
Program analysis & Synthesis 236347

Lecture 01 - Introduction. Program analysis & Synthesis 236347. Eran Yahav. Who?. Eran Yahav Taub 734 Tel: 8294318 yahave@cs.technion.ac.il Monday 13:30-14:30 http://www.cs.tecnion.ac.il/~yahave. Yuri Meshman (TA) Taub 329 Tel: 8294890. What?.



  1. Lecture 01 - Introduction Program analysis & Synthesis 236347 Eran Yahav

  2. Who? Eran Yahav Taub 734 Tel: 8294318 yahave@cs.technion.ac.il Monday 13:30-14:30 http://www.cs.tecnion.ac.il/~yahave Yuri Meshman (TA) Taub 329 Tel: 8294890

  3. What? • Understand program analysis & synthesis • apply these techniques in your research • understand jargon/papers • conduct research in this area • We will cover some areas in more depth than others • What will help us • TA: Yuri Meshman • 3-5 homework assignments • Small lightweight project • No exam

  4. Your slides have dark background (image source: http://www.apolloideas.com/blog/archives/201)

  5. Your slides don’t have everything you say written on them • Yes, I know, this is by design • Slides are a teaching aid • Not a replacement for attending lectures • If you don’t attend lectures or attend and don’t listen, you will miss some things • If you want slides that have all the material written on them nicely, that format is commonly known as a textbook • See how horrible this slide is? You won’t see many slides with so much text as this one in the rest of the course

  6. Software is Everywhere

  7. Software is Everywhere

  8. Software is Everywhere Unreliable

  9. December 31, 2008

  10. Zune Bug
      while (days > 365) {
          if (IsLeapYear(year)) {
              if (days > 366) {
                  days -= 366;
                  year += 1;
              }
          } else {
              days -= 365;
              year += 1;
          }
      }

  11. Zune Bug, with the values of December 31, 2008 substituted (days = 366, year = 2008): the outer condition holds, the leap-year branch is taken, the inner condition fails, and nothing changes, so the loop never exits
      while (366 > 365) {
          if (IsLeapYear(2008)) {
              if (366 > 366) {
                  days -= 366;
                  year += 1;
              }
          } else {
              days -= 365;
              year += 1;
          }
      }

  12. Zune Bug (same trace as slide 11) Suggested solution: wait for tomorrow
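The loop from slide 10 beside a corrected version, as an added example that is not part of the lecture slides. IsLeapYear() is assumed to be the usual Gregorian test; the iteration guard in the buggy version is added here only so it can be run without hanging.

```c
#include <stdbool.h>

/* Gregorian leap-year test; the slide calls IsLeapYear() without defining it. */
static bool IsLeapYear(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Slide 10 as written. On day 366 of a leap year neither branch changes
 * `days`, so the loop never exits. `max_iter` is a guard added here so the
 * buggy version can be run safely: it returns -1 where the device hung. */
int year_from_days_buggy(int days, int year, int max_iter) {
    while (days > 365) {
        if (max_iter-- == 0) return -1;
        if (IsLeapYear(year)) {
            if (days > 366) { days -= 366; year += 1; }
        } else {
            days -= 365; year += 1;
        }
    }
    return year;
}

/* Corrected loop: on day 366 of a leap year the year is complete, so stop
 * instead of spinning. Everything else is unchanged. */
int year_from_days_fixed(int days, int year) {
    while (days > 365) {
        if (IsLeapYear(year)) {
            if (days > 366) { days -= 366; year += 1; }
            else break;                     /* 31 December of a leap year */
        } else {
            days -= 365; year += 1;
        }
    }
    return year;
}

int main(void) {
    /* Day 10593 counted from 1 January 1980 (day 1) is 31 December 2008. */
    return year_from_days_fixed(10593, 1980) == 2008 ? 0 : 1;
}
```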

  13. February 25, 1991

  14. Patriot Bug - Rounding Error • Time measured in 1/10 seconds • Binary expansion of 1/10 (non-terminating): 0.0001100110011001100110011001100.... • 24-bit register (chopped): 0.00011001100110011001100 • error of 0.0000000000000000000000011001100... binary, or ~0.000000095 decimal • After 100 hours of operation the error is 0.000000095×100×3600×10 = 0.34 seconds • A Scud travels at about 1,676 meters per second, so it travels more than half a kilometer in this time

  15. Patriot Bug - Rounding Error (same derivation as slide 14) Suggested solution: reboot every 10 hours
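The arithmetic of slide 14 carried through in code, as an added example that is not from the lecture. The slide's chopped value has 23 digits after the binary point, so the example assumes 23 fractional bits in the register (an assumption about its layout); with that, it reproduces the ~0.000000095 s per-tick error, the 0.34 s drift after 100 hours and the half-kilometre range error.

```c
/* Chop v (0 <= v < 1) to `bits` fractional binary digits, truncating the
 * rest the way a fixed-point register does (no rounding). bits must be < 31. */
double chop(double v, int bits) {
    double scale = (double)(1L << bits);       /* 2^bits */
    long n = (long)(v * scale);                /* truncates toward zero */
    return (double)n / scale;
}

/* Error, in seconds, of a single 0.1 s tick stored with frac_bits bits. */
double tick_error(int frac_bits) {
    return 0.1 - chop(0.1, frac_bits);
}

/* Clock drift after `hours` of counting ticks at 10 ticks per second. */
double clock_drift_s(double hours, int frac_bits) {
    double ticks = hours * 3600.0 * 10.0;
    return tick_error(frac_bits) * ticks;
}

/* Distance a target moving at `speed_mps` covers during that drift. */
double range_error_m(double hours, double speed_mps, int frac_bits) {
    return clock_drift_s(hours, frac_bits) * speed_mps;
}
```

With 23 fractional bits (the slide's figures) tick_error is about 9.5e-8 s; 24 bits would roughly halve it, which is why the number of bits kept matters.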

  16. I just want to say LOVE YOU SAN!! (W32.Blaster.Worm) August 13, 2003

  17. Windows Exploit(s) Buffer Overflow
      void foo (char *x) {
          char buf[2];
          strcpy(buf, x);
      }
      int main (int argc, char *argv[]) {
          foo(argv[1]);
      }
      ./a.out abracadabra
      Segmentation fault
      Memory addresses (stack frame, highest address first):
          …
          Previous frame
          Return address
          Saved FP
          char* x
          buf[2]
      Stack grows this way (YMMV)

  18.–22. Windows Exploit(s) Buffer Overflow (continued; same code and stack layout as slide 17) The slides animate the copy of "abracadabra" into the frame, two bytes per cell: buf[2] receives "ab", then char* x receives "ra", Saved FP receives "ca", Return address receives "da", and Previous frame receives "br"
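A hardened counterpart of the slide's foo(), as an added example that is not from the lecture: the destination size is passed explicitly and the copy is bounded, so an overlong argument is rejected instead of running past buf[2] into the saved frame pointer and return address. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy(buf, x): copies `src` into `dst` only if it
 * fits together with its NUL terminator. Returns 0 on success, -1 otherwise
 * (leaving an empty string in dst). */
int foo_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {                 /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same 2-byte local buffer as the slide: "a" fits, "ab" and longer do not. */
int try_copy(const char *arg) {
    char buf[2];
    return foo_bounded(buf, sizeof buf, arg);
}

int main(int argc, char *argv[]) {
    const char *arg = argc > 1 ? argv[1] : "abracadabra";
    if (try_copy(arg) != 0) {
        fprintf(stderr, "argument too long for a 2-byte buffer, refusing\n");
        return 1;
    }
    puts("copied");
    return 0;
}
```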

  23. (In)correct Usage of APIs • Application Trend: Increasing number of libraries and APIs • Non-trivial restrictions on permitted sequences of operations • Typestate: Temporal safety properties • What sequence of operations are permitted on an object? • Encoded as a DFA, e.g. “Don’t use a Socket unless it is connected” (DFA diagram: states init, connected, closed, err; edges labelled connect(), close(), getInputStream(), getOutputStream(), and a * self-loop on err)

  24. Challenges
      class SocketHolder { Socket s; }
      Socket makeSocket() {
          return new Socket(); // A
      }
      open(Socket l) {
          l.connect();
      }
      talk(Socket s) {
          s.getOutputStream().write("hello");
      }
      main() {
          Set<SocketHolder> set = new HashSet<SocketHolder>();
          while(…) {
              SocketHolder h = new SocketHolder();
              h.s = makeSocket();
              set.add(h);
          }
          for (Iterator<SocketHolder> it = set.iterator(); …) {
              Socket g = it.next().s;
              open(g);
              talk(g);
          }
      }
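The Socket typestate DFA of slide 23 as a transition table, checked against the operation sequence that slide 24's main() drives each socket through, as an added example that is not from the lecture. The exact edge set is reconstructed from the slide's labels and is an assumption: getInputStream()/getOutputStream() outside the connected state, close() before connect(), a second connect(), and anything after an error all go to err.

```c
/* Typestate DFA for a Socket: states and the operations that label edges. */
typedef enum { S_INIT, S_CONNECTED, S_CLOSED, S_ERR, N_STATES } State;
typedef enum { OP_CONNECT, OP_CLOSE, OP_GET_INPUT, OP_GET_OUTPUT, N_OPS } Op;

/* Transition table (assumed reconstruction of the slide's diagram). */
static const State delta[N_STATES][N_OPS] = {
    /*               connect()    close()    getInputStream() getOutputStream() */
    [S_INIT]      = { S_CONNECTED, S_ERR,     S_ERR,           S_ERR },
    [S_CONNECTED] = { S_ERR,       S_CLOSED,  S_CONNECTED,     S_CONNECTED },
    [S_CLOSED]    = { S_ERR,       S_CLOSED,  S_ERR,           S_ERR },
    [S_ERR]       = { S_ERR,       S_ERR,     S_ERR,           S_ERR },  /* '*' */
};

/* Run the DFA over an operation trace. Returns the index of the first
 * operation that reaches err, or -1 if the whole sequence is permitted. */
int check_trace(const Op *ops, int n) {
    State s = S_INIT;
    for (int i = 0; i < n; i++) {
        s = delta[s][ops[i]];
        if (s == S_ERR) return i;
    }
    return -1;
}

/* Slide 24: each socket goes new -> open() [connect] -> talk() [getOutputStream]. */
int slide24_trace_ok(void) {
    static const Op t[] = { OP_CONNECT, OP_GET_OUTPUT };
    return check_trace(t, 2);
}

/* Violation of "don't use a Socket unless it is connected": write first. */
int write_before_connect(void) {
    static const Op t[] = { OP_GET_OUTPUT, OP_CONNECT };
    return check_trace(t, 2);
}

/* Violation after a correct prefix: read from a socket that was closed. */
int read_after_close(void) {
    static const Op t[] = { OP_CONNECT, OP_GET_INPUT, OP_CLOSE, OP_GET_INPUT };
    return check_trace(t, 4);
}
```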

  25. But there is hope ! Microsoft’s Static Driver Verifier (from MSR) Found 100’s of errors in 140 drivers, right before the Windows 7 release Microsoft uses and distributes the tool

  26. But there is hope ! “Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability." -- Bill Gates, 2002

  27. But there is hope ! The Astree Static Analyzer has been used to automatically prove the absence of run-time errors in Airbus’s A340 and A380’s primary flight control software

  28. But there is hope ! Companies such as IBM, Coverity, Klocwork, Grammatech create sophisticated code analysis tools

  29. Theory + Practice In this course, we will study the core theoretical principles behind these approaches and learn how to apply them to build practical analysis engines

  30. Approaches to Reliability General problem undecidable. There are two general classes of automated techniques for program analysis. We will cover both.

  31. Approaches to Reliability Over-approximation Program Behaviors Under-approximation All behaviors in the universe

  32. Under-approximations • standard testing, guided dynamic analysis, symbolic execution, … • Focuses on a subset of behaviors • Which subset? • What guarantees can it provide? • We will cover some of the more interesting ones

  33. Over-approximations • aka “Static Analysis” • abstract interpretation, dataflow analysis, constraint-based analysis, type and effect systems • Always err on the safe side • Many applications: verification, bug finding, code synthesis, program understanding, …

  34. Static Analysis Reason statically (at compile time) about the possible runtime behaviors of a program “The algorithmic discovery of properties of a program by inspection of its source text [1]” -- Manna, Pnueli [1] Does not have to literally be the source text; it just means without running it

  35. Static Analysis • Formalize software behavior in a mathematical model (semantics) • Prove properties of the mathematical model • Automatically, typically with approximation of the formal semantics • Develop theory and tools for program correctness and robustness

  36. Static Analysis (diagram: the specification and the program are the inputs of the Analyzer; its output is either Valid or an Abstract counterexample)

  37. Verification Challenge I
      main(int i) {
          int x=3, y=1;
          do {
              y = y + 1;
          } while(--i > 0);
          assert 0 < x + y
      }
      Determine what states can arise during any execution. Challenge: the set of states is unbounded

  38. Abstract Interpretation (same program as slide 37) Recipe • Abstraction • Transformers • Exploration Determine what states can arise during any execution. Challenge: the set of states is unbounded. Solution: compute a bounded representation of (a superset of) program states

  39. 1) Abstraction (same program as slide 37) • concrete state: Var → Z • abstract state (sign) #: Var → {+, 0, -, ?} …

  40. 2) Transformers (same program as slide 37) • concrete transformer: y = y + 1 • abstract transformer: y = y + 1

  41. 3) Exploration (same program as slide 37)

  42. Incompleteness
      main(int i) {
          int x=3, y=1;
          do {
              y = y - 2;
              y = y + 3;
          } while(--i > 0);
          assert 0 < x + y
      }
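The sign abstraction of slides 39-41 run over the loop of slide 37, and over the variant of slide 42, as an added example that is not from the lecture: the abstraction, the abstract transformer for +, and the exploration to a fixpoint. The loop body is parameterised by two constant steps so that both programs go through the same analysis.

```c
/* Sign domain of slide 39: bot (unreachable), -, 0, +, ? (unknown). */
typedef enum { S_BOT, S_NEG, S_ZERO, S_POS, S_TOP } Sign;

/* Abstraction of a concrete integer. */
Sign sign_of(int v) { return v < 0 ? S_NEG : v > 0 ? S_POS : S_ZERO; }

/* Join (least upper bound) of two abstract values. */
Sign sign_join(Sign a, Sign b) {
    if (a == S_BOT) return b;
    if (b == S_BOT) return a;
    return a == b ? a : S_TOP;
}

/* Abstract transformer for +: the sign table; ? wherever signs conflict. */
Sign sign_add(Sign a, Sign b) {
    if (a == S_BOT || b == S_BOT) return S_BOT;
    if (a == S_ZERO) return b;
    if (b == S_ZERO) return a;
    if (a == b && a != S_TOP) return a;    /* (+)+(+) = +, (-)+(-) = - */
    return S_TOP;                          /* (+)+(-), or anything with ? */
}

/* Abstract loop body: y = y + step1; y = y + step2 (step2 = 0 for slide 37). */
Sign body(Sign y, int step1, int step2) {
    return sign_add(sign_add(y, sign_of(step1)), sign_of(step2));
}

/* Exploration: iterate until the abstract value of y at the loop head stops
 * changing (the domain is finite, so this terminates), then return the
 * abstract value of x + y at the assert, which follows one more body run. */
Sign analyze(int step1, int step2) {
    Sign x = sign_of(3), y_entry = sign_of(1), y_head = S_BOT;
    for (;;) {
        Sign next = sign_join(y_entry, body(y_head, step1, step2));
        if (next == y_head) break;
        y_head = next;
    }
    return sign_add(x, body(y_head, step1, step2));
}

/* Slides 37-41: y = y + 1 gives +, so 0 < x + y is proved.
 * Slide 42: y = y - 2; y = y + 3 gives ?, so the (true) assert is not
 * proved: (+)+(-) loses the information that y only ever grows. */
int proves_assert(int step1, int step2) { return analyze(step1, step2) == S_POS; }
```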

  43. Parity Abstraction
      while (x != 1) do {
          if ((x % 2) == 0) {
              x := x / 2;
          } else {
              x := x * 3 + 1;
              assert (x % 2 == 0);
          }
      }
      Challenge: how to find “the right” abstraction
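A parity domain for the loop of slide 43, as an added example that is not from the lecture. It shows why parity is "the right" abstraction here: the else branch refines x to odd, 3x+1 maps odd to even, and the assert is proved for every starting value, whereas the sign domain of the earlier slides says nothing about x % 2.

```c
/* Parity domain: bot (unreachable), even, odd, ? (unknown). */
typedef enum { P_BOT, P_EVEN, P_ODD, P_TOP } Parity;

Parity p_join(Parity a, Parity b) {
    if (a == P_BOT) return b;
    if (b == P_BOT) return a;
    return a == b ? a : P_TOP;
}

/* Refine x by a branch condition (x % 2 == 0 or != 0): the meet with `want`. */
Parity p_filter(Parity x, Parity want) {
    if (x == P_TOP) return want;
    return x == want ? x : P_BOT;          /* branch is unreachable */
}

/* Abstract transformers for the two assignments. */
Parity p_times3_plus1(Parity x) {          /* 3 is odd: 3x keeps parity, +1 flips it */
    return x == P_EVEN ? P_ODD : x == P_ODD ? P_EVEN : x;
}
Parity p_halve(Parity x) {                 /* x/2 says nothing about the result */
    return x == P_BOT ? P_BOT : P_TOP;
}

/* Fixpoint over the loop head for an initial abstract value x0; returns the
 * abstract value of x at the assert following x := x*3+1, joined over every
 * iteration in which that branch is reachable. */
Parity parity_at_assert(Parity x0) {
    Parity head = P_BOT, at_assert = P_BOT;
    for (;;) {
        Parity after_then = p_halve(p_filter(head, P_EVEN));
        Parity after_else = p_times3_plus1(p_filter(head, P_ODD));
        at_assert = p_join(at_assert, after_else);
        Parity next = p_join(x0, p_join(after_then, after_else));
        if (next == head) break;
        head = next;
    }
    return at_assert;
}
```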

  44. Example: Shape (Heap) Analysis
      void stack-init(int i) {
          Node* x = null;
          do {
              Node t = malloc(…)
              t->n = x;
              x = t;
          } while(--i > 0)
          Top = x;
      }

  45. Example: Shape (Heap) Analysis (same code as slide 44, followed by) assert(acyclic(Top))

  46.–49. Example: Shape (Heap) Analysis (same code and assertion as slide 45, accompanied by shape-graph diagrams of which only the labels emp, t, t, t, x survive: the heap starts empty, each iteration adds a node labelled t, and x points at the most recent one)
