finding software bugs using active automata learning
play

Finding Software Bugs Using Active Automata Learning Frits - PowerPoint PPT Presentation

Oct 19, 2023 •365 likes •1.15k views

Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University Nijmegen RV 2018, Limassol, November 2018

  1. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Finding Software Bugs Using Active Automata Learning Frits Vaandrager Radboud University Nijmegen RV 2018, Limassol, November 2018 Frits Vaandrager Finding Bugs Using Automata Learning

  2. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Outline Introduction to Model Learning 1 Applications 2 Theory & Tools for Model Learning 3 Conclusions and Future Work 4 Frits Vaandrager Finding Bugs Using Automata Learning

  3. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Research Question Frits Vaandrager Finding Bugs Using Automata Learning

  4. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Research Question We assume SUT behaves deterministically and can be reset. Frits Vaandrager Finding Bugs Using Automata Learning

  5. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Machine Learning in General Frits Vaandrager Finding Bugs Using Automata Learning

  6. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Learning Regular Languages Frits Vaandrager Finding Bugs Using Automata Learning

  7. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Regular Languages and Congruences Definition The equivalence relation ∼ L on Σ ∗ induced by a language L ⊆ Σ ∗ : ∀ w ∈ Σ ∗ : u · w ∈ L ⇔ v · w ∈ L u ∼ L v iff This relation is a right-congruence with respect to concatenation: ∀ u , v , w ∈ Σ ∗ : u ∼ L v ⇒ u · w ∼ L v · w Theorem (Myhill-Nerode, 1958) Language L is regular iff ∼ L has finitely equivalence classes. Frits Vaandrager Finding Bugs Using Automata Learning

  8. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Visualisation Consider the regular language a ( a | b ) ∗ b Frits Vaandrager Finding Bugs Using Automata Learning

  9. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Visualisation Consider the regular language a ( a | b ) ∗ b Frits Vaandrager Finding Bugs Using Automata Learning

  10. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  11. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  12. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  13. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  14. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  15. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix Frits Vaandrager Finding Bugs Using Automata Learning

  16. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Frits Vaandrager Finding Bugs Using Automata Learning

  17. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Language L is regular iff its Hankel matrix contains a finite number of distinct rows, i.e., colors Frits Vaandrager Finding Bugs Using Automata Learning

  18. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Hankel Matrix u ∼ L v iff rows of u and v in Hankel matrix for L have the same color Language L is regular iff its Hankel matrix contains a finite number of distinct rows, i.e., colors The number of states in the smallest DFA for L equals the number of colors in the Hankel matrix Frits Vaandrager Finding Bugs Using Automata Learning

  19. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What is the FSM for this Hankel Matrix? Frits Vaandrager Finding Bugs Using Automata Learning

  20. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What is the FSM for this Hankel Matrix? Frits Vaandrager Finding Bugs Using Automata Learning

  21. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Solution Colors of rows in Hankel matrix give us the states. Access strings and one-letter extensions allow us to determine transitions. Column for empty suffix gives us the accepting states. Frits Vaandrager Finding Bugs Using Automata Learning

  22. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work What if Hankel Matrix is Incomplete? Problem to color such a matrix is NP-hard! Frits Vaandrager Finding Bugs Using Automata Learning

  23. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Minimally Adequate Teacher (Angluin) string MQ +/- Learner Teacher hypothesis EQ y/n, counterexample Learner asks membership queries and equivalence queries Frits Vaandrager Finding Bugs Using Automata Learning

  24. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Angluin’s L ∗ Algorithm Frits Vaandrager Finding Bugs Using Automata Learning

  25. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Black Box Checking (Peled, Vardi & Yannakakis) MQ SUL TQs CT EQ Learner Teacher Learner: Formulate hypotheses Conformance Tester (CT): Test correctness hypotheses Frits Vaandrager Finding Bugs Using Automata Learning

  26. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Black Box Checking (Peled, Vardi & Yannakakis) MQ SUL TQs CT EQ Learner Teacher Learner: Formulate hypotheses Conformance Tester (CT): Test correctness hypotheses Model learning and conformance testing two sides of same coin! Frits Vaandrager Finding Bugs Using Automata Learning

  27. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Implements MAT framework for DFAs and Mealy machines Frits Vaandrager Finding Bugs Using Automata Learning

  28. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work A Theory of Mappers (FMSD, 2015) Frits Vaandrager Finding Bugs Using Automata Learning

  29. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work A Theory of Mappers (cnt) Formally, a mapper can be viewed as a transducer (deterministic Mealy machine). A mapper A induces an abstraction operation α A and a concretization operator γ A . Theorem For a mapper A and nondeterministic Mealy machines M and H , α A ( M ) ≤ H iff M ≤ γ A ( H ) . (modulo a minor technical condition) Frits Vaandrager Finding Bugs Using Automata Learning

  30. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Our Research Method Frits Vaandrager Finding Bugs Using Automata Learning

  31. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work EMV Protocol (Aarts et al, 2013) EMV = Europay/Mastercard/Visa Compatibility between smartcards and terminals SEPA requires EMV compliance EMV standard has > 700 pages Learning took at most 1500 membership queries, less than 30 minutes Useful for fingerprinting cards Frits Vaandrager Finding Bugs Using Automata Learning

  32. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work E.dentifier2 (WOOT’14) Frits Vaandrager Finding Bugs Using Automata Learning

  33. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work State Machines for Old and New E.dentifier2 Frits Vaandrager Finding Bugs Using Automata Learning

  34. Introduction to Model Learning Applications Theory & Tools for Model Learning Conclusions and Future Work Bugs in Protocol Implementations Standard violations found in implementations of major protocols: TLS (Usenix Security’15) TCP (CAV’16) SSH (Spin’17) Frits Vaandrager Finding Bugs Using Automata Learning

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van

CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van

CALF: Categorical Automata Learning Framework Matteo Sammartino Alexandra Silva Gerco van Heerdt May 23, 2017 1 / 61 Active automata learning Active automata learning algorithms learn an automaton describing the behaviour of a system by

768 views • 61 slides
Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to

Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to

Active automata learning Based on: Bernhard Steffen, Falk Howar und Maik Merten: Introduction to Active Automata Learning from a Practical Perspective. SFM 2011: 256-296. Motivation We want to apply model-based techniques. But: often

1.85k views • 167 slides
A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU

A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU

A practical introduction to active automata learning Bernhard Steffen, Falk Howar, Maik Merten TU Dortmund SFM2011 Maik Merten, learning technology 1 Overview Motivation Introduction to active automata learning Practical aspects in

1.11k views • 84 slides
Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program

Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program

Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program Executions or (more technically) The Power of Counterexample Analysis Bernhard Steffen, Falk Howar, Malte Isberner TU Dortmund /CMU B. Steffen

962 views • 71 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and

B uchi Automata and their Application to Software Verification Finite Automata Theory and Formal Languages Wolfgang Ahrendt 22nd April 2013 B uchi Automata: TMV027/DIT321 / GU 130423 1 / 25 Motivating Temporal Logic? But How to

832 views • 64 slides
Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active

Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active

Agenda Intro to Active Learning Activity Design Resources for Active Learning Lunch with Active Learning Veterans Wrap Up Introduction to Active Learning What is active learning? Brainstorm your ideas with your group and generate a

855 views • 42 slides
Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning

Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning

Multi-Task Active Learning Yi Zhang Outline Active Learning Multi-Task Active Learning Linguistic Annotations (ACL 08) Image Classification (CVPR 08) Current Work and Discussions Constraint-Driven Active Learning

945 views • 47 slides
Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with

Finding variability bugs in Linux Iago Abal Rivas IT Universitetet i Kbenhavn Joint work with Andrzej Wsowski and Claus Brabrand FOSD Meeting 2014 1 / 28 Agenda 40 variability bugs in Linux: A Qualitative Study (10m) Method Example

540 views • 36 slides
ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1. CONSTRUCTING our TEACHING CHALLENGES in a low tech 1. ORCHESTRATION environment 1. SHOW-AND-TELL Selma Hamdani Psychology / DALC / Neuroscience

836 views • 50 slides
Avoiding Dead States in Query Learning of Regular Tree Languages Frank Drewes work

Avoiding Dead States in Query Learning of Regular Tree Languages Frank Drewes work

Frank Drewes Query Learning of Regular Tree Languages Dresden, 11/10 2005 Avoiding Dead States in Query Learning of Regular Tree Languages Frank Drewes work done in collaboration with Johanna H ogberg 1 Frank Drewes Query

340 views • 19 slides
Some remarks on Bisimulation and Coinduction Davide Sangiorgi University of Bologna Email:

Some remarks on Bisimulation and Coinduction Davide Sangiorgi University of Bologna Email:

Some remarks on Bisimulation and Coinduction Davide Sangiorgi University of Bologna Email: Davide.Sangiorgi@cs.unibo.it http://www.cs.unibo.it/sangio/ Edinburgh, April 2012 The 91 Turing Award to Arthur John Robin Gorell Milner page 1

746 views • 56 slides
A compact proof of decidability for regular expression equivalence ITP 2012 Princeton, USA

A compact proof of decidability for regular expression equivalence ITP 2012 Princeton, USA

A compact proof of decidability for regular expression equivalence A compact proof of decidability for regular expression equivalence ITP 2012 Princeton, USA Andrea Asperti Department of Computer Science University of Bologna 25/08/2011 A

726 views • 33 slides
Stream automata are coalgebras Vincenzo Ciancia Joint work with Yde Venema Institute for Logic,

Stream automata are coalgebras Vincenzo Ciancia Joint work with Yde Venema Institute for Logic,

Stream automata are coalgebras Vincenzo Ciancia Joint work with Yde Venema Institute for Logic, Language and Computation University of Amsterdam Tallin - March 31, 2012 1 Motivation Deterministic finite automata are a prime example of

542 views • 38 slides
Analysis of patterns and minimal embeddings of non-Markovian sequences

Analysis of patterns and minimal embeddings of non-Markovian sequences

Analysis of patterns and minimal embeddings of non-Markovian sequences Manuel.Lladser@Colorado.EDU Department of Applied Mathematics University of Colorado Boulder AofA - April 13 2008 1 NOTATION & TERMINOLOGY. A is a finite alphabet A

456 views • 30 slides
Compiler Construction Lecture 4: Lexical analysis in the real world 2020-01-17 Michael Engel

Compiler Construction Lecture 4: Lexical analysis in the real world 2020-01-17 Michael Engel

Compiler Construction Lecture 4: Lexical analysis in the real world 2020-01-17 Michael Engel Includes material by Jan Christian Meyer Overview NFA to DFA conversion Subset construction algorithm DFA state minimization:

535 views • 40 slides
C4.1 Pumping Lemma Regular NFAs Languages Automata & Regular Formal Languages

C4.1 Pumping Lemma Regular NFAs Languages Automata & Regular Formal Languages

Theory of Computer Science March 30, 2020 C4. Regular Languages: Pumping Lemma, Closure Properties and Decidability Theory of Computer Science C4. Regular Languages: Pumping Lemma, Closure Properties C4.1 Pumping Lemma and Decidability

282 views • 9 slides
Reverse Mathematics and Field Extensions Preliminary Report ois Dorais, Jeff Hirst 1 , Paul

Reverse Mathematics and Field Extensions Preliminary Report ois Dorais, Jeff Hirst 1 , Paul

Reverse Mathematics and Field Extensions Preliminary Report ois Dorais, Jeff Hirst 1 , Paul Shafer Franc Appalachian State University Boone, NC These slides are available at: www.mathsci.appstate.edu/jlh April 1, 2012 ASL 2012 North

146 views • 10 slides

More recommend