PLDI 2016 Tutorial Automata-Based String Analysis

Size: px

Start display at page:

Download "PLDI 2016 Tutorial Automata-Based String Analysis"

Abigayle Cunningham
6 years ago
Views:

1 PLDI 2016 Tutorial Automata-Based String Analysis Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory Department of Computer Science

2 Common Usages of Strings } Input validation and sanitization } Database query generation } Formatted data generation } Dynamic code generation 2

3 Symbolic Execution Example 1 public void site_exec(string cmd) { 2 String p = "home/ftp/bin"; 3 int j, sp = cmd.indexof( ); 5 if (sp == -1) { 6 j = cmd.lastindexof( / ); 7 } else { 8 j = cmd.lastindexof( /, sp); 9 } 11 String r = cmd.substring(j); 12 int l = r.length() + p.length(); 14 if (l > 32) { 15 return; 16 } 18 String buf = p + r; 19 boolean t = buf.contains("%n"); 21 if (t == true) { 22 throw new Exception("THREAT"); 23 } 25 execute(buf); 26 return; 27 } 3

4 Model Counting String Constraint Solver INPUT OUTPUT string constraint: C Automata-Based model Counting string constraint solver (ABC) counting function: f c length bound: k # of strings with length k for which C evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV 15) 4

5 Model Counting String Constraint Solver INPUT OUTPUT string constraint: C Automata-Based model Counting string constraint solver (ABC) counting function: f c length bound: k # of strings with length k for which C evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV 15) 5

6 String Constraint Language 6

7 Example String Expressions String Expression Constraint Language s.length() length(s) s.isempty() length(s) == 0 Java s.startswith(t,n) s.indexof(t,n) 0 n n s begins(substring(s,n, s ),t) indexof(substring(s,n, s ),t) PHP s.replaceall(p,r) strrpos(s, t) substr_replace(s, t,i,j) strip_tags(s) mysql_real_escape _string(s) replaceall(s,p,r) lastindexof(s,t) substring(s,0,i).t.substring(s,j, s ) replaceall(s,("<a>" "<p>"...),"")...replaceall(s,replaceall(s, \\", \\\\")," ", \ ")... 7

8 Model Counting String Constraint Solver INPUT OUTPUT string constraint: C Automata-Based model Counting string constraint solver (ABC) counting function: f c length bound: k # of strings with length k for which C evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV 15) 8

9 String Automata Construction C x 01 LEN x = 2 9

10 String Automata Construction C x 01 LEN x = 2 10

11 String Automata Construction C x 01 LEN x = 2 11

12 String Automata Construction C x 01 LEN x = 2 12

13 String Automata Construction C x 01 LEN x = 2 13

14 String Automata Construction C x 01 LEN x = 2 14

15 String Automata Construction C x 01 LEN x = 2 15

16 String Automata Construction C x 01 LEN x = 2 16

17 String Automata Construction C x 01 LEN x = 2 17

18 String Automata Construction C x 01 LEN x = 2 18

19 String Automata Construction C x 01 LEN x = 2 19

20 String Automata Construction C x 01 LEN x = 2 20

21 String Automata Construction C x 01 LEN x = 2 21

22 String Automata Construction C x 01 LEN x = 2 22

23 String Automata Construction C x 01 LEN x = 2 23

24 String Automata Construction C x 01 LEN x = 2 24

25 String Automata Construction C x 01 LEN x = 2 25

26 String Automata Construction C x 01 LEN x = 2 26

27 String Automata Construction C x 01 LEN x = 2 27

28 String Automata Construction C x 01 LEN x = 2 28

29 String Automata Construction C x 01 LEN x = 2 29

30 String Automata Construction C x 01 LEN x = 2 00, 10, 11 30

31 Integer Constraints 31

32 Integer Automata Construction C x = 1 x + y = 1 32

33 Integer Automata Construction C x = 1 x + y = 1 C 9 x + 0 y + 1 = 0 [1 0 1] C? x + y 1 = 0 [1 1 1] 33

34 Integer Automata Construction C x = 1 x + y = 1 C 9 x + 0 y + 1 = 0 [1 0 1] C? x + y 1 = 0 [1 1 1] C 9 C? } Using automata construction techniques described in: C. Bartzis and Tevfik Bultan. Efficient symbolic representations for arithmetic constraints in verification. Int. J. Found. Comput. Sci.,

35 Integer Automata Construction C x = 1 x + y = 1 (111, 010) = ( 1, 2) } Conjunction and disjunction is handled by automata product, negation is handled by automata complement 35

36 Mixing String LIA Constraints 36

37 Mixing String LIA Constraints length s = x x = 2y } We can try to solve using string constraint solving } Integer variables are represented with unary automaton } A H = L Σ H, A K = L λ, A M = L λ, A?M = L λ } A H A OPQRST ; L Σ H L λ } L λ = L λ L λ = L(λ ) } s = abc \, x = 1, y = 2 37

38 Mixing String LIA Constraints length s = x x = 2y } We can do better by using multi-track binary integer automaton } There will be three integer variables: length s, x, y 38

39 Mixing String LIA Constraints length s = x x = 2y } Using automata techniques described in: F. Yu, T. Bultan, O. H. Ibarra. Symbolic String Verification: Combining String Analysis and Size Analysis. TACAS 09 39

40 Mixing String LIA Constraints length s = x x = 2y 40

41 Mixing String LIA Constraints length s = x x = 2y 41

42 Relational String Constraints 42

43 Relational String Constraint Example s = t s t } Single track string automata results in SAT (w/ optimizations) } Assume Σ = {a, b, c} s = t L(A s ) L(A t ) s t L(A s ) L(A t ) a b c a b c a b c a b c 43

44 Relational String Constraint Example s = t s t } Multi-track string automata can keep relations s = t L(A s ) L(A t ) s t L(A s ) L(A t ) a b c a b c a b c a b c (a, a) b, b c, c (a, b) (a, c) b, a b, a c, a c, b 44

45 Relational String Constraint Example s = t s t } Each track represents values of one string variable s = t s t 45

46 Word Equations } Let X (the first track), Y (the second track), be two string variables } λ is the padding symbol X = Y. cc } X = Y. C, X = C. Y, C = X. Y can be precisely represented with multi-track automaton } X = Y. Z is non-linear, can be represented with over- or under-approximation

47 Model Counting String Constraints Solver INPUT OUTPUT string constraint: C Automata-Based model Counting string constraint solver (ABC) counting function: f c length bound: k # of strings with length k for which C evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV 15) 47

48 ABC Tool Symbolic Execution Tools input constraint bound k SAT/UNSAT f k, #solutions Compilation Automata Construction SMTLIB Parser Formula Transformer Driver Integer Constraint Solver String Constraint Solver Model Counter Formula Optimizer Dependency Analyzer ABC Automata Manipulation Library LIBSTRANGER MONA Mathematica 48

49 Experimental Evaluation } We conducted experiments on 3 benchmark sets } A java benchmark with wide range of string operations } Kaluza Small & Kaluza Big benchmarks for satisfiability check Frequency of Operations Per 1000 Formulas. = LENGTH REPLACEALL, BEGINS SUBSTRING, ENDS CONTAINS, INDEXOF Kausler Kaluza Small Kaluza Big

50 Satisfiability Check Comparison } Compared with CVC4 } Used SMT-lib format of Kaluza benchmarks from CVC4 ABC-CVC4 sat-sat ABC-CVC4 unsat-unsat ABC-CVC4 sat-unsat ABC-CVC4 unsat-sat ABC-CVC4 sat-timeout sat/small sat/big unsat/small unsat/big } Constraint solver performance for Kaluza benchmarks ABC Avg. Time (seconds) CVC4 Avg. Time (seconds) big small

51 Kauser s Benchmark } Extracted from 7 real-world server-side Java applications } Constraints were generated by extracting program path constraints through dynamic symbolic execution } CVC4 1.4 stable version was not able to handle Kauser s benchmark # of satisfiable path constraints Avg. # of BDD Nodes (each 16 bytes) Avg. Running Time (seconds) } Automata representation we use encodes the transition relation as a binary decision diagram 51

52 Model Counting String Constraints Solver INPUT OUTPUT string constraint: C Automata-Based model Counting string constraint solver (ABC) counting function: f c length bound: k # of strings with length k for which C evaluates to true Aydin et al., Automata-based Model Counting for String Constraints. (CAV 15) 52

Automata-based Model Counting for String Constraints. Abdulbaki Aydin, Lucas Bang, Tevfik Bultan

Automata-based Model Counting for String Constraints Abdulbaki Aydin, Lucas Bang, Tevfik Bultan https://vlab.cs.ucsb.edu Model Counting for String Constraints Automata-Based model Counter (ABC) 2 Can you