« Abstract Interpretation with Applications to Semantics and Static Analysis »

Patrick Cousot
École normale supérieure
45 rue d'Ulm, 75230 Paris cedex 05, France
Patrick.Cousot@ens.fr
www.di.ens.fr/~cousot
Visiting IBM T.J. Watson Research Center — Hawthorne N.Y.

Computer Science Colloquium — NYU
Monday April 9th, 2007

CS Colloquium, NYU, 9/4/2007 — 1 — © P. Cousot

Contents
The problem ..................................................... 3
Abstract interpretation ......................................... 7
Theoretical application: semantics of the eager λ-calculus ..... 11
Practical application: static analysis ......................... 41
The Astrée static analyzer ..................................... 48
A few research directions ...................................... 76
Conclusion ..................................................... 82
Recent publications ............................................ 85
Other references ............................................... 98

1. The Problem: The Design of Safe and Secure Computer-Based Systems

Software is Everywhere
– Exponential growth of hardware since 1975 ⇒ exponential growth of software (favored by software engineering methods)
– Mainly manual activity ⇒ bugs are everywhere
Guaranteeing the Reliability and Security of Software-Intensive Systems
– A permanent objective since the origin of computer science
– An industrial requirement, in particular for safety and security critical software (validation can account for up to 60% of software development costs)

Validation/Formal Methods
– Bug-finding methods: unit, integration, and system testing, dynamic verification, bounded model-checking, error pattern mining, ...
– Absence of bug proving methods: formally prove that the semantics of a program satisfies a specification
  - theorem-proving & proof checking
  - model-checking
  - abstract interpretation
– In practice: complementary methods are used, very difficult to scale up

2. Abstract Interpretation

The Theory of Abstract Interpretation
– A theory of sound approximation of mathematical structures, in particular those involved in the behavior of computer systems
– Systematic derivation of sound methods and algorithms for approximating undecidable or highly complex problems in various areas of computer science
– Main practical application is on the safety and security of complex hardware and software computer systems
– Abstraction: extracting information from a system description that is relevant to proving a property
Applications of Abstract Interpretation (Cont'd)
– Static Program Analysis [54], [59], [55] including Dataflow Analysis [55], [58], Set-based Analysis [57], Predicate Abstraction [3], ...
– Grammar Analysis and Parsing [6];
– Hierarchies of Semantics and Proof Methods [56], [5];
– Typing & Type Inference [53];
– (Abstract) Model Checking [58];
– Program Transformation (including program optimization, partial evaluation, etc) [12];

Applications of Abstract Interpretation (Cont'd)
– Software Watermarking [14];
– Bisimulations [71];
– Language-based security [63];
– Semantics-based obfuscated malware detection [70].
– Databases [50, 51, 52]
– Computational biology [60]
– Quantum computing [64, 68]
All these techniques involve sound approximations that can be formalized by abstract interpretation

3. An Example of Theoretical Application: Semantics of the Eager λ-calculus

[1] P. Cousot & R. Cousot. Bi-inductive structural semantics. February 15th, 2007. Submitted.

Syntax
Syntax of the Eager λ-calculus
variables    x, y, z, ... ∈ X
constants    c ∈ C  (X ∩ C = ∅)           c ::= 0 | 1 | ...
values       v ∈ V                         v ::= c | λx.a
errors       e ∈ E                         e ::= c a | e a
terms        a, a', a₁, ..., b, ... ∈ T    a ::= x | v | a a'

Trace Semantics

Example I: Finite Computation
  function              argument
  ((λx.x x) (λy.y))     ((λz.z) 0)
→ evaluate function
  ((λy.y) (λy.y)) ((λz.z) 0)
→ evaluate function, cont'd
  (λy.y) ((λz.z) 0)
→ evaluate argument
  (λy.y) 0                      (the argument is now a value!)
→ apply function to argument
  0

Example II: Infinite Computation
  function      argument
  (λx.x x)      (λx.x x)
→ apply function to argument
  (λx.x x) (λx.x x)
→ apply function to argument
  (λx.x x) (λx.x x)
→ apply function to argument
  ...  non termination!
Example III: Erroneous Computation
  function                  argument
  ((λx.x x) ((λz.z) 0))     ((λy.y) 0)
→ evaluate argument
  ((λx.x x) ((λz.z) 0)) 0
→ evaluate function
  ((λx.x x) 0) 0
→ evaluate function, cont'd
  (0 0) 0
  a runtime error!

Finite, Infinite and Erroneous Trace Semantics
[Figure: plot of s(t) against t = 0, ..., 10 showing finite, infinite and erroneous traces; an "Error" point marks where an erroneous trace stops.]

Traces
– Let $T^{*}$ (resp. $T^{+}$, $T^{\omega}$, $T^{\infty}$ and $T^{+\infty}$) be the set of finite (resp. nonempty finite, infinite, finite or infinite, and nonempty finite or infinite) sequences of terms
– $\epsilon$ is the empty sequence: $\epsilon \cdot \sigma = \sigma \cdot \epsilon = \sigma$.
– $|\sigma| \in \mathbb{N} \cup \{\omega\}$ is the length of $\sigma \in T^{\infty}$; $|\epsilon| = 0$.
– If $\sigma \in T^{+}$ then $|\sigma| > 0$ and $\sigma = \sigma_0 \cdot \sigma_1 \cdot \ldots \cdot \sigma_{|\sigma|-1}$.
– If $\sigma \in T^{\omega}$ then $|\sigma| = \omega$ and $\sigma = \sigma_0 \cdot \ldots \cdot \sigma_n \cdot \ldots$.

Operations on Traces
– For $a \in T$ and $\sigma \in T^{+\infty}$, we define $a \mathbin{@} \sigma$ to be the $\sigma' \in T^{+\infty}$ such that $\forall i < |\sigma| : \sigma'_i = a\,\sigma_i$
  [Figure: $\sigma = \sigma_0\ \sigma_1\ \sigma_2\ \sigma_3 \ldots \sigma_i \ldots$ and $a \mathbin{@} \sigma = a\,\sigma_0\ \ a\,\sigma_1\ \ a\,\sigma_2\ \ a\,\sigma_3 \ldots a\,\sigma_i \ldots$]
– Similarly $\sigma \mathbin{@} a$ is the $\sigma'$ such that $\forall i < |\sigma| : \sigma'_i = \sigma_i\,a$
  [Figure: $\sigma \mathbin{@} a = \sigma_0\,a\ \ \sigma_1\,a\ \ \sigma_2\,a\ \ \sigma_3\,a \ldots \sigma_i\,a \ldots$]
Finite and Infinite Trace Semantics
[Figure: plot of s(t) against t = 0, ..., 10 showing finite and infinite traces.]

Bifinitary Trace Semantics $\tilde{S}$ of the Eager λ-calculus¹ [56]

  $v \in \tilde{S}$,  $v \in V$

  $\dfrac{a[x \leftarrow v] \cdot \sigma \in \tilde{S}}{(\lambda x.a)\,v \cdot a[x \leftarrow v] \cdot \sigma \in \tilde{S}}$,  $v \in V$

  $\dfrac{\sigma \cdot v \in \tilde{S}^{+}, \quad (a\,v) \cdot \sigma' \in \tilde{S}}{(a \mathbin{@} \sigma) \cdot (a\,v) \cdot \sigma' \in \tilde{S}}$,  $v, a \in V$        $\dfrac{\sigma \in \tilde{S}^{\omega}}{a \mathbin{@} \sigma \in \tilde{S}}$,  $a \in V$

  $\dfrac{\sigma \cdot v \in \tilde{S}^{+}, \quad (v\,b) \cdot \sigma' \in \tilde{S}}{(\sigma \mathbin{@} b) \cdot (v\,b) \cdot \sigma' \in \tilde{S}}$,  $v \in V$        $\dfrac{\sigma \in \tilde{S}^{\omega}}{\sigma \mathbin{@} b \in \tilde{S}}$

¹ Note: $a[x \leftarrow b]$ is the capture-avoiding substitution of $b$ for all free occurrences of $x$ within $a$. We let $\mathrm{FV}(a)$ be the free variables of $a$. We define the call-by-value semantics of closed terms (without free variables) $\mathbb{T} \triangleq \{a \in T \mid \mathrm{FV}(a) = \emptyset\}$.

Non-Standard Meaning of the Rules
The rules $R = \{\, P_i / C_i \mid i \in \Delta \,\}$ define $\mathrm{lfp}^{\sqsubseteq} F⟦R⟧$ where the consequence operator is $F⟦R⟧(T) = \bigsqcup \{\, C \mid P/C \in R \wedge P \sqsubseteq T \,\}$ and ...

The Computational Lattice
Given $S, T \in \wp(T^{+\infty})$, we define
– $S^{+} \triangleq S \cap T^{+}$   finite traces
– $S^{\omega} \triangleq S \cap T^{\omega}$   infinite traces
– $S \sqsubseteq T \triangleq S^{+} \subseteq T^{+} \wedge S^{\omega} \supseteq T^{\omega}$   computational order
– $\langle \wp(T^{+\infty}), \sqsubseteq, T^{\omega}, T^{+}, \sqcup, \sqcap \rangle$ is a complete lattice
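As an added example (not code from the slides), the following small evaluator implements the syntax of slide 13 and the evaluation order of the bifinitary rules above, and reproduces the three kinds of trace of Examples I–III: finite ending in a value, infinite, and stuck on an error term. The left-to-right order (function part first, then the argument once the function is a value) and the step budget used to cut off the infinite trace are assumptions.

```python
# Added example (not from the slides): small-step evaluator for the eager
# lambda-calculus of slide 13, recording the traces of Examples I-III. Assumed
# order: function first, then argument once the function is a value (slide 22).
from dataclasses import dataclass

@dataclass(frozen=True)
class Var: name: str                    # x, y, z, ...
@dataclass(frozen=True)
class Const: n: int                     # c ::= 0 | 1 | ...
@dataclass(frozen=True)
class Lam: x: str; body: object         # λx.a
@dataclass(frozen=True)
class App: f: object; a: object         # a a'

def is_value(t):                        # v ::= c | λx.a
    return isinstance(t, (Const, Lam))
def is_error(t):                        # e ::= c a | e a
    return isinstance(t, App) and (isinstance(t.f, Const) or is_error(t.f))
def subst(t, x, v):                     # a[x <- v]; v is closed, so no capture
    if isinstance(t, Var): return v if t.name == x else t
    if isinstance(t, Lam): return t if t.x == x else Lam(t.x, subst(t.body, x, v))
    if isinstance(t, App): return App(subst(t.f, x, v), subst(t.a, x, v))
    return t

def step(t):                            # one step; None if t is a value or stuck
    if not isinstance(t, App) or is_error(t): return None
    if not is_value(t.f):                                   # evaluate function
        f = step(t.f); return None if f is None else App(f, t.a)
    if not is_value(t.a):                                   # evaluate argument
        a = step(t.a); return None if a is None else App(t.f, a)
    return subst(t.f.body, t.f.x, t.a)                      # (λx.a) v -> a[x<-v]

def trace(t, fuel=20):                  # (terms, kind): 'value'|'error'|'diverging'
    tr = [t]
    while len(tr) <= fuel:
        nxt = step(tr[-1])
        if nxt is None: return tr, ("value" if is_value(tr[-1]) else "error")
        tr.append(nxt)
    return tr, "diverging"              # budget exhausted: assumed non-termination
def show(t):                            # pretty-print a term
    if isinstance(t, Var): return t.name
    if isinstance(t, Const): return str(t.n)
    if isinstance(t, Lam): return f"(λ{t.x}.{show(t.body)})"
    return f"({show(t.f)} {show(t.a)})"
ID = lambda x: Lam(x, Var(x))                                # λx.x
OMEGA = Lam("x", App(Var("x"), Var("x")))                    # λx.x x
EX1 = App(App(OMEGA, ID("y")), App(ID("z"), Const(0)))      # Example I
EX2 = App(OMEGA, OMEGA)                                      # Example II
EX3 = App(App(OMEGA, App(ID("z"), Const(0))), App(ID("y"), Const(0)))  # Example III
```

Because the function part is evaluated first, Example III reaches the error term (0 0) after two steps rather than the four shown on the slide; the error is the same stuck shape either way.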
Relational Semantics = α(Trace Semantics)
[Figure: plot of s(t) against t = 0, ..., 10: the trace semantics abstracted to the relational semantics.]

Trace Semantics
[Figure: plot of s(t) against t = 0, ..., 10.]

Relational Semantics

Relational Semantics
[Figure: plot of s(t) against t = 0, ..., 10.]