machine learning guided selectively unsound static
play

Machine-Learning-Guided SelectivelyUnsoundStaticAnalysis Kihong Heo - PowerPoint PPT Presentation

Aug 16, 2022 •176 likes •421 views

1 Machine-Learning-Guided SelectivelyUnsoundStaticAnalysis Kihong Heo Hakjoo Oh Kwangkeun Yi Seoul National University Korea University Seoul National University 26 May 2017 ICSE'17 @ Buenos Aires 2 Goal False Positive

  1. 1 Machine-Learning-Guided� Selectively�Unsound�Static�Analysis Kihong Heo Hakjoo Oh Kwangkeun Yi Seoul National University Korea University Seoul National University 26 May 2017 ICSE'17 @ Buenos Aires

  2. 2 Goal False Positive Uniformly Sound Uniformly Unsound False Negative

  3. 3 Goal False Positive Uniformly Sound Uniformly Selectively Unsound Unsound False Negative

  4. 4 Selectively Unsound Analysis • Selectively apply unsound strategies • e.g.) unrolling loops, skipping lib calls while(e){ C } if(e){ C } A;lib();B; A;B; program states program states program states false positive false negative error states error states error states Uniformly Sound Selectively Unsound Uniformly Unsound

  5. 5 Example • Sound bu ff er-overrun analyzer with interval domain • soundly analyze all the loops str = "hello world"; for(i=0; !str[i]; i++)// buffer access 1 skip; size = positive_input(); for(i=0; i<size; i++) skip; ... = str[i]; // buffer access 2

  6. str.size: [12, 12] 6 i: [0, +oo] size: [0, +oo] i: [0, +oo] Example • Sound bu ff er-overrun analyzer with interval domain • soundly analyze all the loops str = "hello world"; for(i=0; !str[i]; i++)// buffer access 1 skip; size = positive_input(); for(i=0; i<size; i++) skip; ... = str[i]; // buffer access 2

  7. 7 Example • Uniformly unsound bu ff er-overrun analyzer • unsoundly unroll all the loops str = "hello world"; i = 0; if (!str[i]) // buffer access 1 skip; size = positive_input(); i = 0; if (i < size) skip; ... = str[i]; // buffer access 2

  8. i: [0, 0] 8 i: [0, 0] Example • Uniformly unsound bu ff er-overrun analyzer • unsoundly unroll all the loops str = "hello world"; i = 0; if (!str[i]) // buffer access 1 skip; size = positive_input(); i = 0; if (i < size) skip; ... = str[i]; // buffer access 2

  9. 9 Example • Selectively unsound bu ff er-overrun analyzer • unsoundly unroll only harmless loops str = "hello world"; i = 0; if(!str[i]) // buffer access 1 skip; size = positive_input(); for(i = 0; i < size; i++) skip; ... = str[i]; // buffer access 2

  10. i: [0, 0] 10 i: [0, +oo] Example • Selectively unsound bu ff er-overrun analyzer • unsoundly unroll only harmless loops str = "hello world"; i = 0; if(!str[i]) // buffer access 1 skip; size = positive_input(); for(i = 0; i < size; i++) skip; ... = str[i]; // buffer access 2

  11. 11 0 40 60 80 0 25 50 75 100 25 0 100 75 50 25 0 50 75 100 20 Performance • Experiments with 2 analyzers & open source SW • Taint: 106 format string bugs / 13 programs • Interval: 138 bu ff er overrun bugs / 23 programs Taint Analysis Interval Analysis FPR FNR FPR FNR e e m e e m e e m e e m n v n v n v n v r r r r i i i i i i i i o o o t o t l t l l t l e e e e c c c c f f f f s s e i s s e i e i e i n n n n a a a a l l l l e e e U U e U U B B B B S S S S

  12. 12 Setting F ∈ Pgm × Π → A • Find a set of targets for unsound strategies π ∈ Π • loops to analyze unsoundly ( ) Π = 2 Loop • library calls to analyze unsoundly ( ) Π = 2 Lib • Selectively apply unsound strategies to p ∈ π

  13. 13 Codebase Training Data Generation Machine Learning Training Data Inferring Harmless Unsoundness Training Harmless Unsoundness Test Program Classifier System Overview F π

  14. 14 Training Data Generation • Given a codebase w/ known bugs + a sound static analyzer • Collect precision-decreasing yet harmless pgm components • e.g.) unrolling a loop reduces only FP but retains all TP training pgm loop 1 loop 1 loop 1 loop 1 if 1 if 2 loop 2 loop 2 loop 2 loop 2 loop 3 if 3 … loop 3 loop 3 loop 3 ... ... ... ... ... loop n loop n if n loop n loop n # true alarms 3 4 5 5 5 # false alarms 3 10 5 10 8

  15. 15 Features & Learning • Encode each program component as a feature vector f(x) = <f 1 (x), f 2 (x), …, f n (x)> f(loop 1 ) = <1, 0, …, 1> f(loop 2 ) = <0, 1, …, 1> f(lib 1 ) = <0, 1, …, 0> f(lib 2 ) = <1, 1, …, 1> • Derive a classifier using an o ff -the-shelf algorithm • e.g.) SVM

  16. 16 Features • 22 features for loops Feature Property Type Description Null Syntactic Binary Whether the loop condition contains nulls or not Const Syntactic Binary Whether the loop condition contains constants or not Array Syntactic Binary Whether the loop condition contains array accesses or not Conjunction Syntactic Binary Whether the loop condition contains && or not IdxSingle Syntactic Binary Whether the loop condition contains an index for a single array in the loop IdxMulti Syntactic Binary Whether the loop condition contains an index for multiple arrays in the loop IdxOutside Syntactic Binary Whether the loop condition contains an index for an array outside of the loop InitIdx Syntactic Binary Whether an index is initialized before the loop Exit Syntactic Numeric The (normalized) number of exits in the loop Size Syntactic Numeric The (normalized) size of the loop ArrayAccess Syntactic Numeric The (normalized) number of array accesses in the loop ArithInc Syntactic Numeric The (normalized) number of arithmetic increments in the loop PointerInc Syntactic Numeric The (normalized) number of pointer increments in the loop Prune Semantic Binary Whether the loop condition prunes the abstract state or not Input Semantic Binary Whether the loop condition is determined by external inputs GVar Semantic Binary Whether global variables are accessed in the loop condition FinInterval Semantic Binary Whether a variable has a finite interval value in the loop condition FinArray Semantic Binary Whether a variable has a finite size of array in the loop condition FinString Semantic Binary Whether a variable has a finite string in the loop condition LCSize Semantic Binary Whether a variable has an array of which the size is a left-closed interval LCOffset Semantic Binary Whether a variable has an array of which the offset is a left-closed interval #AbsLoc Semantic Numeric The (normalized) number of abstract locations accessed in the loop Const Syntactic Binary Whether the parameters contain constants or not

  17. 17 Features • 15 features for library calls Feature Property Type Description #AbsLoc Semantic Numeric The (normalized) number of abstract locations accessed in the loop Null Syntactic Binary Whether the loop condition contains nulls or not Const Syntactic Binary Whether the parameters contain constants or not Void Syntactic Binary Whether the return type is void or not Int Syntactic Binary Whether the return type is int or not CString Syntactic Binary Whether the function is declared in string.h or not InsideLoop Syntactic Binary Whether the function is called in a loop or not #Args Syntactic Numeric The (normalized) number of arguments DefParam Semantic Binary Whether a parameter are defined in a loop or not UseRet Semantic Binary Whether the return value is used in a loop or not UptParam Semantic Binary Whether a parameter is update via the library call Escape Semantic Binary Whether the return value escapes the caller GVar Semantic Binary Whether a parameters points to a global variable Input Semantic Binary Whether a parameters are determined by external inputs FinInterval Semantic Binary Whether a parameter have a finite interval value #AbsLoc Semantic Numeric The (normalized) number of abstract locations accessed in the arguments #ArgString Semantic Numeric The (normalized) number of string arguments

  18. 18 Winning Features • Interval analysis • loops iterating on finite strings • library calls that return integers or manipulate strings str = “hello world”; for (p = str; *p; p++) ... int r = lib1(); lib2(str1, str2);

  19. 19 Winning Features • Interval analysis • loops iterating on finite strings • library calls that return integers or manipulate strings str = “hello world”; finite string for (p = str; *p; p++) ... array access ptr increment int r = lib1(); return integer lib2(str1, str2); str manipulation

  20. 20 Winning Features • Taint analysis • library calls not propagating user inputs r1 = random(); r3 = fread(fd,buf,len) r2 = strlen(s) r4 = recv(s,len,flags)

  21. 21 Winning Features • Taint analysis • library calls not propagating user inputs # arguments, # arguments, #abs. locations #abs. locations r1 = random(); r3 = fread(fd,buf,len) < r2 = strlen(s) r4 = recv(s,len,flags)

  22. 22 Summary • First selectively unsound static analysis • more e ff ective than uniformly sound / unsound ones • systematic way to tune unsoundness by ML program states program states program states Selectively Unsound Sound Uniformly Unsound

  23. 23 Summary • First selectively unsound static analysis • more e ff ective than uniformly sound / unsound ones • systematic way to tune unsoundness by ML program states program states program states Selectively Unsound Sound Uniformly Unsound Thank you

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics to cover 1. Logistic regression 2. Word embeddings 3. t-SNE 4. Deep Networks (and some transfer learning) 5. Hidden Markov Models for sequence

1k views • 60 slides
Oracle Guided Synthesis of Machine Learning Models Sanjit A. Seshia Professor EECS, UC

Oracle Guided Synthesis of Machine Learning Models Sanjit A. Seshia Professor EECS, UC

Oracle Guided Synthesis of Machine Learning Models Sanjit A. Seshia Professor EECS, UC Berkeley Publication: Towards Verified Artificial Intelligence, S. A. Seshia, D. Sadigh, and S. S. Sastry, June 2016. Dagstuhl Seminar March 20, 2018

345 views • 12 slides
for Active Learning Guided Inquiry Learning The POGIL Project Process Oriented, Guided

for Active Learning Guided Inquiry Learning The POGIL Project Process Oriented, Guided

Innovative Teaching Methods for Active Learning Guided Inquiry Learning The POGIL Project Process Oriented, Guided Inquiry Learning Developed in college Chemistry classrooms (1994), has since expanded to other fields and into high

489 views • 10 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work with Sam Blackshear, Peter OHearn, Nikos Gorogiannis Key Messages Static analyses for concurrency can be made scalable and precise . Unsound

827 views • 80 slides
A True Positives Theorem for a Static Race Detector Nikos Gorogiannis Peter OHearn Ilya

A True Positives Theorem for a Static Race Detector Nikos Gorogiannis Peter OHearn Ilya

A True Positives Theorem for a Static Race Detector Nikos Gorogiannis Peter OHearn Ilya Sergey Key Messages Unsound (and incomplete) static analyses can be principled , satisfying meaningful theorems that help to understand their

688 views • 44 slides
The Unsound Mind and the Law: A Presentation of Forensic Psychiatry The Unsound Mind and the Law:

The Unsound Mind and the Law: A Presentation of Forensic Psychiatry The Unsound Mind and the Law:

[PDF] The Unsound Mind and the Law: A Presentation of Forensic Psychiatry (Classic Reprint) (Paperback) The Unsound Mind and the Law: A Presentation of Forensic Psychiatry The Unsound Mind and the Law: A Presentation of Forensic Psychiatry

277 views • 3 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
Web Analytics Is Computational Advertising Statistics or Machine Learning? Static or Dynamic?

Web Analytics Is Computational Advertising Statistics or Machine Learning? Static or Dynamic?

Web Analytics Is Computational Advertising Statistics or Machine Learning? Static or Dynamic? Ram Akella University of California (Berkeley and Santa Cruz) and Stanford University akella@ischool.berkeley.edu, akella@soe.ucsc.edu

1k views • 73 slides
Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner

Static (Software) Analysis Dagstuhl 16172: Machine Learning for Dynamic Software Analysis Reiner Hhnle Software Engineering Group Department of Computer Science Technische Universitt Darmstadt http://www.se.tu-darmstadt.de/

239 views • 23 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security

Coverage-Guided Fuzzing Dynamic Static Smart Coverage Structure Algorithms Security Testing Andreas Zeller, Saarland University Our Goal We want to cause the program to fail We have seen random (unstructured) input

868 views • 69 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

1/22/19 CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine Learning? A Simple Task: Recognize Obama How do you program a computer to Recognize faces? Recommend movies? Decide which web

581 views • 5 slides
Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their performance We use machine learning in situations where it is very challenging (or impossible) to define the rules by hand: e.g. face detection

1.04k views • 28 slides
Neural networks and Reinforcement learning review CS 540 Yingyu Liang Neural Networks Outline

Neural networks and Reinforcement learning review CS 540 Yingyu Liang Neural Networks Outline

Neural networks and Reinforcement learning review CS 540 Yingyu Liang Neural Networks Outline Building unit: neuron Linear perceptron Non-linear perceptron The power/limit of a single perceptron Learning of a single

479 views • 27 slides
Loop Series and Bethe Variational Bounds in Attractive Graphical Models Erik Sudderth

Loop Series and Bethe Variational Bounds in Attractive Graphical Models Erik Sudderth

Loop Series and Bethe Variational Bounds in Attractive Graphical Models Erik Sudderth Electrical Engineering &amp; Computer Science University of California, Berkeley Martin Wainwright Joint work with Alan Willsky Loopy BP and Spatial

900 views • 32 slides
Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Noel Pouchet,

Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Noel Pouchet,

Iterative Optimization in the Polyhedral Model: Part I, One-Dimensional Time Louis-Noel Pouchet, Cedric Bastoul, Albert Cohen and Nicolas Vasilache Presented by: Tom St. John Dept of Computer &amp; Information Sciences University of Delaware

702 views • 41 slides
Susan Elliot Sim, Steve Easterbrook, Richard Holt Presenters: Josh Philip

Susan Elliot Sim, Steve Easterbrook, Richard Holt Presenters: Josh Philip

Susan Elliot Sim, Steve Easterbrook, Richard Holt Presenters: Josh Philip and Jan Gorzny Summary - Benchmarking Definition: Set of tests to compare performance of different

330 views • 10 slides
Welcome We will begin at 7:30 p.m. CT Situational leadership Goals for Learn to identify the

Welcome We will begin at 7:30 p.m. CT Situational leadership Goals for Learn to identify the

Welcome We will begin at 7:30 p.m. CT Situational leadership Goals for Learn to identify the level of 1 today support and direction your team members need. Be able to choose a management 2 treatment based on your team members needs.

334 views • 19 slides
For audio, please make sure to also join the call. To view a copy of this license, visit

For audio, please make sure to also join the call. To view a copy of this license, visit

This work is licensed under the Creative Commons Attribution-Non Commercial 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain

438 views • 30 slides
HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL

HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL

James BRETT HACKING DIGITAL LEADERSHIP Insights on how to achieve success from 40 Digital Leaders 40 DIGITAL LEADERS 400 YEARS In 20 MINUTES LEADERSHIP IS HARD! HACKING = SMART 400 YEARS In 20 MINUTES 400 YEARS In 20 MINUTES OUR PATH

275 views • 23 slides
Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in

Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in

Modelling and Simulation and Wargaming to support concept development of Autonomous Systems in Harbour Protection Lucia Gazzaneo David Solarna Alberto Tremori Arnau Carrera Vias Pilar Caamao Sobrino Wayne Buck London IT 2 EC 2020, 28

429 views • 28 slides

More recommend