SLIDE 1

Splitting the Control Flow with Boolean Flags

Axel Simon, École Normale Supérieure, Paris, France, A.Simon@ens.fr, July 2008

Axel Simon Splitting the Control Flow with Boolean Flags

SLIDE 2

Good States are Usually Convex

Declare C variable int array[12];

(Figure: the index i drawn on a number line with ticks 1 … 11.)

Access array[i] within bound if 0 ≤ i and i ≤ 11.

SLIDE 6

Good States are Usually Convex

Declare C variable int array[s]; where s is any int.

(Figure: the index i drawn on a number line with ticks 1 … s−1.)

Access array[i] within bound if 0 ≤ i and i ≤ s − 1. Observations:

◮ One conjunction of linear inequalities is sufficient.
◮ Such a conjunction defines a convex polyhedron.
◮ Verification is often possible by inferring a single polyhedron.


SLIDE 8

Domain of Convex Polyhedra

◮ Properties are expressed over abstract variables X
  ◮ e.g. the value of p is expressed by x_p ∈ X
  ◮ let x = ⟨x_1, …, x_n⟩ and {x_1, …, x_n} = X

◮ The domain of convex polyhedra ⟨Poly_X, ⊑, ⊔, ⊓⟩:
  Ineq_X: the set of linear inequalities a·x ≤ c, a ∈ Z^n, c ∈ Z.
  Poly_X: subsets of Q^n that can be delimited by finite sets I ⊂ Ineq_X.
  [[a·x ≤ c]]: the subspace of Q^n that satisfies a·x ≤ c.
  P1 ⊑ P2: entailment; P1 ⊆ P2.
  P1 ⊔ P2: join; the closure of the convex hull of P1 and P2.
  P1 ⊓ P2: meet; for instance P1 ⊓ P2 := P1 ∩ P2.


SLIDE 11

Example: Division by Zero

Let −9 ≤ d ≤ 9 in abstract state P and execute:

    int r = MAX_INT;
    if (d != 0) r = v / d;

Task: Verify that d is not zero when dividing.

◮ Model d != 0 by P′ = (P ⊓ [[d ≤ −1]]) ⊔ (P ⊓ [[d ≥ 1]]).
◮ Approximation results in −9 ≤ d ≤ 9 in P′.
◮ Cannot prove v/d correct using P′.
◮ One solution: do not join the states P ⊓ [[d ≤ −1]] and P ⊓ [[d ≥ 1]] until after the division (trace partitioning).
◮ Partitioning the traces: when to split and when to join?


SLIDE 15

One Polyhedron and one Boolean Flag

Idea: add a Boolean flag f to the states that are to be separated. Let P− = P ⊓ [[{d ≤ −1, f = 0}]] and P+ = P ⊓ [[{d ≥ 1, f = 1}]]. Analyze v/d using the state P′ = P− ⊔ P+:

(Figure: the (d, f) plane with d ticks 1, 5, 9; P− is the segment f = 0, −9 ≤ d ≤ −1, P+ the segment f = 1, 1 ≤ d ≤ 9, P′ their convex hull, and the line d = 0 cuts P′ only between the two segments.)

◮ No division by zero if P′ ⊓ [[d = 0]] = ∅.
◮ Over Q this meet is not empty: it contains the segment d = 0, 1/10 ≤ f ≤ 9/10. But since f and d are integral, we can conclude that P′ ∩ [[d = 0]] ∩ Z^n = ∅, because no point of that segment has f ∈ {0, 1}.


SLIDE 17

The Main Observation

Let P1, P2 ∈ Poly_X and let P = (P1 ⊓ [[f = 0]]) ⊔ (P2 ⊓ [[f = 1]]). Then:

◮ P1 and P2 can be recovered from P if
  ◮ ⊓ satisfies P1 ⊓ P2 = S such that S ∩ Z^n = P1 ∩ P2 ∩ Z^n (the meet is exact on the integral points), and
  ◮ P1 and P2 are bounded.
◮ Otherwise a loss of information may occur. E.g. drop the upper bound of d and let P+ = P ⊓ [[{d ≥ 1, f = 1}]] with only d ≥ −9 known: since ⊔ takes the closure of the convex hull, the hull of the bounded segment P− and the unbounded ray P+ contains the whole ray f = 0, d ≥ −9, so the integral point (d, f) = (0, 0) lies in P′ ⊓ [[d = 0]] and the two states can no longer be told apart.

(Figure: the same (d, f) plane as before, with P+ extending past d = 10 and the hull now touching d = 0 at f = 0.)


SLIDE 20

Using Boolean Flags instead of Reanalyzing a Path

Separating two states using a Boolean flag
◮ is conceptually simpler,
◮ still needs a decision on where to split,
◮ but joining paths is automatic.

Complexity: polyhedra with integral tightening can express any Boolean function. Examples over two variables x, y ∈ {0, 1}: x ∧ y, x ⊕ y, x ⇒ y, x ∨ y.

(Figure: four diagrams over the unit square with axes x and y, one per function, each showing the polyhedron whose integral points are exactly the satisfying assignments.)

Indeed, deciding if P ∩ Z^n = ∅ is NP-complete. [Schrijver86]


SLIDE 24

Using Polyhedral Sub-Domains

Reduce the complexity by using sub-domains of Z-polyhedra, e.g.:

Octagons [Mine06]: restrict Ineq_X to ±x ± y ≤ c, c ∈ Z.
◮ Modifying the closure yields Z-octagons and a decision procedure for 2-SAT. [Bagnara08]

TVPI [Simon02]: restrict Ineq_X to ax + by ≤ c.
◮ The emptiness test for a TVPI system over Z^n is NP-complete [Lagarias85]. Approximation via the planar integer hull algorithm [Harvey99].

Polyhedra with tightening: a·x ≤ c where gcd(a) = 1.
◮ Refine with Gomory's cutting plane method.



SLIDE 28

Polyhedral and Points-to Analysis

Consider the following call to f:

    char *p; bool r;
    r = f(&p);
    /* other statements here */
    if (r) printf("value: %s", p);

And the following stub implementation:

    int f(char **pp) {
      if (rand()) return 0;   /* error */
      *pp = "Success.";
      return 1;               /* success */
    }

Two possible cases:
success: rand() returns 0, p points to "Success.", r is 1
error: rand() returns non-zero, p is uninitialized, r is 0

SLIDE 29

Polyhedral and Points-to Analysis

Consider the following call to f:

    char *p; bool r;
    r = f(&p);
    /* other statements here */
    if (r) printf("value: %s", p);

Let P ∈ Poly_X and A : X → P(A) represent the state after the call to f.

  case     | points-to set A(x_p) | value of x_p in P | value of x_r
  success  | a_s                  | 0                 | 1
  error    | null                 | [0, 2^32 − 1]     | 0

A pointer p is in the concretisation iff its value is an offset x_p from P plus the address b of an abstract location a in its points-to set:

p ∈ γ_p(P, A) = { x_p + b | (…, x_p, …) ∈ P ∧ b ∈ ρ(a) ∧ a ∈ A(x_p) }

where A(x_p) = {a_s, null}, ρ(a_s) = [4096, 2^31] and ρ(null) = {0}.


SLIDE 34

Evaluating the Condition

Is dereferencing p correct in if (r) printf("value: %s", p);?

  case     | points-to set A(x_p) | value of x_p in P | value of x_r
  success  | a_s                  | 0                 | 1
  error    | null                 | [0, 2^32 − 1]     | 0

Possible ways of analysing the program:

◮ Evaluate f and return one (joined) result:
  A(x_p) = {a_s, null}, P = [[{x_p ≥ 0, x_r ≥ 0, x_p + (2^32 − 1)·x_r ≤ 2^32 − 1}]].
  Problem: P ⊓ [[x_r ≥ 1]] ❀ x_p = 0, but still null ∈ A(x_p), so the dereference cannot be shown safe.
◮ Analyse twice: keep success and error traces separate.
  ◮ The error traces are infeasible in the then-branch, since r = 0 on them and so their state meets [[x_r ≥ 1]] in ∅.
  ◮ However, the code between f(&p) and if (r) has to be re-analysed for each trace.
◮ Choose a different way of performing points-to analysis.


SLIDE 38

Refining Points-to Analysis With Boolean Flags

◮ A : X → P(A) is a flow-sensitive points-to analysis
◮ null ∈ A denotes NULL

Problem: the points-to set of x_p can only be restricted by certain tests that mention p directly, such as if (p != NULL).

Now: fix A : X → P(X × A) such that A(x_p) = {⟨f_s, a_s⟩}, i.e. every abstract address in a points-to set is paired with a Boolean flag variable of the polyhedron that is 1 exactly when p points into that address:

p ∈ γ_p(P) = { x_p + f_s·b | (…, x_p, …, f_s, …) ∈ P ∧ b ∈ ρ(a_s) }

  case     | points-to set A(x_p) | f_s in P | x_p in P       | x_r in P
  success  | a_s if f_s = 1       | 1        | 0              | 1
  error    | a_s if f_s = 1       | 0        | [0, 2^32 − 1]  | 0

P = [[{f_s = x_r, x_p ≥ 0, x_r ≥ 0, x_p + (2^32 − 1)·x_r ≤ 2^32 − 1}]]

Is dereferencing p correct in if (r) printf("value: %s", p);? Yes: P ⊓ [[x_r ≥ 1]] ❀ x_p = 0, f_s = 1, so p is exactly the address of "Success.".


SLIDE 43

On Using Flags in Points-to Analysis

◮ can use one points-to map for the whole program
◮ improves precision
◮ cost negligible if a points-to flag is equal to a variable or a constant
◮ performing pointer arithmetic is simple. Evaluate e = p + q − r, and let A(x_p) = {⟨f^p_1, a_1⟩, …, ⟨f^p_k, a_k⟩}, similarly for x_q, x_r, x_e:

    x_e   ← x_p   + x_q   − x_r
    f^e_1 ← f^p_1 + f^q_1 − f^r_1
    …
    f^e_k ← f^p_k + f^q_k − f^r_k

◮ Same calculation, independent of which variable is a pointer.
◮ if 0 ≤ f^e_1 ≤ 1, …, 0 ≤ f^e_k ≤ 1: each flag is Boolean
◮ if f^e_1 + … + f^e_k ≥ 1: e is not NULL
◮ if f^e_1 + … + f^e_k ≤ 1: e is not the sum of pointers
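The following is an added example, not code from the slides or from the author: an interval model of the flag-refined points-to domain of slides 35 to 43. Every program variable v carries a numeric value x_v and one flag f^v_a per abstract address a; a flag of 1 means "v points into a". The relation f_s = x_r is kept as an explicit equality between two numeric variables, which is the cheap "flag equal to a variable" case of slide 39. The class and variable names (State, Iv, U32, a_s, buf) are this example's own; the offset constraint x_p + (2^32 − 1)·x_r ≤ 2^32 − 1 needs a relational polyhedron and is not modelled, so the toy only answers the NULL question and the three flag checks of slide 43.

```python
# Added example (not from the slides): flags per abstract address, intervals for values.
from dataclasses import dataclass

U32 = 2**32 - 1     # value range the slides use for an uninitialised pointer


@dataclass(frozen=True)
class Iv:
    """Integer interval [lo, hi]; lo > hi is the empty interval."""
    lo: int
    hi: int

    def __add__(self, o):
        return Iv(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        return Iv(self.lo - o.hi, self.hi - o.lo)

    def meet(self, o):
        return Iv(max(self.lo, o.lo), min(self.hi, o.hi))


class State:
    """One interval per numeric variable ("p" is x_p, "p@a" is the flag f^p_a)
    plus equalities between numeric variables (here: f_s = x_r)."""

    def __init__(self):
        self.iv, self.eq, self.addrs = {}, [], set()

    def flag(self, v, a):
        return self.iv.get(f"{v}@{a}", Iv(0, 0))   # no flag recorded: never points into a

    def set_var(self, v, value, flags=None):
        self.iv[v] = value
        for a, f in (flags or {}).items():
            self.addrs.add(a)
            self.iv[f"{v}@{a}"] = f

    def equate(self, n1, n2):
        self.eq.append((n1, n2))
        self._propagate()

    def assume(self, name, iv):
        """Filter the state by name ∈ iv, e.g. entering the then-branch of if (r)."""
        self.iv[name] = self.iv[name].meet(iv)
        self._propagate()

    def _propagate(self):
        changed = True
        while changed:                 # narrow both sides of every equality to their meet
            changed = False
            for n1, n2 in self.eq:
                m = self.iv[n1].meet(self.iv[n2])
                if m != self.iv[n1] or m != self.iv[n2]:
                    self.iv[n1] = self.iv[n2] = m
                    changed = True

    def linear(self, dst, plus, minus):
        """dst = sum(plus) - sum(minus): the same linear combination is applied to
        the values and to every flag, whichever operands are pointers (slide 43)."""
        value = Iv(0, 0)
        for v in plus:
            value = value + self.iv[v]
        for v in minus:
            value = value - self.iv[v]
        flags = {}
        for a in self.addrs:
            f = Iv(0, 0)
            for v in plus:
                f = f + self.flag(v, a)
            for v in minus:
                f = f - self.flag(v, a)
            flags[a] = f
        self.set_var(dst, value, flags)

    def flag_sum(self, v):
        s = Iv(0, 0)
        for a in self.addrs:
            s = s + self.flag(v, a)
        return s

    # The three checks of slide 43.
    def flags_boolean(self, v):
        return all(self.flag(v, a).lo >= 0 and self.flag(v, a).hi <= 1 for a in self.addrs)

    def not_null(self, v):
        return self.flag_sum(v).lo >= 1

    def not_sum_of_pointers(self, v):
        return self.flag_sum(v).hi <= 1


def analyse_call_then_test():
    """r = f(&p); ... if (r) printf("value: %s", p);  with A(x_p) = {<f_s, a_s>}."""
    st = State()
    st.set_var("p", Iv(0, U32), {"a_s": Iv(0, 1)})   # joined result of both stub traces
    st.set_var("r", Iv(0, 1))                        # stub returns 0 (error) or 1 (success)
    st.equate("p@a_s", "r")                          # the refinement: f_s = x_r
    joined = st.not_null("p")                        # False: the join alone cannot tell
    st.assume("r", Iv(1, U32))                       # enter the then-branch of if (r)
    return joined, st.not_null("p"), st.flag("p", "a_s")


def analyse_arithmetic():
    """p, s point into buf, q is an integer: e = p + q - s is an integer,
    t = p + s is a sum of two pointers, u = p + q is a legitimate pointer."""
    st = State()
    st.set_var("p", Iv(0, 100), {"buf": Iv(1, 1)})
    st.set_var("s", Iv(4, 4), {"buf": Iv(1, 1)})
    st.set_var("q", Iv(0, 10))
    st.linear("e", ["p", "q"], ["s"])
    st.linear("t", ["p", "s"], [])
    st.linear("u", ["p", "q"], [])
    return st
```

In analyse_call_then_test the joined state after the call has f_s ∈ [0, 1], so p may be NULL; once r ≥ 1 is assumed, the equality f_s = x_r narrows the flag to 1 and the dereference is proven NULL-free without re-analysing anything between the call and the test. In analyse_arithmetic the flag of e comes out as 0 (pointer difference plus an integer), the flag of t as 2 (flagged by the ≤ 1 check as a sum of pointers) and the flag of u as 1, all from the same linear update.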


SLIDE 45

Conclusion

Using Boolean variables in a polyhedron
◮ distinguishes two states (if P is bounded and a Z-polyhedron)
◮ but approximations of Z-polyhedra suffice in practice
◮ is useful to refine points-to analysis
◮ can be cheaper than trace partitioning
◮ is simpler to implement than trace partitioning

Observations:
◮ convex polyhedra can express non-convex spaces
◮ duality: some variables in a polyhedron are Boolean, e.g. in string buffer analysis a character is either 0 or in 1 … 255.
◮ apply trace partitioning within a polyhedron when the relationship with the Boolean flag becomes too complicated?

SLIDE 46

Value-Range Analysis of C Programs: Towards Proving the Absence of Buffer Overflow Vulnerabilities. Axel Simon.

◮ defines semantics for C
◮ abstracted using polyhedra
◮ abstraction relation precise to the bit-level
◮ formal but light-weight description
◮ add-ons: string buffer and improved pointer analysis
◮ starting point for other analyses
◮ appears July 18th 2008