part i hunting for bugs
play

Part I. Hunting for Bugs Vadim Mutilin Institute for System - PowerPoint PPT Presentation

Oct 25, 2023 •195 likes •505 views

Part I. Hunting for Bugs Vadim Mutilin Institute for System Programming of the Russian Academy of Sciences 2 Bugs Found for Subsystems 3 Bugs Found for Subsystems 4 5 Bugs Found by CPAchecker 6 Total Bugs Found 7 Top 10 of 35 Rules 8

  1. Part I. Hunting for Bugs Vadim Mutilin Institute for System Programming of the Russian Academy of Sciences

  2. 2

  3. Bugs Found for Subsystems 3

  4. Bugs Found for Subsystems 4

  5. 5

  6. Bugs Found by CPAchecker 6

  7. Total Bugs Found 7

  8. Top 10 of 35 Rules 8

  9. Consequences 9

  10. Consequences (by the tool) 10

  11. On the Error Path? (by the tool) 11

  12. On the Error Path? (for top 10 rules) 12

  13. Part II. ARINC to AADL Sergey Lesovoy Institute for System Programming of the Russian Academy of Sciences

  14. ● Partition & process management ... ● Inter & intra partition communication ... ● etc 17

  15. Architecture Analysis and Design Language (AADL) Example 1. Communicating with intra partition port and global variable Example 2. Communicating with inter partition port 18

  16. ARINC processes “process 1” does not start here Initialization of ARINC entities “process 1“ starts here 19

  17. ARINC processes Solution 1 ● Preliminary Value analysis collecting set of process function pointers ● Inserting function calls explicitly Start “process 1” 20

  18. ARINC processes Solution 2 ● A model with nondeterministic choice Save nondeterministically Call saved pointer 21

  19. ARINC entities Creation of process with name “process 1” and function pointer first_process. Identifier is stored in variable pid Creation of port entity with name “QP1” Identifier is stored in variable QP1 Entering “process 1” 22

  20. ARINC entities Solution pid → {“process 1”, first_function} 23

  21. ARINC entities Solution pid → {“process 1”, first_function} pid → {“process 1”, first_function} QP1 → “QP1” 24

  22. ARINC entities Solution pid → {“process 1”, first_function} pid → {“process 1”, first_function} QP1 → “QP1” current → “process 1” pid → {“process 1”, first_function} QP1 → “QP1” 25

  23. ARINC entities Solution pid → {“process 1”, first_function} pid → {“process 1”, first_function} QP1 → “QP1” current → “process 1” pid → {“process 1”, first_function} QP1 → “QP1” 26

  24. Collect values only on reachable paths 1. The path should be reachable 2. Get the value 27

  25. Collect values only on reachable paths Solution. Refinement Mark as target state (violation) Take the value from Value analysis 28

  26. CPAchecker ARINC2AADL ● ARINC processes ● Solution 1. Preliminary analysis – requires modification of CFA ● Solution 2. Nondeterministic choice – sound for sequential analysis only ● ARINC entities ● Solution. Extension of Value analysis – supports pointers only heuristically ● Generalize for other analyses? ● Collect values on reachable paths ● Value Analysis – supports pointers only heuristically ● Predicate Analysis – how to exclude undefined values? 29

  27. Part III. Topics Institute for System Programming of the Russian Academy of Sciences

  28. Topics (unsorted) ● Collect data values with predicate analysis ● Correctness witness visualization ● Stepwise input program simplification and debugging of CPAchecker ● Type and BnB regions for array encoding in predicate analysis ● CPALockator ● Support for atomic access primitives ● Support for interrupts model ● Shared analysis with refinement ● Support for message passing ● Support for control dependencies ● Checking memsafety properties for multithreaded programs ● Simplifying input source code for the verification (CIL-less) ● Loop iterations abstraction and refinement ● Generation of exploits ● Checking for undefined behavior with symbolic memory graphs ● Local path refinement selection in BAM ● On-demand memory for predicate analysis ● Runtime learning of environment models 31

  29. Thank you! Vadim Mutilin http://linuxtesting.org/project/ldv Institute for System Programming of the Russian Academy of Sciences

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry ECMAScript enthusiast

893 views • 39 slides
The Essentials of CAGD Chapter 14: Hunting Geometry Bugs Gerald Farin & Dianne Hansford CRC

The Essentials of CAGD Chapter 14: Hunting Geometry Bugs Gerald Farin & Dianne Hansford CRC

The Essentials of CAGD Chapter 14: Hunting Geometry Bugs Gerald Farin & Dianne Hansford CRC Press, Taylor & Francis Group, An A K Peters Book www.farinhansford.com/books/essentials-cagd 2000 c Farin & Hansford The Essentials

289 views • 8 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android Infiltrate 17 April, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

1.07k views • 52 slides
Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory

Logic Bug Hunting in Chrome on Android CanSecWest 17 March, 2017 Agenda Fuzzing and memory corruptions Introduction to logic flaws General approach to hunting logic bugs Application in Mobile Pwn2Own 2016 Exploit improvement

963 views • 73 slides
Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting

Hunting Manufactures and distributes products that enable the extraction of oil and gas Hunting PLC Global Footprint 2 2009 Corporate Highlights Completed three acquisitions 47.3m Sale of Hunting Energy France 11.1m Year end

857 views • 37 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon detection Part III: Lets hunt them early C2 scanning whoami Sysadmin and network defender for the Polish Navy Incident responder

720 views • 52 slides
Compassionate Conservation THINK.CHANGE.DO Is recreational hunting defensible? PART 2 Emeritus

Compassionate Conservation THINK.CHANGE.DO Is recreational hunting defensible? PART 2 Emeritus

Compassionate Conservation THINK.CHANGE.DO Is recreational hunting defensible? PART 2 Emeritus Professor Marc Bekoff & Dr Daniel Ramp Outline of evenings presentations What is compassionate conservation and why do we need it (PART 1)

744 views • 32 slides
Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and

Waterfowl Hunting for Beginners by John Martsh R-3 Program Manager Hunting Techniques: Spot and Stalk Hunting Techniques: Decoying Hunting Techniques: Pass Shooting Gauge Sizes Choke extracted from muzzle Choke lengths and wall diameters

783 views • 29 slides
Artemis Distributed system Hun0ng for Dryad Bugs with Overview Artemis Logs System

Artemis Distributed system Hun0ng for Dryad Bugs with Overview Artemis Logs System

Artemis Distributed system Hun0ng for Dryad Bugs with Overview Artemis Logs System Architecture Data Data collec1on Collec1o n Database View GUI Plugins GUI Plugins Conclusion s Hunting for Bugs with Artemis pptPlex

881 views • 25 slides
BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on blood They are reddish-brown in colour An adult bed bug is approximately the size of an apple seed An egg is approximately the size of a

163 views • 15 slides
THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil

THE LEGALITY OF TIGER FARMING, TROPHY HUNTING AND CANNED HUNTING UNDER INTERNATIONAL LAW Cecil the Lion, Hwange National Park, Zimbabwe, 2013 Yann Prisner-Levyne WILD FAUNA= NATURAL RESOURCES UNDER INTERNATIONAL LAW Principle of permanent

400 views • 21 slides
Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm

Indigenous Hunting Rights in British Columbia By: Liam Robertson Broken Down Firearm Licensing (Briefly) Hunting on Traditional Territory Hunting off Traditional Territory Applying for a FWID and BCEID Metis Hunting in BC

377 views • 13 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in

TABAKOV TROPHY HUNTING Partridge driven hunt El Vedat The hunting territory: It is in the middle of Anoia, in Catalonia that the hunting area of El Vedat is situated, only 45mn of Barcelona. The territory extends on more than 3000 ha of

385 views • 10 slides
Higher-Order Reverse Topology James Hunter (hunter@math.wisc.edu) University of Wisconsin Logic

Higher-Order Reverse Topology James Hunter (hunter@math.wisc.edu) University of Wisconsin Logic

Overview of theories Second-order parts of higher-order theories Topological definitions A bit of reverse topology Higher-Order Reverse Topology James Hunter (hunter@math.wisc.edu) University of Wisconsin Logic Colloquium 2007 Wroc law

157 views • 14 slides
The Quest for Modern Agile Vikki Read - Senior Software Developer - @vikkiread Alex Wilson -

The Quest for Modern Agile Vikki Read - Senior Software Developer - @vikkiread Alex Wilson -

Hunting Unicorns The Quest for Modern Agile Vikki Read - Senior Software Developer - @vikkiread Alex Wilson - Lead Research Developer - @pr0bablyfine WARNING THIS TALK CONTAINS STRETCHED METAPHORS Where have all the heroes gone? eXtreme

753 views • 28 slides
Chapter 9. Growth through Technological Progress UMSL Max Gillman Max Gillman () 1 / 44 Facts:

Chapter 9. Growth through Technological Progress UMSL Max Gillman Max Gillman () 1 / 44 Facts:

Chapter 9. Growth through Technological Progress UMSL Max Gillman Max Gillman () 1 / 44 Facts: Positive Trend Growth Rate Ramsey (1928) World, economic growth assumed zero. in real GDP growth rate. "Classical": Ricardo, J.S. Mill,

822 views • 44 slides
Value Hunting The Substitution Model Theory of Programming Languages Computer Science Department

Value Hunting The Substitution Model Theory of Programming Languages Computer Science Department

Eval Values Operations Conditionals Sequential Eval Matching Functions Global Names Recursion Value Hunting The Substitution Model Theory of Programming Languages Computer Science Department Wellesley College Eval Values Operations

280 views • 14 slides
Hunt for the Collapse of Semantics in Infinite Abstract Argumentation Frameworks 1 Christof

Hunt for the Collapse of Semantics in Infinite Abstract Argumentation Frameworks 1 Christof

Hunt for the Collapse of Semantics in Infinite Abstract Argumentation Frameworks 1 Christof Spanring Department of Computer Science, University of Liverpool, UK Institute of Information Systems, TU Wien, Austria ICCSW15, September 25, 2015 1

337 views • 18 slides
Hunter Hunter a CMake driven cross-platform package manager for C/C++ projects Daniel Friedrich

Hunter Hunter a CMake driven cross-platform package manager for C/C++ projects Daniel Friedrich

Hunter Hunter a CMake driven cross-platform package manager for C/C++ projects Daniel Friedrich nanosurf AG Hunter is one of many package/dependancy -manager * Buckaroo * Conan * cget * vcpkg * CocoaPods * Homebrew (OSX) * mxxn *

668 views • 10 slides
Zamolodchikov periodicity and integrability Pavel Galashin MIT galashin@mit.edu Hunter College,

Zamolodchikov periodicity and integrability Pavel Galashin MIT galashin@mit.edu Hunter College,

Zamolodchikov periodicity and integrability Pavel Galashin MIT galashin@mit.edu Hunter College, May 7, 2017 Joint work with Pavlo Pylyavskyy 2 2 2 1 1 2 2 3 2 2 2 1 2 Pavel Galashin (MIT) Zamolodchikov periodicity and

1.07k views • 82 slides
The Frontiers of Matter (in 1932) 1 The periodic chart orders the chemical elements according

The Frontiers of Matter (in 1932) 1 The periodic chart orders the chemical elements according

The Frontiers of Matter (in 1932) 1 The periodic chart orders the chemical elements according to their properties. It provides clues to the un- derlying atomic structure. The fundamental particles of the periodic chart are the

733 views • 49 slides

More recommend