Model checking boot code from AWS data centers
Formal Methods in System Design (IF 0.8). Pub Date: 2020-04-15, DOI: 10.1007/s10703-020-00344-2
Byron Cook, Kareem Khazem, Daniel Kroening, Serdar Tasiran, Michael Tautschnig, Mark R. Tuttle

This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis.
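The three obstacles the abstract names (memory-mapped device registers, byte-level memory access, and region bounds that exist only in a linker script) are easier to see in code. The following is an added illustration, not code from the paper or from CBMC's own sources. In real boot code `region_start`/`region_end` would be `extern` symbols defined solely by the linker script and the device register would sit at a fixed physical address; both are replaced here by constructed stand-ins (a static array and a static register file) so the file builds and runs on a normal host. The `harness()` under `#ifdef __CPROVER` is an assumed shape for a CBMC proof entry point, using CBMC's `__CPROVER_assert` and its convention that an undefined `nondet_*` function returns an arbitrary value; it is not the paper's harness.

```c
#include <stddef.h>
#include <stdint.h>

/* --- Region bounds from the linker script --------------------------------
 * Real boot code declares
 *     extern uint8_t region_start[], region_end[];
 * and the linker script alone decides where they are, so a source-level
 * analyzer sees two symbols of unknown size. Constructed stand-in: back
 * them with a static array so this example runs without a custom script. */
#define REGION_SIZE 64u
static uint8_t region_storage[REGION_SIZE];
static uint8_t *const region_start = region_storage;
static uint8_t *const region_end   = region_storage + REGION_SIZE;

/* --- Memory-mapped device register -----------------------------------------
 * Real code would use a fixed address such as (volatile uint32_t *)0x...,
 * which is not backed by any object the analyzer knows about. Constructed
 * stand-in: a static register file. */
static volatile uint32_t fake_device_regs[4];
#define DEV_STATUS (&fake_device_regs[0])
#define DEV_READY  0x1u

/* Byte-level clear of the region, as boot code does for .bss.
 * Returns the number of bytes written. Each write is in bounds only if
 * the analyzer knows region_end - region_start, i.e. the linker layout. */
size_t clear_region(void)
{
    size_t n = 0;
    for (uint8_t *p = region_start; p < region_end; ++p) {
        *p = 0u;
        ++n;
    }
    return n;
}

/* Bounds-checked byte read: returns the byte (0..255) or -1 when off is
 * outside the region. The guard depends on the linker-provided size, so
 * a tool without the layout cannot prove the access safe. */
int region_read(size_t off)
{
    size_t size = (size_t)(region_end - region_start);
    if (off >= size)
        return -1;
    return (int)region_start[off];
}

/* Minimal boot-init sequence: clear the region, then signal the device
 * through a volatile register write and read the status back. */
uint32_t boot_init(void)
{
    clear_region();
    *DEV_STATUS = DEV_READY;   /* volatile: the store must not be elided */
    return *DEV_STATUS;
}

#ifdef __CPROVER
/* Assumed proof-harness shape for CBMC (not the paper's harness).
 * nondet_size_t is left undefined, so CBMC treats its result as any
 * value; one run of the checker covers every possible offset. */
size_t nondet_size_t(void);
void harness(void)
{
    size_t off = nondet_size_t();
    int rc = region_read(off);
    __CPROVER_assert(rc != -1 || off >= REGION_SIZE,
                     "reads are rejected only when out of range");
}
#endif

int main(void)
{
    uint32_t st = boot_init();
    /* Exit status 0 when the device reports ready and the first byte past
     * the region is refused. */
    return (st == DEV_READY && region_read(REGION_SIZE) == -1) ? 0 : 1;
}
```

Compiled with a host C compiler the file runs as an ordinary program; handed to CBMC with `harness` as the entry function it becomes the kind of bounded proof the paper describes, where the value of a linker-script symbol is exactly what the checker must know to decide whether `region_read` and `clear_region` stay within the region.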

Updated: 2020-04-15