preventing bugs with pluggable type checking
play

Preventing bugs with pluggable type checking Michael Ernst University - PowerPoint PPT Presentation

Oct 09, 2022 •248 likes •561 views

print( @Readonly Object x) { List< @NonNull String> lst; } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Motivation java.lang.NullPointerException

  1. print( @Readonly Object x) { List< @NonNull String> lst; … } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi

  2. Motivation java.lang.NullPointerException

  3. Java’s type checking is too weak • Type checking prevents many bugs int i = “hello”; // type error • Type checking doesn’t prevent enough bugs System.console().readLine(); ⇒ NullPointerException Collections.emptyList().add(“One”); ⇒ UnsupportedOperationException

  4. Some errors are silent Date date = new Date(0); myMap.put(date, “Java Epoch”); date.setYear(70); myMap.put(date, “Linux Epoch”); ⇒ Corrupted map dbStatement.executeQuery(userInput); ⇒ UnsupportedOperationException Equality tests, initialization, data formatting, …

  5. Solution: Pluggable type systems • Design a type system to solve a specific problem • Write type qualifiers in your code (or, type inference) @Immutable Date date = new Date(0); date.setTime(70); // compile-time error • Type checker warns about violations (bugs) % javac -processor NullnessChecker MyFile.java MyFile.java:149: dereference of possibly-null reference bb2 allVars = bb2.vars; ^

  6. Outline • Type qualifiers • Pluggable type checkers • Writing your own checker • Conclusion

  7. Type qualifiers • Java 7 annotation syntax @Untainted String query; List<@NonNull String> strings; myGraph = (@Immutable Graph) tmpGraph; class UnmodifiableList<T> implements @Readonly List<@Readonly T> {} • Backward ‐ compatible : compile with any Java compiler List</*@NonNull*/ String> strings;

  8. Benefits of type qualifiers • Improve documentation • Find bugs in programs • Guarantee the absence of errors • Aid compilers and analysis tools • Reduce the need for assertions and run ‐ time checks

  9. Outline • Type qualifiers • Pluggable type checkers • Writing your own checker • Conclusion

  10. Sample checkers • @NonNull : null dereference • @Interned : incorrect equality tests • @Immutable : incorrect mutation and side ‐ effects • Many other simple checkers – Security: encryption, tainting, access control – Encoding: SQL, URL, ASCII/Unicode • Under construction: – CMU, ETH Zurich, MIT, Radboud U., U. of Buenos Aires, U. of California at Los Angeles, U. of Saarland, U. of Washington, U. of Wisconsin, Washington State U., …...

  11. Nullness and mutation demo

  12. Checkers are effective • Scales to > 200,000 LOC • Each checker found errors in each code base it ran on – Verified by a human and fixed

  13. Comparison: other Nullness tools Null pointer errors False Annotations warnings written Found Missed Checker framework 8 0 4 35 FindBugs 0 8 1 0 Jlint 0 8 8 0 PMD 0 8 0 0 • Checking a 4KLOC program • False warnings are suppressed via an annotation or assertion

  14. Checkers are featureful • Full type systems: inheritance, overriding, etc. • Generics (type polymorphism) – Also qualifier polymorphism • Flow ‐ sensitive type qualifier inference • Qualifier defaults • Warning suppression

  15. Checkers are usable • Integrated with toolchain • javac, Ant, Eclipse, Netbeans • Few false positives • Annotations are not too verbose – @NonNull : 1 per 75 lines – @Interned : 124 annotations in 220KLOC revealed 11 bugs – Possible to annotate part of program – Fewer annotations in new code – Inference tools: nullness, mutability

  16. What a checker guarantees • The program satisfies the type property – There are no bugs (of particular varieties) • Caveat: only for code that is checked – Native methods – Reflection – Code compiled without the pluggable type checker – Suppressed warnings • Indicates what code a human should analyze • Checking part of a program is still useful

  17. Annotating libraries • Each checker includes JDK annotations – Typically, only for signatures, not bodies – Finds errors in clients, but not in the library itself • Inference tools for annotating new libraries

  18. Outline • Type qualifiers • Pluggable type checkers • Writing your own checker • Conclusion

  19. SQL injection attack • Server code bug: SQL query constructed using unfiltered user input query = “SELECT * FROM users ” + “WHERE name=‘” + userInput + “’;”; • User inputs: a’ or ‘t’=‘t • Result: query ⇒ SELECT * FROM users WHERE name=‘a’ or ‘t’=‘t’; • Query returns information about all users

  20. Tainting checker @TypeQualifier @SubtypeOf(Unqualified.class) @ImplicitFor(trees = {STRING_LITERAL}) public @interface Untainted { } To use it: 1. Write @Untainted in your program List getPosts(@Untainted String category) { … } 2. Compile your program javac -processor BasicChecker -Aquals=Untainted MyProgram.java

  21. Tainting checker demo

  22. Defining a type system @TypeQualifier public @interface NonNull { }

  23. Defining a type system 1. Type qualifier hierarchy 2. Type introduction rules 3. Other type rules @TypeQualifier public @interface NonNull { }

  24. Defining a type system 1. Type qualifier hierarchy 2. Type introduction rules 3. Other type rules @TypeQualifier @SubtypeOf( Nullable.class ) public @interface NonNull { }

  25. Defining a type system 1. Type qualifier hierarchy new Date() 2. Type introduction rules “hello ” + getName() Boolean.TRUE 3. Other type rules @TypeQualifier @SubtypeOf( Nullable.class ) @ImplicitFor(trees={ NEW_CLASS, PLUS, BOOLEAN_LITERAL, ... } ) public @interface NonNull { }

  26. Defining a type system 1. Type qualifier hierarchy synchronized(expr) { … 2. Type introduction rules } 3. Other type rules Warn if expr may be null void visitSynchronized(SynchronizedTree node) { ExpressionTree expr = node.getExpression(); AnnotatedTypeMirror type = getAnnotatedType(expr); if (! type.hasAnnotation(NONNULL)) checker.report(Result.failure(...), expr); }

  27. Outline • Type qualifiers • Pluggable type checkers • Writing your own checker • Conclusion

  28. Research results • First practical system for pluggable types – This lack held back research and practice • Significant case studies led to: – new type systems – new insights about old ones • Linear ‐ time inference algorithm • See paper “Practical pluggable types for Java” (in ISSTA 2008)

  29. My other research Making it easier (and more fun!) to create reliable software Security : – Finding and exploiting web vulnerabilities – Automatically patching vulnerabilities – Quantitative information ‐ flow Programming languages : – Type systems: immutability, canonicalization – Type inference: abstractions, polymorphism, immutability Testing : – Creating complex test inputs – Generating unit tests from system tests – Classifying test behavior More : Reproducing in ‐ field failures; combined static & dynamic analysis; analysis of version history; refactoring; …

  30. Contributions • Checker Framework for creating type checkers – Featureful, effective, easy to use, scalable • Prevent bugs at compile time • Create custom type ‐ checkers • Download: http://pag.csail.mit.edu/jsr308

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preventing errors before they happen: Lightweight verification via pluggable type-checking

Preventing errors before they happen: Lightweight verification via pluggable type-checking

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing errors before they happen: Lightweight verification via pluggable type-checking Michael D. Ernst University of Washington (Seattle, WA, USA) University of Buenos

600 views • 48 slides
Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable Types for Java Michael D. Ernst University of Washington https://checkerframework.org/ Optional Type Checking int x = &quot;hello world&quot;;

628 views • 60 slides
Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

void print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT Problem 1: Javas type checking Type

801 views • 37 slides
Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks:

COMP 520 Fall 2010 Type checking (1) Type checking COMP 520 Fall 2010 Type checking (2) The type checker has severals tasks: determine the types of all expressions; check that values and variables are used correctly; and resolve

631 views • 30 slides
Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The Same Bugs, Over and Over Again... SQL-injection, XSS, XSRF, etc -- OWASP Top 10 Root cause Inherently bug-prone APIs Developers are

313 views • 28 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel, Michael D. Ernst, Kvan Mulu, and Todd W. Schiller 1 Software still has errors 2 Static type systems 0 errors, Crashes 0 warnings Source

624 views • 29 slides
Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the

Type Reconstruction and Polymorphism 1 Type Checking and Type Reconstruction We now come to the question of type checking and type reconstruction. Given , t and T , check whether t : T Type checking: Given and t , find a type T

518 views • 28 slides
Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp .

Type Checking Grammar Rule Semantic Rule var-decl id : type-exp Insert (id.name, type-exp . type ) type-exp int type-exp . type := integer type-exp bool type-exp . type := boolean type-exp 1 array type-exp 1 . type := [num] of

613 views • 7 slides
Inser&amp;ng Inten&amp;onal Bugs for Model Checking Assurance

Inser&amp;ng Inten&amp;onal Bugs for Model Checking Assurance

Inser&amp;ng Inten&amp;onal Bugs for Model Checking Assurance Thomas L. Rodeheffer and Ramakrishna Kotla Microso? Research, Silicon Valley The Problem

163 views • 14 slides
Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x

CSE340 Principles of Programming Languages Hindley-Milner Type Checking Automatic Type Inference What can be inferred about type of f or x from this definition? f(x) = x Automatic Type Inference f(x) = x f is a function that takes a single

1.31k views • 73 slides
Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type

Type checking and normalisation James Chapman - University of Nottingham My thesis Type checking in Haskell Epigram language - McBride/McKinna Big-step normalisation for simple types, formalised in Agda Big-step normalisation for

978 views • 36 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages.

Chapter 4: Type Checking Aarne Ranta Slides for the book Implementing Programming Languages. An Introduction to Compilers and Interpreters, College Publications, 2012. Checking that a program makes sense Traditional notions of type

1.04k views • 68 slides
INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types

INF5110 Compiler Construction Types and type checking Spring 2016 1 / 43 Outline 1. Types and type checking Intro Various types and their representation Equality of types Type checking 2 / 43 Outline 1. Types and type checking Intro

1.11k views • 43 slides
Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs?

Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs?

Introduction to Model Checking Debdeep Mukhopadhyay IIT Madras How good can you fight bugs? Comprising of three parts Formal Verification techniques consist of three parts: 1. A framework for modeling systems some kind of

799 views • 53 slides
CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from Dan Klein, Luke Zettlemoyer What is NLP? Fundamental goal: deep understand of broad language Not just string processing or keyword matching

828 views • 47 slides
Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. You need to get into a vault Try

1.35k views • 79 slides
CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein

CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein

CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein What is NLP? Fundamental goal: analyze and process human language, broadly, robustly, accurately End systems that we want to build:

275 views • 8 slides
&quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016

&quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016

Computer Science 161 Fall 2016 Nicholas Weaver &quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver 2 Computer Science 161 Fall

732 views • 61 slides
1 After the first cesarean After the first cesarean Risks for abnormal placentation

1 After the first cesarean After the first cesarean Risks for abnormal placentation

Disclosures No financial disclosures LEADING THE QUEST FOR HEALTH No off-label use of medications Nulliparous Term Singleton Vertex (NTSV): Is Healthy People 2020 Goal Possible? Kimberly D. Gregory MD, MPH Vice Chair Womens

339 views • 22 slides
Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation Different kinds of simulation Friday: Simherd: This morning: SimFlock This afternoon: Sexed semen model Sexed Semen Economics Budgetting:

373 views • 25 slides
Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri

Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri

Going off the grid Benjamin Recht University of California, Berkeley Joint work with Badri Bhaskar Parikshit Shah Gonnguo Tang imaging astronomy seismology spectroscopy k X c j e i 2 f j t x ( t ) = DOA Estimation j =1 Sampling GPS

955 views • 40 slides
Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic

Compiler-based Extraction of Event Arrival Functions for Real-Time Systems Analysis Dominic Oehlert Selma Saidi Heiko Falk Institute of Embedded Systems Hamburg University of Technology firstname.surname@tuhh.de 30th Euromicro Conference on

963 views • 77 slides

More recommend