Lecture 01 - Introduction
Program analysis & Synthesis 236347
Eran Yahav
Who?
Eran Yahav, Taub 734, Tel: 8294318, yahave@cs.technion.ac.il, Monday 13:30-14:30, http://www.cs.tecnion.ac.il/~yahave
Yuri Meshman (TA), Taub 329, Tel: 8294890
What?
• Understand program analysis & synthesis
• apply these techniques in your research
• understand jargon/papers
• conduct research in this area
• We will cover some areas in more depth than others
• What will help us
• TA: Yuri Meshman
• 3-5 homework assignments
• Small lightweight project
• No exam
Your slides have a dark background (image source: http://www.apolloideas.com/blog/archives/201)
Your slides don’t have everything you say written on them
• Yes, I know, this is by design
• Slides are a teaching aid
• Not a replacement for attending lectures
• If you don’t attend lectures or attend and don’t listen, you will miss some things
• If you want slides that have all the material written on them nicely, that format is commonly known as a textbook
• See how horrible this slide is? You won’t see many slides with so much text as this one in the rest of the course
Software is Everywhere Unreliable
Zune Bug
  while (days > 365) {
    if (IsLeapYear(year)) {
      if (days > 366) {
        days -= 366;
        year += 1;
      }
    } else {
      days -= 365;
      year += 1;
    }
  }
Zune Bug (the same loop with days = 366 and year = 2008 substituted in)
  while (366 > 365) {
    if (IsLeapYear(2008)) {
      if (366 > 366) {
        days -= 366;
        year += 1;
      }
    } else {
      days -= 365;
      year += 1;
    }
  }
Suggested solution: wait for tomorrow
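Added example (not from the slides): the loop above as a Python function with a step budget, so bounded execution can tell "finished" from "spins forever" on day 366 of a leap year. The fixed=True branch is one possible fix and is my assumption, not something the slide states; is_leap_year stands in for the slide's IsLeapYear().

```python
class NonTermination(Exception):
    pass

def is_leap_year(year):
    # Gregorian rule, standing in for the slide's IsLeapYear()
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def year_from_days(days, year, fixed=False, budget=10_000):
    """The slide's loop: consume whole years from `days` (days counted from the start of
    `year`) and return (year, day_of_year). fixed=False is the loop exactly as on the slide;
    fixed=True adds an exit for day 366 of a leap year (one possible fix, my assumption)."""
    steps = 0
    while days > 365:
        steps += 1
        if steps > budget:
            raise NonTermination(f"no progress at year={year}, days={days}")
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
            elif fixed:
                break    # days == 366: the last day of a leap year, nothing left to consume
        else:
            days -= 365
            year += 1
    return year, days

def hangs(days, year, fixed=False):
    # Bounded execution as a test oracle: True if the loop exhausted its step budget.
    try:
        year_from_days(days, year, fixed)
        return False
    except NonTermination:
        return True
```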
Patriot Bug - Rounding Error
• Time measured in 1/10 seconds
• Binary expansion of 1/10 (non-terminating): 0.0001100110011001100110011001100....
• 24-bit register (chopped): 0.00011001100110011001100
• error of 0.0000000000000000000000011001100... binary, or ~0.000000095 decimal
• After 100 hours of operation the error is 0.000000095 × 100 × 3600 × 10 = 0.34 seconds
• A Scud travels at about 1,676 meters per second, and so travels more than half a kilometer in this time
Suggested solution: reboot every 10 hours
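Added example (not from the slides): the rounding-error arithmetic above carried out exactly with Python's Fraction, so the chopped register value, the per-tick error and the 100-hour drift can be reproduced rather than taken on trust. I assume the 24-bit register keeps 23 fraction bits, which is what the slide's chopped value shows.

```python
from fractions import Fraction
import math

def chopped(value, bits):
    # Truncate (chop, not round) a non-negative Fraction to `bits` binary fraction digits.
    scale = 1 << bits
    return Fraction(math.floor(value * scale), scale)

def binary_fraction(value, digits):
    # Render a Fraction in [0, 1) as "0.b1b2..." with `digits` binary digits (truncated).
    out = []
    for _ in range(digits):
        value *= 2
        bit = int(value)
        out.append(str(bit))
        value -= bit
    return "0." + "".join(out)

TENTH = Fraction(1, 10)

def tenth_in_binary(digits=31):
    return binary_fraction(TENTH, digits)

def stored_tenth_in_binary(bits=23):
    # What the 24-bit register holds: 23 fraction bits of 1/10, per the slide.
    return binary_fraction(chopped(TENTH, bits), bits)

def tick_error(bits=23):
    # Exact error introduced each time the chopped 1/10 is added to the clock.
    return TENTH - chopped(TENTH, bits)

def clock_drift_seconds(hours=100, ticks_per_second=10, bits=23):
    # One addition per 1/10-second tick: error x hours x 3600 x ticks per second.
    return tick_error(bits) * hours * 3600 * ticks_per_second

SCUD_SPEED_M_PER_S = 1676   # from the slide

def miss_distance_m(hours=100):
    # Distance a Scud covers during the accumulated clock error.
    return float(clock_drift_seconds(hours)) * SCUD_SPEED_M_PER_S
```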
I just want to say LOVE YOU SAN!! (W32.Blaster.Worm) August 13, 2003
Windows Exploit(s): Buffer Overflow
  void foo (char *x) {
    char buf[2];
    strcpy(buf, x);
  }
  int main (int argc, char *argv[]) {
    foo(argv[1]);
  }
  ./a.out abracadabra
  Segmentation fault
Stack frame of foo (memory addresses; stack grows this way, YMMV), showing where the characters of "abracadabra" land, two per slot, once strcpy runs past buf[2]:
  …
  Previous frame   br
  Return address   da
  Saved FP         ca
  char* x          ra
  buf[2]           ab
(In)correct Usage of APIs
• Application Trend: Increasing number of libraries and APIs
• Non-trivial restrictions on permitted sequences of operations
• Typestate: Temporal safety properties
• What sequence of operations are permitted on an object?
• Encoded as DFA, e.g. “Don’t use a Socket unless it is connected”
[DFA with states init, connected, closed, err; edges labelled connect(), close(), getInputStream(), getOutputStream(), and * (on err)]
Challenges
  class SocketHolder { Socket s; }
  Socket makeSocket() {
    return new Socket(); // A
  }
  void open(Socket l) {
    l.connect();
  }
  void talk(Socket s) {
    s.getOutputStream().write("hello");
  }
  main() {
    Set<SocketHolder> set = new HashSet<SocketHolder>();
    while (…) {
      SocketHolder h = new SocketHolder();
      h.s = makeSocket();
      set.add(h);
    }
    for (Iterator<SocketHolder> it = set.iterator(); …) {
      Socket g = it.next().s;
      open(g);
      talk(g);
    }
  }
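Added example (not from the slides): a runtime typestate checker for the Socket DFA on the previous slide, run over constructed traces of the Challenges program. The transition table is my reading of the slide's DFA and is an assumption; a dynamic checker like this sidesteps the aliasing problem the slide raises (which socket does g name?) because it tracks each object by identity, which is exactly what a static analysis has to reason about.

```python
# Transition table for the slide's Socket typestate DFA (my reading of the slide, assumed):
# getInputStream/getOutputStream are legal only in 'connected'; err absorbs everything ('*').
TRANSITIONS = {
    ('init', 'connect'): 'connected',
    ('init', 'close'): 'closed',
    ('connected', 'getInputStream'): 'connected',
    ('connected', 'getOutputStream'): 'connected',
    ('connected', 'close'): 'closed',
}

def step(state, op):
    # any (state, op) pair missing from the table, and every op from 'err', leads to 'err'
    return TRANSITIONS.get((state, op), 'err')

def check_trace(trace):
    """trace: list of (socket_id, op) events in program order.
    Returns (final state of each socket, violations); a violation records the first
    illegal op on a socket as (socket_id, op, state before the op)."""
    states, violations = {}, []
    for sock, op in trace:
        before = states.get(sock, 'init')     # a new Socket() starts in 'init' (point A)
        after = step(before, op)
        if after == 'err' and before != 'err':
            violations.append((sock, op, before))
        states[sock] = after
    return states, violations

# Constructed traces of the slide's main() with two SocketHolders in the set.
# GOOD: each socket is open()ed (connect) before talk() (getOutputStream).
GOOD_TRACE = [('s1', 'connect'), ('s1', 'getOutputStream'),
              ('s2', 'connect'), ('s2', 'getOutputStream')]
# BAD: talk() reaches s2 before open() did, so getOutputStream runs on an unconnected socket.
BAD_TRACE = [('s1', 'connect'), ('s1', 'getOutputStream'),
             ('s2', 'getOutputStream'), ('s2', 'connect')]
```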
But there is hope!
Microsoft’s Static Driver Verifier (from MSR) found 100’s of errors in 140 drivers, right before the Windows 7 release. Microsoft uses and distributes the tool.
But there is hope!
“Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we’re building tools that can do actual proof about the software and how it works in order to guarantee the reliability.” -- Bill Gates, 2002
But there is hope!
The Astrée Static Analyzer has been used to automatically prove the absence of run-time errors in Airbus’s A340 and A380 primary flight control software
But there is hope!
Companies such as IBM, Coverity, Klocwork, Grammatech create sophisticated code analysis tools
Theory + Practice In this course, we will study the core theoretical principles behind these approaches and learn how to apply them to build practical analysis engines
Approaches to Reliability
General problem undecidable. There are two general classes of automated techniques for program analysis. We will cover both.
[Diagram of nested sets: Under-approximation ⊆ Program Behaviors ⊆ Over-approximation ⊆ All behaviors in the universe]
Under-approximations
• standard testing, guided dynamic analysis, symbolic execution, …
• Focuses on a subset of behaviors
• Which subset?
• What guarantees can it provide?
• We will cover some of the more interesting ones
Over-approximations
• aka “Static Analysis”
• abstract interpretation, dataflow analysis, constraint-based analysis, type and effect systems
• Always err on the safe side
• Many applications: verification, bug finding, code synthesis, program understanding, …
Static Analysis
Reason statically (at compile time) about the possible runtime behaviors of a program
“The algorithmic discovery of properties of a program by inspection of its source text¹” -- Manna, Pnueli
¹ Does not have to literally be the source text, just means w/o running it
Static Analysis
• Formalize software behavior in a mathematical model (semantics)
• Prove properties of the mathematical model
• Automatically, typically with approximation of the formal semantics
• Develop theory and tools for program correctness and robustness
Static Analysis
[Diagram: a specification and a program are fed to the Analyzer, which answers Valid or produces an Abstract counterexample]
Verification Challenge I
  main(int i) {
    int x = 3, y = 1;
    do {
      y = y + 1;
    } while (--i > 0);
    assert(0 < x + y);
  }
Determine what states can arise during any execution
Challenge: set of states is unbounded
Abstract Interpretation (same program)
Recipe
• Abstraction
• Transformers
• Exploration
Determine what states can arise during any execution
Challenge: set of states is unbounded
Solution: compute a bounded representation of (a superset of) program states
1) Abstraction (same program)
• concrete state: Var → Z
• abstract state (sign), marked #: Var → {+, 0, -, ?}
2) Transformers (same program)
• concrete transformer: y = y + 1
• abstract transformer: y = y + 1
3) Exploration (same program)
Incompleteness
  main(int i) {
    int x = 3, y = 1;
    do {
      y = y - 2;
      y = y + 3;
    } while (--i > 0);
    assert(0 < x + y);
  }
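Added example (not from the slides): the three-step recipe (abstraction, transformers, exploration) carried out for the sign domain {+, 0, -, ?} on both programs above. The encoding of the domain and the (var, op, rhs) statement format are my own assumptions. On Verification Challenge I the exploration proves x + y positive; on the Incompleteness program y = y - 2 already yields ?, so the assertion cannot be proved even though it holds.

```python
# Sign abstract domain from the slides: {+, 0, -, ?}. The value encoding and the
# (var, op, rhs) statement format are my own assumptions for this example.
def sign_of(n):
    return '0' if n == 0 else ('+' if n > 0 else '-')

def join(a, b):
    # least upper bound: two different signs can only be summarised as '?'
    return a if a == b else '?'

def abs_add(a, b):
    # abstract transformer for addition: the sign of a + b when the signs alone determine it
    if a == '?' or b == '?':
        return '?'
    if a == '0':
        return b
    if b == '0':
        return a
    return a if a == b else '?'   # (+) + (-) could have any sign

def abs_sub(a, b):
    return abs_add(a, {'+': '-', '-': '+'}.get(b, b))

def run_block(state, body):
    # body: list of (var, op, rhs) meaning var = var op rhs; rhs is an int constant or a variable
    for var, op, rhs in body:
        r = sign_of(rhs) if isinstance(rhs, int) else state[rhs]
        state = {**state, var: {'+': abs_add, '-': abs_sub}[op](state[var], r)}
    return state

def explore_do_while(entry, body):
    # Exploration: the loop-head state is the join of the entry state and the state after
    # the body; iterate until it stops changing (the lattice is finite, so this terminates).
    head = entry
    while True:
        after = run_block(head, body)
        new_head = {v: join(head[v], after[v]) for v in head}
        if new_head == head:
            return after          # abstract state at loop exit, where the assert is checked
        head = new_head

def sign_of_x_plus_y(body):
    # Both slide programs start with x = 3, y = 1 and assert 0 < x + y after the loop.
    # The counter i only affects termination, which the sign abstraction does not track.
    exit_state = explore_do_while({'x': sign_of(3), 'y': sign_of(1)}, body)
    return abs_add(exit_state['x'], exit_state['y'])

CHALLENGE_I = [('y', '+', 1)]                  # do { y = y + 1; }
INCOMPLETE = [('y', '-', 2), ('y', '+', 3)]    # do { y = y - 2; y = y + 3; }
```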
Parity Abstraction
  while (x != 1) do {
    if (x % 2) == 0 {
      x := x / 2;
    } else {
      x := x * 3 + 1;
      assert (x % 2 == 0);
    }
  }
challenge: how to find “the right” abstraction
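Added example (not from the slides): the parity domain {even, odd, ?} applied to the loop above. Unlike the sign example, the interesting step here is refining x by the branch condition: in the else branch x is odd, so x * 3 + 1 is provably even and the assert is verified whatever x was on entry, even though x / 2 throws all parity information away at the loop head. The domain encoding is my assumption.

```python
# Parity abstract domain for the slide's program: {even, odd, ?}. Encoding is my assumption.
def parity(n):
    return 'even' if n % 2 == 0 else 'odd'

def join(a, b):
    return a if a == b else '?'

def meet(a, cond):
    # refine x by the branch condition; None means the branch is infeasible for this state
    if a == '?':
        return cond
    return a if a == cond else None

def add(a, b):
    if a == '?' or b == '?':
        return '?'
    return 'even' if a == b else 'odd'

def mul(a, b):
    if a == 'even' or b == 'even':
        return 'even'
    return 'odd' if a == b == 'odd' else '?'

def halve(a):
    # x / 2 destroys parity information: 4 / 2 = 2 is even, 6 / 2 = 3 is odd
    return '?'

def analyze_collatz(x_entry='?'):
    """Returns (parity of x at the loop head at the fixpoint, parity of x at the assert)."""
    head = x_entry
    while True:
        x_even = meet(head, 'even')              # then-branch: (x % 2) == 0
        x_odd = meet(head, 'odd')                # else-branch: x is odd
        outs, at_assert = [], None
        if x_even is not None:
            outs.append(halve(x_even))           # x := x / 2
        if x_odd is not None:
            at_assert = add(mul(x_odd, parity(3)), parity(1))   # x := x * 3 + 1
            outs.append(at_assert)
        new_head = head
        for o in outs:
            new_head = join(new_head, o)
        if new_head == head:
            return head, at_assert
        head = new_head

def assert_verified(x_entry='?'):
    # the slide's assert (x % 2 == 0) holds if x is provably even at that point
    return analyze_collatz(x_entry)[1] == 'even'
```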
Example: Shape (Heap) Analysis
  void stack-init(int i) {
    Node* x = null;
    do {
      Node* t = malloc(…);
      t->n = x;
      x = t;
    } while (--i > 0);
    Top = x;
  }
  assert(acyclic(Top))
[Heap diagrams for successive loop iterations: emp; t; t t; t t t x]