6 ways to statically find software bugs. Gang Fan
Slide 2: Outline
- What bugs?
- Why statically?
- Six ways to find bugs:
  - Pattern matching, Inconsistency (the "sweet spot")
  - IFDS, Value flow graph (graph reachability)
  - Backward symbolic analysis, Symbolic execution (symbolic + solver)
- Summary
Slide 3: What bugs?
- Cause system failure: null pointer dereference, double free, use after free
- Waste resources: resource leak, unused code
- Do not express the genuine intention of the developers: logical errors, misuse of APIs, other mistakes
Slides 4-8: Why statically?
- No need to run the program
- Earlier in the SDLC
- Covers more cases
- Can work overnight
Slide 10: Benefits of Pattern Matching & Inconsistency
- Easy to implement
- Very consistent
- Scales to large projects
- Very efficient and fast
- Supports large classes of program problems: bugs, style problems, performance weak points
Slide 11: Pattern matching
- FindBugs:
  - More than 1 million downloads
  - David Hovemeyer, Bill Pugh
  - Plugin for Eclipse, NetBeans and more
Slide 12: A bug example
Slide 13: Media FindBugs can work with
- Class structure and inheritance hierarchy
- Linear code scan
- Control-sensitive
- Dataflow
Slide 14: Publications: Pattern Matching
- David Hovemeyer and William Pugh. Finding bugs is easy, 2004
- Nick Rutar et al. A comparison of bug finding tools for Java, 2004
- Nathaniel Ayewah et al. The Google FindBugs fixit, 2010
Slide 15: Pattern: Cloneable not implemented correctly
Slide 16: Pattern: Dropped Exceptions

    try {
        file_operation();
    } catch (Exception e) {
        // simply ignored
    }
Slide 17: Pattern: Null check of a value previously dereferenced

    public void func(int[] a) {
        a[1] = 2;             // a is dereferenced here ...
        if (a != null) {      // ... so this null check is redundant, or the dereference above is the bug
            a[2] = 3;
        }
    }
Slide 18: Pattern: Equal objects must have equal hashcodes
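The FindBugs patterns above are syntactic: a detector walks the program structure and matches a shape, with at most a linear scan and no real dataflow. As an added example (not FindBugs, which analyses Java class files, and not the talk's code), here are two of those detectors written against Python's `ast` module: the dropped-exception pattern (a handler whose body is only `pass`) and the null-check-after-dereference pattern (an `is None` / `is not None` test on a name that an earlier statement of the same block already subscripted or dereferenced). The sample source is constructed for this page.

```python
"""FindBugs-style bug pattern detectors over Python ASTs (constructed example).
Both detectors are pure pattern matchers: a linear scan of each function body,
no dataflow, no path sensitivity, exactly the trade-off the slide describes."""
import ast


def _deref_names(stmt):
    """Names whose attribute or element is accessed anywhere in this statement."""
    names = set()
    for node in ast.walk(stmt):
        if isinstance(node, (ast.Attribute, ast.Subscript)) and isinstance(node.value, ast.Name):
            names.add(node.value.id)
    return names


def _null_checked_name(test):
    """If `test` is `<name> is None` or `<name> is not None`, return the name."""
    if (isinstance(test, ast.Compare) and isinstance(test.left, ast.Name)
            and len(test.ops) == 1 and isinstance(test.ops[0], (ast.Is, ast.IsNot))
            and isinstance(test.comparators[0], ast.Constant)
            and test.comparators[0].value is None):
        return test.left.id
    return None


def find_patterns(source):
    """Return a list of (pattern_name, line) findings, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Pattern 1: dropped exception, the handler body is just `pass`.
        if isinstance(node, ast.ExceptHandler):
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                findings.append(("DroppedException", node.lineno))
        # Pattern 2: null check of a value dereferenced earlier in the same block.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            dereferenced = set()
            for stmt in node.body:                      # linear scan of the body
                if isinstance(stmt, ast.If):
                    if _null_checked_name(stmt.test) in dereferenced:
                        findings.append(("NullCheckAfterDereference", stmt.lineno))
                dereferenced |= _deref_names(stmt)
    return sorted(findings, key=lambda f: f[1])


# Constructed sample input: one instance of each pattern plus a clean function.
SAMPLE = '''
def func(a):
    a[1] = 2
    if a is not None:
        a[2] = 3

def save(f):
    try:
        f.write("x")
    except OSError:
        pass

def ok(a):
    if a is None:
        return
    a[0] = 1
'''

if __name__ == "__main__":
    for pattern, line in find_patterns(SAMPLE):
        print(f"line {line}: {pattern}")
```

The null-check detector deliberately only understands `is None` tests and top-level statements of a block; anything subtler (checks in nested blocks, truthiness tests, values flowing through assignments) is where pattern matching stops and the dataflow-based techniques later in the talk begin.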
Slide 20: Publications: Program Inconsistency
- Dawson Engler, David Yu Chen, Seth Hallem, Andy Chou, and Benjamin Chelf. Bugs as deviant behavior, 2001
- Isil Dillig, Thomas Dillig, and Alex Aiken. Static error detection using semantic inconsistency inference, 2007
Slide 21: Program inconsistency
- Program beliefs are facts implied by the code.
- Must belief:
  - Extracted from the code.
  - There is no doubt that the programmer holds such a belief.
  - Ex: *p implies p is non-null
- May belief:
  - Observed from the code.
  - May be coincidental.
  - Ex: B() is always called after A()
Slide 22: Must belief
- Philosophy: if two beliefs contradict, we know that one of them is an error without knowing which one is correct.

Slide 23: May belief
- Statistical analysis.
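Slides 21 to 23 leave the statistical part implicit, so here is an added example (constructed for this page; it is not the talk's code and uses a simpler confidence threshold than the z-score ranking of "Bugs as deviant behavior") of how a may belief such as "unlock() is always called after lock()" is inferred from many functions and then turned into bug reports against the functions that deviate from it. The per-function call sequences are constructed sample data.

```python
"""May-belief inference in the style of "Bugs as deviant behavior" (constructed
example). A belief "b follows a" is supported by every function that calls a
and later b, and contradicted by every function that calls a but never b
afterwards. Beliefs with enough support become rules; deviants become reports."""
from collections import defaultdict

# Constructed sample input: function name -> callees in program order.
CALLS = {
    "read_cfg":  ["lock", "parse", "unlock"],
    "write_cfg": ["lock", "serialize", "unlock"],
    "reload":    ["lock", "parse", "unlock"],
    "flush":     ["lock", "serialize", "unlock"],
    "audit":     ["lock", "log"],             # deviant: lock without unlock
    "ping":      ["log"],
    "open_db":   ["connect", "query", "close"],
    "stats":     ["connect", "query"],          # too few samples to judge
}


def pair_statistics(calls):
    """For every ordered pair (a, b): number of functions that call a and later
    call b ("checks") versus functions that call a but never b afterwards
    ("errors")."""
    callees = sorted({c for seq in calls.values() for c in seq})
    checks, errors = defaultdict(int), defaultdict(int)
    for seq in calls.values():
        for a in set(seq):
            after = set(seq[seq.index(a) + 1:])      # everything after the first a
            for b in callees:
                if b == a:
                    continue
                if b in after:
                    checks[(a, b)] += 1
                else:
                    errors[(a, b)] += 1
    return checks, errors


def infer_beliefs(calls, min_support=3, min_confidence=0.8):
    """Beliefs 'b follows a' that hold often enough to be treated as rules,
    as ((a, b), checks, errors, confidence), strongest first."""
    checks, errors = pair_statistics(calls)
    beliefs = []
    for pair, n in checks.items():
        confidence = n / (n + errors[pair])
        if n >= min_support and confidence >= min_confidence:
            beliefs.append((pair, n, errors[pair], round(confidence, 2)))
    return sorted(beliefs, key=lambda b: (-b[3], b[0]))


def deviants(calls, **thresholds):
    """Functions that contradict an inferred belief: the candidate bugs."""
    reports = []
    for (a, b), *_ in infer_beliefs(calls, **thresholds):
        for fn, seq in calls.items():
            if a in seq and b not in seq[seq.index(a) + 1:]:
                reports.append((fn, a, b))
    return reports


if __name__ == "__main__":
    for belief in infer_beliefs(CALLS):
        print("belief:", belief)
    for fn, a, b in deviants(CALLS):
        print(f"{fn}: calls {a}() but never {b}() afterwards")
```

Note what the thresholds buy: `connect`/`close` is never promoted to a belief because two functions are not enough evidence, so `stats` is not reported even though it looks like the same shape of bug. That is the trade-off the talk points at: a may belief is a statistical bet, and the confidence and support cut-offs decide the false-positive rate.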
Slide 25: Benefits of IFDS
- IFDS is a general framework that can model large classes of problems.
- For a distributive problem, the IFDS solution is always precise.
- Inter-procedural and context-sensitive.
- Pure data flow analysis.
- Efficient, and its performance improves with advances in the underlying graph reachability.
Slide 26: Publications: IFDS
- Thomas Reps, Susan Horwitz, and Mooly Sagiv. Precise interprocedural dataflow analysis via graph reachability, 1995
- Mooly Sagiv, Thomas Reps, and Susan Horwitz. Precise interprocedural dataflow analysis with applications to constant propagation, 1996
- Eric Bodden. Inter-procedural data-flow analysis with IFDS/IDE and Soot, 2012
Slide 27: IFDS
- Inter-procedural Finite Distributive Subset (IFDS)
- Originally proposed by Thomas Reps in 1995
- Extended to IDE
- Meet-over-all-valid-paths
- CFL-reachability on the exploded super graph
Slide 28: Valid path
Slide 29: CFL language for valid paths
- matched ::= matched (_i matched )_i | ε
- valid ::= valid (_i matched | matched
- A valid path can be an open path: calls may still be pending, but every return must match the call that preceded it.
Slide 30: Example: possibly uninitialized variables

    main() {
        x = 3;
        p(x, y);
        print(y);      // Bug?
    }

    p(a, b) {
        if (...) {
            b = a;
        }
        return;
    }

    // a second call site of p
    p(a, b);
    printf(b);         // Bug?
Slide 31: Super Graph
Slide 32: Transfer function to graph
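To make the "valid path" idea of slides 27 to 32 concrete, here is an added example (constructed for this page, not the talk's or any IFDS library's code) of the possibly-uninitialized-variable problem on an exploded supergraph built by hand for the slide's program. It compares plain graph reachability, which follows a fact out of `p` through the wrong return edge, with reachability restricted to valid paths. The matching is done with an explicit call stack during the search rather than with the summary edges of the Reps/Horwitz/Sagiv tabulation algorithm, which gives the same answer on this recursion-free program. The second caller is assumed to be a function `foo` whose arguments are initialized before the call, and parameters are taken to be passed by reference (otherwise `p` could not initialize `y`).

```python
"""Possibly-uninitialized variables as graph reachability on an exploded
supergraph (constructed example). A fact "v" at a node means "v may be
uninitialized here"; ZERO is the special always-true fact used to generate facts."""
from collections import defaultdict

ZERO = "0"

# (cfg_node, fact) -> [((cfg_node, fact), label)]; the outgoing edges of a node
# encode the transfer function of the statement at that node.
# label: None = intraprocedural, ("call", site) = call edge, ("ret", site) = return edge.
G = defaultdict(list)


def edge(n1, f1, n2, f2, label=None):
    G[(n1, f1)].append(((n2, f2), label))


def identity(n1, n2, facts):
    for f in facts:
        edge(n1, f, n2, f)


def call(site, ret_node, actuals, formals, callee_entry, callee_exit):
    """Call edges map actual -> formal, return edges map formal -> actual
    (by-reference parameters); the call-to-return edge carries only ZERO."""
    edge(site, ZERO, callee_entry, ZERO, ("call", site))
    edge(site, ZERO, ret_node, ZERO)
    edge(callee_exit, ZERO, ret_node, ZERO, ("ret", site))
    for actual, formal in zip(actuals, formals):
        edge(site, actual, callee_entry, formal, ("call", site))
        edge(callee_exit, formal, ret_node, actual, ("ret", site))


# main() { x = 3; p(x, y); print(y); }          y may be uninitialized: a bug
edge("main.entry", ZERO, "main.x=3", ZERO)
edge("main.entry", ZERO, "main.x=3", "x")          # locals start uninitialized
edge("main.entry", ZERO, "main.x=3", "y")
identity("main.x=3", "main.call", [ZERO, "y"])     # x = 3 kills the fact x
call("main.call", "main.print_y", ["x", "y"], ["a", "b"], "p.entry", "p.exit")

# p(a, b) { if (...) { b = a; } return; }
identity("p.entry", "p.b=a", [ZERO, "a", "b"])     # then-branch
identity("p.entry", "p.exit", [ZERO, "a", "b"])    # else-branch: b untouched
identity("p.b=a", "p.exit", [ZERO, "a"])           # b = a kills the old b ...
edge("p.b=a", "a", "p.exit", "b")                  # ... and b inherits a's status

# foo() { u = 1; v = 2; p(u, v); printf(v); }    (assumed second caller) no bug
edge("foo.entry", ZERO, "foo.u=1", ZERO)
edge("foo.entry", ZERO, "foo.u=1", "u")
edge("foo.entry", ZERO, "foo.u=1", "v")
identity("foo.u=1", "foo.v=2", [ZERO, "v"])
identity("foo.v=2", "foo.call", [ZERO])
call("foo.call", "foo.printf_v", ["u", "v"], ["a", "b"], "p.entry", "p.exit")

USES = {"main.print_y": "y", "foo.printf_v": "v"}   # variable read at each use site


def reachable(entries, match_calls):
    """Facts reachable at every node from (entry, ZERO). With match_calls=False
    this is plain graph reachability, which follows unrealizable paths; with
    match_calls=True a return edge is taken only if it matches the call on top
    of the context stack, so only interprocedurally valid paths are followed."""
    facts, seen = defaultdict(set), set()
    work = [((e, ZERO), ()) for e in entries]
    while work:
        node, ctx = work.pop()
        if (node, ctx) in seen:
            continue
        seen.add((node, ctx))
        facts[node[0]].add(node[1])
        for nxt, label in G.get(node, []):
            if label is None:
                work.append((nxt, ctx))
            elif not match_calls:
                work.append((nxt, ()))
            elif label[0] == "call":
                work.append((nxt, ctx + (label[1],)))
            elif ctx and ctx[-1] == label[1]:       # matching return
                work.append((nxt, ctx[:-1]))
    return facts


def uninitialized_uses(match_calls):
    """Use sites whose variable may be uninitialized."""
    facts = reachable(["main.entry", "foo.entry"], match_calls)
    return sorted(site for site, var in USES.items() if var in facts[site])


if __name__ == "__main__":
    print("plain reachability:", uninitialized_uses(False))
    print("valid paths only:  ", uninitialized_uses(True))
```

Plain reachability reports `printf(v)` in `foo` as well, because the uninitialized `b` that entered `p` from `main` leaves `p` along the return edge to `foo`; that path is not in the `valid` language of slide 29, and the context-matched search drops it, which is what "meet over all valid paths" buys.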
Slide 36: Publications: Value flow graph
- Bernhard Steffen, Jens Knoop, and Oliver Rüthing. The value flow graph: A program representation for optimal program transformations, 1990
- Sigmund Cherem, Lonnie Princehouse, and Radu Rugina. Practical memory leak detection using guarded value-flow analysis
- Yulei Sui, Ding Ye, and Jingling Xue. Detecting memory leaks statically with full-sparse value-flow analysis, 2014
Slide 37: Benefits of Value flow analysis
- Sparse representation of program data dependency.
- Supports an infinite value domain, unlike IFDS, which only supports a finite domain.
- Efficient, and its performance improves with advances in the underlying graph reachability.
- Assisted by an SMT solver, it can support even more classes of problems.
Slide 38: Definitions and Uses
- Definitions: A = 1; B = 2
- Uses: A*A; B+A

    int x = 0;      /* A */
    x = x + y;      /* B */
    /* 1, some uses of x */
    x = 35;         /* C */
    /* 2, some uses of x */
Slide 39: Use-def / def-use chain
- Def-use (DU) chain: a list structure
  - For each definition d, compute the chain of uses that d may reach.
  - A sparse representation of data flow: information is computed only at the program points where it is actually used.
- Use-def chain: the counterpart of the def-use chain
- Static Single Assignment (SSA): expresses the def-use relationship explicitly in the program code.
Slide 40: DU chain
Slide 41: Merge points
Slide 42: SSA
Slide 43: DU chain over SSA
Slide 44: Value flow graph
- Traces value equivalences over the whole program.
- VFG edges come from:
  - a = b
  - a = φ(b, c, d)
  - r = func(arg1, arg2), where func(p1, p2) returns ret
Slide 45: Find bugs with the Value flow graph

    void foo() {
        int *p = NULL;
        other_statements;
        bar(p);
    }

    void bar(int *p) {
        *p = 2;
    }
Slide 46: A memory leak that cannot be detected with a simple VFG

    int func() {
        int *p = malloc();
        if (p == NULL) return -1;
        int *q = malloc();
        if (q == NULL) return -1;   // p is leaked here
        ... other code ...
        free(p);
        free(q);
        return 0;
    }

A simple VFG cannot detect this memory leak bug: p does flow into free(p), so without path conditions the early return looks covered.
Slide 47: Guarded Value flow graph
- Sigmund Cherem, Lonnie Princehouse, and Radu Rugina. Practical memory leak detection using guarded value-flow analysis
- Yulei Sui, Ding Ye, and Jingling Xue. Detecting memory leaks statically with full-sparse value-flow analysis, 2014
Slide 48: Guarded Value flow graph
- Same function as slide 46: once the value-flow edges carry guards, the condition p != NULL && q == NULL triggers a memory leak!
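As an added example for slides 46 to 48 (constructed for this page; it is not SVF's or Cherem et al.'s code), the leak check below runs on a hand-built CFG of the slide's function with guard variables `pn` ("p == NULL") and `qn` ("q == NULL") on its branch edges. The unguarded check only asks whether the allocation reaches a `free`, and misses the bug; the guarded check asks, per path that skips `free(p)`, whether the conjunction of edge guards together with "the allocation succeeded" is satisfiable, and finds exactly the condition the slide names. Satisfiability is decided by enumerating the two guard variables, standing in for the SMT query a real implementation would issue.

```python
"""Guarded value-flow leak check on the slide's example function (constructed).
Nodes are the statements, edges carry an optional guard over pn/qn."""
import itertools

# int *p = malloc(); if (p == NULL) return -1;
# int *q = malloc(); if (q == NULL) return -1;   // p leaks here
# free(p); free(q); return 0;
CFG = {
    "p=malloc":   [("if_p", None)],
    "if_p":       [("ret_p_null", "pn"), ("q=malloc", "not pn")],
    "q=malloc":   [("if_q", None)],
    "if_q":       [("ret_q_null", "qn"), ("free_p", "not qn")],
    "free_p":     [("free_q", None)],
    "free_q":     [("ret_ok", None)],
    "ret_p_null": [], "ret_q_null": [], "ret_ok": [],
}
# What each node does; an allocation also records the guard under which the
# allocated object actually exists (malloc succeeded).
ACTIONS = {
    "p=malloc": ("alloc", "p", "not pn"),
    "q=malloc": ("alloc", "q", "not qn"),
    "free_p": ("free", "p"),
    "free_q": ("free", "q"),
}
GUARD_VARS = ["pn", "qn"]


def paths_from(node):
    """All paths from `node` to an exit node (the CFG is acyclic)."""
    if not CFG[node]:
        yield [node]
        return
    for succ, _ in CFG[node]:
        for rest in paths_from(succ):
            yield [node] + rest


def path_guards(path):
    """Guards on the edges along a path."""
    guards = []
    for a, b in zip(path, path[1:]):
        g = next(g for s, g in CFG[a] if s == b)
        if g:
            guards.append(g)
    return guards


def satisfiable(constraints):
    """Brute-force stand-in for an SMT/SAT query: a satisfying assignment or None."""
    for vals in itertools.product([False, True], repeat=len(GUARD_VARS)):
        env = dict(zip(GUARD_VARS, vals))
        if all(eval(c, {}, env) for c in constraints):
            return env
    return None


def _alloc_node(ptr):
    return next(n for n, a in ACTIONS.items() if a[:2] == ("alloc", ptr))


def unguarded_leak_check(ptr):
    """Plain VFG view: if any free(ptr) is reachable from the allocation,
    report nothing. This is the check that misses the slide's bug."""
    reaches_free = any(ACTIONS.get(n) == ("free", ptr)
                       for path in paths_from(_alloc_node(ptr)) for n in path)
    return None if reaches_free else {"exit": "any", "condition": {}}


def guarded_leak_check(ptr):
    """Guarded VFG view: a leak exists if some path from the allocation to an
    exit never frees ptr and its guards, plus 'object exists', are satisfiable."""
    alloc = _alloc_node(ptr)
    exists = ACTIONS[alloc][2]
    for path in paths_from(alloc):
        if any(ACTIONS.get(n) == ("free", ptr) for n in path):
            continue
        env = satisfiable([exists] + path_guards(path))
        if env is not None:
            return {"exit": path[-1], "condition": env}
    return None


if __name__ == "__main__":
    for ptr in ("p", "q"):
        print(ptr, "unguarded:", unguarded_leak_check(ptr), "guarded:", guarded_leak_check(ptr))
```

The "object exists" guard is what keeps the `return -1` after a failed `malloc` from being reported: on that path `pn` is true, which contradicts `not pn`, so the path is infeasible for a real object. For `q` every non-freeing path is infeasible in the same way, so only `p` is reported, with the assignment `pn = False, qn = True`.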
Slide 50: Benefits of Symbolic + Solver
- Generally path-sensitive.
- Very precise.
- Leverages the power of SMT solvers; performance grows with the development of those solvers.
- Can be extended to support inter-procedural analysis.
Slide 51: Weakest Pre-condition (WP)
- Pre-condition and post-condition: {?} S {R}
- A condition P1 is weaker than P2 if P2 → P1
- Weakest pre-condition example:
  - S: y = x * x, R: y >= 4
  - Some valid P: x = 100, x = 200, x = 300
  - A weaker P: x >= 100
  - WP: (x <= -2) ∪ (x >= 2)
Slide 52: Backward WP

Slide 53: Backward symbolic analysis
- Demand-driven
- Computes the WP backwards
- Explores all paths backwards
Slide 54: Function boundary problem

    int func(int *p) {
        /* false  (the condition "p is null" propagated back through if (p) is infeasible) */
        if (p) {
            /* p is null */
            *p;           // a potential NPD
        }
    }

    int func(int *p) {
        /* p is null: the condition reaches the function boundary unresolved */
        *p;               // a potential NPD, decided only by the callers
    }
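Slides 51 to 54 describe two uses of the same machinery: computing a weakest precondition by substitution, and pushing a bug condition backwards from a dereference to the function entry. The added example below (written for this page, not the talk's code) does both over a tiny statement language with Python expression strings as predicates: `wp` implements the assignment, sequence and conditional rules, and `npd_condition_at_entry` walks a path backwards from `*p`, conjoining branch guards and substituting assignments. An SMT solver is replaced by brute-force evaluation over a small integer domain; `p == 0` models a null pointer, and the paths `GUARDED`, `UNGUARDED` and `ALIASED` are constructed to match the slide's two functions plus an aliasing variant.

```python
"""Weakest preconditions and backward symbolic analysis (constructed example).
Predicates and expressions are Python expression source strings."""
import ast
import itertools


class _Subst(ast.NodeTransformer):
    """Replace every read of variable `name` by the expression tree `repl`."""
    def __init__(self, name, repl):
        self.name, self.repl = name, repl

    def visit_Name(self, node):
        return self.repl if node.id == self.name else node


def substitute(pred, var, expr):
    """pred[expr/var], i.e. Hoare's assignment rule wp(var := expr, pred)."""
    tree = ast.parse(pred, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, repl).visit(tree))


# Statements: ("assign", var, expr) | ("seq", [stmts]) | ("if", cond, then, else)
def wp(stmt, post):
    """Weakest precondition of `stmt` for postcondition `post`, computed backwards."""
    kind = stmt[0]
    if kind == "assign":
        return substitute(post, stmt[1], stmt[2])
    if kind == "seq":                       # wp(S1; S2, R) = wp(S1, wp(S2, R))
        for s in reversed(stmt[1]):
            post = wp(s, post)
        return post
    if kind == "if":
        c, t, e = stmt[1], wp(stmt[2], post), wp(stmt[3], post)
        return f"(({c}) and ({t})) or ((not ({c})) and ({e}))"
    raise ValueError(f"unknown statement {kind}")


def classify(pred, variables, domain):
    """Brute-force stand-in for an SMT query: 'unsat' (never true),
    'valid' (always true) or 'sat' (true for some inputs only)."""
    outcomes = {bool(eval(pred, {}, dict(zip(variables, vals))))
                for vals in itertools.product(domain, repeat=len(variables))}
    return {frozenset([False]): "unsat", frozenset([True]): "valid"}.get(frozenset(outcomes), "sat")


def implies(p, q, variables, domain):
    return classify(f"(not ({p})) or ({q})", variables, domain) == "valid"


def square_example(domain=range(-300, 301)):
    """The slide's example: S is y = x * x and R is y >= 4."""
    w = wp(("assign", "y", "x * x"), "y >= 4")
    return {
        "wp": w,
        "x_ge_100_implies_wp": implies("x >= 100", w, ["x"], domain),
        "wp_iff_abs_x_ge_2": implies(w, "x <= -2 or x >= 2", ["x"], domain)
                             and implies("x <= -2 or x >= 2", w, ["x"], domain),
    }


# Backward symbolic analysis of a potential null dereference: a path is listed
# backwards from the dereference to the function entry as ("assume", guard)
# and ("assign", var, expr) steps. The bug condition at *p is "p == 0".
def npd_condition_at_entry(path_backward, bug_cond="p == 0"):
    cond = bug_cond
    for step in path_backward:
        if step[0] == "assume":
            cond = f"({step[1]}) and ({cond})"
        else:
            cond = substitute(cond, step[1], step[2])
    return cond, classify(cond, ["p"], [0, 1])


GUARDED = [("assume", "p != 0")]                       # *p inside if (p) { ... }
UNGUARDED = []                                         # *p with no check at all
ALIASED = [("assume", "q != 0"), ("assign", "q", "p")]  # q = p; if (q) { *p; }

if __name__ == "__main__":
    print(square_example())
    for name, path in [("guarded", GUARDED), ("unguarded", UNGUARDED), ("aliased", ALIASED)]:
        print(name, npd_condition_at_entry(path))
```

The three verdicts are the slide's point: `unsat` at the entry means no caller can trigger the dereference, while `sat` means the analysis has reached the function boundary with "p is null" still open, and only the callers (or an annotation, as on the next slide) can close it.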
Slide 55: Annotation
- ESC/Java
- LCLint
- David Hovemeyer and William Pugh. Finding bugs is easy
- David Evans. Static detection of dynamic memory errors
- David Evans. Using specifications to check source code
- Example: Bag(/* non_null */ int[] input);
Slide 56: Other approaches
- Assisted annotation: Houdini
  - Cormac Flanagan and K. Rustan M. Leino. Houdini, an annotation assistant for ESC/Java
- ICFG: Marple
  - Wei Le and Mary Lou Soffa. Marple: A demand-driven path-sensitive buffer overflow detector
- Function summary: ESP, Snugglebug
  - Manuvir Das, Sorin Lerner, and Mark Seigle. ESP: Path-sensitive program verification in polynomial time
  - Satish Chandra, Stephen J. Fink, and Manu Sridharan. Snugglebug: A powerful approach to weakest preconditions
Slide 58: Symbolic Execution
- First introduced in 1975
- Very active area of research:
  - Cristian Cadar, Daniel Dunbar, and Dawson Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs
  - P. Godefroid. DART: Directed Automated Random Testing
  - K. Sen. CUTE: A Concolic Unit Testing Engine for C
  - P. Godefroid. SAGE: Whitebox Fuzzing for Security Testing
  - Corina Pasareanu et al. Combining Unit-level Symbolic Execution and System-level Concrete Execution for Testing NASA Software
Slide 59: Symbolic Execution
- Simulates program execution with symbols as arguments.
- Can take any feasible path.
- The path condition is a conjunction of constraints on the symbolic input values.
- A solution of a path condition is a test input that covers the respective path.
Slide 60: An example

    int bad_abs(int x) {      // x = * (symbolic)
        if (x < 0)
            return -x;
        if (x == 1234)
            return -x;
        return x;
    }

Symbolic execution tree:
- x < 0 TRUE: return -x; path condition x < 0; e.g. x = -2 (test1.out)
- x < 0 FALSE, x == 1234 TRUE: return -x; path condition x >= 0 ∧ x == 1234; x = 1234 (test2.out)
- x < 0 FALSE, x == 1234 FALSE: return x; path condition x >= 0 ∧ x != 1234; e.g. x = 3 (test3.out)
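The tree on slide 60 is what a symbolic executor enumerates. The added example below (written for this page; it is neither KLEE's nor the talk's code) walks `bad_abs` as a small program tree, collects the path condition of every path, solves it for a concrete input, and then runs each input concretely against the specification `abs()` to expose the bug on the `x == 1234` path. It goes slightly beyond the slide by also showing infeasible-path pruning on a second constructed program. The "solver" is a brute-force search over a bounded integer range, standing in for the SMT solver a real engine calls.

```python
"""A tiny symbolic executor for single-input integer functions (constructed).
Programs are trees ("if", cond, then, else) with leaves ("return", expr); cond
and expr are Python expressions over the symbolic input x."""

BAD_ABS = ("if", "x < 0", ("return", "-x"),
           ("if", "x == 1234", ("return", "-x"), ("return", "x")))

# Constructed program with one syntactically present but infeasible path
# (x > 5 and x < 3 cannot both hold).
INFEASIBLE_DEMO = ("if", "x > 5",
                   ("if", "x < 3", ("return", "0"), ("return", "1")),
                   ("return", "2"))


def explore(node, path_cond=()):
    """Yield (path_condition, return_expr) for every syntactic path; each
    branch extends the path condition with the taken guard or its negation."""
    if node[0] == "return":
        yield path_cond, node[1]
        return
    _, cond, then, els = node
    yield from explore(then, path_cond + (cond,))
    yield from explore(els, path_cond + (f"not ({cond})",))


def solve(path_cond, candidates=range(-10, 2000)):
    """Stand-in for an SMT solver: the first integer satisfying every constraint,
    or None when the path condition is unsatisfiable (infeasible path)."""
    for x in candidates:
        if all(eval(c, {}, {"x": x}) for c in path_cond):
            return x
    return None


def generate_tests(program=BAD_ABS):
    """One concrete test input per feasible path, with the value it returns."""
    tests = []
    for path_cond, ret in explore(program):
        x = solve(path_cond)
        if x is None:
            continue                                  # infeasible path, pruned
        tests.append({"path": " and ".join(path_cond), "x": x,
                      "result": eval(ret, {}, {"x": x})})
    return tests


def feasible_path_count(program):
    return len(generate_tests(program))


def find_bugs(program=BAD_ABS):
    """Run the generated inputs concretely and compare against the spec abs()."""
    return [t for t in generate_tests(program) if t["result"] != abs(t["x"])]


if __name__ == "__main__":
    for t in generate_tests():
        print(f"path [{t['path']}] -> x = {t['x']}, returns {t['result']}")
    print("bugs:", find_bugs())
```

Three tests come out for `bad_abs`, one per leaf, just as on the slide (the concrete values differ from the slide's because the solver picks the first satisfying integer, and any solution of the path condition covers the path). The check against `abs()` is the oracle step the slide leaves implicit: symbolic execution finds inputs, something else has to say which outputs are wrong.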
Slide 61: The KLEE project
- Uses symbolic execution to generate test cases.
- Managed to find 10 fatal bugs in the well-programmed and well-tested COREUTILS project.
- Better coverage than manual test cases.
- Cristian Cadar, Daniel Dunbar, and Dawson Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs
Slide 63: Summary
- Six techniques: Pattern matching, Inconsistency, IFDS, VFG, Backward symbolic analysis, Symbolic execution.
- The slide places them on three axes: implementation difficulty (up to hard/complex), precision (up to precise) and scalability (up to 1M+ LoC); the symbolic techniques depend on an SMT solver.
Slide 64: Inspirations for future research
- Path explosion (ex: loops, recursive calls): model paths with symbolic analysis
- Overwhelming solver queries: assisted constraint generation with DFA; a staged analysis framework
- Lack of environment information (ex: network IO, files): combination of concrete execution with static analysis
Slide 65: Summary
1. Path sensitivity is necessary.
2. Rely heavily on SMT solvers.
3. Do not ignore the low-hanging fruit.
Principles of Software Construction: Objects, Design and Concurrency Static Analysis 15-214 toad Spring 2013 Christian Kästner Charlie Garrod School of Computer Science 2012-13 C Garrod, C Kästner, J Aldrich,
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationModular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs
Modular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs Longming Dong Ji Wang Liqian Chen National University of Defense Technology, Changsha, China 05/12/2012 APSEC 2012 L
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationarxiv: v1 [cs.pl] 23 Jan 2012
On Synergy of Metal, Slicing, and Symbolic Execution Jiří Slabý, Jan Strejček, and Marek Trtík arxiv:1201.4719v1 [cs.pl] 23 Jan 2012 Faculty of Informatics, Masaryk University Botanická 68a, 60200 Brno,
More informationSymbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois
Symbolic Execution Joe Hendrix Galois, Inc SMT Summer School 2015 Galois, Inc We solve hard research problems for clients. Symbolic Execution is a technique for mapping code into logic. is widely used
More informationWanted: Students to participate in a user study
Wanted: Students to participate in a user study Requirements: Know how to use the Eclipse IDE Knowledge in Java development Knowledge of static analysis is not required, but it is a plus Time: 2-3 hours
More informationLessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness
Lessons Learned in Static Analysis Tool Evaluation 1 Overview Lessons learned in the evaluation of five (5) commercially available static analysis tools Topics Licensing Performance Measurement Limitations
More informationSimple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;
Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }
More informationDemand-Driven Compositional Symbolic Execution
Demand-Driven Compositional Symbolic Execution Saswat Anand 1, Patrice Godefroid 2, and Nikolai Tillmann 2 1 Georgia Institute of Technology saswat@cc.gatech.edu 2 Microsoft Research {pg,nikolait}@microsoft.com
More informationFinding Inconsistencies in Programs with Loops
Finding Inconsistencies in Programs with Loops Temesghen Kahsai 1, Jorge A. Navas 2, Dejan Jovanović 3, Martin Schäf 3 1 Carnegie Mellon University, USA 2 NASA Ames Research Center / SGT, USA 3 SRI International,
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationLecture 2: Control Flow Analysis
COM S/CPRE 513 x: Foundations and Applications of Program Analysis Spring 2018 Instructor: Wei Le Lecture 2: Control Flow Analysis 2.1 What is Control Flow Analysis Given program source code, control flow
More informationIntroduction to Machine-Independent Optimizations - 6
Introduction to Machine-Independent Optimizations - 6 Machine-Independent Optimization Algorithms Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course
More informationAPISan: Sanitizing API Usages through Semantic Cross-checking
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in today s software are plentiful
More informationCMSC 631 Program Analysis and Understanding. Spring Symbolic Execution
CMSC 631 Program Analysis and Understanding Spring 2013 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all
More informationStatic and dynamic analysis: synergy and duality
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science & Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme:
More informationAutomated Software Testing
Automated Software Testing for the 21 st Century Patrice Godefroid Microsoft Research Page 1 June 2015 Outline Two parts: 1. Some recent advances on automated software testing Technical developments Applications
More informationAdvances in Programming Languages
T O Y H Advances in Programming Languages APL14: Practical tools for Java Correctness David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Friday 12 November
More informationPath-sensitive Memory Leak Detector
Path-sensitive Memory Leak Detector Yungbum Jung Programming Research Laboratory Seoul National University ROSAEC 2nd Workshop 1 False Alarm from Tar fopen fclose escape 2 Alarm Explanation void foo(){
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/25/2017 1 Anti-Patterns: Coding Style: Language Use Code compiles with warnings Warnings are turned off or over-ridden Insufficient warning level set Language safety
More information