Verification and Validation

Size: px

Start display at page:

Download "Verification and Validation"

Jemima Fields
5 years ago
Views:

2014-2015 Verification and Validation Part I : Extended Static

1 Verification and Validation Part I : Extended Static Analysis Burkhart Wolff Département Informatique Université Paris-Sud / Orsay

2 Static Analysis! We have seen test methods, and proof methods. What else?! Broader term: Static Analysis all techniques that can be done before running and deploying a program; Test generation and symbolic execution methods were classic static checking 19/11/14 B. Wolff - GLA - Static Analysis I 2

3 Static Analysis! Static Analysis : What else? " type checking; simple type; HO-types as in ML; OCaml; Scala (and now even in SWIFT and Java!). Effect types, dependent types, " compiler goodies: Variable initialization; Data-Flow Anomaly -criteria (Whitebox II, 20); Dead Code, Style Patterns... 19/11/14 B. Wolff - GLA - Static Analysis I 3

4 Static Analysis! Static Analysis : What else? " the classic compiler goodies: Lint, Checkstyle -> C FindBugs, PMD -> Java CppCheck -> C++ Splint -> C FxCop, StyleCop -> C# Type Checking; DF-Anomalies; MISRA-C Style Rules checking; dead code, duplicated code, Bad Smells 19/11/14 B. Wolff - GLA - Static Analysis I 4

5 Static Analysis! Static Analysis : What else? " modern targets for compiler-goodies Buffer-Overflow Attacks (SAGE) Memory Leaks (memcheck by Valgrind) Race Conditions (non-synced concurrent access to a resource; SLAM) Dead-locks (SLAM, SDV, FDR) Termination checker... Strong time-bounds (Absynt) 19/11/14 B. Wolff - GLA - Static Analysis I 5

6 Static Analysis : A first Summary! Lots of Methods with the same Goal: More automation, better prediction of real errors (i.e. less false-positives) better explanation of real errors (very difficult) less constraints on the supported language subset ( real C, real Java) trend to dirty languages such as JavaScript 19/11/14 B. Wolff - GLA - Static Analysis I 6

7 Static Analysis : A first Summary! Modern Static Analysis Methods are typically a combination of the following techniques " Data-Flow, Control-flow, Patterns, ( Classics ) " Symbolic Execution ( forward analysis ) " Deductive Verification (wp like, backw. ana. ) " Model-Checking " Abstract Interpretation " Predicate Abstraction, " Interpolant Construction 19/11/14 B. Wolff - GLA - Static Analysis I 7

8 Static Analysis : A first Summary! Modern Static Analysis Methods are typically a combination of the following techniques " Data-Flow, Control-flow, Patterns, ( Classics ) " Symbolic Execution ( forward analysis ) " Deductive Verification (wp like, backw. ana. ) " Model-Checking " Abstract Interpretation " Predicate Abstraction, " Interpolant Construction 19/11/14 B. Wolff - GLA - Static Analysis I 8

9 Static Analysis : A first Summary! Modern Static Analysis Methods are typically a combination of the following techniques " Data-Flow, Control-flow, Patterns, ( Classics ) " Symbolic Execution ( forward analysis ) " Deductive Verification (wp like, backw. ana. ) " Model-Checking } " Abstract Interpretation Strong Point: Has some form of " Predicate Abstraction, Invariant Generation " Interpolant Construction 19/11/14 B. Wolff - GLA - Static Analysis I 9

10 An Example for an Extended Static Checking Method: SAL Annotations! SAL1.0 introduced by Microsoft in VisualStudio 2005, SAL2.0 introduced in VisualStudio 2012 (so: you can buy it!) heavily used in Windows 8 development, particular versions were applied (and are mandatory) for Driver Code ( SAL is a pre-post-invariant C annotation language restricted to the management of ressources, so " valid memory, " In, Out, non-null-ness of parameters, " parameter ranges, and " locks and locking behavior. 19/11/14 B. Wolff - GLA - Static Analysis I 10

11 An Example for an extended Static Checking Method: SAL Annotations! SAL is a pre-post-invariant C annotation language. Technically: " Syntax: A collection of C-preprocessor macros -> ignored for the standard production code generation; annotated code is compiled with THE production code compiler -> but used in the analyzer run during the nightly-build -> analyzer is scalable in peckyness : options allow to control the depth of checking, in order to avoid avalanches of (false positive) warnings which might be unacceptable by developers 19/11/14 B. Wolff - GLA - Static Analysis I 11

12 An Example for an extended Static Checking Method: SAL Annotations! Example: void *memcpy(_out_writes_bytes_all_(s) char *p1, _In_reads_bytes_(s) char *p2, _In_ int s); void *wordcpy(_out_writes_all_(s) DWORD *p1, _In_reads_(s) DWORD *p2, _In_ int s); 19/11/14 B. Wolff - GLA - Static Analysis I 12

13 An Example for an extended Static Checking Method: SAL Annotations! Example: void *memcpy(_out_writes_bytes_all_(s) char *p1, _In_reads_bytes_(s) char *p2, _In_ int s); void *wordcpy(_out_writes_all_(s) DWORD *p1, _In_reads_(s) DWORD *p2, _In_ int s); 19/11/14 B. Wolff - GLA - Static Analysis I 13

14 An Example for an extended Static Checking Method: SAL Annotations! Example: void *memcpy(_out_writes_bytes_all_(s) char *p1, _In_reads_bytes_(s) char *p2, _In_ int s); pre: valid memory with read access until s void *wordcpy(_out_writes_all_(s) DWORD *p1, _In_reads_(s) DWORD *p2, _In_ int s); pre: valid memory with write access until s post-condition implicit: no change of memory except for out parameters... 19/11/14 B. Wolff - GLA - Static Analysis I 14

15 An Example for an extended Static Checking Method: SAL Annotations! Example: // Incorrect void Func1(_In_ int *p1) { if (p1 == NULL) return; } *p1 = 1; // Correct void Func2(_Inout_ PCHAR p1) { if (p1 == NULL) return; } *p1 = 1; 19/11/14 B. Wolff - GLA - Static Analysis I 15

16 An Example for an extended Static Checking Method: SAL Annotations! Example: // Incorrect void Func1(_In_ int *p1) { if (p1 == NULL) return; pre: only read, typing liberal, but legal C } *p1 = 1; // Correct void Func2(_Inout_ PCHAR p1) { if (p1 == NULL) return; pre: read and write typing more strict } *p1 = 1; 19/11/14 B. Wolff - GLA - Static Analysis I 16

17 An Example for an extended Static Checking Method: SAL Annotations! Example: // Incorrect void Func1(_Out_opt_ int *p1) { *p = 1; } pre: only write, maybe NULL // Correct void Func2(_Out_ int *p1) { *p = 1; } pre: only write not NULL 19/11/14 B. Wolff - GLA - Static Analysis I 17

18 An Example for an extended Static Checking Method: SAL Annotations! Example: // Incorrect _When_(return == 0, _Requires_lock_held_(p->cs)) int Func1(_In_ MyData *p, int flag);... a post... pre: requires that lock acquired // Correct _When_(flag == 0, _Requires_lock_held_(p->cs)) int Func2(_In_ MyData *p, int flag);... a post... pre: requires that lock acquired 19/11/14 B. Wolff - GLA - Static Analysis I 18

19 An Example for an extended Static Checking Method: SAL Annotations " Due to heavy machinery (heuristics, patterns, abstract interpretation...) the annotation of loops with invariants is not necessary by the user for the SAL language. The programmer has just to provide contracts. Since 2006, Microsoft annotates the entire Windows and Word code-base with SAL. 19/11/14 B. Wolff - GLA - Static Analysis I 19

20 Dijkstra's Calculus: Summary Verification by Formal Proof "... even if direct use of deductive verification (Hoare, Dijkstra's wp) is difficult and requires specialists, the technique is nowadays used under the hood in many static extended static analysis methods. " extended static analysis: even lack of precision may be acceptable if the method scales... 19/11/14 B. Wolff - GLA - Static Analysis I 20

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E Secure Programming An introduction to Splint Christian D. Jensen René Rydhof Hansen Informatics and Mathematical Modelling Technical University of Denmark E05-02230 CDJ/RRH (IMM/DTU) Secure Programming