Verifying the Safety of Security-Critical Applications
|
|
- Cory Tate
- 5 years ago
- Views:
Transcription
1 Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31
2 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig 2 of 31
3 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig 2 of 31
4 My Research We want to give guarantees about program behavior, for all possible executions and without running the program. Thomas Dillig 3 of 31
5 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Thomas Dillig 4 of 31
6 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Cannot exactly characterize the set of states a program P may be in Thomas Dillig 4 of 31
7 Undecidability and Abstraction Recall that deciding any non-trivial property about an arbitrary program is undecidable Cannot exactly characterize the set of states a program P may be in Solution: Overapproximate program behavior Thomas Dillig 4 of 31
8 Undecidability and Abstraction Error states outside overapproximation Program verified Thomas Dillig 5 of 31
9 Undecidability and Abstraction Error states outside overapproximation Program verified Error states inside overapproximation, but outside P false alarm Thomas Dillig 5 of 31
10 Undecidability and Abstraction Error states outside overapproximation Program verified Error states inside overapproximation, but outside P false alarm Goal: Construct an abstraction precise enough to prove properties about realistic programs Thomas Dillig 5 of 31
11 Our Goal in This Talk Multiple orthogonal issues in constructing precise abstractions Thomas Dillig 6 of 31
12 Our Goal in This Talk Multiple orthogonal issues in constructing precise abstractions This talk: Construct a precise and efficient abstraction that allows automatically proving properties about container-manipulating programs Thomas Dillig 6 of 31
13 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Thomas Dillig 7 of 31
14 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Thomas Dillig 7 of 31
15 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Widely used; provided by common programming languages Thomas Dillig 7 of 31
16 Containers Containers General-purpose data structures for inserting, retrieving, removing, and iterating over elements Examples: Array, vector, list, map, set, stack, queue,... Widely used; provided by common programming languages Precise static reasoning about containers crucial for successful verification Thomas Dillig 7 of 31
17 Example Modeled after method responsedatacalllist in the telephony module in the Android phone code base void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31
18 Example We want to prove that this program will not crash due to an assertion failure in any execution void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31
19 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31
20 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31
21 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31
22 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); data Thomas Dillig 8 of 31
23 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31
24 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31
25 Example packets data void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 8 of 31
26 Example Such assertions are very difficult to prove automatically void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31
27 Example Such assertions are very difficult to prove automatically Difficulties: void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31
28 Example Such assertions are very difficult to prove automatically Difficulties: Number of elements in data unknown void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31
29 Example Such assertions are very difficult to prove automatically Difficulties: Number of elements in data unknown Unknown number of dynamically allocated objects void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 9 of 31
30 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations data Thomas Dillig 10 of 31
31 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations data Thomas Dillig 10 of 31
32 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Thomas Dillig 10 of 31
33 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Edge from node A to B Any concrete location in A may point to any concrete location in B Thomas Dillig 10 of 31
34 The Standard Memory Abstraction packets Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations data Edge from node A to B Any concrete location in A may point to any concrete location in B a full cross-product Thomas Dillig 10 of 31
35 The Standard Memory Abstraction packets data Standard abstraction: Represent statically unknown number of memory locations using summary locations Summary location represents multiple run-time locations Edge from node A to B Any concrete location in A may point to any concrete location in B a full cross-product assert(packets.front()->val == last)% Thomas Dillig 10 of 31
36 The Challenge No existing technique can prove such assertions automatically Thomas Dillig 11 of 31
37 The Challenge No existing technique can prove such assertions automatically But real programs heavily use containers... Thomas Dillig 11 of 31
38 Our Contribution Heap Analysis Container Reasoning First analysis that is precise enough to automatically prove such properties about containerand heap-manipulating programs in a scalable way Thomas Dillig 12 of 31
39 Our Approach Overarching idea: Symbolic heap abstraction that combines logical formulae with a graph representation to describe contents of containers Thomas Dillig 13 of 31
40 Indexed Locations Key Idea 1: Represent containers with indexed locations Thomas Dillig 14 of 31
41 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Thomas Dillig 14 of 31
42 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31
43 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31
44 Indexed Locations Key Idea 1: Represent containers with indexed locations list<packet*> data represented using a single abstract location qualified by index variable Index variable ranges over possible indices of list Thomas Dillig 14 of 31
45 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 15 of 31
46 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop Thomas Dillig 15 of 31
47 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop α i2 represents all allocations Thomas Dillig 15 of 31
48 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Statically unknown number of allocations in the loop α i2 represents all allocations For instance, α 0 represents allocation in the first iteration Thomas Dillig 15 of 31
49 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Thomas Dillig 16 of 31
50 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Thomas Dillig 16 of 31
51 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Thomas Dillig 16 of 31
52 Edge Constraints Key Idea 2: Points-to edges are qualified by constraints on index variables. Consider pointer relations between containers a and b. Constraints on points-to edges allow richer relations than cross-product Thomas Dillig 16 of 31
53 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31
54 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31
55 Example void send_data(vector<data*> & data) { list<packet*> packets; } for(int j=0; j < data.size(); j++) { Packet* cur = new Packet(); cur->val = data[j]; packets.push_front(cur); } Data* last = data[data.size()-1]; assert(packets.front()->val == last); Thomas Dillig 17 of 31
56 We saw how to represent points-to relations in our symbolic heap representation Thomas Dillig 18 of 31
57 We saw how to represent points-to relations in our symbolic heap representation How do we use the information encoded in this abstraction, e.g., to prove the assertion assert(packets.front()->val == last)? Thomas Dillig 18 of 31
58 Load Example Consider packets.front()->val Thomas Dillig 19 of 31
59 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 Thomas Dillig 19 of 31
60 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? Thomas Dillig 19 of 31
61 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) i i 1 < size(data) Thomas Dillig 19 of 31
62 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 1.i 1 = 0 i 2 = size(data) i i 1 < size(data) Thomas Dillig 19 of 31
63 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) 1 Thomas Dillig 19 of 31
64 Load Example Consider packets.front()->val Determine where front of packets points to i 1 = 0 What is the value of i 2? i 2 = size(data) 1 Can now prove assertion packets.front()->val == last Thomas Dillig 19 of 31
65 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Thomas Dillig 20 of 31
66 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: Thomas Dillig 20 of 31
67 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination Thomas Dillig 20 of 31
68 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination 2 analyze updates precisely and uniformly: negation, conjunction Thomas Dillig 20 of 31
69 Advantages of Symbolic Heap Indexed locations + constraints on index variables = Precise per-element container reasoning Employ machinery from standard logic to: 1 traverse heap references: satisfiability, existential quantifier elimination 2 analyze updates precisely and uniformly: negation, conjunction Reduce container reasoning to integer constraints and standard logic operations Thomas Dillig 20 of 31
70 Implementation Implemented heap/container analysis in our Compass program analysis framework for C and C++ programs Thomas Dillig 21 of 31
71 Implementation Implemented heap/container analysis in our Compass program analysis framework for C and C++ programs Analysis requires solving constraints in combined theory of linear integer inequalities and uninterpreted functions used our Mistral SMT solver Thomas Dillig 21 of 31
72 Experiments Analyzed real open-source C and C++ applications using containers Thomas Dillig 22 of 31
73 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC Thomas Dillig 22 of 31
74 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Thomas Dillig 22 of 31
75 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC Thomas Dillig 22 of 31
76 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC DigiKam, 128,318 LOC Thomas Dillig 22 of 31
77 Experiments Analyzed real open-source C and C++ applications using containers LiteSQL, 16,030 LOC OpenSSH, 26,615 LOC Inkscape Widget Library, 37,211 LOC DigiKam, 128,318 LOC Annotated containers provided by the STL and QT libraries Thomas Dillig 22 of 31
78 Application: Memory Safety Ran our verification tool to find all segmentation faults or run-time exceptions caused by: buffer overruns and underruns null dereference errors accessing deleted memory Also checked memory leaks Thomas Dillig 23 of 31
79 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Thomas Dillig 24 of 31
80 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Existing tools that analyze programs of this size use this abstraction Thomas Dillig 24 of 31
81 First Experiment First Experiment: Represent containers as bags of values using the standard abstraction Existing tools that analyze programs of this size use this abstraction Cannot track index-to-value correlations, modification to one container element contaminates all others Thomas Dillig 24 of 31
82 Containers as Bags False alarms for standard abstraction Bugs found LiteSQL OpenSSH Inkscape DigiKam Thomas Dillig 25 of 31
83 Containers as Bags False alarms for standard abstraction Bugs found LiteSQL OpenSSH Inkscape DigiKam Conclusion Treating containers as bags leads to unacceptable number of false alarms. Thomas Dillig 25 of 31
84 Second Experiment Second Experiment: Used the techniques described in this talk: indexed locations, symbolic points-to relations Thomas Dillig 26 of 31
85 Second Experiment Second Experiment: Used the techniques described in this talk: indexed locations, symbolic points-to relations Able to track key-value correlations; precise reasoning about heap objects stored in containers Thomas Dillig 26 of 31
86 Containers Modeled as Indexed Locations False alarms for standard abstraction Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Thomas Dillig 27 of 31
87 Containers Modeled as Indexed Locations False alarms for standard abstraction Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Huge reduction in number of false alarms Thomas Dillig 27 of 31
88 Containers Modeled as Indexed Locations Bugs found False alarms for our abstraction LiteSQL OpenSSH Inkscape DigiKam Analysis reports very few false positives Thomas Dillig 28 of 31
89 Containers Modeled as Indexed Locations Bugs found False alarms for our abstraction m 2.3m 2.3m 8.7m 0 LiteSQL OpenSSH Inkscape DigiKam Cost of the analysis is tractable Thomas Dillig 29 of 31
90 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers Thomas Dillig 30 of 31
91 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers First technique to verify real programs of this size with very few false alarms Thomas Dillig 30 of 31
92 Summary Sound, precise, and automatic technique for verifying real programs that make use of heap allocations and containers First technique to verify real programs of this size with very few false alarms Substantial improvement over the state-of-the art substantially extends class of programs that can be automatically verified Thomas Dillig 30 of 31
93 Related Work Reps, T.W., Sagiv, S., Wilhelm, R.: Static Program Analysis via 3-Valued Logic. In: CAV (2004) Lam, P., Kuncak, V., Rinard, M.: Hob: A tool for verifying data structure consistency. In: Compiler Construction. (2005) Deutsch, A.: Interprocedural may-alias analysis for pointers: Beyond k-limiting. In: PLDI (1994) Yang, H., Lee, O., Berdine, J., Calcagno, C., Cook, B., Distefano, D.. O Hearn, P.: Scalable shape analysis for systems code. In: CAV (2008) Marron, M., Stefanovic, D., Hermenegildo, M., Kapur, D.: Heap Analysis in the Presence of Collection Libraries. In: PASTE. (2007) Thomas Dillig 31 of 31
Symbolic Heap Abstraction with Demand- Driven Axiomatization of Memory Invariants
Symbolic Heap Abstraction with Demand- Driven Axiomatization of Memory Invariants Isil Dillig Department of Computer Science Stanford University isil@cs.stanford.edu Thomas Dillig Department of Computer
More informationSimplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University
Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationScalable Program Analysis Using Boolean Satisfiability: The Saturn Project
Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project Alex Aiken Stanford University Saturn 1 The Idea Verify properties of large systems! Doesn t {SLAM, BLAST, CQual, ESP} already
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationLecture 27. Pros and Cons of Pointers. Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis
Pros and Cons of Pointers Lecture 27 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationLecture 20 Pointer Analysis
Lecture 20 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis (Slide content courtesy of Greg Steffan, U. of Toronto) 15-745:
More informationLecture 16 Pointer Analysis
Pros and Cons of Pointers Lecture 16 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationLecture 14 Pointer Analysis
Lecture 14 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis [ALSU 12.4, 12.6-12.7] Phillip B. Gibbons 15-745: Pointer Analysis
More informationFluid Updates: Beyond Strong vs. Weak Updates
Fluid Updates: Beyond Strong vs. Weak Updates Isil Dillig Thomas Dillig Alex Aiken {isil, tdillig, aiken}@cs.stanford.edu Department of Computer Science, Stanford University Abstract. We describe a symbolic
More informationSmall Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis
Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis Isil Dillig, Thomas Dillig, Alex Aiken Stanford University Scalability and Formula Size Many program analysis
More informationShape Analysis with Reference Set Dominance
Shape Analysis with Reference Set Dominance Mark Marron 1, Rupak Majumdar 2, Darko Stefanovic 1, and Deepak Kapur 1 1 University of New Mexico, {marron, darko, kapur}@cs.unm.edu 2 University of California
More informationBackward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction
Backward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction Alexey Bakhirkin 1 Josh Berdine 2 Nir Piterman 1 1 University of Leicester, Department of Computer Science 2 Microsoft
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationPutting Static Analysis to Work for Verification
Putting Static Analysis to Work for Verification A Case Study Tomasz Dudziak Based on a paper by T. Lev-Ami, T. Reps, M. Sagiv, and R. Wilhelm 23 June 2010 Topic Goal A very capable shape analysis that
More informationAn Abstract Domain for Analyzing Heap-Manipulating Low-Level Software
An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software Sumit Gulwani 1 and Ashish Tiwari 2 1 Microsoft Research, Redmond, WA 98052, sumitg@microsoft.com 2 SRI International, Menlo Park,
More informationEffectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky
Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv http://www.cs.tau.ac.il/~shachar/afwp.html
More informationBottom-up Context-Sensitive Pointer Analysis for Java
Bottom-up Context-Sensitive Pointer Analysis for Java Yu Feng, Xinyu Wang, Isil Dillig and Thomas Dillig UT Austin 1 What is this talk about? Pointer analysis Given a program variable v, what are the heap
More informationThe Development of Automatically Verifiable Systems using Data Representation Synthesis
The Development of Automatically Verifiable Systems using Data Representation Synthesis Bryce Cronkite-Ratcliff Department of Computer Science, Stanford University brycecr@stanford.edu ABSTRACT We present
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationToday Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding
More informationVerification of Low-Level List Manipulation (work in progress)
Verification of Low-Level List Manipulation (work in progress) Kamil Dudka 1,2 Petr Peringer 1 Tomáš Vojnar 1 1 FIT, Brno University of Technology, Czech Republic 2 Red Hat Czech, Brno, Czech Republic
More informationPredator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic
Predator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic Kamil Dudka, Petr Peringer, and Tomáš Vojnar FIT, Brno University of Technology, Czech Republic Abstract.
More informationModular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs
Modular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs Longming Dong Ji Wang Liqian Chen National University of Defense Technology, Changsha, China 05/12/2012 APSEC 2012 L
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationSeparation Logic Tutorial
Separation Logic Tutorial (To appear in Proceedings of ICLP 08) Peter O Hearn Queen Mary, University of London Separation logic is an extension of Hoare s logic for reasoning about programs that manipulate
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationSymbolic Execution. Wei Le April
Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving
More informationMonotonic Abstraction for Programs with Multiply-Linked Structures
Monotonic Abstraction for Programs with Multiply-Linked Structures Parosh Aziz Abdulla 1, Jonathan Cederberg 1, Tomáš Vojnar 2 1 Uppsala University, Sweden. 2 FIT, Brno University of Technology, Czech
More informationHeap Analysis in the Presence of Collection Libraries
Heap Analysis in the Presence of Collection Libraries Unified Memory Analysis: Analyzing Collections Mark Marron, Darko Stefanovic, Manuel Hermenegildo, and Deepak Kapur University of New Mexico Albuquerque,
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationCSolve: Verifying C With Liquid Types
CSolve: Verifying C With Liquid Types Patrick Rondon, Alexander Bakst, Ming Kawaguchi, and Ranjit Jhala University of California, San Diego {prondon, abakst, mwookawa, jhala@cs.ucsd.edu Abstract. We present
More informationCyclic Abduction of Inductively Defined Safety and Termination Preconditions
Cyclic Abduction of Inductively Defined Safety and Termination Preconditions James Brotherston 1 and Nikos Gorogiannis 2 1 Dept. of Computer Science, University College London 2 Dept. of Computer Science,
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationPredator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic
Predator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic FIT BUT Technical Report Series Kamil Dudka, Petr Peringer, and Tomáš Vojnar Technical Report No.
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationFootprint Analysis: A Shape Analysis that Discovers Preconditions
Footprint Analysis: A Shape Analysis that Discovers Preconditions Draft of January 31, 2007 Cristiano Calcagno 1, Dino Distefano 2, Peter W. O Hearn 2, and Hongseok Yang 2 1 Imperial College, London 2
More informationCompositional Resource Invariant Synthesis
Compositional Resource Invariant Synthesis Cristiano Calcagno 1, Dino Distefano 2, and Viktor Vafeiadis 3 1 Imperial College 2 Queen Mary University of London 3 Microsoft Research, Cambridge Abstract.
More informationStatic Program Checking
Bounded Verification Jalloy Automated Software Analysis Group, Institute of Theoretical Informatics Jun.-prof. Mana Taghdiri June 5, 2014 KIT University of the State of Baden-Wuerttemberg and National
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationCuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers
Cuts from Proofs: A Complete and Practical Technique for Solving Linear Inequalities over Integers Isil Dillig, Thomas Dillig, and Alex Aiken Computer Science Department Stanford University Linear Arithmetic
More informationIntroducing C++ to Java Programmers
Introducing C++ to Java Programmers by Kip Irvine updated 2/27/2003 1 Philosophy of C++ Bjarne Stroustrup invented C++ in the early 1980's at Bell Laboratories First called "C with classes" Design Goals:
More informationModular and Verified Automatic Program Repairs
Modular and Verified Automatic Program Repairs from Francesco Logozzo and Thomas Ball at Microsoft Research, Redmond presenter name(s) removed for FERPA considerations Introduction Your programs will have
More informationOverview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions
Overview Verification with Functions and Pointers Işıl Dillig The IMP language considered so far does not have many features of realistics PLs Our goal today: Enrich IMP with two features, namely functions
More informationStructuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C
Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C David Bühler CEA LIST, Software Safety Lab Frama-C & SPARK Day 2017 May 30th, 2017 David
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationMEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING Herbert Rocha, Raimundo Barreto,
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationLecture Notes on Memory Layout
Lecture Notes on Memory Layout 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 11 1 Introduction In order to understand how programs work, we can consider the functions,
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationPointers. Memory. void foo() { }//return
Pointers Pointers Every location in memory has a unique number assigned to it called it s address A pointer is a variable that holds a memory address A pointer can be used to store an object or variable
More informationName: CIS 341 Final Examination 10 December 2008
Name: CIS 341 Final Examination 10 December 2008 1 /8 2 /12 3 /18 4 /18 5 /14 Total /70 Do not begin the exam until you are told to do so. You have 120 minutes to complete the exam. There are 11 pages
More informationProperty-Directed Shape Analysis
Property-Directed Shape Analysis S. Itzhaky 1, N. Bjørner 2, T. Reps 3,4, M. Sagiv 1, and A. Thakur 3 1 Tel Aviv University, Tel Aviv, Israel 2 Microsoft Research, USA 3 University of Wisconsin Madison,
More informationDifferential program verification
Differential program verification Shuvendu K. Lahiri Research in Software Engineering (RiSE), Microsoft Research Redmond, WA Involved in building static assertion checkers HAVOC [POPL 06, 08, 09, CAV 09,
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationThe software model checker BLAST
Int J Softw Tools Technol Transfer (2007) 9:505 525 DOI 10.1007/s10009-007-0044-z SPECIAL SECTION FASE 04/ 05 The software model checker BLAST Applications to software engineering Dirk Beyer Thomas A.
More informationBOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH
BOOGIE A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH Presentation by Itsik Hefez Introduction Boogie is an intermediate verification language, intended as a layer on which
More informationIntegrating verification in programming languages
Integrating verification in programming languages Thomas Jensen, INRIA Seminar INRIA Rennes, 04/11/2015 Collège de France Chaire Algorithmes, machines et langages x / y Types For division to make sense,
More informationURBiVA: Uniform Reduction to Bit-Vector Arithmetic
URBiVA: Uniform Reduction to Bit-Vector Arithmetic Filip Marić and Predrag Janičić Faculty of Mathematics, Studentski trg 16, 11000 Belgrade, Serbia filip@matf.bg.ac.rs janicic@matf.bg.ac.rs Abstract.
More informationProving liveness. Alexey Gotsman IMDEA Software Institute
Proving liveness Alexey Gotsman IMDEA Software Institute Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold
More informationShape Analysis. CS252r Spring 2011
Shape Analysis CS252r Spring 2011 Outline Motivation for shape analysis Three-valued logic Region-based with tracked locations 2 Shape analysis [Wilhelm, Sagiv, and Reps, CC 2000] Shape analysis: static
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationOn partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency
On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency Alex Horn and Daniel Kroening University of Oxford April 30, 2015 Outline What s Our Problem? Motivation and Example
More informationPRECISE AND AUTOMATIC VERIFICATION OF CONTAINER-MANIPULATING PROGRAMS
PRECISE AND AUTOMATIC VERIFICATION OF CONTAINER-MANIPULATING PROGRAMS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL
More informationEscape Analysis. Applications to ML and Java TM
Escape Analysis. Applications to ML and Java TM Bruno Blanchet INRIA Rocquencourt Bruno.Blanchet@inria.fr December 2000 Overview 1. Introduction: escape analysis and applications. 2. Escape analysis 2.a
More informationRefinements to techniques for verifying shape analysis invariants in Coq
Refinements to techniques for verifying shape analysis invariants in Coq Kenneth Roe The Johns Hopkins University Abstract. The research in this proposal is aimed at creating a theorem proving framework
More informationLanguage Security. Lecture 40
Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1 Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting
More informationSMT-Based Modular Analysis of Sequential Systems Code
SMT-Based Modular Analysis of Sequential Systems Code Shuvendu K. Lahiri Microsoft Research Abstract. In this paper, we describe a few challenges that accompany SMTbased precise verification of systems
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationSeminar in Software Engineering Presented by Dima Pavlov, November 2010
Seminar in Software Engineering-236800 Presented by Dima Pavlov, November 2010 1. Introduction 2. Overview CBMC and SAT 3. CBMC Loop Unwinding 4. Running CBMC 5. Lets Compare 6. How does it work? 7. Conclusions
More informationHybrid Analysis for Partial Order Reduction of Programs with Arrays
Hybrid Analysis for Partial Order Reduction of Programs with Arrays Pavel Parízek Charles University in Prague, Faculty of Mathematics and Physics, Department of Distributed and Dependable Systems Abstract.
More informationCSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C
CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C Nurit Dor, Michael Rodeh, Mooly Sagiv PLDI 2003 DAEDALUS project Vulnerabilities of C programs /* from web2c [strpascalc]
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationEfficiently Reasoning about Programs
Efficiently Reasoning about Programs Neil Immerman College of Computer and Information Sciences University of Massachusetts, Amherst Amherst, MA, USA people.cs.umass.edu/ immerman co-r.e. complete Halt
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Preliminaries Outline of Lecture 1 Preliminaries Introduction
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationCS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan Remember Symbolic Model Checking Represent sets of states and the transition relation as Boolean logic formulas
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationInductive Invariant Generation via Abductive Inference
Inductive Invariant Generation via Abductive Inference Isil Dillig Department of Computer Science College of William & Mary idillig@cs.wm.edu Thomas Dillig Department of Computer Science College of William
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security 1/27 Reasoning About Code Often functions make certain assumptions about their arguments, and it is the caller s responsibility to make sure those assumptions
More informationDeductive Methods, Bounded Model Checking
Deductive Methods, Bounded Model Checking http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Deductive methods Pavel Parízek Deductive Methods, Bounded
More informationAutomatic Data Structure Repair using Separation Logic
Automatic Data Structure Repair using Separation Logic Guolong Zheng Quang Loc Le ThanhVu Nguyen Quoc-Sang Phan University of Nebraska-Lincoln {gzheng, tnguyen}@cse.unl.edu Teesside University q.le@tees.ac.uk
More information