Lightweight Verification of Array Indexing

Similar documents
Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Intro to Proving Absence of Errors in C/C++ Code

Language Techniques for Provably Safe Mobile Code

Code verification. CSE 331 University of Washington. Michael Ernst

A Type System for Regular Expressions

Lessons Learned in Static Analysis Tool Evaluation. Providing World-Class Services for World-Class Competitiveness

Finite Math Linear Programming 1 May / 7

Semantics and Validation Lecture 1. Informal Introduction

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Program Verification (6EC version only)

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Program Analysis Tools

Automatic Generation of Program Specifications

Static program checking and verification

Trust, but Verify. Two-Phase Typing for Dynamic Languages. Panagiotis Vekris, Benjamin Cosman, Ranjit Jhala. University of California, San Diego

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Rubicon: Scalable Bounded Verification of Web Applications

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

Static Analysis in C/C++ code with Polyspace

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Software Security: Vulnerability Analysis

Verifying source code

Functional Programming in Coq. Nate Foster Spring 2018

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Finding Errors in Multithreaded GUI Applications

Comparing procedure specifications

Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels

Module: Programming Language Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Sendmail crackaddr - Static Analysis strikes back

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

The Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?

Differential program verification

Advanced Type System Features Tom Schrijvers. Leuven Haskell User Group

Collaborative Verification of Information Flow for a High-Assurance App Store

CSE Computer Security

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

A Formally-Verified C static analyzer

Management. Software Quality. Dr. Stefan Wagner Technische Universität München. Garching 28 May 2010

Unit 6 - Software Design and Development LESSON 8 QUALITY ASSURANCE

Verasco: a Formally Verified C Static Analyzer

Testing, Debugging, and Verification

ABSTRACT Integers can be represented in programs as either signed or unsigned. Mixing values with different representations can lead to unexpected

StackAnalyzer Proving the Absence of Stack Overflows

Chapter 1 INTRODUCTION SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

Fiji VM Safety Critical Java

The Trouble with Types

Solutions Manual. Data Structures and Algorithms in Java, 5th edition International Student Version. M. T. Goodrich and R.

Verification and Test with Model-Based Design

Hybrid Constraint Solvers

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

Automatic Generation of Oracles for Exceptional Behaviors

Leveraging Test Generation and Specification Mining for Automated Bug Detection without False Positives

Verification and Validation

System LAV and Its Applications

Cascade: A Universal Programmer-assisted Type Qualifier Inference Tool

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

The Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Lecture 4 Searching Arrays

Finding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar

Lecture Notes on Linear Search

Type Systems. Pierce Ch. 3, 8, 11, 15 CSE

Certified Memory Usage Analysis

Verifying the Safety of Security-Critical Applications

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Static Analysis. Systems and Internet Infrastructure Security

Global Optimization. Lecture Outline. Global flow analysis. Global constant propagation. Liveness analysis. Local Optimization. Global Optimization

Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security

CS 161 Computer Security

Static Analysis of Dynamically Typed Languages made Easy

Why3 A Multi-Prover Platform for Program Verification

On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency

Outline. Analyse et Conception Formelle. Lesson 7. Program verification methods. Disclaimer. The basics. Definition 2 (Specification)

Seminar decision procedures: Certification of SAT and unsat proofs

18-642: Code Style for Compilers

Tutorial 1 Answers. Question 1

Administration. Conditional Statements. Agenda. Syntax. Flow of control. Lab 2 due now on floppy Lab 3 due tomorrow via FTP

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

University of Palestine. Mid Exam Total Grade: 100

C Source Code Analysis for Memory Safety

ASaP: Annotations for Safe Parallelism in Clang. Alexandros Tzannes, Vikram Adve, Michael Han, Richard Latham

A Gentle Introduction to Program Analysis

CSE Computer Security (Fall 2006)

Integrating verification in programming languages

COS 320. Compiling Techniques

Formal Methods in Software Development

Extended Static Checking for Java

Using Type Annotations to Improve Your Code

CMSC 132: OBJECT-ORIENTED PROGRAMMING II

Bounded Verification of Voting Software

6.828: OS/Language Co-design. Adam Belay

Oracle Developer Studio Code Analyzer

Analysis of Algorithms. 5-Dec-16

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Advanced Programming Methods. Introduction in program analysis

Transcription:

Lightweight Verification of Array Indexing Martin Kellogg*, Vlastimil Dort**, Suzanne Millstein*, Michael D. Ernst* * University of Washington, Seattle ** Charles University, Prague

The problem: unsafe array indexing In unsafe languages (C): buffer overflow! In managed languages (Java, C#, etc.): exception, program crashes 2

The state of the art Strength of guarantees Practical for developers 3

The state of the art Coq KeY Clousot Strength of guarantees Practical for developers 4

The state of the art Coq KeY Clousot Strength of guarantees Coverity FindBugs Practical for developers 5

The state of the art Strength of guarantees Coq KeY Clousot The Index Checker (this talk) Coverity FindBugs Practical for developers 6

Problems with complex analyses - false positives - annotation burden - complex analyses are hard to predict 7

Problems with complex analyses - false positives bounds checking is hard complex analysis complex analysis harder to implement harder to implement more false positives - annotation burden - complex analyses are hard to predict 8

Problems with complex analyses - false positives bounds checking is hard complex analysis complex analysis harder to implement harder to implement more false positives - annotation burden complex analysis complex annotations - complex analyses are hard to predict 9

Problems with complex analyses - false positives bounds checking is hard complex analysis complex analysis harder to implement harder to implement more false positives - annotation burden complex analysis complex annotations - complex analyses are hard to predict 10

Insight: Fundamental problem is complex analyses! 11

Solve all three problems: Cooperating simple analyses 12

Cooperating simple analyses Solve all three problems: simpler implementation fewer false positives 13

Cooperating simple analyses Solve all three problems: simpler implementation fewer false positives simpler abstractions easier to write annotations 14

Cooperating simple analyses Solve all three problems: simpler implementation fewer false positives simpler abstractions easier to write annotations simpler analysis simpler to predict 15

Proving an array access safe T[] a = ; int i = ;... a[i]... We need to show that: i is an index for a 16

Proving an array access safe T[] a = ; int i = ;... a[i]... We need to show that: i is an index for a i 0 i < a.length 17

Proving an array access safe T[] a = ; int i = ;... a[i]... We need to show that: i is an index for a i 0 A lower bound on i i < a.length An upper bound on i 18

A type system for lower bounds T i -1 i 0 i 1 @LowerBoundUnknown int i @GTENegativeOne int i @NonNegative int i @Positive int i 19

A type system for lower bounds T i -1 i 0 i 1 @LowerBoundUnknown int i @GTENegativeOne int i @NonNegative int i @Positive int i 20

A type system for upper bounds if (i >= 0 && i < a.length) { a[i] =... } 21

A type system for upper bounds if (i >= 0 && i < a.length) { a[i] =... } i < a.length @LTLengthOf( a ) int i 22

Type systems Linear inequalities i < j Minimum lengths a.length > 10 Negative indices i < a.length Lower bounds i 0 Equal lengths a.length = b.length Upper bounds i < a.length 23

Type systems Linear inequalities i < j Minimum lengths a.length > 10 Negative indices i < a.length Lower bounds i 0 Equal lengths a.length = b.length Upper bounds i < a.length 24

A type system for minimum array lengths if (a.length >= 3) { a[2] =...; } 25

A type system for minimum array lengths if (a.length >= 3) { a[2] =...; } a.length i T @MinLen(i) [] a 26

Evaluation Three case studies: Google Guava (two packages) JFreeChart plume-lib Comparison to existing tools: FindBugs, KeY, Clousot 27

Case Studies Guava JFreeChart plume-lib Total Lines of code 10,694 94,233 14,586 119,503 Bugs found 5 64 20 89 Annotations 510 2,938 241 3,689 False positives 138 386 43 567 Java casts 222 2,740 219 3,181 28

Comparison to other tools: confirmed bugs Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives False Negatives Time (100k LoC) 29

Comparison to other tools: confirmed bugs Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives False Negatives Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes 30

Comparison to other tools: confirmed bugs Approach Types Bug finder Verif. w/ solver Abs. interpret. Tool Index Checker FindBugs KeY Clousot True Positives 18/18 0/18 9/18 16/18 False Negatives 0/18 18/18 1/18 2/18 Time (100k LoC) ~10 minutes ~1 minute cannot scale ~200 minutes 31

Using the Index Checker Distributed with Checker Framework www.checkerframework.org 32

Contributions A methodology: simple, cooperative type systems An analysis: abstractions for array indexing An implementation and evaluation for Java Verifying the absence of array bounds errors in real codebases (and finding bugs in the process!) 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback