introduction to static analysis for assurance
play

Introduction to Static Analysis for Assurance John Rushby Computer - PowerPoint PPT Presentation

Jan 09, 2024 •387 likes •732 views

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

  1. Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1

  2. Overview • What is static analysis? • Examples of some techniques • Tradeoffs • Commercial static analyzers • Use in Assurance John Rushby Static Analysis for Assurance: 2

  3. What Does This Program Do? • Context: we have developed a program and want some evidence about what it does and doesn’t do • I’ll call it a program, even though it’s probably an embedded system with multiple software components ◦ That makes use of systems software and libraries ◦ And interacts with hardware We’ll come to these complexities later • Evidence is a pretty strong notion: intended for assurance ◦ Never does certain things ⋆ e.g., a runtime exception ◦ Always does a certain thing ⋆ e.g., delivers a good value to the actuator Weaker notions can be useful for bug finding John Rushby Static Analysis for Assurance: 3

  4. Evidence About Program Behavior • One approach is testing • We generate many tests and observe the program in execution ◦ We are looking at the real thing—that’s good ◦ But how can we get evidence for always and never? ◦ Usually some notion of coverage, but it falls short of evidence • Let’s look at an example John Rushby Static Analysis for Assurance: 4

  5. The Bug That Stopped The Zunes Real time clock sets days to number of days since 1 Jan 1980 year = ORIGINYEAR; /* = 1980 */ while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else... loops forever on last day of a leap year } else { days -= 365; year += 1; } } Coverage-based testing will find this John Rushby Static Analysis for Assurance: 5

  6. A Hasty Fix while (days > 365) { if (IsLeapYear(year)) { if (days > 365) { days -= 366; year += 1; } } else { days -= 365; year += 1; } } • Fixes the loop but now days can end up as zero • Coverage-based testing might not find this • Boundary condition testing would • But I think the point is clear. . . John Rushby Static Analysis for Assurance: 6

  7. The Problem With Testing • Is that it only samples the set of possible behaviors • And unlike physical systems (where many engineers gained their experience), software systems are discontinuous • There is no sound basis for extrapolating from tested to untested cases • So we need to consider all possible cases. . . how is this possible? • It’s possible with symbolic methods • Cf. x 2 − y 2 = ( x − y )( x + y ) vs. 5*5-3*3 = (5-3)*(5+3) • Static Analysis is about totally automated ways to do this John Rushby Static Analysis for Assurance: 7

  8. The Zune Example Again [days > 0] while (days > 365) { [days > 365] if (*)) { if (days > 365) { [days > 365] days -= 366; [days >= 0] year += 1; } } else { [days > 365] days -= 365; [days > 0] year += 1; } } [days >= 0 and days <= 365] John Rushby Static Analysis for Assurance: 8

  9. Approximations • We were lucky that we could do the previous example with full symbolic arithmetic • Usually, the formulas get bigger and bigger as we accumulate information from loop iterations (we’ll see an example later) • So it’s common to approximate or abstract information to try and keep the formulas manageable • Here, instead of the natural numbers 0, 1, 2, . . . , we could use ◦ zero, small, big ◦ Where big abstracts everything bigger than 365, small is everything from 1 to 365, and zero is 0 ◦ Arithmetic becomes nondeterministic ⋆ e.g., small+small = small | big John Rushby Static Analysis for Assurance: 9

  10. The Zune Example Abstracted [days = small | big] while (days = big) { [days = big] if (*)) { if (days = big ) { [days = big ] days -= big; [days = big | small | zero] year += 1; } } else { [days = big] days -= small; [days = big | small] year += 1; } } [days = small | zero] John Rushby Static Analysis for Assurance: 10

  11. The Zune Example Abstracted Again Suppose we abstracted to { negative, zero, positive } [days = positive] while (days = positive) { [days = positive] if (*)) { if (days = positive ) { [days = positive ] days -= positive; [days = negative | zero | positive] year += 1; } } else { [days = positive] days -= positive; [days = negative | zero | positive] year += 1; } } [days = negative | zero] We’ve lost too much information: have a false alarm that days can go negative (pointer analysis is sometimes this crude) John Rushby Static Analysis for Assurance: 11

  12. We Have To Approximate, But There’s A Price • It’s no accident that we sometimes lose precision • Rice’s Theorem says there are inherent limits on what can be accomplished by automated analysis of programs ◦ Sound (miss no errors) ◦ Complete (no false alarms) ◦ Automatic ◦ Allow arbitrary (unbounded) memory structures ◦ Final results Choose at most 4 of the 5 John Rushby Static Analysis for Assurance: 12

  13. Approximations approximation reachable states Sound approximations include all the behaviors and reachable states of the real system, but are easier to compute John Rushby Static Analysis for Assurance: 13

  14. But Sound Approximations Come with a Price approximation false alarm reachable states May flag an error that is unreachable in the real system: a false positive, or false alarm John Rushby Static Analysis for Assurance: 14

  15. Unsound Approximations Come with a Price, Too underapproximation false reachable states negative Can miss real errors: a false negative John Rushby Static Analysis for Assurance: 15

  16. Predicate Abstraction • The Zune example used data abstraction ◦ A kind of abstract interpretation • Replaces variables of complex data types by simpler (often finite) ones ◦ e.g., integers replaced by { negative, zero, positive } • But sometimes this doesn’t work ◦ Just replaces individual variables ◦ Often its the relationship between variables that matters • Predicate abstraction replaces some relationships (predicates) by Boolean variables John Rushby Static Analysis for Assurance: 16

  17. Another Example start with r unlocked do { lock(r) old = new if (*) { unlock(r) new++ } } while old != new want r to be locked at this point unlock(r) John Rushby Static Analysis for Assurance: 17

  18. Abstracted Example The significant relationship seems to be old == new Replace this by eq , throw away old and new [!locked] do { lock(r) [locked] eq = true [locked, eq] if (*) { unlock(r) [!locked, eq] eq = false [!locked, !eq] } } [locked, eq] or [!locked, !eq] while not eq [locked, eq] unlock(r) John Rushby Static Analysis for Assurance: 18

  19. Yet Another Example z := n; x := 0; y := 0; while (z > 0) { if (*) { x := x+1; z := z-1; } else { y := y+1; z := z-1; } } want y!= 0, given x != z, n > 0 • The invariant needed is x + y + z = n • But neither this nor its fragments appear in the program or the desired property John Rushby Static Analysis for Assurance: 19

  20. Let’s Just Go Ahead First time into the loop [n > 0] z := n; x := 0; y := 0; while (z > 0) { [x = 0, y = 0, z = n] if (*) { x := x+1; z := z-1; [x = 1, y = 0, z = n-1] } else { y := y+1; z := z-1; [x = 0, y = 1, z = n-1] } [x = 1, y = 0, z = n-1] or [x = 0, y = 1, z = n-1] } Next time around the loop we’ll have 4 disjuncts, then 8, then 16, and so on This won’t get us anywhere useful John Rushby Static Analysis for Assurance: 20

  21. Widening the Abstraction • We could try eliminate disjuncts • Look for a conjunction that is implied by each of the disjuncts • One such is [x+y = 1, z = n-1] • Then we’d need to do the same thing with [x+y = 1, z = n-1] or [x = 0, y = 0, z = n] • That gives [x + y + z = n] • There are techniques that can do this automatically • This is where a lot of the research action is John Rushby Static Analysis for Assurance: 21

  22. Tradeoffs • We’re trying to guarantee absence of errors in a certain class • Equivalently, trying to verify properties of a certain class • Terminology is in terms of finding errors TP True Positive: found a real error FP False Positive: false alarm TN True Negative: no error, no alarm—OK FN False Negative: missed error • Then we have Sound: no false negatives Recall: TP/(TP+FN) measures how (un)sound TP+FN is number of real errors Complete: no false alarms Precision: TP/(TP+FP) measures how (in)complete TP+FP is number of alarms John Rushby Static Analysis for Assurance: 22

  23. Tradeoff Space • Basic tradeoff is between soundness and completeness • For assurance, we need soundness ◦ When told there are no errors, there must be none So have to accept false alarms • But the main market for static analysis is bug finding in general-purpose software, where they aim merely to reduce the number of bugs, not to eliminate them • Their general customers will not tolerate many false alarms, so tool vendors give up soundness • Will consider the implications later • Other tradeoffs are possible ◦ Give up full automation: e.g., require user annotation John Rushby Static Analysis for Assurance: 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020

Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020

Static Assurance Phantom Types GADTs Type Families Software System Design and Implementation Static Assurance with Types Liam OConnor University of Edinburgh LFCS (and UNSW) Term 2 2020 1 Static Assurance Phantom Types GADTs Type

1.09k views • 81 slides
CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Fall 2018 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good on paper, and in papers

317 views • 27 slides
CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static

CMSC 430 Introduction to Compilers Spring 2016 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis #!@? It all looks good on paper, and in

318 views • 28 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
CSE543 - Computer and Network Security Module: Intrusion Detection Professor Trent Jaeger

CSE543 - Computer and Network Security Module: Intrusion Detection Professor Trent Jaeger

382 views • 20 slides
Week 2 Video 3 Diagnostic Metrics Different Methods, Different Measures Today well continue

Week 2 Video 3 Diagnostic Metrics Different Methods, Different Measures Today well continue

Week 2 Video 3 Diagnostic Metrics Different Methods, Different Measures Today well continue our focus on classifiers Later this week well discuss regressors And other methods will get worked in later in the course Last class We

824 views • 38 slides
ECON 950 Winter 2020 Prof. James MacKinnon 10. Performance of Classification Methods For

ECON 950 Winter 2020 Prof. James MacKinnon 10. Performance of Classification Methods For

ECON 950 Winter 2020 Prof. James MacKinnon 10. Performance of Classification Methods For regression methods, it is easy to evaluate performance based on average squared error or average absolute error for the test data. Of course, this only

382 views • 11 slides
Learning Methods: Part 2 CS 760@UW-Madison Goals for the last lecture you should understand the

Learning Methods: Part 2 CS 760@UW-Madison Goals for the last lecture you should understand the

Evaluating Machine Learning Methods: Part 2 CS 760@UW-Madison Goals for the last lecture you should understand the following concepts bias of an estimator learning curves stratified sampling cross validation

542 views • 27 slides
Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A.

2/16/2017 Bloom Filters References A. Broder and M. Mitzenmacher, Network applications of Bloom A. Broder and M. Mitzenmacher, Network applications of Bloom filters: A survey, Internet Mathematics , vol. 1 no. 4, pp. 485-509, 2004. Li

532 views • 22 slides
The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London

The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London

The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London Region April 24, 2020 Welcome Presenter: Dr. Alex Summers Associate Medical Officer of Health Middlesex-London Health Unit Surveillance Report

541 views • 18 slides
Money that is paid in order to free someone who has been captured or kidnapped. -Merriam-Webster

Money that is paid in order to free someone who has been captured or kidnapped. -Merriam-Webster

Ransom : Money that is paid in order to free someone who has been captured or kidnapped. -Merriam-Webster Ransomware : A malware designed to block access to a computer system, files, screen, disk or etc. until the requested amount of money is

338 views • 17 slides
A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem

A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem

A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem Pelenitsyn For CS 7580 (instructor: Jan Vitek), 10/30/2019 A subset of slides is taken from Ilya Sergeys web page Static Analyses for Program

1.11k views • 75 slides

More recommend