field sensitive unreachability and non cyclicity analysis
play

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico - PowerPoint PPT Presentation

Jan 18, 2023 •499 likes •776 views

Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto Dipartimento di Informatica - University of Verona (Italy) BYTECODE/ETAPS 2013 Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis

  1. Field-Sensitive Unreachability and Non-Cyclicity Analysis Enrico Scapin and Fausto Spoto Dipartimento di Informatica - University of Verona (Italy) BYTECODE/ETAPS 2013 Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 1 / 15

  2. Static Analysis Static Analysis Definition Static analysis consists in building compile-time techniques in order to prove properties of programs before actually running them. Shape Analyses try to understand how the program execution manipulates the heap. e.g., sharing analysis determines if two variables might be bound to overlapping data structures. reachability analysis determines if exists a path in memory that links two variables. cyclicity analysis determines if a variable is bound to a cyclical data structure. Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 2 / 15

  3. State of the Art State of the Art Reachability and Cyclicity, state of the art: Stefano Rossignoli and Fausto Spoto, "Detecting non-cyclicity by abstract compilation into boolean functions". In: VMCAI’06 Samir Genaim and Damiano Zanardini, "Reachability-based Acyclicity Analysis by Abstract Interpretation". In: CoRR’12 Ðurica Nikolić and Fausto Spoto, "Reachability Analysis of Program Varibles". In: IJCAR’12 x.next=y; This assignment makes x cyclical if and only if y reaches x. Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 3 / 15

  4. State of the Art State of the Art Reachability and Cyclicity, state of the art: Stefano Rossignoli and Fausto Spoto, "Detecting non-cyclicity by abstract compilation into boolean functions". In: VMCAI’06 Samir Genaim and Damiano Zanardini, "Reachability-based Acyclicity Analysis by Abstract Interpretation". In: CoRR’12 Ðurica Nikolić and Fausto Spoto, "Reachability Analysis of Program Varibles". In: IJCAR’12 x.next=y; This assignment makes x cyclical if and only if y reaches x. We defined a state as σ = � ρ, µ � , where: Heap Environment l1 l2 ... ρ maps variables x y to locations; µ ρ l1 l2 Element Element ... µ binds locations value next value next to objects. tikzpicture tikzpicture ... Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 3 / 15

  5. State of the Art State of the Art Reachability and Cyclicity, state of the art: Stefano Rossignoli and Fausto Spoto, "Detecting non-cyclicity by abstract compilation into boolean functions". In: VMCAI’06 Samir Genaim and Damiano Zanardini, "Reachability-based Acyclicity Analysis by Abstract Interpretation". In: CoRR’12 Ðurica Nikolić and Fausto Spoto, "Reachability Analysis of Program Varibles". In: IJCAR’12 x.next=y; This assignment makes x cyclical if and only if y reaches x. We defined a state as σ = � ρ, µ � , where: Heap Environment l1 l2 ... ρ maps variables x y to locations; µ ρ l1 l2 Element Element ... µ binds locations value next value next to objects. tikzpicture tikzpicture ... Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 3 / 15

  6. Scenario Scenario Given the following Java instructions, while(x!= null) x=x.next; Does the loop halt? Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 4 / 15

  7. Scenario Scenario Given the following Java instructions, while(x!= null) x=x.next; Does the loop halt? Assuming ρ ( x ) = l 1 before starting the loop. Heap l1 l2 l3 l4 The loop o1 o2 o3 tikzpicture o4 terminates in 3 Element Element Element Element iterations! value next value next value next value next tikzpicture tikzpicture tikzpicture tikzpicture Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 4 / 15

  8. Scenario Scenario Given the following Java instructions, while(x!= null) x=x.next; Does the loop halt? Assuming ρ ( x ) = l 1 before starting the loop. Heap l1 l2 l3 l4 o1 o2 o3 tikzpicture o4 The loop does Element Element Element Element not terminate! value next value next value next value next tikzpicture tikzpicture tikzpicture tikzpicture It depends on the cyclicity of variable x. Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 4 / 15

  9. Properties Can we refine them? Yes, by developing a field-sensitive analysis! while(x!= null) x.next=y; x=x.next; Goal For each program point, maintain a set of static fields F such that a program property holds. Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 5 / 15

  10. Properties Can we refine them? Yes, by developing a field-sensitive analysis! while(x!= null) x.next=y; x=x.next; Goal For each program point, maintain a set of static fields F such that a program property holds. We introduce the concept of path P as a tuple of fields linking two locations inside the heap µ . Heap l1 l2 l3 l4 e.g., ℓ 1 � P µ ℓ 4 o1 o2 o3 tikzpicture o4 Element Element Element Element with P = value next value next value next value next � El . next , El . next , El . next � tikzpicture tikzpicture tikzpicture tikzpicture Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 5 / 15

  11. Properties Field-sensitive properties Let F : set of all fields; L σ ( x ) : set of all locations reachable from x . Unreachability for each path from x to y in state σ , the fields in F are not part of that path. � x � P � ≡ x � � F ∀P ⊆ F σ y = ⇒ P ∩ F = ∅ σ y Non-cyclicity for each cycle reachable from x in state σ , the fields in F are not part of the cycle. � � F � ℓ � P � ∀ ℓ ∈ L σ ( x ) , ∀P ⊆ F µ ℓ ⇒ P ∩ F = ∅ ≡ x � σ Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 6 / 15

  12. Abstract Interpretation Abstract Interpretation In order to make our analysis computable, we use the general framework of Abstract Interpretation. Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 7 / 15

  13. Abstract Interpretation Concrete and Abstract Domains Σ - set of all states V - set of all variables F - set of all program fields Concrete domain: C = ℘ (Σ) Abstract domain: A = ℘ ( V × V × ℘ ( F )) ∪ ℘ ( V × ℘ ( F )) Concretization map γ : A → C  �  � ∀ a � � F b ∈ I , ∃ F ′ ⊆ F . a � � F ′ σ b ∧ F ⊆ F ′ � � ∧    �  γ ( I ∈ A ) = σ ∈ Σ � � F ∈ I , ∃ F ′ ⊆ F . c � ∧ F ⊆ F ′ � � � � � � F ′ ∀ c �  �    σ � Our properties are under-approximated by the information in I . Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 8 / 15

  14. Methodology Methodology 1 Program Under Analysis class Element{ private Object value; private Element prec , next; public Element(Object value ){ this.value=value; } public Element(Object value , Element prec ){ this.value=value; this.prec=prec; prec.next=this; } } public class MWexample{ public static void main(String [] args ){ Element top = new Element(new Integer (0)); for(int i=1;i <=3;i++) top = new Element(new Integer(i),top); } } Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 9 / 15

  15. Methodology Methodology 2 Java Bytecode invokespecial #1 <Object/<init >()V> 1 Program Under Analysis aload_0 aload_1 putfield #2 Element.value: Object aload_0 class Element{ aload_2 private Object value; putfield #3 Element.prec: Element private Element prec , next; aload_2 aload_0 public Element(Object value ){ putfield #4 Element.next: Element this.value=value; return } public Element(Object value, Element prec) { this.value=value; this.prec=prec; prec.next=this; } } public class MWexample{ public static void main(String [] args ){ Element top = new Element(new Integer (0)); for(int i=1;i <=3;i++) top = new Element(new Integer(i),top); } } Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 9 / 15

  16. Methodology Methodology 2 Java Bytecode invokespecial #1 <Object/<init >()V> 1 Program Under Analysis aload_0 aload_1 putfield #2 Element.value: Object aload_0 class Element{ aload_2 private Object value; putfield #3 Element.prec: Element private Element prec , next; aload_2 aload_0 public Element(Object value ){ putfield #4 Element.next: Element this.value=value; return } public Element(Object value, Element prec) { this.value=value; 3 Control Flow Graph this.prec=prec; prec.next=this; call java . lang . Object . � init � () : void } } public class MWexample{ load 0 Element load 1 Object public static void main(String [] args ){ putfield Element . value : Object catch Element top = new Element(new Integer (0)); throw java . lang . Throwable for(int i=1;i <=3;i++) load 0 Element top = new Element(new Integer(i),top); load 2 Element putfield Element . prec : Element } } load 2 Element load 0 Element putfield Element . next : Element return void Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 9 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira

From Object Fields to Local Variables: a Practical Approach to Field-Sensitive Analysis Elvira Albert (1) , Puri Arenas (1) , Samir Genaim (1) , an Puebla (2) and Diana Ram rez (2) Germ (1) Complutense University of Madrid (2) Technical

1.27k views • 77 slides
Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive

Context-sensitive Analysis Attribute Grammar And Type Checking cs5363 1 Context-Sensitive Analysis To understand the input computation, a compiler/interpreter need to discover The types of values stored in each variable The types

576 views • 39 slides
Improving Acute Compartment Syndrome diagnostic technology with an Ion-Sensitive Field Effect

Improving Acute Compartment Syndrome diagnostic technology with an Ion-Sensitive Field Effect

Improving Acute Compartment Syndrome diagnostic technology with an Ion-Sensitive Field Effect Transistor Will Bacon, Mark Austin, Kelsey Murphy, &amp; Alex Goodman Client: Dr. Christopher Doro Advisor: Professor Jeremy Rogers 2 Acute

151 views • 14 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Some Cyclicity and Opacity Effects in the Prosody of Two Different Clitic Classes in New-

Some Cyclicity and Opacity Effects in the Prosody of Two Different Clitic Classes in New-

Some Cyclicity and Opacity Effects in the Prosody of Two Different Clitic Classes in New- tokavian Variants Malgorzata E. Cavar and Damir Cavar EMU and ILIT 1 Sunday, November 13, 11 Agenda Prepositions and their complements

487 views • 30 slides
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu

CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may point to. Significant amount of

339 views • 21 slides
On the quasi-cyclicity and linearity of the Gray image of a code over a Galois ring H.

On the quasi-cyclicity and linearity of the Gray image of a code over a Galois ring H.

On the quasi-cyclicity and linearity of the Gray image of a code over a Galois ring H. Tapia-Recillas (*)/ C.A. L opez-Andrade U.A.Metropolitana-I / U.A. Puebla MEXICO (htr@xanum.uam.mx / calopez@cs.buap.mx) oquio Latino-Americano de

789 views • 55 slides
Estrous Cyclicity of Mic ice During Sim imulated Weightlessness Eric Moyer, Yuli Talyansky,

Estrous Cyclicity of Mic ice During Sim imulated Weightlessness Eric Moyer, Yuli Talyansky,

https://ntrs.nasa.gov/search.jsp?R=20170011558 2018-07-15T07:05:11+00:00Z Estrous Cyclicity of Mic ice During Sim imulated Weightlessness Eric Moyer, Yuli Talyansky, Ryan Scott, Joseph Tash, Lane Christenson, Joshua Alwood, April Ronca

324 views • 10 slides
Cyclicity of Nilpotent Centers Douglas S. Shafer April 21, 2015 Collaborator and Computer

Cyclicity of Nilpotent Centers Douglas S. Shafer April 21, 2015 Collaborator and Computer

Cyclicity of Nilpotent Centers Douglas S. Shafer April 21, 2015 Collaborator and Computer Algebra Tools This research was done in collaboration with Isaac A. Garc a Lleida, Spain Focus quantities computed using: M ATHEMATICA 8.0A

868 views • 45 slides
From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware T aint Analysis for Android Apps From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried

620 views • 45 slides
Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan

Parallel Flow-Sensitive Pointer Analysis by Graph-Rewriting Vaivaswatha Nagaraj R. Govindarajan Indian Institute of Science, Bangalore PACT 2013 PACT'13 2 Outline Introduction Background Flow-sensitive graph-rewriting formulation

1.06k views • 74 slides
Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO

Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO

Dipartim. Mat. &amp; Fis. Universit` a Roma Tre Introduction to Galois Representations Applications Plan for today Serres Cyclicity NATO ASI, Ohrid 2014 Conjecture Lang Trotter Conjecture Arithmetic of Hyperelliptic Curves for trace of

726 views • 31 slides
E E S S P P . Escola Polit` ecnica Superior . Universitat de Lleida The center cyclicity

E E S S P P . Escola Polit` ecnica Superior . Universitat de Lleida The center cyclicity

. . E E S S P P . Escola Polit` ecnica Superior . Universitat de Lleida The center cyclicity of the Lorenz, Chen and L u systems Isaac A. Garc a AQTDE2019 (Castro Urdiales, June 17-21, 2019) Isaac A. Garc a The center

663 views • 27 slides
Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li

Making k- Object-Sensitive Pointer Analysis More Precise with Still k -Limiting Tian Tan , Yue Li and Jingling Xue SAS 2016 September, 2016 1 A New Pointer Analysis for Object-Oriented Programs 2 Pointer Analysis Determine which

965 views • 70 slides
Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By

Cache, Trigger, Impersonate: Enabling Context-Sensitive Honeyclient Analysis On-the- Wire By Teryl Taylor , Kevin Z. Snow, Nathan Otterness and Fabian Monrose University of North Carolina at Chapel Hill Motivation PU Internet Get

686 views • 34 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02

Sampling from Databases CompSci 590.02 Instructor: AshwinMachanavajjhala Lecture 2 : 590.02 Spring 13 1 Recap Given a set of elements, random sampling when number of elements N is known is easy if you have random access to any arbitrary

1.03k views • 34 slides
Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes

Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes

Mat 2170 Week 14 ArrayList Class Week14 Mat 2170 Lab 14 Week 14 ArrayList Class Generic Types Wrapper ArrayList Class Classes Search Spring 2014 Student Responsibilities Mat 2170 Week 14 ArrayList Class Week14 EXAM Thursday,

325 views • 21 slides
CS 225 Data Structures Oc October 28 28 Ha Hashing Analysis G G Carl Evans Running g

CS 225 Data Structures Oc October 28 28 Ha Hashing Analysis G G Carl Evans Running g

CS 225 Data Structures Oc October 28 28 Ha Hashing Analysis G G Carl Evans Running g Times The expected number of probes for find(key) under SUHA Linear Probing: Successful: (1 + 1/(1-)) Unsuccessful: (1 + 1/(1-)) 2

611 views • 22 slides
Elements of Floating-point Arithmetic Sanzheng Qiao Department of Computing and Software

Elements of Floating-point Arithmetic Sanzheng Qiao Department of Computing and Software

Floating-point Numbers Sources of Errors Stability of an Algorithm Sensitiviy of a Problem Fallacies Summary Elements of Floating-point Arithmetic Sanzheng Qiao Department of Computing and Software McMaster University September, 2011

1.62k views • 140 slides
CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville

CPSC 121: Models of Computation Unit 12 Sets and Functions Based on slides by Patrice Belleville and Steve Wolfman PART 1 SETS Unit 12: Sets and Functions 2 What is a Set? A set is an unordered collection of objects. The objects in a set

797 views • 32 slides
LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo

Romain Thomas - rthomas@quarkslab.com LIEF: Library to Instrument Executable Formats Table of Contents Introduction Architecture Demo Conclusion About Romain Thomas - Security engineer at Quarkslab Working on obfuscation and software

614 views • 27 slides
Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3

Approximate Query Service on Autonomous IoT Cameras Mengwei Xu 1 , Xiwen Zhang 2 , Yunxin Liu 3 Gang Huang 1 , Xuanzhe Liu 1 , Felix Xiaozhu Lin 2 1 Peking University, 2 Purdue University, 3 Microsoft Research, 1 Video Analytics is a Killer App

984 views • 39 slides
The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk

The elf in ELF use 0-day to cheat all disassemblers david942j @ CyberSEC 2019 1 . 1 This talk Tricks to cheat disassemblers objdump, readelf, IDA Pro, etc. 2 . 1 IDA Pro The best tool for reverse-engineering Take it as examples in this

1.16k views • 60 slides

More recommend