On the Concept of Variable Roles and its Use in Software Analysis, Florian Zuleger, TU Vienna, FMCAD

SLIDE 1

On the Concept of Variable Roles and its Use in Software Analysis

Florian Zuleger, TU Vienna
FMCAD, Portland, 23.10.2013
Joint work with Yulia Demyanova, Helmut Veith, TU Vienna

SLIDE 2

Variable Roles

Intuitively, variable roles are patterns of how variables are used by programmers

  • Ex. 1

    int i = 0; while (i < n) { a[i] = 0; i++; }

    i is a loop iterator
    i is an array index

  • Ex. 2

    int x = 2 * y;

    x, y are linear variables

  • Ex. 3

    int x = y << 1;

    x, y are bitvectors

  • Ex. 4

    int i = getchar();

    i is a character

  • Ex. 5

    int i = open(path, flags);

    i is a file descriptor

SLIDE 3

Outline

  • 1. Choice and Formalisation
  • 2. Experimental Validation
  • 3. Discussion: Uses of Variable Roles

SLIDE 4

Variable Role    Informal Definition

SYNT CONST       not assigned any value in the program
CONST ASSIGN     assigned only numeric literals or CONST ASSIGN variables
COUNTER          only incremented/decremented or assigned zero
LINEAR           assigned only linear combinations of LINEAR variables
BOOL             assigned only zero, one, BOOL variables or boolean expressions
INPUT            variable is passed to a function by reference at least once
BRANCH COND      occurs in the condition of if statement at least once
BITVECTOR        occurs in a bitwise operation or assigned the result of a bitwise operation at least once
UNRESOLVED       assigned the value of a pointer dereference
CHAR             assigned only character literals, CHAR variables or initialised in a specific library function (e.g. getchar)
LOOP ITERATOR    occurs in the condition of the loop iterator and must be assigned in the loop body

SLIDE 5

Choice and Formalisation

  • Roles were chosen studying 5.2 KLOC code from Cbench benchmark (standard C programs):
    – Goal: find the smallest set of roles to classify every occurring variable
    – Restriction to the types int, float, and char
  • Standard dataflow analysis serves as 1) definition and 2) algorithm to compute variable roles.

SLIDE 6

Role Definition: Example

    int n=0; int y=x; while(x){ n=n+1; x=x&(x-1); }

LINEAR: greatest fixed point
Iterations: 0:{x,y,n} 1:{y,n} 2:{n}

BITVECTOR: one pass "all variables in bitvector operations": {x}
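The fixed-point computation on this slide, worked through in Python as an added example (not the authors' clang prototype). The tuple encoding of the program's assignments and the function names linear_role and bitvector_role are assumptions made for illustration.

```python
# Added illustration: the LINEAR and BITVECTOR roles on the slide's program
#   int n=0; int y=x; while(x){ n=n+1; x=x&(x-1); }
# Hand-encoded (constructed) flow-insensitive view: one tuple per assignment,
# (target, class of the right-hand side, variables read on the right-hand side).
ASSIGNMENTS = [
    ("n", "linear", []),        # n = 0
    ("y", "linear", ["x"]),     # y = x
    ("n", "linear", ["n"]),     # n = n + 1
    ("x", "bitwise", ["x"]),    # x = x & (x - 1)
]
VARIABLES = {"x", "y", "n"}


def linear_role(assignments, variables):
    """Greatest fixed point: start from all variables and shrink.

    A variable stays only if every assignment to it is a linear combination
    of variables that were still in the set after the previous iteration.
    Returns (fixed point, list of the sets after each iteration).
    """
    current = set(variables)
    history = [set(current)]
    while True:
        kept = {
            v for v in current
            if all(kind == "linear" and set(reads) <= current
                   for target, kind, reads in assignments if target == v)
        }
        if kept == current:
            return current, history
        current = kept
        history.append(set(current))


def bitvector_role(assignments):
    """One pass: every variable read or written by a bitwise operation."""
    role = set()
    for target, kind, reads in assignments:
        if kind == "bitwise":
            role.add(target)
            role.update(reads)
    return role


if __name__ == "__main__":
    fixed_point, history = linear_role(ASSIGNMENTS, VARIABLES)
    for i, s in enumerate(history):
        print(f"{i}: {sorted(s)}")
    print("LINEAR =", sorted(fixed_point), "BITVECTOR =", sorted(bitvector_role(ASSIGNMENTS)))
```

Computing each iteration from the previous set, rather than updating in place, is what reproduces the slide's three steps: x is dropped first, and y only follows once x is gone.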

SLIDE 7

Implementation

  • Prototype built on top of clang
  • Flow-insensitive analysis (analysis requires only the AST)
  • Trade-off between cost and precision:
    – Interprocedural analysis
    – No pointer analysis implemented
  • Systematic study of (syntactic) usage patterns of variables

SLIDE 8

Outline

  • 1. Choice and Formalisation
  • 2. Experimental Validation
  • 3. Discussion: Uses of Variable Roles

SLIDE 9

Experiment

How to validate that our definition of variable roles is useful?

Opportunity:

  • SVCOMP (Competition on Software Verification) contains files in different categories
  • Files classified by human expert

Experiment: Can the relative frequencies of the variable roles replace the human expert in the classification of the files into competition categories?

SLIDE 10

[Figure: SVCOMP'13 benchmark. Roles shown: loop iterator, array index, unresolved assignment, bitvector, input, counter, branch condition, boolean flag. Axis ticks: 10 to 90.]

SLIDE 11

Experiment: Results

  • Multiclass support vector machine
  • Output: probability of membership in category
  • Random selection of training set

Training set (% of all files)   Correct classification (in %)
                                1. probability   1.+2. probability
90                              84.06            97.10
80                              85.19            94.07
70                              83.80            92.02
60                              80.23            92.02
50                              81.40            91.46

SLIDE 12

Outline

  • 1. Choice and Formalisation
  • 2. Experimental Validation
  • 3. Discussion: Uses of Variable Roles

SLIDE 13

Variable Roles in Program Analysis

Reviewer: "How can variable roles help to avoid plane crashes?"

Many program analysis tools treat a program as a formula and program analysis as constraint solving → tools work the same for obfuscated code??

Our vision: variable roles enable a systematic study of heuristics in program analysis and help to understand the strength of program analysis tools

SLIDE 14

Envisioned Uses of Variable Roles

  • Program analysis tools: selection of predicates or abstract domains guided by variable roles (e.g. in ASTRÉE)
  • Quantitative characteristics on software verification benchmarks → Explaining the results

  • Building a portfolio-solver

SLIDE 15

Conclusion

Variable Roles have predictive power.

Work in progress, your feedback is very welcome!

Future Work:

  • Extract roles from variable names / comments
  • Explore connection to types
