Level Checks

In addition to VM-level checkers, DDT can also reuseoff-the-shelf runtime verification tools. These tools per-form in-guest checking, oblivious to exactly how thedriver is being driven along the observed execution paths.Since these tools are usually written by OS developers(e.g., for driver certification programs, like Microsoft’sWHQL [25]), they can detect errors that require deepknowledge of the OS and its driver API.

When they find a bug, these dynamic tools typicallycrash the system to produce an error report containing

a memory dump. DDT intercepts such premeditatedcrashes and reports the bug information to the user. DDThelps the runtime checkers find more bugs than theywould do under normal concrete execution, because itsymbolically execute the driver along many more paths.

DDT’s modular architecture (Figure 1) allows reusingsuch tools without adaptation or porting. This means thatdriver developers’ custom test suites can also be readilyemployed. Moreover, given DDT’s design, such toolscan be inserted at any level in the software stack, eitherin the form of device drivers or as software applications.

DDT can also automatically leverage kernel asser-tion checks, when they are present. For example, thechecked build version of Windows contains many con-sistency checks—with DDT, these assertions get a betterchance of being exercised along different paths.

3.2 Exercising the Driver: Kernel/Driver Interface

DDT implements selective symbolic execution [10], atechnique for seamless transfer of system state betweensymbolic and concrete phases of execution. DDT ob-taines similar properties to running the entire systemsymbolically, while in fact only running the driver sym-bolically. The transfer of state between phases is gov-erned by a set of conversion hints (see §3.4). Using se-lective symbolic execution enables DDT to execute thedriver within its actual environment, as opposed to re-quiring potentially incomplete models thereof [1, 6].

A typical driver is composed of several entry points.When the OS loads the driver, it calls its main entrypoint, similarly to a shell invoking themain() functionof a program. This entry point registers with the kernelthe driver’s other entry points. For example, a typicaldriver would registeropen, read, write, andcloseentry points, which are then called by the OS when auser-mode application makes use of the driver.

When the kernel calls a driver’s entry point, DDTtransfers system state to a symbolic execution engine. Itconverts entry point arguments, and possibly other partsof concrete system state, to symbolic values, according tothe annotations described in §3.4. For example, when thekernel calls theSendPacket function in a NIC driver,DDT makes the content of the network packet symbolic,to explore all the paths that depend on the packet’s type.

When a driver calls a kernel function, DDT selectsfeasible values (at random) for its symbolic arguments.For example, if the driver calls theAllocatePool func-tion with a symbolic length argument, DDT selects someconcrete valuelen for the length that satisfies currentconstraints. However, this concretization subjects allsubsequent paths to the constraint that length must equallen, and this may disable otherwise-feasible paths. Thus,DDT keeps track of all such concretization-related con-

straints and, if at some point in the future this constraintlimits a choice of paths, DDT backtracks to the point ofconcretization, forks the entire machine state, and repeatsthe kernel call with different feasible concrete values,which could re-enable the presently unexplorable path.

To minimize overhead, DDT does concretization on-demand, i.e., delays it as long as possible by trackingsymbolic values when executing in concrete mode andconcretizing them only when they are actually read. Thisway, symbolic values that are not accessed by concretelyrunning code are never concretized. In particular, all pri-vate driver state and buffers that are treated as opaque bythe kernel end up being preserved in their symbolic form.

3.3 Exercising the Driver: Symbolic Hardware

DDT requires neither real hardware nor hardware modelsto test drivers—instead, DDT uses symbolic hardware.A symbolic device in DDT ignores all writes to its regis-ters and produces symbolic values in response to reads.These symbolic values cause drivers to explore paths thatdepend on the device output.

Symbolic hardware produces symbolic interrupts, i.e.,interrupts with a symbolic arrival time. Reasoning aboutinterrupt arrival symbolically offers similar benefits toreasoning about program inputs symbolically: the major-ity of interrupt arrival times are equivalent to each other,so only one arrival time in each equivalence class needbe produced. If a block of code does not read/write sys-tem state that is also read/written by the interrupt handler,then executing the interrupt handler at any point duringthe execution of that block has the same end result.

Currently, DDT implements a simplified model ofsymbolic interrupts. It symbolically delivers interruptson each crossing of the kernel/driver boundary (i.e., be-fore and after each kernel API call, and before and aftereach driver entry point execution). While not complete,we found that this strategy produces good results, be-cause many important changes in driver state are relatedto crossing the kernel/driver interface.

Symbolic hardware with symbolic interrupts mayforce the driver on paths that are not possible in realitywith correct hardware. For example, a symbolic inter-rupt may be issued after the driver instructed the devicenot to issue interrupts (e.g., by writing a control register).A correctly functioning device will therefore not deliverthat interrupt. The natural solution would be to includethe enabled/disabled interrupts status in the path con-straints, and prevent interrupts from occurring when thisis not possible. However, recent work [19] has shownthat hardware often malfunctions, and that drivers mustbe sufficiently robust to handle such behavior anyway.

More generally, DDT’s ability to test drivers againsthardware failures is important, because chipsets often get

revised without the drivers being suitably updated. Con-sider a device that returns a value used by the driver asan array index. If the driver does not check the bounds (acommon bug [19]) and a revised version of the chipsetlater returns a greater value, then the obsolete drivercould experience an out-of-bounds error.

3.4 Enabling Rich Driver/Environment Interactions

Device drivers run at the bottom of the software stack,sandwiched between the kernel and hardware devices.The layers surrounding a driver are complex, and the dif-ferent classes of device drivers use many different kernelsubsystems. For instance, network, audio, and graphicsdrivers each use different kernel services and interfaces.

One may be tempted to run drivers in isolation forpurposes of testing. Unfortunately, this requires an ab-straction layer between the drivers and the rest of thestack, and building this layer is non-trivial. For exam-ple, testing a network driver would require the testbed toprovide well-formed data structures when returning froma packet allocation function called by the driver.

DDT tests drivers by symbolically executing them inconjunction with the real kernel binary. By using the ac-tual software stack (and thus the real kernel) instead of asimplified abstract model of it, DDT ensures that the de-vice drivers get tested with the exact kernel behavior theywould experience in reality. To this end, DDT needs tomediate the interactions with the layers around the driverin a way that keeps the symbolic execution of the driverconsistent with the concrete execution of the kernel.

DDT performs various conversions between the sym-bolic and concrete domains. In its default mode, in whichno annotations are used, DDT converts symbolic argu-ments passed to kernel functions into legal random con-crete values and uses symbolic hardware, including sym-bolic interrupts. Driver entry point arguments are nottouched. These conversions, however, can be fine-tunedby annotating API functions and driver entry points.

3.4.1 Extending DDT with Interface Annotations

DDT provides ways for developers to encode theirknowledge of the driver/kernel API in annotations thatimprove DDT’s achievable code coverage and bug find-ing abilities. Annotations allow DDT to detect not onlylow-level errors, but also logical bugs. Annotations are aone-time effort on the part of OS developers, testers, or abroader developer community.

The idea of encoding API usage rules in annotationsis often used by model checking tools, with a recent no-table example being SLAM [1]. However, DDT’s anno-tations are lighter weight and substantially easier to writeand keep up-to-date than the API models used by pre-vious tools: preparing DDT annotations for the whole

NDIS API, which consists of 277 exported functions,took about two weeks of on-and-off effort; preparing an-notations for those 54 functions in the WDM API thatwere used by our sound drivers took one day.

DDT annotations are written in C and compiled toLLVM bitcode [22], which is then loaded by DDT at run-time and run in the context of QEMU-translated code,when necessary. The annotation code has direct accessto, and control over, the guest system’s state. Addition-ally, it can use a special API provided by DDT to createsymbolic values and/or manipulate execution state.

The following annotation introduces positive integersymbolic values when the driver reads a configurationparameter from the Windows registry:

1 void NdisReadConfiguration_return(CPU* cpu){2 if(*((PNDIS_STATUS) ARG(cpu, 0)) == 03 && ARG(cpu, 4) == 1) {4 int symb = ddt_new_symb_int();5 if(symb >= 0)6 ((PNDIS_CONFIGURATION_PARAMETER)7 ARG(cpu, 1))->IntegerData = symb;8 else ddt_discard_state();9 }

10 }

This sample annotation function is invoked on thereturn path fromNdisReadConfiguration (hence itsname—line 1). It checks whether the call returned suc-cessfully (line 2) and whether the type of the value isinteger (line 3). It then creates an unconstrained sym-bolic integer value using DDT’s special API (line 4), af-ter which it checks the value (line 5) and discards thepath on whichsymbis not a positive integer (line 8).

DDT annotations fall into four categories:Concrete-to-symbolic conversion hintsapply to

driver entry points’ arguments and to return values fromkernel functions called by the driver. They encode con-tracts about what constitute reasonable arguments or re-turn values. For example, a memory allocation functioncan either return a valid pointer or a null pointer, so theannotation would instruct DDT to try both the originallyreturned concrete pointer, as well as the null-pointer al-ternative. The absence of this kind of conversion hintswill cause DDT not to try all reasonable classes of val-ues, which results solely in decreased coverage, i.e., falsenegatives.

Symbolic-to-concrete conversion hintsspecify theallowed set of values for arguments to kernel API func-tions called by drivers. They include various API usagerules that, if violated, may lead to crashes or data cor-ruption. When a call to such an annotated function oc-curs, DDT verifies that all incorrect argument values areruled out by the constraints on the current path; if not,it flags a potential bug. The absence of such annotationscan lead DDT to concretize arguments into some values

that are consistent with the path constraints (thus feasi-ble in a real execution) but not uncover potential bugs (ifthe values happen to be OK according to the unspecifiedAPI usage rules). In other words, they can lead to falsenegatives, but not to false positives.

Resource allocation hintsspecify whether invokingan entry point or calling a kernel function grants or re-vokes the driver’s access to any memory or other re-sources. This information is used to verify that thedriver accesses only resources that the kernel explicitlyallows it to access. It is also used to verify that all allo-cated resources are freed on exit paths. The absence ofmemory allocation hints can lead to false positives, butcan be avoided, if necessary, by switching to a coarse-grained memory access verification scheme (as used, forinstance, in Microsoft’s Driver Verifier [25]).

Kernel crash handler hook: This annotation informsDDT of the address of the guest kernel’s crash handler, aswell as how to extract the crash information from mem-ory. This annotation enables DDT to intercept all crasheswhen running the kernel concretely, such as the “bluescreen of death” (BSOD) on Windows. This annotationis relied upon in our DDT prototype to cooperate withthe Microsoft Driver Verifier’s dynamic checkers.

3.4.2 Alternative Approaches

We have gone to great lengths to run the drivers in a realenvironment and avoid abstract modeling. Is it worth it?

One classic approach to ensuring device driver qual-ity is stress-testing, which is how Microsoft certifies itsthird-party drivers [25]. However, this does not catch allbugs. As we shall see in the evaluation, even Microsoft-certified drivers shipped with Windows have bugs thatcause the kernel to crash. However, powerful static anal-ysis tools [1] can reason about corner-case conditions byabstracting the driver under test, without actually runningit. Since static analysis does not run any code per se, itrequires modeling the driver’s environment.

We believe environment modeling generally does notscale, because kernels are large and evolve constantly.Modeling the kernel/driver API requires manual effortand is error prone. According to [1], developing around60 API usage rules for testing Windows device driverstook more than three years. It also required many itera-tions of refinement based on false positives found duringevaluation. In the end, the resulting models are only anapproximation of the original kernel code, thus leadingto both false negatives and, more importantly, false pos-itives. A test tool that produces frequent false positivesdiscourages developers from using it.

In contrast, we find DDT’s annotations to be straight-forward and easy to maintain. Moreover, if they are per-ceived by developers as too high of a burden, then DDT

can be used in its default mode, without annotations.Testing device drivers often requires access to either

the physical device or a detailed model of it. For driversthat support several physical devices, testing must be re-peated for each such device. In contrast, symbolic hard-ware enables not only testing drivers without a physicaldevice, but also testing them against hardware bugs orcorner cases that are hard to produce with a real device.

3.5 Verifying and Replaying Bugs

When DDT finishes testing a driver, it produces a de-tailed report containing all the bugs it found. This re-port consists of all faulty execution paths and containsenough information to accurately replay the execution,allowing the bug to be reproduced on the developer’s orconsumer’s machine.

DDT’s bug report is a collection of traces of the ex-ecution paths leading to the bugs. These traces containthe list of program counters of the executed instructionsup to the bug occurrence, all memory accesses done byeach instruction (address and value) and the type of theaccess (read or write). Traces contain information aboutcreation and propagation of all symbolic values and con-straints on branches taken. Each branch instruction hasa flag indicating whether it forked execution or not, thusenabling DDT to subsequently reconstruct an executiontree of the explored paths; each node in the tree cor-responds to a machine state. Finally, DDT associateswith each failed path a set of concrete inputs and sys-tem events (e.g., interrupts) that take the driver along thatpath. The inputs are derived from the symbolic state bysolving the corresponding path constraints [16, 7].

A DDT trace has enough information to replay thebug in the DDT VM. Each trace starts from an ini-tial state (a “hibernated” snapshot of the system) andcontains the exact sequence of instructions and mem-ory accesses leading to the crash or hang. The tracesare self-contained and directly executable. The size ofthese traces rarely exceeds 1 MB per bug, and usu-ally they are much smaller. We believe DDT tracescan easily be adapted to work with existing VM replaytools [13, 29, 21].

DDT also post-processes these traces off-line, to pro-duce a palatable error report. DDT reconstructs the treeof execution paths and, for each leaf state that triggereda bug, it unwinds the execution path by traversing the ex-ecution tree to the root. Then it presents the correspond-ing execution path to the developer. When driver sourcecode is available, DDT-produced execution paths can beautomatically mapped to source code lines and variables,to help developers better visualize the buggy behavior.

For bugs leading to crashes, it is also possible to ex-tract a Windows crash dump that can be analyzed with

WinDbg [25]—since each execution state maintained byDDT is a complete snapshot of the system, this includesthe disk where the OS saved the crash dump. It is alsoworth noting that DDT execution traces can help debug-gers go backwards through the buggy execution.

In theory, DDT traces could be directly executed out-side the VM (e.g., in a debugger) using a natively exe-cuting OS, since the traces constitute slices through thedriver code. The problem, though, is that the physicalhardware would need to be coerced into providing the ex-act same sequence of interrupts as in the trace—perhapsthis could be done with a PCI-based FPGA board thatplays back a trace of interrupts. Another challenge isproviding the same input and return values to kernel callsmade by the driver—here DDT could leverage existinghooking techniques [4, 18] to intercept and modify thesecalls during replay. Finally, replaying on a real machinewould involve triggering asynchronous events at pointsequivalent to those saved in the traces [33].

3.6 Analyzing Bugs

Execution traces produced by DDT can also help under-stand the cause of a bug. For example, if an assertion ofa symbolic condition failed, execution traces can identifyon what symbolic values the condition depended, whenduring the execution were they created, why they werecreated, and what concrete assignment of symbolic val-ues would cause the assertion to fail. An assertion, badpointer access, or a call that crashes the kernel might de-pend indirectly on symbolic values, due to control flow-based dependencies; most such cases are also identifiablein the execution traces.

Based on device specifications provided by hardwarevendors, one can decide whether a bug can only occurwhen a device malfunctions. Say a DDT symbolic devicereturned a value that eventually led to a bug; if the set ofpossible concrete values implied by the constraints onthat symbolic read does not intersect the set of possiblevalues indicated by the specification, then one can safelyconclude that the observed behavior would not have oc-curred unless the hardware malfunctioned.

One could write tools to automate the analysis andclassification of bugs found by DDT, even though do-ing this manually is not hard. They could provideboth user-readable messages, like “driver crashes in low-memory situations,” and detailed technical information,like “AllocateMemory failed at locationpc1 caused anull pointer dereference at some other locationpc2.

4 DDT ImplementationWe now describe our implementation of a DDT proto-type for Windows device drivers (§4.1), which can beused by both developers and consumers to test binary

drivers before installing them. We also show how totrick Windows into accepting DDT’s symbolic hardware(§4.2) and how to identify and exercise the drivers’ entrypoints (§4.3). Although Windows-specific, these tech-niques can be ported to other platforms as well.

4.1 DDT for Microsoft Windows

DDT uses a modified QEMU [2] machine emulator to-gether with a modified version of the Klee symbolic exe-cution engine [6]. DDT can run a complete, unmodified,binary software stack, comprising Windows, the driversto be tested, and all associated applications.

4.1.1 Doing VM-Based Symbolic Execution

QEMU is an open-source machine emulator that sup-ports many different processor architectures, like x86,SPARC, ARM, PowerPC, and MIPS. It emulates theCPU, memory, and devices using dynamic binary trans-lation. QEMU’s support of multiple architectures makesDDT available to more than just x86-based platforms.

DDT embeds an adapted version of Klee. To symbol-ically execute a program, one first compiles it to LLVMbitcode [22], which Klee can then interpret. Klee em-ploys various constraint solving optimizations and cov-erage heuristics, which make it a good match for DDT.

To use Klee, we extended QEMU’s back-end to gener-ate LLVM bitcode. QEMU translates basic blocks fromthe guest CPU instruction set to a QEMU-specific inter-mediate representation—we translate from this interme-diate representation to LLVM on the fly. The generatedLLVM bitcode can be directly interpreted by Klee.

QEMU and Klee have different representations ofprogram state, which have to be kept separate yet syn-chronized. In QEMU, the state is composed of the virtualCPU, VM physical memory, and various virtual devices.We encapsulate this data in Klee memory objects, andmodified QEMU to use Klee’s routines to manipulate theVM’s physical memory. Thus, whenever the state of theCPU is changed (e.g., register written) or a device is ac-cessed (e.g., interrupt controller registers are set), bothQEMU and Klee see it, and Klee can perform symbolicexecution in a consistent environment.

Symbolic execution generates path constraints thatalso have to be synchronized. Since QEMU and Kleekeep a synchronized CPU, device, and memory state, anywrite to the state by one of them will be reflected in thepath constraints kept by Klee. For example, when sym-bolically executing driver code accesses concrete kernelmemory, it sees data consistent with its own execution sofar. Conversely, when concrete code attempts to access asymbolic memory location, that location is automaticallyconcretized, and a corresponding constraint is added to

the current path. Data written by concrete code is seen asconcrete by symbolically running driver code.

4.1.2 Symbolic Execution of Driver Code

QEMU runs in a loop, continuously fetching guest codeblocks, translating them, and running them on the hostCPU or in Klee. When a basic block is fetched, DDTchecks whether the program counter is inside the driverof interest or not. If yes, QEMU generates a blockof LLVM code (or fetches the code from a translationcache) and passes it to Klee; otherwise, it generates x86machine code and sends it to the host processor.

DDT monitors kernel code execution and parses ker-nel data structures to detect driver load attempts. DDTcatches the execution of the OS code responsible for in-voking the load entry point of device drivers. For exam-ple, on Windows XP SP3, DDT monitors attempts to ex-ecute code at address0x805A3990, then parses the stackto fetch the device object. If the name of the driver cor-responds to the one being monitored, DDT further parsesthe corresponding data structures to retrieve the code anddata segment locations of the driver. Parsing the datastructures is done transparently, by probing the virtualaddress space, without causing any side effects (e.g., nopage faults are induced).

When the driver is executed with symbolic inputs,DDT forks execution paths as it encounters conditionalbranches. Forking consists primarily of making a copy ofthe contents of the CPU, the memory, and the devices, tomake it possible to resume the execution from that stateat a later time. In other words, each execution state con-sists conceptually of a complete system snapshot.

4.1.3 Optimizing Symbolic Execution

Since symbolic execution can produce large executiontrees (exponential in the number of branches), DDT im-plements various optimizations to handle the large num-ber of states generated by Klee. Moreover, each state isbig, consisting of the entire physical memory and of thevarious devices (such as the contents of the virtual disk).

DDT uses chained copy-on-write: instead of copyingthe entire state upon an execution fork, DDT creates anempty memory object containing a pointer to the parentobject. All subsequent writes place their values in theempty object, while reads that cannot be resolved locally(i.e., do not “hit” in the object) are forwarded up to theparent. Since quick forking can lead to deep state hierar-chies, we cache each resolved read in the leaf state witha pointer to the target memory object, in order to avoidtraversing long chains of pointers through parent objects.

4.1.4 Symbolic Hardware

For PCI devices, the OS allocates resources (memory,I/O regions, and interrupt line) for the device, as requiredthe device descriptor, prior to loading the driver, and thenwrites the addresses of allocated resources to the device’sregisters. From that point, the device continuously mon-itors all memory accesses on the memory and I/O buses;when an address matches its allocated address range, thedevice handles the access. In QEMU, such accesses arehandled by read/write functions specific to a each virtualdevice. For DDT symbolic devices, the write functionsdiscard their arguments, and the read functions alwaysreturns an unconstrained symbolic value. When DDTdecides to inject a symbolic interrupt, it calls the cor-responding QEMU function to assert the right interruptassigned to the symbolic device by the OS.

The execution of the driver also depends on certainparts of the device descriptor, not just on the device mem-ory and I/O registers. For example, the descriptor maycontain a hardware revision number that triggers slightlydifferent behavior in the driver. Unfortunately, the de-vice descriptor is parsed by the OS when selecting thedriver and allocating device resources, so DDT cannotjust make it symbolic. Instead, as the device drivers al-ways accesses the descriptor through kernel API func-tions, we use annotations to insert appropriately con-strained symbolic results when the driver reads the de-scriptor.

4.2 Fooling the OS into Accepting Symbolic Devices

Hardware buses like PCI and USB support Plug-and-Play, which is a set of mechanisms that modern operatingsystems use to detect insertion and removal of devices.The bus interface notifies the OS of such events. Whenthe OS detects the presence of a new device, it loadsthe corresponding driver. The right driver is selected byreading the vendor and device ID of the inserted device.If the driver is for a PCI device, it will typically need toread the rest of the descriptor, i.e., the size of the registerspace and various I/O ranges.

DDT provides a PCI descriptor for afake devicetotrick the OS into loading the driver to be tested. The fakedevice is an empty “shell” consisting of a descriptor con-taining the vendor and device IDs, as well as resourceinformation. The fake device itself does not implementany logic other than producing symbolic values for readrequests. Support for USB is similar: a USB descriptorpointing to a “shell” device is passed to the code imple-menting the bus, causing the target driver to be loaded.

Hardware descriptors are simple and can be readilyobtained. If the actual hardware is available, the descrip-tors can be read directly from it. If the hardware is notpresent, it is possible to extract the information from pub-

Tested DriverSize of Driver Size of Driver Number of Functions Number of Called Source CodeBinary File Code Segment in Driver Kernel Functions Available ?

Intel Pro/1000 168 KB 120 KB 525 84 NoIntel Pro/100 (DDK) 70 KB 61 KB 116 67 YesIntel 82801AA AC97 39 KB 26 KB 132 32 NoEnsoniq AudioPCI 37 KB 23 KB 216 54 NoAMD PCNet 35 KB 28 KB 78 51 NoRTL8029 18 KB 14 KB 48 37 No

Table 1: Characteristics of Windows drivers used to evaluate DDT.

lic databases of hardware supported on Linux. If this in-formation is not available, it can be extracted from thedriver itself. For example, Windows drivers come witha .inf file specifying the vendor and device IDs of thesupported devices. The device resources (e.g., memoryor interrupt lines) are not directly available in the.inffiles, but can be inferred after the driver is loaded, bywatching for attempts to register the I/O space using OSAPIs. We are working on a technique to automaticallydetermine this information directly from the driver.

4.3 Exercising Driver Entry Points

DDT must detect that the OS has loaded a driver, deter-mine the driver’s entry points, coerce the OS into invok-ing them, and then symbolically execute them.

DDT automatically detects a driver’s entry points bymonitoring attempts of the driver to register such entrypoints with the kernel. Drivers usually export only oneentry point, specified in the driver binary’s file header.Upon invocation by the kernel, this routine fills datastructures with entry point information and calls a reg-istration function (e.g.,NdisMRegisterMiniport fornetwork drivers). In a similar way, DDT intercepts theregistration of interrupt handlers.

DDT uses Microsoft’s Device Path Exerciser as a con-crete workload generator to invoke the entry points ofthe drivers to be tested. Device Path Exerciser is shippedwith the Windows Driver Kit [25] and can be configuredto invoke the entry points of a driver in various ways,testing both normal and error situations.

Each invoked entry point is symbolically executed byDDT. To accomplish this, DDT returns symbolic valueson hardware register reads and, hooks various functionsto inject symbolic data. Since execution can fork onbranches within the driver, the execution can return to theOS through many different paths. To save memory andtime, DDT terminates paths based on user-configurablecriteria (e.g., if the entry point returns with a failure).

DDT attempts to maximize driver coverage usingpluggable heuristics modules. The default heuristic at-tempts to maximize basic block coverage, similar to theone used in EXE [7]. It maintains a global counter foreach basic block, indicating how many times the block

was executed. The heuristic selects for the next execu-tion step the basic block with the smallest value. Thisavoids states that are stuck, for instance, in polling loops(typical of device drivers). Depending on the driver, it ispossible to choose different heuristics dynamically.

DDT tests for concurrency bugs by injecting symbolicinterrupts before and after each kernel function calledby the driver. It asserts the virtual interrupt line, caus-ing QEMU to interrupt the execution of the current codeand to invoke the OS’s interrupt handler. The injectionof symbolic interrupts is activated as soon as the targetdriver registers an interrupt handler for the device.

Drivers may legitimately access the kernel’s datastructures, and this must be taken into account by DDT,to avoid false reports of unauthorized memory accesses.First, drivers access global kernel variables, which mustbe explicitly imported by the driver; DDT scans the cor-responding section of the loaded binary and grants thedriver access to them. Second, private kernel data maybe accessed via inlined functions (for example, NDISdrivers use macros that access kernel-defined private datafields in theNDIS_PACKET data structure). DDT pro-vides annotations for identifying such data structures.

5 EvaluationWe applied DDT to six mature Microsoft-certifieddrivers—DDT found 14 serious bugs (§5.1). We alsomeasured code coverage, and found that DDT achievesgood coverage within minutes (§5.2). All reported mea-surements were done on an Intel 2 GHz Xeon CPU using4 GB of RAM.

5.1 Effectiveness in Finding Bugs

We used DDT to test four network drivers and two soundcard drivers, which use different Windows kernel APIsand are written in both C and C++ (Table 1). All driversare reasonably sized, using tens of API functions; DDTscales well in this regard, mainly due to the fact that itneeds no kernel API models. Most of these drivers havebeen tested by Microsoft as part of the WHQL certifica-tion process [25] and have been in use for many years.

DDT found bugs in all drivers we tested: memoryleaks, memory corruptions, segmentation faults, and race

Tested Driver Bug Type Description

RTL8029 Resource leak Driver does not always callNdisCloseConfigurationwhen initialization failsRTL8029 Memory corruption Driver does not check the range forMaximumMulticastList registry parameterRTL8029 Race condition Interrupt arriving before timer initialization leads to BSODRTL8029 Segmentation fault Crash when getting an unexpected OID inQueryInformationRTL8029 Segmentation fault Crash when getting an unexpected OID inSetInformationAMD PCNet Resource leak Driver does not free memory allocated withNdisAllocateMemoryWithTagAMD PCNet Resource leak Driver does not free packets and buffers on failed initializationEnsoniq AudioPCI Segmentation fault Driver crashes whenExAllocatePoolWithTag returns NULLEnsoniq AudioPCI Segmentation fault Driver crashes whenPcNewInterruptSync failsEnsoniq AudioPCI Race condition Race condition in the initialization routineEnsoniq AudioPCI Race condition Various race conditions with interrupts while playing audioIntel Pro/1000 Memory leak Memory leak on failed initializationIntel Pro/100 (DDK) Kernel crash KeReleaseSpinLock called from DPC routineIntel 82801AA AC97 Race condition During playback, the interrupt handler can cause a BSOD

Table 2: Summary of previously unknown bugs discovered by DDT.

conditions. A summary of these findings is shown in Ta-ble 2, which showsall bug warnings issued by DDT, notjust a subset. In particular, we encountered no false pos-itives during testing.

The first two columns of the table are a direct outputfrom DDT. Additionally, DDT produced execution tracesthat we manually analyzed (as per §3.6) in order to pro-duce the last column of the table, explaining each bug.The analyses took a maximum of 20 minutes per bug.Testing each driver took a maximum of 4 hours, and thistime includes adding missing API annotations and occa-sional debugging of the DDT prototype.

From among all bugs found by DDT, only one was re-lated to improper hardware behavior: it was a subtle racecondition in the RTL8029 driver, occurring right after thedriver registered its interrupt handler, but before it initial-ized the timer routine and enabled interrupts on the de-vice. If the interrupt fires at this point, the interrupt han-dler calls a kernel function to which it passes an uninitial-ized timer descriptor, causing a kernel crash. From theexecution traces produced by DDT it was clear that thebug occurred in the driver interrupt handler routine afterissuing a symbolic interrupt during driver initialization.We checked the address of the interrupt control registerin the device documentation; since the execution tracescontained no writes to that register, we concluded thatthe crash occurred before the driver enabled interrupts.

At the same time, if the device malfunctions and thisbug manifests in the field, it is hard to imagine a way inwhich it could be fixed based on bug reports. It is hardto find this kind of bugs using classic stress-testing tools,even with malfunctioning hardware, because the inter-rupt might not be triggered by the hardware at exactlythe right moment.

Another interesting bug involved memory corruptionafter parsing parameters (obtained from the registry) inthe RTL8029 driver. The driver does not do any boundschecking when reading theMaximumMulticastListpa-

rameter during initialization. Later, the value of this pa-rameter is used as an index into a fixed-size array. If theparameter has a large (or negative) value, memory cor-ruption ensues and leads to a subsequent kernel panic.This explanation was easily obtained by looking at theexecution traces: a faulty memory read was shown at anaddress equal to the sum of the base address returnedby the memory allocator plus an unconstrained symbolicvalue injected when reading the registry.

An example of a common kind of bug is the incor-rect handling of out-of-memory conditions during driverinitialization. In the RTL8029, AMD PCNet, and In-tel Pro/1000 drivers, such conditions lead to resourceleaks: when memory allocation fails, the drivers do notrelease all the resources that were already allocated (heapmemory, packet buffers, configuration handlers, etc.). Inthe Ensoniq AudioPCI driver, failed memory allocationleads to a segmentation fault, because the driver checkswhether the memory allocation failed, but later uses thereturned null pointer on an error handling path, despitethe fact that the initial check failed.

An example of incorrectly used kernel API func-tions is a bug in the Intel Pro/100 driver. Inits DPC (deferred procedure call) routine, the driveruses theNdisReleaseSpinLock function instead ofNdisDprReleaseSpinLock (as it should for spinlocksacquired usingNdisDprAcquireSpinLock). This isspecifically prohibited by Microsoft documentation andin certain conditions can lead to setting the IRQ level tothe wrong value, resulting in a kernel hang or panic.

We tried to find these bugs with the Microsoft DriverVerifier [25] running the driver concretely, but did notfind any of them. Furthermore, since Driver Verifiercrashes by default on the first bug found, looking for thenext bug would typically require first fixing the foundbug. In contrast, DDT finds multiple bugs in one run.

To assess the influence that annotations have onDDT’s effectiveness, we re-tested these drivers with all

0 %

20 %

40 %

60 %

80 %

100 %

0 1 2 3 4 5 6

Bas

ic B

lock

Cov

erag

e (%

)

Running Time (minutes)

RTL8029Intel Pro/100

Intel 82801AA AC97

Figure 2: Relative coverage with time

annotations turned off. We managed to reproduce all therace condition bugs, because their detection does not de-pend on the annotations. We also found the hardware-related bugs, cased by improper checks on hardware reg-isters. However, removing the annotations resulted in de-creased code coverage, so we did not find the memoryleaks and the segmentation faults.

We initially wanted to compare DDT to the MicrosoftSDV tool [1], a state-of-the-art static analysis tool fordrivers. Since SDV requires source code, we used theIntel Pro/100 network card driver, whose source code ap-pears in the Windows Drivers Development Kit. Unfor-tunately, we were not able to test this driver out-of-the-box using SDV, because the driver uses older versions ofthe NDIS API, that SDV cannot exercise. SDV also re-quires special entry point annotations in the source code,which were not present in the Intel Pro/100 driver. We re-sorted to comparing on the sample drivers shipped withSDV itself: SDV found the 8 sample bugs in 12 minutes,while DDT found all of them in 4 minutes.

We additionally injected several synthetic bugs in thesample driver (most of these hang the kernel): a dead-lock, an out-of-order spinlock release, an extra release ofa non-acquired spinlock, a “forgotten” unreleased spin-lock, and a kernel call at the wrong IRQ level. SDV didnot find the first 3 bugs, it found the last 2, and produced1 false positive. DDT found all 5 bugs and no false posi-tives in less than a third of the time that SDV ran.

We conclude that DDT can test drivers that existingtools cannot handle, and can find more subtle bugs inmature device drivers. In the next section, we evaluatethe efficiency of DDT and assess its scalability.

5.2 Efficiency and Scalability

We evaluated DDT on drivers ranging in size from 18KB to 168 KB. In Figure 2 we show how code coverage

0

200

400

600

800

1000

1200

1400

1600

0 1 2 3 4 5 6

Cov

ered

Bas

ic B

lock

s

Running Time (minutes)

RTL8029Intel Pro/100

Intel 82801AA AC97

Figure 3: Absolute coverage with time

(as a fraction of total basic blocks) varied with time fora representative subset of the six drivers we tested. InFigure 3 we show absolute coverage in terms of numberof basic blocks. We ran DDT until no more basic blockswere discovered for some amount of time. In all cases, asmall number of minutes were sufficient to find the bugswe reported. For the network drivers, the workload con-sisted of sending one packet. For the audio drivers, weplayed a small sound file. DDT’s symbolic execution ex-plored paths starting from the exercised entry points. Formore complex drivers, workload can be generated withthe Device Path Exerciser (described in §4).

DDT has reasonable memory requirements. Whiletesting the drivers in Table 1, DDT used at most 4 GBof memory, which is the current prototype’s upper limit.

The coverage graphs show long flat periods of exe-cution during which no new basic blocks are covered.These periods are delimited by the invocation of newentry points. The explanation is that the driver-loadingphase triggers the execution of many new basic blocks,resulting in a first step. Then, more paths are exercisedin it, without covering new blocks. Finally, the executionmoves to another entry point, and so on. Eventually, nonew entry points are exercised, and the curves flatten.

Overall, the results show that high coverage of binarydrivers can be achieved automatically in just a few min-utes. This suggests that DDT can be productively usedeven by end users on their home machines.

6 Discussion

Having seen that DDT is able to automatically find bugsin a reasonable amount of time, we now discuss someof DDT’s limitations (§6.1) and the tradeoffs involved intesting binary drivers instead of their source code (§6.2).

6.1 Limitations

DDT subsumes several powerful driver testing tools, butstill has limitations, which arise both from our designchoices, as well as from technical limitations of thebuilding blocks we use in the DDT prototype.

DDT uses symbolic execution, which is subject tothe path explosion problem [3]. In the worst case, thenumber of states is exponential in the number of coveredbranches, and this can lead to high memory consumptionand long running times for very large drivers. Moreover,solving path constraints at each branch is CPU-intensive.This limits DDT’s ability to achieve good coverage forlarge drivers. We are exploring ways to mitigate thisproblem by running symbolic execution in parallel [12],and we are developing techniques for trimming the largespace of paths to be explored [10]. Any improvements inthe scalability of symbolic execution automatically im-prove DDT’s coverage for very large drivers.

Like any bug finding tool, DDT might have false neg-atives. There are two causes for this: not checking fora specific kind of bug, or not covering a path leadingto the bug. Since DDT can reuse any existing dynamicbug finding tool (by running it inside the virtual machinealong all explored paths) and can be extended with othertypes of checkers, we expect that DDT can evolve overtime into a tool that achieves superior test completeness.

Since DDT does not use real hardware and knows lit-tle about its expected behavior, DDT may find bugs thatcan only be triggered by a malfunctioning device. Eventhough it has been argued that such cases must be han-dled in high-reliability drivers [19], for some domainsthis may be too much overhead. In such cases, these falsepositives can be weeded out by looking at the executiontraces, or by adding device-specific annotations.

Some driver entry points are triggered only when cer-tain conditions hold deep within the execution tree. Forexample, theTransferData entry point in an NDISdriver is typically called when the driver receives apacketand provides some look-ahead data from it tothe kerneland the kernel finds a driver that claims thatpacket. Since the packet contains purely symbolic data,and is concretized randomly when the kernel reads it, thelikelihood of invoking the required handler is low. An-notating the function transmitting the look-ahead data tothe kernel can solve this problem.

While testing drivers with DDT can be completely au-tomated, our current DDT prototype requires some man-ual effort. A developer must provide DDT with PCI de-vice information for the driver’s device, install the driverinside a VM, and configure Microsoft Driver Verifier anda concrete workload generator. Once DDT runs, its out-put is a list of bugs and corresponding execution traces;the developer can optionally analyze the execution tracesto find the cause of the encountered bugs. Even though

this limits DDT’s immediate usefulness to end users,DDT can be used today by hardware vendors to testdrivers before releasing them, by OS vendors to certifydrivers, and by system integrators to test final productsbefore deployment.

DDT does not yet support USB, AGP, and PCI-express devices, partly due to the lack of such supportin QEMU. This limitation prevents DDT from loadingthe drivers, but can be overcome by extending QEMU.

Finally, DDT currently has only a 32-bit implemen-tation. This prevents DDT from using more than 4GB of memory, thus limiting the number of exploredpaths. Although we implemented various optimizations,like swapping out unnecessary states to disk, memory iseventually exhausted. We ported Klee to 64-bit architec-tures and contributed it to the Klee mainline; we intendto port DDT as well.

6.2 Source-Level vs. Binary-Level Testing

DDT is a binary-level testing tool, and this has both ben-efits and drawbacks.

A binary tool can test the end result of a complex buildtool chain. Device drivers are built with special com-pilers and linked to specific libraries. A miscompilation(e.g., a wrong field alignment in the data structures), orlinking problems (e.g., a wrong library version), can bemore easily detected by a binary testing tool.

Binary drivers, however, have meager typing informa-tion. The only types used by binaries are integers andpointers, and it may be possible to infer some types bylooking at the API functions for which we have param-eter information. Nevertheless, it is hard to find type-related bugs that do not result in abnormal operations.For example, a cast of a color value from the framebufferto the wrong size could result in incorrect colors. Suchbugs are more easily detected by source code analyzers.

7 Related WorkTwo main approaches have been taken to improve thesafety and reliability of device drivers. Offline ap-proaches, like testing, concentrate on finding bugs be-fore the driver is shipped. However, thoroughly testinga driver to the point of guaranteeing the absence of bugsis still economically infeasible, so bugs frequently maketheir way to the field. Online approaches aim to pro-tect systems from bugs that are missed during the testingphase, but typically at the expense of runtime overheadand/or modifications to the OS kernel.

Testing device drivers can be done statically or dy-namically. For example, SLAM [1] statically checks thesource code of a device driver for correct Windows APIusage. It uses a form of model checking combined withan abstract representation of the source code, suitable for

the properties to be checked. However, it is subject tofalse positives and false negatives stemming from incom-plete and/or imprecise API models.

Microsoft provides various tools for stress-testing de-vice drivers running in their real environment. For ex-ample, Driver Verifier [25] provides deep testing of run-ning device drivers, but it can miss rarely executed codepaths. DDT combines the power of both static and dy-namic tools: it runs drivers in a real environment, andcombines its own checks with those of the Driver Veri-fier. Moreover, DDT employs fully symbolic hardware,leading to a more thorough exploration.

When testing is not enough, it is possible to contin-uously monitor the drivers at runtime and provide in-formation on the cause of the crashes. For example,Nooks [31] combines in-kernel wrapping and hardware-enforced protection domains to trap common faults andrecover from them. Nooks works with existing drivers,but requires source code and incurs runtime overhead.

SFI [32] and XFI [14] use faster software isola-tion techniques and provide fine grained isolation of thedrivers to protect the kernel from references outside theirlogical protection domain. However, it can only protectagainst memory failures and incurs runtime overhead.XFI can work on binary drivers but still requires debug-ging information for the binaries in order to reliably dis-assemble them. SafeDrive [35] uses developer providedannotations to enforce type-safety constraints and systeminvariants for kernel-mode drivers written in C. Finally,BGI [8] provides byte-granularity memory protection tosandbox kernel extensions. BGI was also able to finddriver bugs that manifest when running the drivers withBGI isolation. However BGI also requires access to thesource code and incurs runtime overhead.

Minix [17] explicitly isolate drivers by running themin distinct address spaces; this approach is suitable formicrokernels. Vino [28] introduces an alternative OSdesign, which combines software fault isolation with alightweight transactional system to protect against largeclasses of problems in kernel extensions.

The idea of replacing reads from hardware with sym-bolic values has been mentioned before [3]. With DDT,we introduce the new concept of fully symbolic hard-ware, which can interact both with concretely runningOSes and with symbolically running device drivers.Fully symbolic hardware can also issue symbolic inter-rupts, enabling the testing of various interleavings of de-vice driver code and interrupt handlers.

Selective symbolic execution was first introducedin [10] and later reused in [9]. DDT shares common ideaswith these, but is also distinguished by several aspects.

First, reverse engineering of a driver with RevNICdoes not require execution to be sound. For example,RevNIC overwrites with unconstrained symbolic values

the concrete parameters passed by the OS to the driver.In contrast, since DDT is a testing tool, it requires the ex-ecution to be sound to avoid false positives. This intro-duces additional requirements on injection of symbolicvalues and on concretization. For example, the concretepacket size must be replaced by a symbolic value con-strained not to be greater than the original value, to avoidbuffer overflows.

Second, DDT introduces the use of lightweight APIannotations to describe the interface between a driverand a kernel. Annotations encode developers’ knowledgeabout a specific kernel API, and help improve code cov-erage as well as detect more logic bugs. Such annotationswere not present in RevNIC.

Third, DDT mixes in-VM instrumentation (bugchecking) with instrumentation from outside the VM.DDT can reuse existing bug-finding tools that run in theguest OS, extending these tools with symbolic executionto work on multiple paths.

Finally, during symbolic execution, RevNIC onlygathers executed LLVM code and traces of device ac-cesses. In contrast, DDT analyzes the execution in orderto track the origin of symbolic values and control flowdependencies through the path leading to a bug. DDTgenerates annotated execution traces and input valuesthat help developers reproduce and understand the bugs.

8 ConclusionWe presented DDT, a tool for testing closed-source bi-nary device drivers against undesired behaviors, like raceconditions, memory errors, and resource leaks. We eval-uated DDT on six mature Windows drivers and found 14serious bugs that can cause a system to freeze or crash.

DDT combines virtualization with selective symbolicexecution to thoroughly exercise tested drivers. A set ofmodular dynamic checkers identify bug conditions andproduce detailed, executable traces for every path thatleads to a failure. We showed how these traces can beused to provide evidence of the found bugs, as well ashelp understand and fix them.

DDT does not require access to source code and needsno assistance from users, thus making it widely applica-ble. We envision DDT being used by IT staff responsiblefor the reliability and security of desktops and servers,by OS vendors and system integrators, as well as by con-sumers who wish to avoid running buggy drivers in theiroperating system kernels.

AcknowledgmentsWe are indebted to our shepherd, Paul Barham, theanonymous USENIX reviewers, and our EPFL col-leagues for their great help in improving our paper.

References

[1] T. Ball, E. Bounimova, B. Cook, V. Levin, J. Lichtenberg,C. McGarvey, B. Ondrusek, S. K. Rajamani, and A. Us-tuner. Thorough static analysis of device drivers. InACMSIGOPS/EuroSys European Conf. on Computer Systems,2006.

[2] F. Bellard. QEMU, a fast and portable dynamic translator.In USENIX Annual Technical Conf., 2005.

[3] P. Boonstoppel, C. Cadar, and D. R. Engler. RWset: At-tacking path explosion in constraint-based test generation.In Intl. Conf. on Tools and Algorithms for the Construc-tion and Analysis of Systems, 2008.

[4] P. P. Bungale and C.-K. Luk. PinOS: a programmableframework for whole-system dynamic instrumentation. InIntl. Conf. on Virtual Execution Environments, 2007.

[5] S. Butt, V. Ganapathy, M. M. Swift, and C.-C. Chang.Protecting commodity operating system kernels from vul-nerable device drivers. InAnnual Computer Security Ap-plications Conf., 2009.

[6] C. Cadar, D. Dunbar, and D. R. Engler. KLEE: Unassistedand automatic generation of high-coverage tests for com-plex systems programs. InSymp. on Operating SystemsDesign and Implementation, 2008.

[7] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, andD. R. Engler. EXE: Automatically generating inputs ofdeath. InConf. on Computer and Communication Secu-rity, 2006.

[8] M. Castro, M. Costa, J.-P. Martin, M. Peinado, P. Akri-tidis, A. Donnelly, P. Barham, and R. Black. Fast byte-granularity software fault isolation. InSymp. on Operat-ing Systems Principles, 2009.

[9] V. Chipounov and G. Candea. Reverse engineer-ing of binary device drivers with RevNIC. InACMSIGOPS/EuroSys European Conf. on Computer Systems,2010.

[10] V. Chipounov, V. Georgescu, C. Zamfir, and G. Candea.Selective symbolic execution. InWorkshop on Hot Topicsin Dependable Systems, 2009.

[11] A. Chou, J.-F. Yang, B. Chelf, S. Hallem, and D. Engler.An empirical study of operating systems errors. 2001.

[12] L. Ciortea, C. Zamfir, S. Bucur, V. Chipounov, andG. Candea. Cloud9: A software testing service. InWork-shop on Large Scale Distributed Systems and Middle-ware, 2009.

[13] G. W. Dunlap, D. Lucchetti, P. M. Chen, and M. Fet-terman. Execution replay on multiprocessor virtual ma-chines. InIntl. Conf. on Virtual Execution Environments,2008.

[14] Ú. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C.Necula. XFI: Software guards for system address spaces.In Symp. on Operating Systems Design and Implementa-tion, 2006.

[15] A. Ganapathi, V. Ganapathi, and D. Patterson. WindowsXP kernel crash analysis. 2006.

[16] P. Godefroid, N. Klarlund, and K. Sen. DART: Directedautomated random testing. InConf. on ProgrammingLanguage Design and Implementation, 2005.

[17] J. N. Herder, H. Bos, B. Gras, P. Homburg, and A. S.

Tanenbaum. Fault isolation for device drivers. InIntl.Conf. on Dependable Systems and Networks, 2009.

[18] G. Hoglund and J. Butler.Rootkits: subverting the Win-dows Kernel. Campus Press, 2006.

[19] A. Kadav, M. J. Renzelmann, and M. M. Swift. Toler-ating hardware device failures in software. InSymp. onOperating Systems Principles, 2009.

[20] J. C. King. Symbolic execution and program testing.Communications of the ACM, 1976.

[21] S. T. King, G. W. Dunlap, and P. M. Chen. Debuggingoperating systems with time-traveling virtual machines.In USENIX Annual Technical Conf., 2005.

[22] C. Lattner and V. Adve. LLVM: A compilation frame-work for lifelong program analysis and transformation. InIntl. Symp. on Code Generation and Optimization, 2004.

[23] F. Mérillon, L. Réveillère, C. Consel, R. Marlet, andG. Muller. Devil: An IDL for hardware programming.In Symp. on Operating Systems Design and Implementa-tion, 2000.

[24] Microsoft security advisory #944653:Vulnerability in Macrovision driver.http://www.microsoft.com/technet/security/advisory/944653.mspx.

[25] Microsoft. Windows logo program.http://www.microsoft.com/whdc.

[26] B. Murphy. Automating software failure reporting.ACMQueue, 2(8), 2004.

[27] V. Orgovan and M. Tricker. An introduction to driverquality. Microsoft Windows Hardware EngineeringConf., 2003.

[28] M. Seltzer, Y. Endo, C. Small, and K. Smith. Dealingwith disaster: Surviving misbehaved kernel extensions. InSymp. on Operating Systems Design and Implementation,1996.

[29] S. M. Srinivasan, S. Kandula, C. R. Andrews, andY. Zhou. Flashback: a lightweight extension for roll-back and deterministic replay for software debugging. InUSENIX Annual Technical Conf., 2004.

[30] M. M. Swift, M. Annamalai, B. N. Bershad, and H. M.Levy. Recovering device drivers.ACM Transactions onComputer Systems, 24(4), 2006.

[31] M. M. Swift, B. N. Bershad, and H. M. Levy. Improv-ing the reliability of commodity operating systems.ACMTransactions on Computer Systems, 23(1), 2005.

[32] R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham.Efficient software-based fault isolation. InSymp. on Op-erating Systems Principles, 1993.

[33] B. Xin, W. N. Sumner, and X. Zhang. Efficient programexecution indexing. InConf. on Programming LanguageDesign and Implementation, 2008.

[34] J. Zhang. A path-based approach to the detection of in-finite looping. InAsia-Pacific Conf. on Quality Software,2001.

[35] F. Zhou, J. Condit, Z. Anderson, I. Bagrak, R. Ennals,M. Harren, G. Necula, and E. Brewer. SafeDrive: safe andrecoverable extensions using language-based techniques.In Symp. on Operating Systems Design and Implementa-tion, 2006.