A Gentle Introduction to Program Analysis
|
|
- Kristina Dixon
- 6 years ago
- Views:
Transcription
1 A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24
2 What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior 2 / 24
3 What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing algorithms and tools that can analyze other programs 2 / 24
4 What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing algorithms and tools that can analyze other programs prog.c Query Program Analysis Tool 2 / 24
5 Applications of Program Analysis Bug finding. e.g., expose as many assertion failures as possible 3 / 24
6 Applications of Program Analysis Bug finding. e.g., expose as many assertion failures as possible Security. e.g., does an app leak private user data? 3 / 24
7 Applications of Program Analysis Bug finding. e.g., expose as many assertion failures as possible Security. e.g., does an app leak private user data? Verification. e.g., does the program always behave according to its specification? 3 / 24
8 Applications of Program Analysis Bug finding. e.g., expose as many assertion failures as possible Security. e.g., does an app leak private user data? Verification. e.g., does the program always behave according to its specification? Compiler optimizations. e.g., which variables should be kept in registers for fastest memory access? 3 / 24
9 Applications of Program Analysis Bug finding. e.g., expose as many assertion failures as possible Security. e.g., does an app leak private user data? Verification. e.g., does the program always behave according to its specification? Compiler optimizations. e.g., which variables should be kept in registers for fastest memory access? Automatic parallelization. e.g., is it safe to execute different loop iterations on parallel? 3 / 24
10 Dynamic vs. Static Program Analysis Two flavors of program analysis: 4 / 24
11 Dynamic vs. Static Program Analysis Two flavors of program analysis: Dynamic analysis: Analyzes program while it is running 4 / 24
12 Dynamic vs. Static Program Analysis Two flavors of program analysis: Dynamic analysis: Analyzes program while it is running Static analysis: Analyzes source code of the program 4 / 24
13 Dynamic vs. Static Program Analysis Two flavors of program analysis: Dynamic analysis: Analyzes program while it is running Static analysis: Analyzes source code of the program Static + reasons about all executions - less precise Dynamic + more precise - results limited to observed executions 4 / 24
14 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? 5 / 24
15 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! 5 / 24
16 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! This means static analyses are either: 5 / 24
17 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! This means static analyses are either: Unsound: May say program is safe even though it is unsafe 5 / 24
18 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! This means static analyses are either: Unsound: May say program is safe even though it is unsafe Sound, but incomplete: May say program is unsafe even though it is safe 5 / 24
19 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! This means static analyses are either: Unsound: May say program is safe even though it is unsafe Sound, but incomplete: May say program is unsafe even though it is safe Non-terminating: Always gives correct answer when it terminates, but may run forever 5 / 24
20 Static Analysis Typical static analysis question: Given source code of program P and desired property Q, does P exhibit Q in all possible executions? But this question is undecidable! This means static analyses are either: Unsound: May say program is safe even though it is unsafe Sound, but incomplete: May say program is unsafe even though it is safe Non-terminating: Always gives correct answer when it terminates, but may run forever Many static analysis techniques are sound but incomplete. 5 / 24
21 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior 6 / 24
22 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior 6 / 24
23 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior 6 / 24
24 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior Bad states outside over-approximation Program safe 7 / 24
25 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior Bad states outside over-approximation Program safe Bad states inside over-approximation, but outside P false alarm 7 / 24
26 How to design sound static analyses? Key idea: Overapproximate (i.e., abstract) program behavior Bad states outside over-approximation Program safe Bad states inside over-approximation, but outside P false alarm Goal: Construct abstractions that are precise enough (i.e., few false alarms) and that scale to real programs 7 / 24
27 Examples of Abstractions 8 / 24
28 Examples of Abstractions There is no one size fits all abstraction What information is useful depends on what you want to prove about the program! 8 / 24
29 Examples of Abstractions There is no one size fits all abstraction What information is useful depends on what you want to prove about the program! Application No division-by-zero errors Useful abstraction zero vs. non-zero 8 / 24
30 Examples of Abstractions There is no one size fits all abstraction What information is useful depends on what you want to prove about the program! Application Useful abstraction No division-by-zero errors zero vs. non-zero Data structure verification list, tree, graph,... 8 / 24
31 Examples of Abstractions There is no one size fits all abstraction What information is useful depends on what you want to prove about the program! Application Useful abstraction No division-by-zero errors zero vs. non-zero Data structure verification list, tree, graph,... No out-of-bounds array accesses ranges of integer variables 8 / 24
32 How to Create Sound Abstractions? 9 / 24
33 How to Create Sound Abstractions? Useful theory for understanding how to design sound static analyses is abstract interpretation 9 / 24
34 How to Create Sound Abstractions? Useful theory for understanding how to design sound static analyses is abstract interpretation Seminal 77 paper by Patrick & Radhia Cousot 9 / 24
35 How to Create Sound Abstractions? Useful theory for understanding how to design sound static analyses is abstract interpretation Seminal 77 paper by Patrick & Radhia Cousot Not a specific analysis, but rather a framework for designing sound-by-construction static analyses 9 / 24
36 How to Create Sound Abstractions? Useful theory for understanding how to design sound static analyses is abstract interpretation Seminal 77 paper by Patrick & Radhia Cousot Not a specific analysis, but rather a framework for designing sound-by-construction static analyses Let s look at an example: A static analysis that tracks the sign of each integer variable (e.g., positive, non-negative, zero etc.) 9 / 24
37 First Step: Design An Abstract Domain An abstract domain is just a set of abstract values we want to track in our analysis 10 / 24
38 First Step: Design An Abstract Domain An abstract domain is just a set of abstract values we want to track in our analysis For our example, let s fix the following abstract domain: pos: {x x Z x > 0} zero: {0} neg: {x x Z x < 0} non-neg: {x x Z x 0} 10 / 24
39 First Step: Design An Abstract Domain An abstract domain is just a set of abstract values we want to track in our analysis For our example, let s fix the following abstract domain: pos: {x x Z x > 0} zero: {0} neg: {x x Z x < 0} non-neg: {x x Z x 0} In addition, every abstract domain contains: 10 / 24
40 First Step: Design An Abstract Domain An abstract domain is just a set of abstract values we want to track in our analysis For our example, let s fix the following abstract domain: pos: {x x Z x > 0} zero: {0} neg: {x x Z x < 0} non-neg: {x x Z x 0} In addition, every abstract domain contains: (top): Don t know, represents any value 10 / 24
41 First Step: Design An Abstract Domain An abstract domain is just a set of abstract values we want to track in our analysis For our example, let s fix the following abstract domain: pos: {x x Z x > 0} zero: {0} neg: {x x Z x < 0} non-neg: {x x Z x 0} In addition, every abstract domain contains: (top): Don t know, represents any value (bottom): Represents empty-set 10 / 24
42 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain 11 / 24
43 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = 11 / 24
44 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg 11 / 24
45 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = 11 / 24
46 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = pos 11 / 24
47 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = pos α({ 3, 2}) = 11 / 24
48 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = pos α({ 3, 2}) = 11 / 24
49 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = pos α({ 3, 2}) = Concretization function (γ) maps each abstract value to sets of concrete elements 11 / 24
50 Second step: Abstraction and concretization functions Abstraction function (α) maps sets of concrete elements to the most precise value in the abstract domain α({2, 10, 0}) = non-neg α({3, 99}) = pos α({ 3, 2}) = Concretization function (γ) maps each abstract value to sets of concrete elements γ(pos) = {x x Z x > 0} 11 / 24
51 Lattices and Abstract Domains Concretization function defines partial order on abstract values: 12 / 24
52 Lattices and Abstract Domains Concretization function defines partial order on abstract values: A 1 A 2 iff γ(a 1 ) γ(a 2 ) 12 / 24
53 Lattices and Abstract Domains Concretization function defines partial order on abstract values: A 1 A 2 iff γ(a 1 ) γ(a 2 ) Furthermore, in an abstract domain, every pair of elements has a lub and glb mathematical lattice non-neg neg pos zero 12 / 24
54 Lattices and Abstract Domains Concretization function defines partial order on abstract values: A 1 A 2 iff γ(a 1 ) γ(a 2 ) Furthermore, in an abstract domain, every pair of elements has a lub and glb mathematical lattice non-neg neg pos zero Least upper bound of two elements is called their join useful for reasoning about control flow in programs 12 / 24
55 Almost-Inverses Important property of the abstraction and concretization function is that they are almost inverses: 13 / 24
56 Almost-Inverses Important property of the abstraction and concretization function is that they are almost inverses: A C 13 / 24
57 Almost-Inverses Important property of the abstraction and concretization function is that they are almost inverses: A C C' C A 13 / 24
58 Almost-Inverses Important property of the abstraction and concretization function is that they are almost inverses: A C C' C A This is called a Galois insertion and captures the soundness of the abstraction 13 / 24
59 Step 3: Abstract Semantics Given abstract domain, α, γ, need to define abstract transformers (i.e., semantics) for each statement 14 / 24
60 Step 3: Abstract Semantics Given abstract domain, α, γ, need to define abstract transformers (i.e., semantics) for each statement Describes how statements affect our abstraction 14 / 24
61 Step 3: Abstract Semantics Given abstract domain, α, γ, need to define abstract transformers (i.e., semantics) for each statement Describes how statements affect our abstraction Abstract counter-part of operational semantics rules 14 / 24
62 Step 3: Abstract Semantics Given abstract domain, α, γ, need to define abstract transformers (i.e., semantics) for each statement Describes how statements affect our abstraction Abstract counter-part of operational semantics rules Operational Semantics S: Var Concrete value x = y op z S': Var Concrete value 14 / 24
63 Step 3: Abstract Semantics Given abstract domain, α, γ, need to define abstract transformers (i.e., semantics) for each statement Describes how statements affect our abstraction Abstract counter-part of operational semantics rules Operational Semantics Abstract Semantics S: Var Concrete value A: Var Abstract value x = y op z x = y op z S': Var Concrete value A': Var Abstract value 14 / 24
64 Back to Our Example For our sign analysis, we can define abstract transformer for x = y + z as follows: pos neg zero non-neg pos pos pos pos neg neg neg zero pos neg zero non-neg non-neg pos non-neg non-neg 15 / 24
65 Back to Our Example For our sign analysis, we can define abstract transformer for x = y + z as follows: pos neg zero non-neg pos pos pos pos neg neg neg zero pos neg zero non-neg non-neg pos non-neg non-neg To ensure soundness of static analysis, must prove that abstract semantics faithfully models concrete semantics 15 / 24
66 Putting It All Together P Abstract domain Abstract semantics Fixed-point engine 16 / 24
67 Putting It All Together P Abstract domain Abstract semantics Fixed-point engine 16 / 24
68 Fixed-point Computations Fixed-point computation: Repeated symbolic execution of the program using abstract semantics until our approximation of the program reaches an equilibrium 17 / 24
69 Fixed-point Computations Fixed-point computation: Repeated symbolic execution of the program using abstract semantics until our approximation of the program reaches an equilibrium Least fixed-point: Start with underapproximation and grow the approximation until it stops growing 17 / 24
70 Fixed-point Computations Fixed-point computation: Repeated symbolic execution of the program using abstract semantics until our approximation of the program reaches an equilibrium Least fixed-point: Start with underapproximation and grow the approximation until it stops growing Assuming correctness of your abstract semantics, the least fixed point is an overapproximation of the program! 17 / 24
71 Performing Least Fixed Point Computation Represent program as a control-flow graph x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 18 / 24
72 Performing Least Fixed Point Computation Represent program as a control-flow graph Want to compute abstract values at every program point x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 18 / 24
73 Performing Least Fixed Point Computation Represent program as a control-flow graph Want to compute abstract values at every program point Initialize all abstract states to exit block x =0 y =1 loop head y <= n branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 18 / 24
74 Performing Least Fixed Point Computation Represent program as a control-flow graph Want to compute abstract values at every program point x =0 y =1 loop head Initialize all abstract states to Repeat until no abstract state changes at any program point: exit block y <= n branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 18 / 24
75 Performing Least Fixed Point Computation Represent program as a control-flow graph Want to compute abstract values at every program point x =0 y =1 loop head Initialize all abstract states to Repeat until no abstract state changes at any program point: exit block y <= n branch z =0 z!=0 Compute abstract state on entry to a basic block B by taking the join of B s predecessors x = x+1 x = x+y loop end y = y+1 18 / 24
76 Performing Least Fixed Point Computation Represent program as a control-flow graph Want to compute abstract values at every program point x =0 y =1 loop head Initialize all abstract states to Repeat until no abstract state changes at any program point: exit block y <= n branch z =0 z!=0 Compute abstract state on entry to a basic block B by taking the join of B s predecessors Symbolically execute each basic block using abstract semantics x = x+1 x = x+y loop end y = y+1 18 / 24
77 An Example x =0 y =1 x = 0; y =0; while(y <= n) { if (z == 0) { x = x+1; } else { x = x + y; } y = y+1 } loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 19 / 24
78 An Example x =0 y =1 x = 0; y =0; while(y <= n) { if (z == 0) { x = x+1; } else { x = x + y; } y = y+1 } Is x always non-negative inside the loop? loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 19 / 24
79 Fixed-Point Computation x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 20 / 24
80 Fixed-Point Computation x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 20 / 24
81 Fixed-Point Computation x = Z, y = x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 20 / 24
82 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 20 / 24
83 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n exit block branch z =0 z!=0 x = x+1 x = x+y loop end y = y+1 20 / 24
84 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = x+1 x = x+y x = Z, y = P loop end y = y+1 20 / 24
85 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = P, y = P x = x+1 x = x+y x = Z, y = P loop end y = y+1 20 / 24
86 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = P, y = P x = x+1 x = x+y x = Z, y = P x = P, y = P loop end y = y+1 20 / 24
87 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = P, y = P x = x+1 x = x+y x = Z, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
88 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = Z, y = P loop head y <= n x = P, y = P x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = P, y = P x = x+1 x = x+y x = Z, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
89 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = NN, y = P loop head y <= n x = P, y = P x = Z, y = P exit block branch x = Z, y = P z =0 z!=0 x = Z, y = P x = P, y = P x = x+1 x = x+y x = Z, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
90 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = NN, y = P loop head y <= n x = P, y = P x = NN, y = P exit block branch x = NN, y = P z =0 z!=0 x = NN, y = P x = P, y = P x = x+1 x = x+y x = NN, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
91 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = NN, y = P loop head y <= n x = P, y = P x = NN, y = P exit block branch x = NN, y = P z =0 z!=0 x = NN, y = P x = P, y = P x = x+1 x = x+y x = NN, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
92 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = NN, y = P loop head y <= n x = P, y = P x = NN, y = P exit block branch x = NN, y = P z =0 z!=0 x = NN, y = P x = P, y = P x = x+1 x = x+y x = NN, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
93 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 x = NN, y = P loop head y <= n x = P, y = P x = NN, y = P exit block branch x = NN, y = P z =0 z!=0 x = NN, y = P x = P, y = P x = x+1 x = x+y x = NN, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
94 Fixed-Point Computation x = Z, y = x = Z, y = P x =0 y =1 Fixed point! x = NN, y = P loop head y <= n x = P, y = P x = NN, y = P exit block branch x = NN, y = P z =0 z!=0 x = NN, y = P x = P, y = P x = x+1 x = x+y x = NN, y = P x = P, y = P x = P, y = P x = P, y = P loop end y = y+1 20 / 24
95 Termination of Fixed Point Computation In this example, we quickly reached least fixed point but does this computation always terminate? 21 / 24
96 Termination of Fixed Point Computation In this example, we quickly reached least fixed point but does this computation always terminate? Yes, assuming abstract domain forms complete lattice 21 / 24
97 Termination of Fixed Point Computation In this example, we quickly reached least fixed point but does this computation always terminate? Yes, assuming abstract domain forms complete lattice This means every subset of elements (including infinite subsets) have a LUB 21 / 24
98 Termination of Fixed Point Computation In this example, we quickly reached least fixed point but does this computation always terminate? Yes, assuming abstract domain forms complete lattice This means every subset of elements (including infinite subsets) have a LUB Unfortunately, many interesting domains do not have this property, so we need widening operators for convergence. 21 / 24
99 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: 22 / 24
100 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest 22 / 24
101 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest Fixed-point computation: Allows us to obtain sound overapproximation of the program 22 / 24
102 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest Fixed-point computation: Allows us to obtain sound overapproximation of the program But many static analyses also differ in several ways: 22 / 24
103 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest Fixed-point computation: Allows us to obtain sound overapproximation of the program But many static analyses also differ in several ways: Flow (in)sensitivity: Some analyses only compute facts for the whole program, not for every program point 22 / 24
104 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest Fixed-point computation: Allows us to obtain sound overapproximation of the program But many static analyses also differ in several ways: Flow (in)sensitivity: Some analyses only compute facts for the whole program, not for every program point Path sensitivity: More precise analyses compute different facts for different program paths 22 / 24
105 Lessons To Take Away Considered only one static analysis approach, but illustrates two key ideas underlying program analysis: Abstraction: Only reason about certain properties of interest Fixed-point computation: Allows us to obtain sound overapproximation of the program But many static analyses also differ in several ways: Flow (in)sensitivity: Some analyses only compute facts for the whole program, not for every program point Path sensitivity: More precise analyses compute different facts for different program paths Analysis direction: Forwards vs. backwards 22 / 24
106 Challenges and Open Problems Many open problems in program analysis 23 / 24
107 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning 23 / 24
108 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning Concurrency 23 / 24
109 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning Concurrency Dealing with open programs 23 / 24
110 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning Concurrency Dealing with open programs Modular program analysis 23 / 24
111 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning Concurrency Dealing with open programs Modular program analysis / 24
112 Challenges and Open Problems Many open problems in program analysis Precise and scalable heap reasoning Concurrency Dealing with open programs Modular program analysis... Exciting area with lots of interesting topics to work on! 23 / 24
113 Considering PhD or Postdoc? If you are interested in program analysis or verification, consider applying to UT Austin! 24 / 24
Advanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationLecture 6. Abstract Interpretation
Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening
More informationAbstract Interpretation
Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis
More informationCS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014
CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014 1 Introduction to Abstract Interpretation At this point in the course, we have looked at several aspects of programming languages: operational
More informationFlow Analysis. Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More informationStructuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C
Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C David Bühler CEA LIST, Software Safety Lab Frama-C & SPARK Day 2017 May 30th, 2017 David
More informationIterative Program Analysis Abstract Interpretation
Iterative Program Analysis Abstract Interpretation Summary by Ben Riva & Ofri Ziv Soundness Theorem Theorem: If a computation fixed-point is sound, then its least-fixed-point is sound. More precisely,
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationGlobal Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization
Lecture Outline Global Optimization Global flow analysis Global constant propagation Liveness analysis Compiler Design I (2011) 2 Local Optimization Recall the simple basic-block optimizations Constant
More informationThursday, December 23, The attack model: Static Program Analysis
The attack model: Static Program Analysis How making SPA? DFA - Data Flow Analysis CFA - Control Flow Analysis Proving invariance: theorem proving Checking models: model checking Giaco & Ranzato DFA:
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationSymbolic Trajectory Evaluation - A Survey
Automated Verification Symbolic Trajectory Evaluation - A Survey by Mihaela Gheorghiu Department of Computer Science University of Toronto Instructor: Prof. Marsha Chechik January 3, 24 Motivation Simulation
More informationPrinciples of Program Analysis: A Sampler of Approaches
Principles of Program Analysis: A Sampler of Approaches Transparencies based on Chapter 1 of the book: Flemming Nielson, Hanne Riis Nielson and Chris Hankin: Principles of Program Analysis Springer Verlag
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 21 Tuesday, April 15, 2014 1 Static program analyses For the last few weeks, we have been considering type systems.
More informationProfile-Guided Program Simplification for Effective Testing and Analysis
Profile-Guided Program Simplification for Effective Testing and Analysis Lingxiao Jiang Zhendong Su Program Execution Profiles A profile is a set of information about an execution, either succeeded or
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationVerifying the Safety of Security-Critical Applications
Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationVerification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80
1 / 80 Verification Miaoqing Huang University of Arkansas Outline 1 Verification Overview 2 Testing Theory and Principles Theoretical Foundations of Testing Empirical Testing Principles 3 Testing in Practice
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationTiming Analysis of Parallel Software Using Abstract Execution
Timing Analysis of Parallel Software Using Abstract Execution Björn Lisper School of Innovation, Design, and Engineering Mälardalen University bjorn.lisper@mdh.se 2014-09-10 EACO Workshop 2014 Motivation
More informationAn Approach to Behavioral Subtyping Based on Static Analysis
TACoS 04 Preliminary Version An Approach to Behavioral Subtyping Based on Static Analysis Francesco Logozzo 1 STIX - École Polytechnique F-91128 Palaiseau, France Abstract In mainstream object oriented
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationFunctor abstract domain by example
A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Scalability Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco Logozzo, MSR Precision // here:
More informationVerasco: a Formally Verified C Static Analyzer
Verasco: a Formally Verified C Static Analyzer Jacques-Henri Jourdan Joint work with: Vincent Laporte, Sandrine Blazy, Xavier Leroy, David Pichardie,... June 13, 2017, Montpellier GdR GPL thesis prize
More informationPrinciples of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013
Principles of Software Construction: Objects, Design and Concurrency Static Analysis 15-214 toad Spring 2013 Christian Kästner Charlie Garrod School of Computer Science 2012-13 C Garrod, C Kästner, J Aldrich,
More informationCompiler Structure. Data Flow Analysis. Control-Flow Graph. Available Expressions. Data Flow Facts
Compiler Structure Source Code Abstract Syntax Tree Control Flow Graph Object Code CMSC 631 Program Analysis and Understanding Fall 2003 Data Flow Analysis Source code parsed to produce AST AST transformed
More informationAutomatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013
Automatic Qualification of Abstract Interpretation-based Static Analysis Tools Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013 2 Functional Safety Demonstration of functional correctness Well-defined
More informationDenotational Semantics. Domain Theory
Denotational Semantics and Domain Theory 1 / 51 Outline Denotational Semantics Basic Domain Theory Introduction and history Primitive and lifted domains Sum and product domains Function domains Meaning
More informationStatic Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU
Static Analysis methods and tools An industrial study Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU Outline Why static analysis What is it Underlying technology Some tools (Coverity, KlocWork,
More informationCritical Analysis of Computer Science Methodology: Theory
Critical Analysis of Computer Science Methodology: Theory Björn Lisper Dept. of Computer Science and Engineering Mälardalen University bjorn.lisper@mdh.se http://www.idt.mdh.se/ blr/ March 3, 2004 Critical
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationLogic-Flow Analysis of Higher-Order Programs
Logic-Flow Analysis of Higher-Order Programs Matt Might http://matt.might.net/ POPL 2007 Why? Tim Sweeney, POPL 2006 Static array-bounds checking. Example... a[i]... Will 0 i < a.length always hold? 3
More informationSimply-Typed Lambda Calculus
#1 Simply-Typed Lambda Calculus #2 Back to School What is operational semantics? When would you use contextual (small-step) semantics? What is denotational semantics? What is axiomatic semantics? What
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationLearning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses
Noname manuscript No. (will be inserted by the editor) Learning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses Kihong Heo Hakjoo Oh Hongseok Yang
More informationModule: Future of Secure Programming
Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Programmer s Little Survey Problem What does program for
More informationModule: Future of Secure Programming
Module: Future of Secure Programming Professor Trent Jaeger Penn State University Systems and Internet Infrastructure Security Laboratory (SIIS) 1 Programmer s Little Survey Problem What does program for
More informationChapter 1 Introduction
Chapter 1 Course INF5906 / autum 2017 Chapter 1 Learning Targets of Chapter. Apart from a motivational introduction, the chapter gives a high-level overview over larger topics covered in the lecture. They
More informationProving liveness. Alexey Gotsman IMDEA Software Institute
Proving liveness Alexey Gotsman IMDEA Software Institute Safety properties Ensure bad things don t happen: - the program will not commit a memory safety fault - it will not release a lock it does not hold
More informationCMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
More informationReasoning about modules: data refinement and simulation
Reasoning about modules: data refinement and simulation David Naumann naumann@cs.stevens-tech.edu Stevens Institute of Technology Naumann - POPL 02 Java Verification Workshop p.1/17 Objectives of talk
More informationA New Abstraction Framework for Affine Transformers
A New Abstraction Framework for Affine Transformers Tushar Sharma and Thomas Reps SAS 17 Motivations Prove Program Assertions Function and loop summaries Sound with respect to bitvectors A NEW ABSTRACTION
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 17 - Language-based security October 25, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Engineering Disaster? Millions of Bots Compromised applications Programming
More informationIntroduction A Tiny Example Language Type Analysis Static Analysis 2009
Introduction A Tiny Example Language Type Analysis 2009 Michael I. Schwartzbach Computer Science, University of Aarhus 1 Questions About Programs Does the program terminate? How large can the heap become
More informationCompiler Optimisation
Compiler Optimisation 4 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk Institute for Computing Systems Architecture School of Informatics University of Edinburgh 2018 Introduction This lecture:
More informationPrinciples of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)
Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems) More Analysis for Functional Correctness Jonathan Aldrich Charlie Garrod School of Computer Science
More information3.7 Denotational Semantics
3.7 Denotational Semantics Denotational semantics, also known as fixed-point semantics, associates to each programming language construct a well-defined and rigorously understood mathematical object. These
More informationFachgebiet Softwaretechnik, Heinz Nixdorf Institut, Universität Paderborn. 4. Testing
4. vs. Model Checking (usually) means checking the correctness of source code Model Checking means verifying the properties of a model given in some formal (not program code) notation Attention: things
More informationWelcome to Software Analysis and Testing.
Welcome to Software Analysis and Testing. In this course, we will be diving deep into the theory and practice of software analysis, which lies at the heart of many software development processes such as
More informationSelectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 허기홍
공학박사학위논문 예비분석과기계학습을이용하여선별적으로정확하게정적분석을하는방법 Selectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 서울대학교대학원 컴퓨터공학부 허기홍 예비분석과 기계학습을 이용하여 선별적으로 정확하게 정적분석을 하는 방법 지도교수 이
More informationCertified Memory Usage Analysis
Certified Memory Usage Analysis David Cachera, Thomas Jensen, David Pichardie, Gerardo Schneider IRISA, ENS Cachan Bretagne, France Context Embedded devices (smart cards, mobile phones) memory is limited
More informationProgram Analysis and Verification
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 12: Interprocedural Analysis + Numerical Analysis Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav 1 Procedural program void main()
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationPROGRAM ANALYSIS & SYNTHESIS
Lecture 02 Structural Operational Semantics (SOS) PROGRAM ANALYSIS & SYNTHESIS EranYahav 1 Previously static analysis over-approximation of program behavior abstract interpretation abstraction, transformers,
More informationArray Dependence Analysis as Integer Constraints. Array Dependence Analysis Example. Array Dependence Analysis as Integer Constraints, cont
Theory of Integers CS389L: Automated Logical Reasoning Omega Test Işıl Dillig Earlier, we talked aout the theory of integers T Z Signature of T Z : Σ Z : {..., 2, 1, 0, 1, 2,..., 3, 2, 2, 3,..., +,, =,
More informationSoftware Verification : Introduction
Software Verification : Introduction Ranjit Jhala, UC San Diego April 4, 2013 What is Algorithmic Verification? Algorithms, Techniques and Tools to ensure that Programs Don t Have Bugs (What does that
More informationThe DOT Calculus. (Dependent Object Types) Nada Amin. June 18, Scala Days
The DOT Calculus (Dependent Object Types) Nada Amin Scala Days June 18, 2014 1 DOT: Dependent Object Types DOT is a core calculus for path-dependent types. Goals simplify Scala s type system by desugaring
More informationWidening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)
EXPERIENCE AN INTRODUCTION WITH THE DESIGN TOF A SPECIAL PURPOSE STATIC ANALYZER ABSTRACT INTERPRETATION P. Cousot Patrick.Cousot@ens.fr http://www.di.ens.fr/~cousot Biarritz IFIP-WG 2.3 2.4 meeting (1)
More informationDataflow analysis (ctd.)
Dataflow analysis (ctd.) Available expressions Determine which expressions have already been evaluated at each point. A expression x+y is available at point p if every path from the entry to p evaluates
More informationait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS
ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS Christian Ferdinand and Reinhold Heckmann AbsInt Angewandte Informatik GmbH, Stuhlsatzenhausweg 69, D-66123 Saarbrucken, Germany info@absint.com
More informationCompiler Optimisation
Compiler Optimisation 3 Dataflow Analysis Hugh Leather IF 1.18a hleather@inf.ed.ac.uk Institute for Computing Systems Architecture School of Informatics University of Edinburgh 2018 Introduction Optimisations
More informationStatic Analysis. Xiangyu Zhang
Static Analysis Xiangyu Zhang Intuition Instead of concretely executing the program, let s statically execute/traverse it Instead of producing concrete execution states, let s have abstract state related
More informationSpring 2017 DD2457 Program Semantics and Analysis Lab Assignment 2: Abstract Interpretation
Spring 2017 DD2457 Program Semantics and Analysis Lab Assignment 2: Abstract Interpretation D. Gurov A. Lundblad KTH Royal Institute of Technology 1 Introduction In this lab assignment the abstract machine
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More informationBehavioural Equivalences and Abstraction Techniques. Natalia Sidorova
Behavioural Equivalences and Abstraction Techniques Natalia Sidorova Part 1: Behavioural Equivalences p. p. The elevator example once more How to compare this elevator model with some other? The cabin
More informationChapter 15: Information Flow
Chapter 15: Information Flow Definitions Compiler-based mechanisms Execution-based mechanisms Examples Slide #15-1 Overview Basics and background Compiler-based mechanisms Execution-based mechanisms Examples
More informationToward Abstract Interpretation of Program Transformations
Abstract Toward Abstract Interpretation of Program Transformations Developers of program transformations often reason about transformations to assert certain properties of the generated code. We propose
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationDataflow Analysis. Xiaokang Qiu Purdue University. October 17, 2018 ECE 468
Dataflow Analysis Xiaokang Qiu Purdue University ECE 468 October 17, 2018 Program optimizations So far we have talked about different kinds of optimizations Peephole optimizations Local common sub-expression
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationTesting. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?
Testing ECE/CS 5780/6780: Embedded System Design Scott R. Little Lecture 24: Introduction to Software Testing and Verification What is software testing? Running a program in order to find bugs (faults,
More informationCMPSC 497: Static Analysis
CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationResource Usage Analysis and its Application to Resource Certification (Part I)
Resource Usage Analysis and its Application to Resource Certification (Part I) Germán Puebla 1 joint work with Elvira Albert 2, Puri Arenas 2, Samir Genaim 2, and Damiano Zanardini 1 1 Technical University
More informationStatic analysis and all that
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule,
More informationFailure-Directed Program Trimming
Failure-Directed Program Trimming ABSTRACT Kostas Ferles The University of Texas at Austin, USA kferles@cs.utexas.edu Maria Christakis University of Kent, UK M.Christakis@kent.ac.uk This paper describes
More informationCSE Computer Security (Fall 2006)
CSE 543 - Computer Security (Fall 2006) Lecture 22 - Language-based security November 16, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1 The Morris Worm Robert Morris, a 23 doctoral student from
More informationCSCE 548 Building Secure Software Software Analysis Basics
CSCE 548 Building Secure Software Software Analysis Basics Professor Lisa Luo Spring 2018 Previous Class Ø Android Background Ø Two Android Security Problems: 1. Android App Repackaging o Very easy to
More informationTheorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214
Theorem proving PVS theorem prover Abhik Roychoudhury National University of Singapore Both specification and implementation can be formalized in a suitable logic. Proof rules for proving statements in
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationLecture Notes: Widening Operators and Collecting Semantics
Lecture Notes: Widening Operators and Collecting Semantics 15-819O: Program Analysis (Spring 2016) Claire Le Goues clegoues@cs.cmu.edu 1 A Collecting Semantics for Reaching Definitions The approach to
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationProgramming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.
Programming Languages and Compilers Qualifying Examination Fall 2017 Answer 4 of 6 questions. GENERAL INSTRUCTIONS 1. Answer each question in a separate book. 2. Indicate on the cover of each book the
More informationModular and Verified Automatic Program Repairs
Modular and Verified Automatic Program Repairs from Francesco Logozzo and Thomas Ball at Microsoft Research, Redmond presenter name(s) removed for FERPA considerations Introduction Your programs will have
More informationStatic verification of program running time
Static verification of program running time CIS 673 course project report Caleb Stanford December 2016 Contents 1 Introduction 2 1.1 Total Correctness is Not Enough.................................. 2
More informationSoftware and Energy-aware Computing Fundamentals of static analysis of software
Software and Energy-aware Computing Fundamentals of static analysis of software John Gallagher Roskilde University ICT-Energy: Energy consumption in future ICT devices Summer School, Aalborg, Denmark,
More information