t ype g uided w orst c ase i nput g eneration di wang jan
play

T YPE -G UIDED W ORST -C ASE I NPUT G ENERATION Di Wang , Jan - PowerPoint PPT Presentation

Jan 22, 2024 •281 likes •1.12k views

T YPE -G UIDED W ORST -C ASE I NPUT G ENERATION Di Wang , Jan Hoffmann Carnegie Mellon University R ESOURCE A NALYSIS Programs 2 R ESOURCE A NALYSIS Programs Performance 2 R ESOURCE A NALYSIS Time Memory Power Programs Performance

  1. λ T YPE -G UIDED W ORST -C ASE I NPUT G ENERATION Di Wang , Jan Hoffmann Carnegie Mellon University

  2. R ESOURCE A NALYSIS Programs 2

  3. R ESOURCE A NALYSIS Programs Performance 2

  4. R ESOURCE A NALYSIS Time Memory Power … Programs Performance 2

  5. R ESOURCE A NALYSIS Performance bottlenecks Worst-Case Algorithmic complexity Analysis Time vulnerabilities Memory Power … Timing side channels Programs Performance 2

  6. E XAMPLE OF W ORST -C ASE A NALYSIS PHP 1 CVE - CVE-2011-4885. Available on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885. 2 PHP 5.3.8 - Hashtables Denial of Service. Available on https://www.exploit-db.com/exploits/18296/. 3 PHP: PHP 5 ChangeLog. Available on http://www.php.net/ChangeLog-5.php#5.3.9. 3

  7. E XAMPLE OF W ORST -C ASE A NALYSIS Potential Denial-of-Service attack 1 PHP 1 CVE - CVE-2011-4885. Available on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885. 2 PHP 5.3.8 - Hashtables Denial of Service. Available on https://www.exploit-db.com/exploits/18296/. 3 PHP: PHP 5 ChangeLog. Available on http://www.php.net/ChangeLog-5.php#5.3.9. 3

  8. E XAMPLE OF W ORST -C ASE A NALYSIS Potential Denial-of-Service attack 1 PHP Concrete exploits (by hash collisions) 2 1 CVE - CVE-2011-4885. Available on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885. 2 PHP 5.3.8 - Hashtables Denial of Service. Available on https://www.exploit-db.com/exploits/18296/. 3 PHP: PHP 5 ChangeLog. Available on http://www.php.net/ChangeLog-5.php#5.3.9. 3

  9. E XAMPLE OF W ORST -C ASE A NALYSIS Potential Denial-of-Service attack 1 PHP Bug fixed! 3 Concrete exploits (by hash collisions) 2 1 CVE - CVE-2011-4885. Available on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885. 2 PHP 5.3.8 - Hashtables Denial of Service. Available on https://www.exploit-db.com/exploits/18296/. 3 PHP: PHP 5 ChangeLog. Available on http://www.php.net/ChangeLog-5.php#5.3.9. 3

  10. E XAMPLE OF W ORST -C ASE A NALYSIS Potential Denial-of-Service attack 1 Worst-case inputs are instrumental to PHP understand and fix performance bugs! Bug fixed! 3 Concrete exploits (by hash collisions) 2 1 CVE - CVE-2011-4885. Available on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885. 2 PHP 5.3.8 - Hashtables Denial of Service. Available on https://www.exploit-db.com/exploits/18296/. 3 PHP: PHP 5 ChangeLog. Available on http://www.php.net/ChangeLog-5.php#5.3.9. 3

  11. E XISTING A PPROACHES 4

  12. E XISTING A PPROACHES Dynamic Fuzz testing Symbolic execution Dynamic worst-case analysis … Flexible & universal Potentially unsound: The resulting inputs might not expose the worst-case behavior. 4

  13. E XISTING A PPROACHES Dynamic Static Fuzz testing Type systems Symbolic execution Abstract interpretation Dynamic worst-case analysis … … Sound upper bounds Flexible & universal Potentially not tight: No concrete Potentially unsound: The resulting witness — the bound might be inputs might not expose the too conservative. worst-case behavior. 4

  14. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability 5

  15. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability λ 5

  16. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability λ Resource Aware ML (RaML) 5

  17. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability λ Resource Aware ML (RaML) 5

  18. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability λ Resource Aware ML (RaML) Symbolic Execution 5

  19. C ONTRIBUTIONS A type-guided worst-case input generation algorithm Proof of soundness and relative completeness Heuristics to improve scalability λ Resource Aware ML (RaML) Guide Symbolic Execution 5

  20. O VERVIEW Motivation Resource Aware ML (RaML) Type-Guided Worst-Case Input Generation Evaluation 6

  21. A MORTIZED R ESOURCE A NALYSIS The potential method 7

  22. A MORTIZED R ESOURCE A NALYSIS The potential method D 4 D 5 … … D 0 D 1 D 2 D 3 D n 7

  23. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states The potential method D 4 D 5 … … D 0 D 1 D 2 D 3 D n 7

  24. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states Arrows are transitions The potential method with actual costs D 4 D 5 … … D 0 D 1 D 2 D 3 D n 7

  25. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states Arrows are transitions The potential method with actual costs D 4 D 5 … … D 0 D 1 D 2 D 3 D n Φ ( D 0 ) Φ ( D 1 ) Φ ( D 2 ) Φ ( D 3 ) Φ ( D n ) 7

  26. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states Arrows are transitions The potential method with actual costs D 4 D 5 … … D 0 D 1 D 2 D 3 D n Φ ( D 0 ) Φ ( D 1 ) Φ ( D 2 ) Φ ( D 3 ) Φ ( D n ) The potential function maps program states to nonnegative numbers 7

  27. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states Arrows are transitions The potential method with actual costs D 4 D 5 … … D 0 D 1 D 2 D 3 D n Φ ( D 0 ) Φ ( D 1 ) Φ ( D 2 ) Φ ( D 3 ) Φ ( D n ) The potential function Φ ( D 2 ) ≥ Cost ( D 2 , D 3 ) + Φ ( D 3 ) maps program states to nonnegative numbers 7

  28. A MORTIZED R ESOURCE A NALYSIS D i ’s are program states Arrows are transitions The potential method with actual costs D 4 D 5 … … D 0 D 1 D 2 D 3 D n Φ ( D 0 ) Φ ( D 1 ) Φ ( D 2 ) Φ ( D 3 ) Φ ( D n ) The potential function Φ ( D 2 ) ≥ Cost ( D 2 , D 3 ) + Φ ( D 3 ) The initial potential is an maps program states to upper bound! nonnegative numbers 7

  29. T YPE -B ASED A NALYSIS The potential at a let rec lpairs l = program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. 8

  30. T YPE -B ASED A NALYSIS The potential at a let rec lpairs l = program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

  31. T YPE -B ASED A NALYSIS Cost = 2 ⋅ | ℓ | + 2 The potential at a let rec lpairs l = program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

  32. T YPE -B ASED A NALYSIS L 2 ( 𝗃𝗈𝗎 ) 2/0 L 0 ( 𝗃𝗈𝗎 × 𝗃𝗈𝗎 ) The potential at a let rec lpairs l = program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

  33. T YPE -B ASED A NALYSIS L 2 ( 𝗃𝗈𝗎 ) 2/0 L 0 ( 𝗃𝗈𝗎 × 𝗃𝗈𝗎 ) The potential at a let rec lpairs l = Φ 0 = 2 ⋅ | ℓ | + 2 program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

  34. T YPE -B ASED A NALYSIS L 2 ( 𝗃𝗈𝗎 ) 2/0 L 0 ( 𝗃𝗈𝗎 × 𝗃𝗈𝗎 ) The potential at a let rec lpairs l = Φ 0 = 2 ⋅ | ℓ | + 2 program point is defined match l with | [] -> [] Cost = 2 by a static annotation of | x1 :: xs -> match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

  35. T YPE -B ASED A NALYSIS L 2 ( 𝗃𝗈𝗎 ) 2/0 L 0 ( 𝗃𝗈𝗎 × 𝗃𝗈𝗎 ) The potential at a let rec lpairs l = program point is defined match l with | [] -> [] by a static annotation of | x1 :: xs -> Φ 1 = 2 ⋅ | xs | + 4 match xs with data structures. | [] -> [] | x2 :: xs ’ -> A list of length n annotated if ( x1 : int ) < ( x2 : int ) then ( x1 , x2 ) :: lpairs xs ’ with a nonnegative number else lpairs xs ’ q has q·n units of potential. Each of [] , :: , (,) consumes 2 memory cells. 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Willkommen beim Projekt NPUT Welcome to the NPUT project Good practices for

Willkommen beim Projekt NPUT Welcome to the NPUT project Good practices for

Projektpartnerschaft NPUT Dritter Aufenthalt transnationaler Expertinnen und Experten in Reutlingen, Schwbisch Gmnd und Tbingen Studientag am Mittwoch, 23. Mai 2012 in Reutlingen Project partnership NPUT Third mission of

371 views • 23 slides
G UIDED M ATH AND M ATH W ORKSHOP A Common Core Approach to Mathematics Instruction C OMMON C ORE

G UIDED M ATH AND M ATH W ORKSHOP A Common Core Approach to Mathematics Instruction C OMMON C ORE

G UIDED M ATH AND M ATH W ORKSHOP A Common Core Approach to Mathematics Instruction C OMMON C ORE M ATH K-5: T HE S HIFT Greater focus on fewer topics In grades K 2: Concepts, skills, and problem solving related to addition and

286 views • 24 slides
nput &quot; Input Presented by: Jim McKeeth Embarcadero Technologies

nput &quot; Input Presented by: Jim McKeeth Embarcadero Technologies

K4 K4 Keynote 4/16/2015 9:45 AM &quot; Thought hought: : The he Fut Futur ure e of of Mobile obile and and Embedded mbedded Applicat pplication ion nput &quot; Input Presented by: Jim McKeeth

726 views • 29 slides
T HE O PPORTUNITY OF N EXT G ENERATION S CHOOLS B ILL F ERGUSON MD S

T HE O PPORTUNITY OF N EXT G ENERATION S CHOOLS B ILL F ERGUSON MD S

T HE O PPORTUNITY OF N EXT G ENERATION S CHOOLS B ILL F ERGUSON MD S TATE S ENATOR S EPTEMBER 25, 2015 1 Problem 2 Problem 1 A lack of innovative Maryland Public schools

266 views • 26 slides
QUESTIONS)*)h,p://j.mp/EMCYM) ) DEVOTION)&amp;)PRAYER ) ) ARCHIE)POULOS ) Gener eneration t

QUESTIONS)*)h,p://j.mp/EMCYM) ) DEVOTION)&amp;)PRAYER ) ) ARCHIE)POULOS ) Gener eneration t

QUESTIONS)*)h,p://j.mp/EMCYM) ) DEVOTION)&amp;)PRAYER ) ) ARCHIE)POULOS ) Gener eneration t ation to G o Gener eneration ation 1.)Ordered)God,)Ordered)world) 2.)Godly)ordering)of)relaNonships) Pss)45:17,)48:13,)71:18,)79:13,)89:1)

1.67k views • 112 slides
G LOBAL I NTEGRATION AND C ARBON F LOW IN EU AND R EST OF THE W ORLD : A 2- REGIONAL I NPUT -O

G LOBAL I NTEGRATION AND C ARBON F LOW IN EU AND R EST OF THE W ORLD : A 2- REGIONAL I NPUT -O

G LOBAL I NTEGRATION AND C ARBON F LOW IN EU AND R EST OF THE W ORLD : A 2- REGIONAL I NPUT -O UTPUT F RAMEWORK Amarendra Sahoo, Arjan de Koning, Reinout Heijungs Institute of Environmental Sciences (CML) Leiden University We appraise carbon

636 views • 26 slides
W orst Case Ecien t Data Structures Gerth Stlting Bro dal BRICS Departmen t of

W orst Case Ecien t Data Structures Gerth Stlting Bro dal BRICS Departmen t of

W orst Case Ecien t Data Structures Gerth Stlting Bro dal BRICS Departmen t of Computer Science Univ ersit y of Aarh us and MaxPlanc kInstitut f ur Informatik Saarbr uc k en Ov erview

578 views • 21 slides
T HE N EXT G ENERATION OF C IVIL S OCIETY E NGAGEMENT : B OLDLY G OING W HERE N O NGO H AS G ONE B

T HE N EXT G ENERATION OF C IVIL S OCIETY E NGAGEMENT : B OLDLY G OING W HERE N O NGO H AS G ONE B

T HE N EXT G ENERATION OF C IVIL S OCIETY E NGAGEMENT : B OLDLY G OING W HERE N O NGO H AS G ONE B EFORE P RESENTATION T RANSCRIPT O CTOBER 28, 2015 This document was produced for review by the United States Agency for International Development. It

446 views • 17 slides
Fault Tolerance of the I nput/ Output Ports in Massively Def ective Multicore Processor Chips

Fault Tolerance of the I nput/ Output Ports in Massively Def ective Multicore Processor Chips

The 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Second Workshop on D Dependable and Secure Nanocomputing Friday June 27, 2008 Anchorage, AK, USA Fault Tolerance of the I nput/ Output Ports in Massively

561 views • 8 slides
CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C

CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C

CS534: Machine Learning CS534: Machine Learning Thomas G. Dietterich Thomas G. Dietterich 221C Dearborn Hall 221C Dearborn Hall tgd@cs.orst.edu tgd@cs.orst.edu http://www.cs.orst.edu/~tgd/classes/534 http://www.cs.orst.edu/~tgd/classes/534

950 views • 79 slides
NEW NEW G GENERA ENERATION OF OF COL OLOUR URING TE G TECHNOL OLOGY UNCOMPROMISING STAND

NEW NEW G GENERA ENERATION OF OF COL OLOUR URING TE G TECHNOL OLOGY UNCOMPROMISING STAND

NEW NEW G GENERA ENERATION OF OF COL OLOUR URING TE G TECHNOL OLOGY UNCOMPROMISING STAND NDAR ARDS FOR OR UN UNCOM OMPROMISING A ARTIST GLAZETTE COLOR represents the new generation of coloring technology. Ultra-advanced dye

639 views • 24 slides
Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA

Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA

Aaron T Wolf, PhD Program in Water Conflict Management Oregon State University, USA International Symposium on Water Diplomacy Stockholm, Sweden 16-17 November 2016 EMAIL: WOLFA@GEO.ORST.EDU WWW.TRANSBOUNDARYWATERS.ORST.EDU Aaron T Wolf, PhD

839 views • 48 slides
Building a Tim e Series of Environm ental Accounts for a W ord I nput-Output Database Aurlien

Building a Tim e Series of Environm ental Accounts for a W ord I nput-Output Database Aurlien

Building a Tim e Series of Environm ental Accounts for a W ord I nput-Output Database Aurlien Genty, Iaki Arto, Frederik Neuwahl Final W I OD conference, Groningen, April 2 4 -2 6 , 2 0 1 2 Joint Research Centre The European Com m ission's

619 views • 25 slides
Public Meeting for Solicitation of I nput I-40/I-40B (Gary Boulevard) Interchange at Exit 65

Public Meeting for Solicitation of I nput I-40/I-40B (Gary Boulevard) Interchange at Exit 65

Public Meeting for Solicitation of I nput I-40/I-40B (Gary Boulevard) Interchange at Exit 65 Modification Study May 24, 2016 6:00pm 8:00pm Frisco Center, Clinton, OK Before we get started Please turn off or mute any electronic

562 views • 42 slides
H1 2015 RESULTS ANALYSTS CALL Aspr pria Uh Uhlenh enhor orst st Hambu burg (DE) TABLE

H1 2015 RESULTS ANALYSTS CALL Aspr pria Uh Uhlenh enhor orst st Hambu burg (DE) TABLE

H1 2015 RESULTS ANALYSTS CALL Aspr pria Uh Uhlenh enhor orst st Hambu burg (DE) TABLE OF CONTENTS - Company Strategy - Portfolio - Healthcare Segment - Office Segment - Financial Resources - H1 2015 Earnings - Outlook and Guidance -

369 views • 36 slides
CSE 513 I ntroduction to Operating Systems Class 8 - I nput/ Output File Systems Jonathan

CSE 513 I ntroduction to Operating Systems Class 8 - I nput/ Output File Systems Jonathan

CSE 513 I ntroduction to Operating Systems Class 8 - I nput/ Output File Systems Jonathan Walpole Dept. of Comp. Sci. and Eng. Oregon Health and Science University I / O devices Device (mechanical hardware) Device controller

1.42k views • 95 slides
15-441: Computer Networks Recitation 3 P1 Lead TAs: Mingran Yang, Alex Bainbridge Agenda 1.

15-441: Computer Networks Recitation 3 P1 Lead TAs: Mingran Yang, Alex Bainbridge Agenda 1.

15-441: Computer Networks Recitation 3 P1 Lead TAs: Mingran Yang, Alex Bainbridge Agenda 1. Project 1 Checkpoint 3 2. Advanced Git 3. Q&amp;A Checkpoint 3 Due Sep 27, 2019 This is only for 15-641 students! You will need to daemonize your

541 views • 26 slides
SSL and CGI and Everything else 15-441: Computer Networks Yours Truly Based on Slides By

SSL and CGI and Everything else 15-441: Computer Networks Yours Truly Based on Slides By

SSL and CGI and Everything else 15-441: Computer Networks Yours Truly Based on Slides By &quot;Generations of TAs P1 Final Submission (1) SSL (2) CGI (3) Daemonize SSL Adding the S in HTTPS Lets talk about Security Bad Guy

799 views • 59 slides
CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com

CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com

CGI-Browser-CGI qux.com foo.org geht.net bar.com . p.1/ ?? CGI-Browser-CGI qux.com foo.org /cgibin/img.pl /cgibin/img.pl geht.net bar.com /cgibin/img.pl /cgibin/img.pl . p.1/ ?? CGI-Browser-CGI qux.com foo.org

459 views • 28 slides
Achieving The Right Approach Dr Naheed Rana NHS RightCare Delivery Partner, London Diabetes Lead

Achieving The Right Approach Dr Naheed Rana NHS RightCare Delivery Partner, London Diabetes Lead

NHS RightCare Achieving The Right Approach Dr Naheed Rana NHS RightCare Delivery Partner, London Diabetes Lead 12th July 2018 What is NHS RightCare? NHS RightCare is a programme committed to reducing unwarranted variation to improve peoples

577 views • 18 slides
Dynamic web content technologies CSCI 470: Web Science

Dynamic web content technologies CSCI 470: Web Science

Dynamic web content technologies CSCI 470: Web Science Keith Vertanen Overview Dynamic content What it is Sources of input CGI

506 views • 21 slides
systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA trimming the base OS getting rid of legacy cruft polish and QA stable updates 4 stable point releases in jessie bug fixes and

550 views • 13 slides
CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1

CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1

CS108 Lecture 24: Web Forms Processing CGI Data Aaron Stevens 27 March 2009 1 Overview/Questions Review: Python and HTML HTML Forms Processing Form Fields Organizing a Python Web Application using functions, decision

592 views • 11 slides
Python Crash Course + Web Forms (CGI) CS370 SE Practice &amp; Startup, Cengiz Gnay (Some slides

Python Crash Course + Web Forms (CGI) CS370 SE Practice &amp; Startup, Cengiz Gnay (Some slides

Python Crash Course + Web Forms (CGI) CS370 SE Practice &amp; Startup, Cengiz Gnay (Some slides courtesy of Eugene Agichstein and the Internets) CS370, Gnay (Emory) Python Intro + CGI Spring 2015 1 / 4 Instructions Go through this

505 views • 39 slides

More recommend