systemized static analysis
play

"Systemized" Static Analysis Harry Xu University of - PowerPoint PPT Presentation

Feb 14, 2024 •237 likes •724 views

"Systemized" Static Analysis Harry Xu University of California, Los Angeles Overview of My Work Systems PL 2 Static Analysis: Has the Problem Been Solved? Academia Industry Hundreds of papers published in Less than a dozen

  1. "Systemized" Static Analysis Harry Xu University of California, Los Angeles

  2. Overview of My Work Systems PL 2

  3. Static Analysis: Has the Problem Been Solved? Academia Industry • Hundreds of papers published in • Less than a dozen commercial the past decade analysis tools • Algorithms become increasingly • Use very simple algorithms sophisticated • Software becomes increasingly large and dynamic More elegant More practical 3

  4. The Ever-increasing Gap Lost in multiple Difficulty in Scalability languages implementation 4

  5. Attempts from the PL Community • Poor scalability + Trading off precision for scalability + Minimizing generated information - Further complicates the implementation • Complicated implementations + Using declarative models such as Datalog - Fundamentally limited by a Datalog engine • Lost in multiple - Nothing has been done languages 5

  6. The Outside World • The FB graph had 721M vertices (users), 68.7B edges (friendships) in May 2011 • Google Maps had 20 petabytes of data in 2015 6

  7. Our “Large” Programs • The Linux kernel , 16M lines of code; a fully inlined version has about 1B edges • HBase , 1.37M lines of code; 128M edges in a fully inlined version • Hadoop , 546K lines of code; 44M edges in a fully inlined FB Graph: 68.7B edges version 7

  8. Time for a Mindset Shift? It is not because our programs are too large, but because we haven’t thought about how to develop scalable systems 8

  9. “Big Data” Thinking Solution = (1) Large Dataset + (2) Simple Computation + System Design Don’t complicate the algorithm Leave the algorithm simple Leverage modern computing Don’t worry about too much resources (intermediate) data Design and implement Don’t stop at the interface customized systems between app and system 9

  10. What We Did Built single-machine, disk-based systems specifically for the static analysis workload • Graspan: a graph system for CFL-reachability computation [ASPLOS’17] • Grapple: a graph system for finite-state property checking [In Submission] 10

  11. Why Systemized Static Analyses Work • Poor scalability No longer worry about memory blowup as we have disk-support • Complicated implementations Analysis developers only implement a few interfaces; No longer worry about performance • Lost in multiple Components in different languages are turned into languages graphs of the same format and analyzed together 11

  12. Graspan: Context-Free Language (CFL) Reachability • A program graph P K l 2 l 1 a b c c is K-reachable from a • A context-free Grammar G with balanced parentheses properties K à l 1 l 2 12 Reps, Program analysis via graph reachability, IST, 1998

  13. A Wide Range of Applications • Pointer/alias analysis Alias b = a; a b c c = b; Assign Assign Alias à Assign + • Dataflow analysis, pushdown systems, set-constraint problems can all be converted to context-free-language reachability problems Sridharan and Bodik, Refinement-based context-sensitive pointsto analysis for Java, PLDI , 2006 13 Zheng and Rugina, Demand-driven alias analysis for C, POPL , 2008

  14. A Wide Range of Applications (Cont.) • Pointer/alias analysis Alias b = & a; // Address-of a b c d c = b; & Alias * d = *c; // Dereference Alias à Assign + | & Alias * • Address-of & / dereference* are the open/close parentheses Sridharan and Bodik, Refinement-based context-sensitive pointsto analysis for Java, PLDI , 2006 14 Zheng and Rugina, Demand-driven alias analysis for C, POPL , 2008

  15. “Big Data” Thinking Solution = (1) Large Dataset + (2) Simple Computation + System Design 15

  16. Turning Code Analysis into Data Analytics • Key insights: – The input is a fully inlined program graph – Adding transitive edges explicitly – satisfying (1) – Core computation is adding edges – satisfying (2) – Leveraging disk support for memory blowup • Can existing graph systems be directly used? – No, none of them support dynamic addition of a lot of edges (1) Online edge duplicate check and (2) dynamic graph repartitioning 16

  17. Graspan [Wang-ASPLOS’17] • Scalable – Disk-based processing on the developer's work machine • Parallel – Edge-pair centric computation • Easy to implement a static analysis – Implement a few interfaces 4 students + 1 postdoc, 1.5 years of development; implemented in both Java and C++ https://github.com/Graspan/ 17

  18. How It Works? G GRAMMAR RULES 18

  19. Granspan Design Edge-Pair Centric Preprocessing Postprocessing Computation 19

  20. Computation Occurs in Supersteps Edge-Pair Centric Preprocessing Postprocessing Computation 20

  21. Each Superstep Loads Two Partitions 0 C 1 A B 2 3 4 Edge-Pair Centric Preprocessing Postprocessing Computation 21

  22. Each Superstep Loads Two Partitions 0 1 2 3 4 We keep iterating until delta is 0 Edge-Pair Centric Preprocessing Postprocessing Computation 22

  23. Post-Processing • Repartition oversized partitions to maintain balanced load on memory • Save partitions to disk • Scheduler favors in-memory partitions and those with higher matching degrees Edge-Pair Centric Preprocessing Postprocessing Computation 23

  24. What We Have Analyzed Program #LOC #Inlines Linux 4.4.0-rc5 16M 31.7M PostgreSQL 8.3.9 700K 290K Apache httpd 2.2.18 300K 58K • With – A fully context-sensitive pointer/alias analysis – A fully context-sensitive dataflow analysis • On a Dell Desktop Computer with 8GB memory and 1TB SSD 24

  25. Evaluation • Can the interprocedural analyses improve D. Englers’ checkers? – Found 85 new NULL pointer bugs and 1127 unnecessary NULL tests in Linux 4.4.0-rc5 • How well does Graspan perform? – Computations took 11 mins – 12 hrs • How does Graspan compare to other systems? – GraphChi crashed in 133 seconds – Traditional implementations of these algorithms ran out of memory in most cases – Datalog (SociaLite) – based implementation ran out of memory in most cases • Will try a differential dataflow system like Naiad 25

  26. Grapple: A Finite-State Property Checker • Many bugs in large-scale systems have finite-state properties – Many OS bugs studied in Chou et al. in 2001 are finite state property bugs: misplaced locks, use-after-free, etc. – Most distributed system bugs studied in Gunawi et al. in 2014 are finite state property bugs: socket leaks , task state problems , mishandled exceptions , etc. Gunawi et al. , What bugs live in the cloud? a study of 3000+ issues in cloud systems, SoCC , 2014 26 Chou et al., An empirical study of operating systems errors, SOSP , 2001

  27. Analyses Under the Hood • What we need for the checker – Extract sequences of method calls on each object of interest – Check them against the FSM specification • What analyses we need – Alias analysis – Dataflow analysis – Context sensitivity and path sensitivity 27

  28. Grapple • Phases – A fully path-sensitive, context-sensitive alias analysis – A fully path-sensitive, context-sensitive dataflow analysis – Extract event sequences • Computation Model – Edge-pair-centric model – Challenge: how to represent and solve path constraints during graph processing 28

  29. Grapple Computation Model K, C • A program graph P l 2, c 2 l 1, c 1 a b c c is K-reachable from a • A context-free grammar G with balanced parentheses properties K à l 1 l 2 • C = c 1 ∧ c 2 is satisfiable 29

  30. Path Constraint Representation • Challenges – Each edge carries only fixed-size data – The size is often smaller than 4 bytes • Using interprocedural control flow execution tree (ICFET) as an index engine • Each edge contains a path encoding, which is used to query for a path constraint based upon ICFET 30

  31. Control Flow Execution Tree (CFET) x = parse(args[0]); 0 y = x; 0 x>=0 F T if(x > 0) { y--; } 2 else { y++; } 1 2 1 x+1>0 x-1>0 if(y > 0) { … } F T F T 4, 6 else { … } 3, 5 3 4 5 6 return; A simple numbering algorithm: T child -> ID * 2; F child -> ID * 2 + 1 Built before the graph computation starts 31

  32. Path Representation • An intraprocedural CFET path can be uniquely encoded as a pair [ID start , ID end ] • Decoding can be done efficiently online • Loops are unrolled a certain number of times Example: [0, 6] uniquely identifies the 0 x>=0 F right most path T 1 2 Decoding can be done by right shifts x+1>0 x-1>0 F T F T Symbolic execution used to compute 3 4 5 6 conditions 32

  33. Interprocedural CFET void foo (int x) { int y = x + 1; bar(a) 0 if (x > 0) { y = bar (2 * x); //f 2 } a=2*x, foo(x) a<0 if (y < 0) { … } T F ( f2 0 return; 1 2 x>0 F T } … y=a-1, ) f2 y=a+1, int bar (int a) { 1 2 ) f2 x+1<0 if (a < 0) {return a + 1;} y<0 F T F T return a – 1; 3 4 5 6 } Connecting callers with callees using call and return edges, annotated with call site IDs and symbolic equations 33

  34. Interprocedural Path Representation • A sequence of intervals bar(a) – [2, 0], 25, [2, 0] 0 a=2*x, foo(x) a<0 T F ( f2 – Bounded by the call 0 1 2 stack depth x>0 F T … y=a-1, ) f2 • A constraint can be y=a+1, 1 2 ) f2 x+1<0 y<0 computed by extracting F T F T constraints for path 3 4 5 6 fragments and combining them into a conjunctive form 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

&quot;Big Data&quot; Perspective on Static Analysis Scalability Harry Xu and Zhiqiang Zuo

&quot;Big Data&quot; Perspective on Static Analysis Scalability Harry Xu and Zhiqiang Zuo

&quot;Systemized&quot; Program Analyses A &quot;Big Data&quot; Perspective on Static Analysis Scalability Harry Xu and Zhiqiang Zuo University of California, Irvine A Quick Survey Have you used a static program analysis? What did you

1.17k views • 87 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot &amp; CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer

Algorithmen fr die Echtzeitgrafik Algorithmen fr die Echtzeitgrafik Daniel Scherzer scherzer@cg.tuwien.ac.at LBI Virtual Archeology 1 Why Parallel Programming? Applications Future Apps Reflect a Concurrent World Supercomputing

424 views • 23 slides
ISC09, Pisa, Italy Outline Outline Contributions 2 Attacks Target Ciphers: RC6, ERC6 and

ISC09, Pisa, Italy Outline Outline Contributions 2 Attacks Target Ciphers: RC6, ERC6 and

A New Approach to 2 Cryptanalysis of Block Ciphers Jorge Nakahara Jr 1 , Daniel Santana de Freitas 2 , Gautham Sekar 4 , 5 , Chang Chiann 3 , Ramon Hugo de Souza 2 , Bart Preneel 4 , 5 1 EPFL, Lausanne, Switzerland jorge.nakahara@epfl.ch 2

556 views • 18 slides
Predicates Reading: EC 1.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 3 1/ 15

Predicates Reading: EC 1.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 3 1/ 15

Predicates Reading: EC 1.4 Peter J. Haas INFO 150 Fall Semester 2019 Lecture 3 1/ 15 Predicates Simple Predicates and Their Negations Predicates and Sets Quantified Predicates Negating Quantified Predicates Multiple Quantifiers and Their

479 views • 22 slides
Can virtuous institutions crowd out selfish preferences in a market environment? Marco Faillo

Can virtuous institutions crowd out selfish preferences in a market environment? Marco Faillo

Can virtuous institutions crowd out selfish preferences in a market environment? Marco Faillo (University of Trento) Gianluca Grimalda, (University Jaume I of Castelln) Lorenzo Sacconi (University of Trento and Econometica) PRIN meeting,

388 views • 18 slides
Ubuntu Kernel Factory How we have Ubuntu kernels Ike Panhc &lt;ike.pan@canonical.com&gt;

Ubuntu Kernel Factory How we have Ubuntu kernels Ike Panhc &lt;ike.pan@canonical.com&gt;

Ubuntu Kernel Factory How we have Ubuntu kernels Ike Panhc &lt;ike.pan@canonical.com&gt; License: CC-BA-SA How we have Linux kernel Preemptible Preemptible Suspend to RAM Suspend to RAM Linux for PowerPC Linux for PowerPC USB UHCI USB

370 views • 20 slides
Outline Multiprocessors Flynn taxonomy SIMD architectures Vector architectures MIMD

Outline Multiprocessors Flynn taxonomy SIMD architectures Vector architectures MIMD

POLITECNICO DI MILANO Advanced Topics on Heterogeneous System Architectures Multiprocessors Politecnico di Milano SeminarRoom, Bld 20 30 November, 2017 Antonio Miele Marco Santambrogio Politecnico di Milano Outline

964 views • 57 slides
Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 - Barcelona Topics Short w3af introduction Whats new in w3af Automating Web application exploitation The problem and how other tools are

553 views • 54 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides

More recommend