Vulnerability Analysis (III): Sta8c Analysis
|
|
- Naomi Nelson
- 5 years ago
- Views:
Transcription
1 Computer Security Course. Vulnerability Analysis (III): Sta8c Analysis Slide credit: Vijay D Silva
2 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis
3 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis
4 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n T nt ERR
5 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n T nt 2 n ERR
6 Quiz: Branches and Paths F 1F F 2F T 1T T 2T Suppose we want to know if there is a feasible path to the loca8on ERR in this program. Suppose we generate one path predicate for each path through this program. How many path predicates are generated? nf F n ERR T nt 2 n Number of predicates can be exponen&al in the number of branches.
7 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated?
8 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated?
9 Quiz: Loops and Paths This is the structure of a program with a simple loop. Suppose the error loca8on is in block 3. How many path predicates are generated? A loop can generate an infinite number of path predicates Number of path predicates is finite only if the program terminates
10 Independence of Variables How many paths to the asser8on?
11 Independence of Variables How many paths to the asser8on? 4
12 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch?
13 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch? 2
14 Independence of Variables How many paths to the asser8on? 4 The second branch does not affect the asser8on. How many paths without the second branch? 2 Including all statements on a path leads to larger constraints than necessary Data dependencies can be used to prune paths and simplify constraints
15 Structure of Formulas The path predicate for this asser8on viola8on involves bit- vector mul8plica8on Reasoning about mul8plica8on of variables is computa8onally expensive (think of mul8plier circuits) ERR
16 Structure of Formulas ERR The path predicate for this asser8on viola8on involves bit- vector mul8plica8on Reasoning about mul8plica8on of variables is computa8onally expensive (think of mul8plier circuits) Only need to show an upper bound on y Imprecise reasoning can be more efficient and enough
17 Challenges for Symbolic Execu8on Control Path explosion due to branches and loops Redundant explora&on of same path prefixes Search strategy determines if vulnerabili8es are found Data Algorithmic complexity of arithme8c and string reasoning Constraint explosion because of irrelevant variables and opera8ons Memory modeling is labor intensive but necessary How can we address these issues?
18 1 Efficiency of Symbolic Execu8on 2 Sta8c Analysis by Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis
19 Single Program Execu8on Moscone Center SODA Hall
20 Bo\lenecks for Dynamic Analysis Weather Traffic Roads Terrain... Informa8on Overload Route Explosion
21 Bo\lenecks for Dynamic Analysis Weather Traffic Roads Terrain... Informa8on Overload Data Route Explosion Control
22 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car
23 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car
24 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car
25 Sta8c Analysis Loss of informa8on allows for more efficient computa8on of some answers Sta8c analysis algorithms operate directly on abstract representa8ons For example, we can analyze all possible road- routes without even siang in a car
26 Sta8c Analysis Some ques8ons can be answered efficiently. Can we drive, on land, from Melboure to Hobart? Not enough informa8on to answer ques8ons about traffic, terrain, the weather, routes from Melbourne to Sydney etc.
27 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis
28 Sta8c Analysis A sta&c analysis is one that does not execute the program. A syntac&c analysis uses the code text but does not interpret statements A seman&c analysis interprets statements and updates facts based on statements in the code
29 Syntac8c Example: Op8onal Arguments The system call open() has op8onal arguments Typical mistake: Result: file has random permissions To detect this problem: Look for oflag == O_CREAT without mode argument
30 Syntac8c Example: Calling Conven8ons Goal: confine a process to a jail in the filesystem Use chroot() to change the filesystem root for a process Problem: chroot() does not itself change the current working directory Result: fopen may refer to a file outside the jail Detec8on: look for pa\erns matching the specifica8on
31 Syntac8c Example: Name Confusion source: Squashing Bugs with Sta&c Analysis, William Pugh, 2006 flags is a parameter, this.flags is a field Problem: check does not prevent null dereference Result: Poten8al Null Pointer Dereference Detec8on: find similar names on code paths where security- relevant condi8ons are checked
32 Quiz Can you iden8fy the problems in the following code? (all taken from well tested, produc8on sojware) source: Squashing Bugs with Sta&c Analysis, William Pugh, 2006
33 Syntac8c Analysis Specify Error Pa\erns Parse Program Error paierns: Heuris8cally observed common error pa\erns in prac8ce Detect Pa\erns Prune False Alarms Parsing: generates data structure used for error detec8on Detec&on: match pa\ern against program representa8on Pruning: Used to eliminate common false alarms
34 Error Pa\ern Types Error Type Examples Typos API Usage Copy- Paste Iden8fier confusion = vs ==, &x vs. x, missing/extra semi- colons chroot, mul8ple locking, etc. variable names/increments not updated global and local variables, fields and parameters
35 Pa\ern Representa8on and Detec8on Representa3on String Parse Tree Control Flow Graphs Types of Algorithms Subsequence mining, edit distance, matching Pa\ern matching, Automata algorithms, sub- graph isomorphism
36 1 Efficiency of Symbolic Execu8on 2 A Sta8c Analysis Analogy 3 Syntac8c Analysis 4 Seman8cs- Based Analysis
37 Example Program Entry How can we automa8cally check if the error loca8on is reachable in this program? Exit Err An analysis must reason about control flow branches a loop data increment, decrement comparisons with 0
38 Abstrac8ng Data Entry Only track relevant proper8es of x x<=0 x!=0 x>=0 x<0 x==0 x>0 Exit Err
39 Abstrac8ng Data Entry Only track relevant proper8es of x x can have any value x<=0 x!=0 x>=0 x<0 x==0 x>0 Exit Err
40 Abstrac8ng Data Entry Only track relevant proper8es of x x can have any value x<=0 x!=0 x>=0 Exit Err x<0 x==0 x>0 false no value is feasible
41 Sign Analysis Entry Analysis: update data about x based on control flow x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err
42 Sign Analysis Entry Analysis: update data about x based on control flow x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err Assuming arbitrary ini8aliza8on, anything can be about x
43 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err The assignment updates the fact about x
44 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x==0 x>0 false Exit Err The condi8on does not affect x so the fact flows through
45 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x<0 x==0 x>0 false Exit Err Loss of precision! We cannot write x==- 1 so we approximate it by x<0
46 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x<0 x>0 x<0 x==0 x>0 false Exit Err
47 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0? x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve
48 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0? x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve
49 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x>0 x<0 x==0 x>0 false Exit Err At the join point x is either strictly posi8ve or strictly nega8ve
50 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 Exit Err x<0 x==0 x>0 false
51 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit Err x<0 x==0 x>0 false
52 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit x<0 x==0 x>0 false The condi8onal restricts x Err x<0
53 Sign Analysis Entry Analysis: update data about x based on control flow x==0 x==0 x<=0 x!=0 x>=0 x!=0 x<0 x!=0 x>0 x!=0 Exit Err x<0 x<0 x==0 x>0 false The analysis concludes that it may be possible to reach Err with x<0
54 Sign Analysis vs. Symbolic Execu8on Entry Compare the sign analysis to symbolic execu8on x!=0 x==0 x==0 x!=0 x<0 x>0 Exit x!=0 Data was not precisely represented Some variables were ignored Control flow paths were joined It is not clear if there is an error It is not clear which path leads to the error Err x<0
55 Sign Analysis vs. Symbolic Execu8on Entry Compare the sign analysis to symbolic execu8on x!=0 x==0 x==0 x!=0 x<0 x>0 Exit x!=0 Err x<0 Data was not precisely represented Some variables were ignored Control flow paths were joined It is not clear if there is an error It is not clear which path leads to the error Problem: no informa8on about y
56 Zero Propaga8on Entry Suppose we only track if y is zero or not y!=0 false Exit Err
57 Zero Propaga8on Entry Suppose we only track if y is zero or not y!=0 false Exit Err
58 Quiz: Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis???? y!=0? Exit? Err false
59 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false
60 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit false A loop head is also a join- point Err
61 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit false A loop head is also a join- point Err
62 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false Since the loop head was updated, what follows may change.
63 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false Since the loop head was updated, what follows may change. In this case, the update does not change the result of the analysis.
64 Zero Propaga8on Entry Suppose we only track if y is zero or not Can you fill in the blanks for the first steps of the analysis? y!=0 y!=0 y!=0 Exit Err false When propaga8on does not change the results, a fixed point is reached.
65 Sign Analysis vs. Zero Propaga8on Entry Sign analysis and zero propaga8on both report that the error may be reached. Each analysis ignores one variable. y!=0 Can we do be\er by tracking both variables at the same 8me? y!=0 Exit Err
66 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false x>=0 false y!=0 Exit Err x<0
67 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false x>=0 false y!=0 Exit Err x<0 Product analysis does not yield more informa8on (in this case) than running both separately
68 A Product Analysis x==0 Entry x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x>=0 y!=0 x>=0 false Exit Err x<0 x>=0 false y!=0 Problem: Correla8on between x and y is lost at this joint point. Analysis is path insensi&ve.
69 Disjunc8ve Refinement Entry Disjunc8ve refinement allows disjunc8ons of facts x>=0 x>=0 y!=0 join x>=0 y!=0 x<0 = x>=0 x<0 y!=0 or instead of Exit Err x<0
70 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 Exit Ini8al steps are the same Err
71 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 or x<0 x>0 y!=0 Join is now disjunc8on Exit Err
72 Analysis with Disjunc8ve Refinement Entry x==0 x==0 y!=0 x==0 x<0 y!=0 x>0 or x<0 x>0 y!=0 x>0 x<0 y!=0 Exit Err More precise informa8on propagated ajer join
73 Analysis with Disjunc8ve Refinement Entry x>=0 x==0 x>=0 y!=0 x>=0 y!=0 x>0 or x>0 y!=0 x>0 y!=0 Exit Err false Result of final analysis. Asser8on is not violated.
74 1 Analysis Frameworks 2 Types of Analyses 3 Precision 4 Summary of Program Analysis
75 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons
76 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons
77 States, Transi8ons, Execu8ons
78 States, Transi8ons, Execu8ons States values of local and global variables, program counter, stack, heap pc i a[0] a[1] a[2] a[3] a[4] d 1 0 undef undef undef undef
79 States, Transi8ons, Execu8ons States values of local and global variables, program counter, stack, heap Control Data pc i a[0] a[1] a[2] a[3] a[4] d 1 0 undef undef undef undef
80 States, Transi8ons, Execu8ons States Transi8ons values of local and global variables, program counter, stack, heap state changes pc d b i a[0] 1 0 a[i]=0 0 0 a[1] undef 0 a[2] undef undef a[3] undef undef a[4] undef undef
81 States, Transi8ons, Execu8ons States Transi8ons values of local and global variables, program counter, stack, heap state changes pc d b Control i a[0] a[1] 1 0 undef a[i]= Data a[2] undef undef a[3] undef undef a[4] undef undef
82 States, Transi8ons, Execu8ons States Transi8ons Execu8ons values of local and global variables, program counter, stack, heap state changes Sequence of state changes pc a b c d b i a[0] undef undef i=0 undef a[i]=0 0 ++i 0 a[i]=0 0 0 a[1] undef undef undef undef 0 a[2] undef undef undef undef undef a[3] undef undef undef undef undef a[4] undef undef undef undef undef
83 Control and Data in Programs Variables Statements Control flow have values, define state modify values, define transi8ons on data modify program counter, define control transi8ons States Variables Execu8ons Execu8ons Transi8ons Statements Control Flow
84 Architecture of a Sta8c Analyzer The behavior of a program can be approximated by separately approxima8ng variable values, statements and control flow. Variables Laace Execu8ons Sta8c Analyzer Statements Control Flow Transformers System of Equa8ons
85 Laaces in Sta8c Analysis x<=0 x!=0 x>=0 top x<0 x==0 x>0 false Even false Odd bot Signs posi8ve/nega8ve/zero cannot represent non- zero values no rela8onships between variables Parity even or odd cannot represent values no rela8onships between variables Constants a single value cannot represent more values: x==3 x==4 no rela8onships between variables
86 The Interval Laace [INT_MIN, 0] [INT_MIN, - 1] [INT_MIN, INT_MAX] [- 1,1] [- 2,- 1] [- 1,0] [0,1] [1,2] [- 1,- 1] [0,0] [1,1] [] [0,INT_MAX] [1,INT_MAX] a An interval is a pair [a,b] with a <= b min(a,c) a c a There is a par&al order between intervals a max(a,c) c b c b b d max(b,d) d The join is the smallest enclosing interval min(b,d) b d The meet is the largest shared interval
87 Loss of Informa8on in the Interval Laace [INT_MIN, 0] [INT_MIN, INT_MAX] [0,INT_MAX] Intervals are useful for tracking the range of variables. They lose informa8on about concrete values. [INT_MIN, - 1] [- 1,1] [1,INT_MAX] Arbitrary sets {1,5}, {1,3,5} {1,2,4,5} are represented by [1,5] [- 2,- 1] [- 1,0] [0,1] [1,2] [- 1,- 1] [0,0] [1,1] [] Union Rela8ons [1,3] join [6,7] = [1,7] includes values 4 and 5 x=y can only be wri\en as x:[int_min,int_max], y:[int_min,int_max]
88 Laace in a Sta8c Analyzer Laace A laace is a set with a par&al order for comparing elements a least upper bound called join a greatest lower bound called meet Transformers Sta8c Analyzer Propaga8on In sta8c analysis laace elements abstract states order is used to check if results change meet and join are used at branch and join points Most analyses use only meet or only join
89 1 Analysis Frameworks a b c d Laaces Transformers Systems of Equa8ons Solving Equa8ons
90 Sign Analysis Transformers x>=0 x = x + 1; x>0 A transformer (or transfer func&on) describes how a statement modifies laace elements d in f d out x = 0; x = x+1; if (x > 4) x<=0 x!=0 x>=0 x<=0 x!=0 x>=0 x<=0 x!=0 x>=0 x<0 x==0 x>0 x<0 x==0 x>0 x<0 x==0 x>0 false false false
91 Interval Analysis Transformers Statement Transformer Loss of Precision x = x+3 a b a+3 b+3 No loss of precision x=2*x a 2a b mul8ples of 2 in [2a,2b] 2b [3,4] is transformed to [6,8] and includes 7, which is not a mul8ple of 2 if (x<=4) a b INT_MIN 4 a min(b,4)* No loss of precision if (x==y) a x c max(a,c) x y y b d min(b,d)* Cannot express that x and y must have the same value, not just bounds * [a,b] means False when a>b.
Approach starts with GEN and KILL sets
b -Advanced-DFA Review of Data Flow Analysis State Propaga+on Computer Science 5-6 Fall Prof. L. J. Osterweil Material adapted from slides originally prepared by Prof. L. A. Clarke A technique for determining
More informationFounda'ons of So,ware Engineering. Sta$c analysis (1/2) Claire Le Goues
Founda'ons of So,ware Engineering Sta$c analysis (1/2) Claire Le Goues 1 Two fundamental concepts Abstrac'on. Elide details of a specific implementa$on. Capture seman$cally relevant details; ignore the
More informationques4ons? Midterm Projects, etc. Path- Based Sta4c Analysis Sta4c analysis we know Example 11/20/12
Midterm Grades and solu4ons are (and have been) on Moodle The midterm was hard[er than I thought] grades will be scaled I gave everyone a 10 bonus point (already included in your total) max: 98 mean: 71
More informationInstructor: Randy H. Katz hap://inst.eecs.berkeley.edu/~cs61c/fa13. Fall Lecture #7. Warehouse Scale Computer
CS 61C: Great Ideas in Computer Architecture Everything is a Number Instructor: Randy H. Katz hap://inst.eecs.berkeley.edu/~cs61c/fa13 9/19/13 Fall 2013 - - Lecture #7 1 New- School Machine Structures
More informationSta$c Analysis Dataflow Analysis
Sta$c Analysis Dataflow Analysis Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis. Overview Sta>c
More informationCS101: Fundamentals of Computer Programming. Dr. Tejada www-bcf.usc.edu/~stejada Week 1 Basic Elements of C++
CS101: Fundamentals of Computer Programming Dr. Tejada stejada@usc.edu www-bcf.usc.edu/~stejada Week 1 Basic Elements of C++ 10 Stacks of Coins You have 10 stacks with 10 coins each that look and feel
More informationFix- point engine in Z3. Krystof Hoder Nikolaj Bjorner Leonardo de Moura
μz Fix- point engine in Z3 Krystof Hoder Nikolaj Bjorner Leonardo de Moura Mo?va?on Horn EPR applica?ons (Datalog) Points- to analysis Security analysis Deduc?ve data- bases and knowledge bases (Yago)
More informationSta$c Single Assignment (SSA) Form
Sta$c Single Assignment (SSA) Form SSA form Sta$c single assignment form Intermediate representa$on of program in which every use of a variable is reached by exactly one defini$on Most programs do not
More informationProgram Verification (Rosen, Sections 5.5)
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions & Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why study logic?
More informationProofs about Programs
Proofs about Programs Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions & Postconditions Program Verification Assignment Statements Conditional Statements Loops Composition
More informationCondi(onals and Loops
Condi(onals and Loops 1 Review Primi(ve Data Types & Variables int, long float, double boolean char String Mathema(cal operators: + - * / % Comparison: < > = == 2 A Founda(on for Programming any program
More informationCSE 473: Ar+ficial Intelligence
CSE 473: Ar+ficial Intelligence Search Instructor: Luke Ze=lemoyer University of Washington [These slides were adapted from Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188 materials
More informationSQLite with a Fine-Toothed Comb. John Regehr Trust-in-So1 / University of Utah
SQLite with a Fine-Toothed Comb John Regehr Trust-in-So1 / University of Utah Feasible states for a system we care about No execu
More informationCS 188: Ar)ficial Intelligence
CS 188: Ar)ficial Intelligence Search Instructors: Pieter Abbeel & Anca Dragan University of California, Berkeley [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley
More informationCode Genera*on for Control Flow Constructs
Code Genera*on for Control Flow Constructs 1 Roadmap Last *me: Got the basics of MIPS CodeGen for some AST node types This *me: Do the rest of the AST nodes Introduce control flow graphs Scanner Parser
More informationLecture 4: Build Systems, Tar, Character Strings
CIS 330:! / / / / (_) / / / / _/_/ / / / / / \/ / /_/ / `/ \/ / / / _/_// / / / / /_ / /_/ / / / / /> < / /_/ / / / / /_/ / / / /_/ / / / / / \ /_/ /_/_/_/ _ \,_/_/ /_/\,_/ \ /_/ \ //_/ /_/ Lecture 4:
More informationCS 61C: Great Ideas in Computer Architecture Func%ons and Numbers
CS 61C: Great Ideas in Computer Architecture Func%ons and Numbers 9/11/12 Instructor: Krste Asanovic, Randy H. Katz hcp://inst.eecs.berkeley.edu/~cs61c/sp12 Fall 2012 - - Lecture #8 1 New- School Machine
More informationDesign Principles & Prac4ces
Design Principles & Prac4ces Robert France Robert B. France 1 Understanding complexity Accidental versus Essen4al complexity Essen%al complexity: Complexity that is inherent in the problem or the solu4on
More informationWhat is Search For? CS 188: Ar)ficial Intelligence. Constraint Sa)sfac)on Problems Sep 14, 2015
CS 188: Ar)ficial Intelligence Constraint Sa)sfac)on Problems Sep 14, 2015 What is Search For? Assump)ons about the world: a single agent, determinis)c ac)ons, fully observed state, discrete state space
More informationSec$on 2: Specifica)on, ADTs, RI WITH MATERIAL FROM MANY
Sec$on 2: Specifica)on, ADTs, RI WITH MATERIAL FROM MANY Agenda Announcements HW1: due today at 23:59 pm Don t forget to commit/push your changes THIS INCLUDES TAGGING YOUR FINAL VERSION Abstract data
More informationObjec+ves. Review. Basics of Java Syntax Java fundamentals. What are quali+es of good sooware? What is Java? How do you compile a Java program?
Objec+ves Basics of Java Syntax Java fundamentals Ø Primi+ve data types Ø Sta+c typing Ø Arithme+c operators Ø Rela+onal operators 1 Review What are quali+es of good sooware? What is Java? Ø Benefits to
More informationDocumen(ng code, Javadoc, Defensive Programming, Asserts, Excep(ons & Try/Catch
Documen(ng code, Javadoc, Defensive Programming, Asserts, Excep(ons & Try/Catch 1 Most important reason to comment A) To summarize the code B) To explain how the code works C) To mark loca(ons that need
More informationLecture 2. White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2)
Lecture 2 White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2) White- box Tes2ng (aka. Glass- box or structural tes2ng) An error may exist at one (or more) loca2on(s) Line numbers
More informationCompiler Optimization Intermediate Representation
Compiler Optimization Intermediate Representation Virendra Singh Associate Professor Computer Architecture and Dependable Systems Lab Department of Electrical Engineering Indian Institute of Technology
More informationDeformable Part Models
Deformable Part Models References: Felzenszwalb, Girshick, McAllester and Ramanan, Object Detec@on with Discrimina@vely Trained Part Based Models, PAMI 2010 Code available at hkp://www.cs.berkeley.edu/~rbg/latent/
More informationData Flow Analysis. Suman Jana. Adopted From U Penn CIS 570: Modern Programming Language Implementa=on (Autumn 2006)
Data Flow Analysis Suman Jana Adopted From U Penn CIS 570: Modern Programming Language Implementa=on (Autumn 2006) Data flow analysis Derives informa=on about the dynamic behavior of a program by only
More informationProgramming Languages and Techniques (CIS120)
Programming Languages and Techniques (CIS120) Lecture 21 October 21 st, 2015 Transi@on to Java Announcements HW5: GUI & Paint Due Tomorrow, October 22 nd at 11:59pm HW6: Java Programming (Pennstagram)
More information{HEADSHOT} In this lesson, we will look at the process that enables to leverage this source of real- world tes;ng data.
{HEADSHOT} Despite our best efforts, even a9er extensive tes;ng, we as so9ware developers rarely put out bug- free code. In this lesson, we will look at a type of debugging technique used throughout the
More informationMacro Assembler. Defini3on from h6p://www.computeruser.com
The Macro Assembler Macro Assembler Defini3on from h6p://www.computeruser.com A program that translates assembly language instruc3ons into machine code and which the programmer can use to define macro
More informationModules and Representa/on Invariants
Modules and Representa/on Invariants COS 326 David Walker Princeton University slides copyright 2017 David Walker permission granted to reuse these slides for non-commercial educa/onal purposes LAST TIME
More informationReview. Asser%ons. Some Per%nent Ques%ons. Asser%ons. Page 1. Automated Tes%ng. Path- Based Tes%ng. But s%ll need to look at execu%on results
Review Asser%ons Computer Science 521-621 Fall 2011 Prof. L. J. Osterweil Material adapted from slides originally prepared by Prof. L. A. Clarke Dynamic Tes%ng Execute program on real data and compare
More informationLecture 2: Memory in C
CIS 330:! / / / / (_) / / / / _/_/ / / / / / \/ / /_/ / `/ \/ / / / _/_// / / / / /_ / /_/ / / / / /> < / /_/ / / / / /_/ / / / /_/ / / / / / \ /_/ /_/_/_/ _ \,_/_/ /_/\,_/ \ /_/ \ //_/ /_/ Lecture 2:
More informationWriting a Fraction Class
Writing a Fraction Class So far we have worked with floa0ng-point numbers but computers store binary values, so not all real numbers can be represented precisely In applica0ons where the precision of real
More informationCSc 120. Introduc/on to Computer Programming II. 02: Problem Decomposi1on and Program Development. Adapted from slides by Dr.
CSc 120 Introduc/on to Computer Programming II Adapted from slides by Dr. Saumya Debray 02: Problem Decomposi1on and Program Development A common student lament "I have this big programming assignment.
More informationEvalua&ng Secure Programming Knowledge
Evalua&ng Secure Programming Knowledge Ma6 Bishop, UC Davis Jun Dai, Cal State Sacramento Melissa Dark, Purdue University Ida Ngambeki, Purdue University Phillip Nico, Cal Poly San Luis Obispo Minghua
More informationCS 267: Automated Verification. Lecture 18, Part 2: Data Model Analysis for Web Applications. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 18, Part 2: Data Model Analysis for Web Applications Instructor: Tevfik Bultan Web Application Depability 2 Web Application Depability 3 Web Application Depability
More informationLecture 2. White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2)
Lecture 2 White- box Tes2ng and Structural Coverage (see Amman and Offut, Chapter 2) White- box Tes2ng (aka. Glass- box or structural tes2ng) An error may exist at one (or more) loca2on(s) Line numbers
More informationCompila(on /15a Lecture 6. Seman(c Analysis Noam Rinetzky
Compila(on 0368-3133 2014/15a Lecture 6 Seman(c Analysis Noam Rinetzky 1 You are here Source text txt Process text input characters Lexical Analysis tokens Annotated AST Syntax Analysis AST Seman(c Analysis
More informationUsing Classical Planners for Tasks with Con5nuous Ac5ons in Robo5cs
Using Classical Planners for Tasks with Con5nuous Ac5ons in Robo5cs Stuart Russell Joint work with Siddharth Srivastava, Lorenzo Riano, Pieter Abbeel Using Classical Planners for Tasks with Con5nuous Ac5ons
More informationSpa$al Analysis and Modeling (GIST 4302/5302) Guofeng Cao Department of Geosciences Texas Tech University
Spa$al Analysis and Modeling (GIST 4302/5302) Guofeng Cao Department of Geosciences Texas Tech University Class Outlines Spatial Point Pattern Regional Data (Areal Data) Continuous Spatial Data (Geostatistical
More informationBBM 101 Introduc/on to Programming I Fall 2014, Lecture 5. Aykut Erdem, Erkut Erdem, Fuat Akal
BBM 101 Introduc/on to Programming I Fall 2014, Lecture 5 Aykut Erdem, Erkut Erdem, Fuat Akal 1 Today Itera/on Control Loop Statements for, while, do- while structures break and con/nue Some simple numerical
More informationCSSE232 Computer Architecture I. Datapath
CSSE232 Computer Architecture I Datapath Class Status Reading Sec;ons 4.1-3 Project Project group milestone assigned Indicate who you want to work with Indicate who you don t want to work with Due next
More informationSign & Magnitude vs 2 s Complement ( Signed Integer Representa:ons)
Sign & Magnitude vs 2 s Complement ( Signed Integer Representa:ons) Overview Unsigned Integers Representa:on (review) binary Signed Integers Representa:on sign & magnitude (S&M) 2 s complement (2 sc) arithme:c
More informationCSE Compilers. Reminders/ Announcements. Lecture 15: Seman9c Analysis, Part III Michael Ringenburg Winter 2013
CSE 401 - Compilers Lecture 15: Seman9c Analysis, Part III Michael Ringenburg Winter 2013 Winter 2013 UW CSE 401 (Michael Ringenburg) Reminders/ Announcements Project Part 2 due Wednesday Midterm Friday
More informationECS 165B: Database System Implementa6on Lecture 14
ECS 165B: Database System Implementa6on Lecture 14 UC Davis April 28, 2010 Acknowledgements: por6ons based on slides by Raghu Ramakrishnan and Johannes Gehrke, as well as slides by Zack Ives. Class Agenda
More informationAutoma'c Test Genera'on
Automa'c Test Genera'on First, about Purify Paper about Purify (and PurifyPlus) posted How do you monitor reads and writes: insert statements before and a?er reads, writes in code can s'll be done with
More informationRaceMob: Crowdsourced Data Race Detec,on
RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an Zamfir, and George Candea School of Computer & Communica3on Sciences Data Races to shared memory loca,on By mul3ple threads At least one
More informationCS: Formal Methods in Software Engineering
CS:5810 Formal Methods in So7ware Engineering Sets and Rela
More informationDocument Databases: MongoDB
NDBI040: Big Data Management and NoSQL Databases hp://www.ksi.mff.cuni.cz/~svoboda/courses/171-ndbi040/ Lecture 9 Document Databases: MongoDB Marn Svoboda svoboda@ksi.mff.cuni.cz 28. 11. 2017 Charles University
More informationObjec0ves. Gain understanding of what IDA Pro is and what it can do. Expose students to the tool GUI
Intro to IDA Pro 31/15 Objec0ves Gain understanding of what IDA Pro is and what it can do Expose students to the tool GUI Discuss some of the important func
More informationLING 581: Advanced Computa7onal Linguis7cs. Lecture Notes April 16th
LING 581: Advanced Computa7onal Linguis7cs Lecture Notes April 16th Administrivia Factoid Ques-on Answering homework did you submit your simula.on? Seman7cs New topic! We want computers to be able to understand
More informationCOSC 111: Computer Programming I. Dr. Bowen Hui University of Bri>sh Columbia Okanagan
COSC 111: Computer Programming I Dr. Bowen Hui University of Bri>sh Columbia Okanagan 1 First half of course SoEware examples From English to Java Template for building small programs Exposure to Java
More informationRoadmap. The Interface CSE351 Winter Frac3onal Binary Numbers. Today s Topics. Floa3ng- Point Numbers. What is ?
The Hardware/So@ware Interface CSE351 Winter 013 Floa3ng- Point Numbers Roadmap C: car *c = malloc(sizeof(car)); c->miles = 100; c->gals = 17; float mpg = get_mpg(c); free(c); Assembly language: Machine
More informationA System for Genera/ng Sta/c Analyzers for Machine Instruc/ons (TSL)
Seminar on A System for Genera/ng Sta/c Analyzers for Machine Instruc/ons (TSL) Junghee Lim, Univ. of Wisconsin Madison, USA and Thomas Reps, GrammaTech, USA Presenter : Anand Ramkumar S Universitat des
More informationBits, Bytes, and Integers
Bits, Bytes, and Integers B&O Readings: 2.1-2.3 CSE 361: Introduc=on to Systems So@ware Instructor: I- Ting Angelina Le e Note: these slides were originally created by Markus Püschel at Carnegie Mellon
More informationAgenda. Address vs. Value Consider memory to be a single huge array. Review. Pointer Syntax. Pointers 9/9/12
Agenda CS 61C: Great Ideas in Computer Architecture Introduc;on to C, Part II Instructors: Krste Asanovic Randy H. Katz hep://inst.eecs.berkeley.edu/~cs61c/f12 Review Pointers Administrivia Arrays Technology
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationArray Basics: Outline
Array Basics: Outline More Arrays (Savitch, Chapter 7) TOPICS Array Basics Arrays in Classes and Methods Programming with Arrays Searching and Sorting Arrays Multi-Dimensional Arrays Static Variables and
More informationGENG2140 Lecture 4: Introduc4on to Excel spreadsheets. A/Prof Bruce Gardiner School of Computer Science and SoDware Engineering 2012
GENG2140 Lecture 4: Introduc4on to Excel spreadsheets A/Prof Bruce Gardiner School of Computer Science and SoDware Engineering 2012 Credits: Nick Spadaccini, Chris Thorne Introduc4on to spreadsheets Used
More informationTowards Provably Secure and Correct Systems. Avik Chaudhuri
Towards Provably Secure and Correct Systems Avik Chaudhuri Systems we rely on Opera
More informationBenjamin Holland, Ganesh Ram Santhanam, Payas Awadhutkar, and Suresh Kothari {bholland, gsanthan, payas,
Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities 16th IEEE Interna,onal Working Conference on Source Code Analysis and Manipula,on (SCAM 2016) October 2, 2016
More information2/18/14. Uses for Discrete Math in Computer Science. What is discrete? Why Study Discrete Math? Sets and Functions (Rosen, Sections 2.1,2.2, 2.
Why Study Discrete Math? Sets and Functions (Rosen, Sections 2.1,2.2, 2.3) TOPICS Discrete math Set Definition Set Operations Tuples Digital computers are based on discrete units of data (bits). Therefore,
More informationMACRO NOTES DOCUMENTATION
MACRO NOTES DOCUMENTATION 1 The NIH Image manual, appendix A provides a descrip;on of the macro language and menu by menu explana;on of the commands 2 Reference card - this comes as a macro/text file with
More informationCon$nuous Integra$on Development Environment. Kovács Gábor
Con$nuous Integra$on Development Environment Kovács Gábor kovacsg@tmit.bme.hu Before we start anything Select a language Set up conven$ons Select development tools Set up development environment Set up
More informationIntroduc)on to Computer Networks
Introduc)on to Computer Networks COSC 4377 Lecture 7 Spring 2012 February 8, 2012 Announcements HW3 due today Start working on HW4 HW5 posted In- class student presenta)ons No TA office hours this week
More informationDecision making for autonomous naviga2on. Anoop Aroor Advisor: Susan Epstein CUNY Graduate Center, Computer science
Decision making for autonomous naviga2on Anoop Aroor Advisor: Susan Epstein CUNY Graduate Center, Computer science Overview Naviga2on and Mobile robots Decision- making techniques for naviga2on Building
More informationLISP: LISt Processing
Introduc)on to Racket, a dialect of LISP: Expressions and Declara)ons LISP: designed by John McCarthy, 1958 published 1960 CS251 Programming Languages Spring 2017, Lyn Turbak Department of Computer Science
More informationLecture 1 Introduc-on
Lecture 1 Introduc-on What would you get out of this course? Structure of a Compiler Op9miza9on Example 15-745: Introduc9on 1 What Do Compilers Do? 1. Translate one language into another e.g., convert
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More informationUNIT V: CENTRAL PROCESSING UNIT
UNIT V: CENTRAL PROCESSING UNIT Agenda Basic Instruc1on Cycle & Sets Addressing Instruc1on Format Processor Organiza1on Register Organiza1on Pipeline Processors Instruc1on Pipelining Co-Processors RISC
More informationRV: A Run'me Verifica'on Framework for Monitoring, Predic'on and Mining
RV: A Run'me Verifica'on Framework for Monitoring, Predic'on and Mining Patrick Meredith Grigore Rosu University of Illinois at Urbana Champaign (UIUC) Run'me Verifica'on, Inc. (joint work with Dongyun
More informationVisualizing Logical Dependencies in SWRL Rule Bases
Visualizing Logical Dependencies in SWRL Rule Bases Saeed Hassanpour, Mar:n J. O Connor and Amar K. Das Stanford Center for Biomedical Informa:cs Research MSOB X215, 251 Campus Drive, Stanford, California,
More informationLast Time. integer/float/string. import math math.sqrt() math.pi. Python Programming, 2/e 2
1 Last Time integer/float/string import math math.sqrt() math.pi Python Programming, 2/e 2 Extra Ques:on from Lab 2 Using loops and two print statements, have Python print out the following: * * * * *
More informationJUnit tes)ng. Elisa Turrini
JUnit tes)ng Elisa Turrini Automated Tes)ng Code that isn t tested doesn t work Code that isn t regression tested suffers from code rot (breaks eventually) If it is not automated it is not done! Boring
More informationComputer Networks. Shyam Gollakota
Computer Networks Shyam Gollakota Topic Some bits will be received in error due to noise. What can we do? Detect errors with codes» Correct errors with codes» Retransmit lost frames Later Reliability is
More informationFunc%ons (Math) Func%on Defini%ons. Func%ons (Computer Sciences) Func%on = mappings or transforma%ons Math examples:
Func%ons (Math) Functions and Sequences (Rosen, Chapter.-.) TOPICS Functions Cartesian Products Sequences Geometric Progressions Func%on = mappings or transforma%ons Math examples: f(x) = x f(x) = x +
More informationCS161 Midterm 1 Review
CS161 Midterm 1 Review Midterm 1: March 4, 18:3020:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about
More informationWays to implement a language
Interpreters Implemen+ng PLs Most of the course is learning fundamental concepts for using PLs Syntax vs. seman+cs vs. idioms Powerful constructs like closures, first- class objects, iterators (streams),
More informationComputer Systems: A Programmer s Perspec4ve. Have a tour of computer system at first... Chapter 1
Computer Systems: A Programmer s Perspec4ve Have a tour of computer system at first... Chapter 1 1 Computer System Runs the sojware and manages the hardware RISC vs CISC ADDRESS BUS DATA BUS SOFTWARE HARDWARE
More informationOutline. Review: Assembly/Machine Code View. Processor State (x86-64, Par2al) Condi2on Codes (Explicit Se^ng: Compare) Condi2on Codes (Implicit Se^ng)
Outline Machine- Level Representa2on: Control CSCI 2021: Machine Architecture and Organiza2on Pen- Chung Yew Department Computer Science and Engineering University of Minnesota Control: Condi2on codes
More informationAdvanced branch predic.on algorithms. Ryan Gabrys Ilya Kolykhmatov
Advanced branch predic.on algorithms Ryan Gabrys Ilya Kolykhmatov Context Branches are frequent: 15-25 % A branch predictor allows the processor to specula.vely fetch and execute instruc.ons down the predicted
More informationCS 521/621 Course Overview: Sta5c and Dynamic Analyses
CS 521/621 Course Overview: Sta5c and Dynamic Analyses Last 5me What did we talk about? Why is it important to study soeware engineering? Just like cars US automobile industry used to be very complacent
More informationCompila(on (Semester A, 2013/14)
Compila(on 0368-3133 (Semester A, 2013/14) Lecture 4: Syntax Analysis (Top- Down Parsing) Modern Compiler Design: Chapter 2.2 Noam Rinetzky Slides credit: Roman Manevich, Mooly Sagiv, Jeff Ullman, Eran
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationIntroduc)on to C++ CS 16: Solving Problems with Computers I Lecture #2
Introduc)on to C++ CS 16: Solving Problems with Computers I Lecture #2 Ziad Matni Dept. of Computer Science, UCSB A Word About Registra>on for CS16 FOR THOSE OF YOU NOT YET REGISTERED: There s a LONG waitlist
More informationEDAN65: Compilers, Lecture 13 Run;me systems for object- oriented languages. Görel Hedin Revised:
EDAN65: Compilers, Lecture 13 Run;me systems for object- oriented languages Görel Hedin Revised: 2014-10- 13 This lecture Regular expressions Context- free grammar ATribute grammar Lexical analyzer (scanner)
More informationPending Issues. Opera,ng Systems and Networks. Network Lecture 3: Link Layer (1) Where we are in the Course. Scope of the Link Layer
Opera,ng Systems and Networks Network Lecture 3: Link Layer (1) Adrian Perrig Network Security Group ETH Zürich Pending Issues Earlier pos,ng of lecture slides Answering student ques,ons Project 1 is out
More information(Func&onal (Programming (in (Scheme)))) Jianguo Lu
(Func&onal (Programming (in (Scheme)))) Jianguo Lu 1 Programming paradigms Func&onal No assignment statement No side effect Use recursion Logic OOP AOP 2 What is func&onal programming It is NOT what you
More informationHow a computer runs a program. Binary Representa8on and Opera8ons on Binary Data. Opera8ng System 9/17/13. You can view binary file contents
Consider the following type defini8on and variable declara8ons: struct persont { struct persont p1; char name[32]; int age; struct persont people[40] float heart_rate; }; (1) What type is each of the following
More informationBBM 101 Introduc/on to Programming I Fall 2014, Lecture 3. Aykut Erdem, Erkut Erdem, Fuat Akal
BBM 101 Introduc/on to Programming I Fall 2014, Lecture 3 Aykut Erdem, Erkut Erdem, Fuat Akal 1 Today Introduc/on to Programming Basic Concepts Developing Algorithms Crea
More informationArray Basics: Outline
Array Basics: Outline More Arrays (Savitch, Chapter 7) TOPICS Array Basics Arrays in Classes and Methods Programming with Arrays Searching and Sorting Arrays Multi-Dimensional Arrays Static Variables and
More informationAutoma'c, Efficient, and General Repair of So8ware Defects using Lightweight Program Analyses
Automa'c, Efficient, and General Repair of So8ware Defects using Lightweight Program Analyses Disserta'on Proposal Claire Le Goues September 22, 2010 So8ware Errors Are Expensive Everyday, almost 300 bugs
More informationPrinciples of Programming Languages
Principles of Programming Languages h"p://www.di.unipi.it/~andrea/dida2ca/plp- 14/ Prof. Andrea Corradini Department of Computer Science, Pisa Lesson 11! Syntax- Directed Transla>on The Structure of the
More informationLab 8: Firewalls & Intrusion Detec6on Systems
Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC Course: Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces
More informationSQL- Updates, Asser0ons and Views
SQL- Updates, Asser0ons and Views Data Defini0on, Constraints, and Schema Changes Used to CREATE, DROP, and ALTER the descrip0ons of the tables (rela0ons) of a database CREATE TABLE In SQL2, can use the
More informationProcessor Architecture
ECPE 170 Jeff Shafer University of the Pacific Processor Architecture 2 Lab Schedule Ac=vi=es Assignments Due Today Wednesday Apr 24 th Processor Architecture Lab 12 due by 11:59pm Wednesday Network Programming
More informationIden%fying Defunct DAGs in RPL dra7- goyal- roll- defunct- dags- 00. Mukul Goyal University of Wisconsin Milwaukee
Iden%fying Defunct DAGs in RPL dra7- goyal- roll- defunct- dags- 00 Mukul Goyal University of Wisconsin Milwaukee Main Idea Need a mechanism that allows a node to iden;fy defunct DAGs and delete the state
More informationComputer Programming-I. Developed by: Strawberry
Computer Programming-I Objec=ve of CP-I The course will enable the students to understand the basic concepts of structured programming. What is programming? Wri=ng a set of instruc=ons that computer use
More informationUnderstanding Opera.onal Rou.ng (part II) Geoffrey Xie Naval Postgraduate School
Understanding Opera.onal Rou.ng (part II) Geoffrey Xie Naval Postgraduate School July 6, 2011 Route Aggrega.on Child Route Unallocated Child Prefix: e.g., 10.1.33.0/24 19.1.1.2 Aggregate Route 10.1.1.0/24
More informationLecture 10: Potpourri: Enum / struct / union Advanced Unix #include function pointers
....... \ \ \ / / / / \ \ \ \ / \ / \ \ \ V /,----' / ^ \ \.--..--. / ^ \ `--- ----` / ^ \. ` > < / /_\ \. ` / /_\ \ / /_\ \ `--' \ /. \ `----. / \ \ '--' '--' / \ / \ \ / \ / / \ \ (_ ) \ (_ ) / / \ \
More information