a brief introduction to static analysis
play

A Brief Introduction to Static Analysis Sam Blackshear March 13, - PowerPoint PPT Presentation

Jun 15, 2023 •103 likes •488 views

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

  1. A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012

  2. Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should use Current research in static analysis 2

  3. An Interesting Problem We’ve written a program P and we want to know... Does P satisfy property of interest φ (for example, P does not dereference a null pointer, all casts in P are safe, ...) Manually verifying that P satisfies φ may be tedious or impractical if P is large or complex Would be great to write a program (or static analysis tool) that can inspect the source code of P and determine if φ holds! 3

  4. An Inconvenient Truth We cannot write such a program; the problem is undecidable in general! Rice’s Theorem (paraphrase): For any nontrivial program property φ , no general automated method can determine whether φ holds for P . Where nontrivial means we can there exists both a program that has property φ and one that does not. So should we give up on writing that program? 4

  5. A Way Out Only if not getting an exact answer bothers us (and it shouldn’t). Key insight: we can abstract the behaviors of the program into a decidable overapproximation or underapproximation , then attempt to prove the property in the abstract version of the program This way, we can have our decidability, but can also make very strong guarantees about the program 5

  6. Analysis Choices A sound static analysis overapproximates the behaviors of the program. A sound static analyzer is guaranteed to identify all violations of our property φ , but may also report some “false alarms”, or violations of φ that cannot actually occur. A complete static analysis underapproximates the behaviors of the program. Any violation of our property φ reported by a complete static analyzer corresponds to an actual violation of φ , but there is no guarantee that all actual violations of φ will be reported Note that when a sound static analyzer reports no errors, our program is guaranteed not to violate φ ! This is a powerful guarantee. As a result, most static analysis tools choose to be sound rather than complete. 6

  7. Visualizing Soundness and Completeness Overapproximate (sound) analysis All program behaviors Underapproximate (complete) analysis 7

  8. Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should use Current research in static analysis 8

  9. An Example Static Analysis : Sign Analysis Classic example: sign analysis! Abstract concrete domain of integer values into abstract domain of signs ( - , 0 , + ) ∪ {⊤ , ⊥} Step 1: Define abstraction function abstract () over integer literals: - abstract ( i ) = - if i < 0 - abstract ( i ) = 0 if i == 0 - abstract (0) = + if i > 0 9

  10. Sign Analysis (continued) Define transfer functions over abstract domain that show how to evaluate expressions in the abstract domain: + + + = + - + - = - 0 + 0 = 0 0 + + = + 0 + - = - . . . + + - = ⊤ (analysis notation for “unknown”) { + , - , 0 , ⊤} + ⊤ = ⊤ { + , - , 0 , ⊤} / 0 = ⊥ (analysis notation for “undefined”) . . . 10

  11. An Example Static Analysis (continued) Now, every integer value and expression has been abstracted into a { + , - , 0 , ⊤ , ⊥} . An exceedingly silly analysis, but even so can be used to: Check for division by zero (as simple as looking for occurrences of ⊥ ) Optimize: store + variables as unsigned integers or 0 ’s as false boolean literals See if (say) a banking program erroneously allows negative account values (see if balance variable is - or ⊤ ) More? 11

  12. Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should use Current research in static analysis 12

  13. What Are Static Analysis Tools Used For? To name a few: Compilers (type checking, optimization) Bugfinding Formal Verification 13

  14. Compilers - Type Checking Most common and practically useful example of static analysis Statically ensure that arithmetic operations are computable (prevent adding an integer to a boolean in C++, for example) Guarantee that functions are called with the correct number/type of arguments Real-world static analysis success story: “undefined variable analysis” to ensure that an undefined variable is never read - Common source of nondeterminism in C; causes nasty bugs - Analysis built in to Java compiler! Statically guarantees that an undefined variable will never be read Object o; o.foo(); Compiler: “Variable o might not have been initialized”! 14

  15. Compilers - Optimization Examples: Machine-aware optimizations: convert x*2 into x + x Loop-invariant code motion: move code out of a loop int a = 7, b = 6, sum, z, i; for (i = 0; i < 25; i++) z = a + b; sum = sum + z + i; Lift z = a + b out of the loop Function inlining - save overhead of procedure call by inserting code for procedure (related: loop unrolling) Many more! 15

  16. Bugfinding Big picture: identify illegal or undesirable language behaviors, see if program can trigger them Null pointer dereference analysis (C, C++, Java . . . ) Buffer overflow analysis: can the program write past the bounds of a buffer? (C, C++, Objective-C) Cast safety analysis: can a cast from one type to another fail? Taint analysis: can a program leak secret data, or use untrusted input in an insecure way? (web application privacy, SQL injection, . . . ) Memory leak analysis: is malloc() called without free() ? (C, C++) Is a heap location that is never read again reachable from the GC roots? (Java) Race condition checking: Can threads interleave in such a way that threads t 1 and t 2 simultaneously access variable x , where at least one access is a write? 16

  17. Formal Verification Given a rigorous complete or partial specification , prove that no possible behavior of the program violates the specification Assertion checking - user writes assert() statements that fail at runtime if assertion evaluates to false. We can use static analysis to prove that an assertion can never fail Given a specification for an algorithm and a formal semantics for the language the program is written in, can prove that the implementation (not just the algorithm!) is correct. Note: giving specification is sometimes harder than checking it! Example: Specification for sorting. How would you define? Takes input ℓ , 0-indexed array of integers, returns ℓ ′ , 0-indexed array of integers, where: 17

  18. Formal Verification Given a rigorous complete or partial specification , prove that no possible behavior of the program violates the specification Assertion checking - user writes assert() statements that fail at runtime if assertion evaluates to false. We can use static analysis to prove that an assertion can never fail Given a specification for an algorithm and a formal semantics for the language the program is written in, can prove that the implementation (not just the algorithm!) is correct. Note: giving specification is sometimes harder than checking it! Example: Specification for sorting. How would you define? Takes input ℓ , 0-indexed array of integers, returns ℓ ′ , 0-indexed array of integers, where: (1) for i in [0, length( ℓ ′ ) - 1) , ℓ ′ [ i ] ≤ ℓ ′ [ i + 1] (obvious) 17

  19. Formal Verification Given a rigorous complete or partial specification , prove that no possible behavior of the program violates the specification Assertion checking - user writes assert() statements that fail at runtime if assertion evaluates to false. We can use static analysis to prove that an assertion can never fail Given a specification for an algorithm and a formal semantics for the language the program is written in, can prove that the implementation (not just the algorithm!) is correct. Note: giving specification is sometimes harder than checking it! Example: Specification for sorting. How would you define? Takes input ℓ , 0-indexed array of integers, returns ℓ ′ , 0-indexed array of integers, where: (1) for i in [0, length( ℓ ′ ) - 1) , ℓ ′ [ i ] ≤ ℓ ′ [ i + 1] (obvious) (2) ℓ ′ is a permutation of ℓ (subtle!) 17

  20. Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should use Current research in static analysis 18

  21. Commercial Successes Astree Coverity Microsoft Static Driver Verifier Java Pathfinder Microsoft Visual C/C++ Static Analyzer 19

  22. Astr´ ee Goal: Prove absence of undefined behavior and runtime errors in C (null pointer dereference, integer, overflow, divide by zero, buffer overflow, . . . ) Developed by INRIA (France), commercial sponsorship by Airbus (aircraft manufacturer) Astr´ ee proved absence of errors for 132,000 lines of flight control software in only 50 minutes! Has also been used to verify absence of runtime errors in docking software used for the International Space Station Over 20 publications on techniques developed/used More information at http://www.astree.ens.fr/ , http://www.absint.com/astree/index.htm 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good on paper, and in papers

317 views • 27 slides
CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis #!@? It all looks good on paper, and in

318 views • 28 slides
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

732 views • 34 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
FIN 48 Quantifying the unknowable Serious people shortage hits tax departments Sovereign wealth

FIN 48 Quantifying the unknowable Serious people shortage hits tax departments Sovereign wealth

SPONSORED FEATURES: Switzerland Outsourcing: fools gold? Doing business in Malta A Euromoney publication April 2008 The future for double tax treaties Italy revises thin cap rules China issues raft of new tax rules FIN 48 Quantifying

79 views • 4 slides
Dynamic Spyware Analysis M. Egele 1 &amp; C. Kruegel 1 &amp; E. Kirda 1 &amp; H. Yin 2 , 3 &amp; D.

Dynamic Spyware Analysis M. Egele 1 &amp; C. Kruegel 1 &amp; E. Kirda 1 &amp; H. Yin 2 , 3 &amp; D.

Motivation Our Solution System Design &amp; Implementation Evaluation Dynamic Spyware Analysis M. Egele 1 &amp; C. Kruegel 1 &amp; E. Kirda 1 &amp; H. Yin 2 , 3 &amp; D. Song 2 1 Secure Systems Lab Vienna University of Technology 2 Carnegie

773 views • 74 slides
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones William Enck Peter Gilbert Byung-Gon Chun Landon P. Cox Jaeyeon Jung Patrick McDaniel Anmol N. Sheth Presentation by Krzysztof Pawlowski

447 views • 30 slides
Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and Alessandro Orso College of Computing Georgia Institute of Technology Partially supported by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS

671 views • 40 slides
0-Knowledge Fuzzing Vincenzo Iozzo vincenzo.iozzo@zynamics.com

0-Knowledge Fuzzing Vincenzo Iozzo vincenzo.iozzo@zynamics.com

0-Knowledge Fuzzing Vincenzo Iozzo vincenzo.iozzo@zynamics.com Disclaimer In this talk you wont see all those formulas, formal definiEon, code snippets and

1.05k views • 71 slides
PROCESSED FOOD WHAT WE DO Processing laboratory for cereals (TROYES-FR) Malt and Beer;

PROCESSED FOOD WHAT WE DO Processing laboratory for cereals (TROYES-FR) Malt and Beer;

IMPACT OF PESTICIDES ON THE QUALITY OF PROCESSED FOOD WHAT WE DO Processing laboratory for cereals (TROYES-FR) Malt and Beer; Bread and analyses on flour according to the French processsing CEB 218 guideline. Processing

346 views • 13 slides
Oy Raita International Ltd Kangaskatu 1:2 53100 Lappeenranta, Finland Tel. +358 40 518 1340

Oy Raita International Ltd Kangaskatu 1:2 53100 Lappeenranta, Finland Tel. +358 40 518 1340

Oy Raita International Ltd Kangaskatu 1:2 53100 Lappeenranta, Finland Tel. +358 40 518 1340 Fax. +358 42 518 1340 History and Mission Environmental business since 1970s International business since 1980s Export/Import business

203 views • 4 slides
Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS,

Experiences with the Carnegie Mellon Binary Analysis Platform (CMU BAP) Sam L. Thomas, CNRS, IRISA sam.thomas@irisa.fr Introduction - what is BAP? Binary analysis framework: For program analysis For (aiding) reverse engineering (plugin

667 views • 29 slides

More recommend